Effective Date: 11/16/2025
This Privacy Policy explains how The TIFA Group (“we,” “us,” or “our”) processes personal data collected via the corporate website (TIFA.co.uk) and across our specialized network of subdomains (e.g., life.tifa.co.uk, Recruits.tifa.co.uk).
The TIFA Group operates a Hub-and-Spoke model. TIFA.co.uk is the central corporate entity and is the Data Controller for general inquiries and governance data. Our subdomains (such as TIