About Jigsaw Adoption

1.            Introduction

This Policy sets out the obligations of Jigsaw Adoption Ltd, a company registered in England under number 9172398, whose registered office is at 12 the Broadway, Amersham, Buckinghamshire, HP7 0HP (“the Company”) regarding retention of personal data collected, held, and processed by the Company in accordance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The GDPR also addresses “special category” personal data (also known as “sensitive” personal data). Such data includes, but is not necessarily limited to, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation.

Under the GDPR, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).

In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:

a)            Where the personal data is no longer required for the purpose for which it was originally collected or processed (see above);

b)            When the data subject withdraws their consent;

c)            When the data subject objects to the processing of their personal data and the Company has no overriding legitimate interest;

d)            When the personal data is processed unlawfully (i.e. in breach of the GDPR);

e)            When the personal data has to be erased to comply with a legal obligation; or

f)             Where the personal data is processed for the provision of information society services to a child.

This Policy sets out the type(s) of personal data held by the Company for the purpose of operating as a voluntary adoption agency, the period(s) for which that personal data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.

For further information on other aspects of data protection and compliance with the GDPR, please refer to the Company’s Data Protection Policy.


2.    Aims and Objectives

2.1          The primary aim of this Policy is to set out limits for the retention of personal data and to ensure that those limits, as well as further data subject rights to erasure, are complied with. By extension, this Policy aims to ensure that the Company complies fully with its obligations and the rights of data subjects under the GDPR.

2.2          In addition to safeguarding the rights of data subjects under the GDPR, by ensuring that excessive amounts of data are not retained by the Company, this Policy also aims to improve the speed and efficiency of managing data.


3.    Scope

3.1          This Policy applies to all personal data held by the Company for the purpose of operating as a voluntary adoption agency which includes, without limitation, recruiting, training and assessing potential adopters or children in the UK care system.

3.2          Personal data, as held by the Company, is stored in the following ways and in the following locations:

a)            Third-party servers, operated by Amazon Web Services and located in Ireland;

b)            Third-party servers operated by pCloud AG located in Switzerland;

c)            Computers permanently located in the Company’s premises in Amersham;

d)            Laptop computers provided by the Company to its employees; and

e)            Computers and owned by sub-contractors;


4.    Data Subject Rights and Data Integrity

All personal data held by the Company is held in accordance with the requirements of the GDPR and data subjects’ rights thereunder, as set out in the Company’s Data Protection Policy.

4.1          Data subjects are kept fully informed of their rights, of what personal data the Company holds about them, how that personal data is used as set out in Parts 12 and 13 of the Company’s Data Protection Policy, and how long the Company will hold that personal data (or, if no fixed retention period can be determined, the criteria by which the retention of the data will be determined).

4.2          Data subjects are given control over their personal data held by the Company, including the right to have incorrect data rectified and the right to request that their personal data be deleted or otherwise disposed of.


5.    Technical and Organisational Data Security Measures

5.1          Technical and organisational measures within the Company to protect the security of personal data are set out in the Company’s Data Protection Policy.


6.    Data Disposal

Upon the expiry of the data retention periods set out below in Part 7 of this Policy, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:

6.1          Personal data stored electronically shall be deleted from the Company’s cloud storage;

6.2          Personal data stored on the Company’s website shall be deleted; and

6.3          Personal data stored in hardcopy form shall be shredded.


7.    Data Retention

7.1          As stated above, and as required by law, the Company shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.

7.2          Different types of personal data, used for different purposes, will necessarily be retained for different periods (and its retention periodically reviewed), as set out below.

7.3          When establishing and/or reviewing retention periods, the following shall be taken into account:

a)            The objectives and requirements of the Company;

b)            The type of personal data in question;

c)            The purpose(s) for which the data in question is collected, held, and processed;

d)            The Company’s legal basis for collecting, holding, and processing that data;

e)            The category or categories of data subject to whom the data relates;

f)             The need to retain data in order to be able to conduct or assist in child safeguarding investigations.

7.4          Notwithstanding the following defined retention periods, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the Company to do so (whether in response to a request by a data subject or otherwise), except where such deletion would be in breach of applicable regulation or would, in the reasonable opinion of the Company, reduce the Company’s ability to lead, participate in or assist in investigations related to safeguarding children.

7.5          The period for which personal data is retained depends on the capacity in which the data subject interacts with the Company and, for potential adopters, how far they progress in the adoption process.





Data subject category: Data subjects browsing the website
Data collected: No data collected

Data subject category: Data subjects sending a message to the Company through the website or email
Data collected: IP address; Type of browser; Operating system used; Telephone number; Any data given in body of message
Purpose of data: To facilitate discussion about data subject potentially entering adoption process
Retention period: 5 years. An adoption agency is required to reply to other adoption agencies if they query whether adopters have registered or enquired with the first agency.

Data subject category: Data subjects registering on website and filling in our preliminary interest form
Data collected: All data set out above; Age range; Type of work; Type of relationship; Preferences in respect of adoption; Whether the household already has children; Size of home; Any other personal data provided by data subject in emails or otherwise
Purpose of data: Providing login and access to the website; and to progress discussion about potentially entering the adoption process and to be able to make a preliminary assessment of probability of success
Retention period: 5 years. An adoption agency is required to reply to other adoption agencies if they query whether adopters have registered or enquired with the first agency.

Data subject category: Data subjects entering and completing the adoption process either through successfully adopting children in the UK
Data collected: All data set out above; Data in respect of data subjects that the Company is required to collect for the process of going through the adoption process as set out in the Adoption Agencies (Miscellaneous Amendments) Regulations 2013. Such data includes, but is not limited to: Date of birth; Ethnicity and cultural identity; Marital status; Address history; A family tree; Details of any employment; Medical information and history; Details on financial situation; Details of any previous legal processes involving a family court; Languages spoken; A chronology of the data subject’s life; NI number; A DBS check
Purpose of data: To assess the data subject(s)’ suitability to adopt children from the UK care system; to share with local authorities to enable them to decide whether to place children for adoption with the data subject; and to facilitate adoption support once the children move in
Retention period: 100 years. An adoption agency is required to keep adoption records for 100 years.

Data subject category: Data subjects who complete the adoption process through having their approval to adopt terminated by the Company and data subjects who voluntarily withdraw from the process
Data collected: As above
Purpose of data: To assess the data subject(s)’ suitability to adopt children in the UK
Retention period: 10 years. This is the period deemed appropriate for safeguarding purposes.



8.            Sharing data with third parties

In order to comply with applicable regulation, assess data subjects’ suitability to adopt children, and, where data subjects have been approved to adopt, to match them with children waiting to be adopted, the Company may share personal data with third parties. Such personal data may include sensitive personal data.

Sharing of data with third parties will only take place where it is required by applicable regulation and where the Company reasonably considers it necessary in the interest of the data subject or in the interest of looked after children.

Third parties include, without limitation, local authorities in the UK as well as the NSPCC and Capita plc and other organisations which the Company is required to, or deems it appropriate to, contact as part of the adoption process.

The Company will not share personal data with third parties for marketing purposes.

9.            Cookies

The Company’s website may place and access certain first-party Cookies on your computer or device. First-party Cookies are those placed directly by the Company and are used only by the Company. The Company uses Cookies to facilitate and improve your experience of its website and to provide and improve its services.

All Cookies used by and on the Company’s website are used in accordance with current Cookie Law.

Before Cookies are placed on a computer or device, the user will be shown a prompt requesting their consent to set those Cookies. By giving consent to the placing of Cookies, data subjects are enabling the Company to provide the best possible experience and service.

Data subjects can choose to enable or disable Cookies in their internet browser. Most internet browsers also enable users to choose whether they wish to disable all Cookies or only third-party Cookies. By default, most internet browsers accept Cookies, but this can be changed. For further details, data subjects should consult the help menu in their internet browser or the documentation that came with the device.

Data subjects can choose to delete Cookies on their computer or device at any time; however, this may delete information that enables data subjects to access the Company’s website more quickly and efficiently including, but not limited to, login and personalisation settings.

It is recommended that data subjects keep their internet browser and operating system up-to-date and that they consult the help and guidance provided by the developer of the internet browser and manufacturer of the computer or device if they are unsure about adjusting the privacy settings.

10.         Implementation of Policy

This Policy shall be deemed effective as of the date written above. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.


This Policy has been approved and authorised by:


Erik Ferm




25 May 2018





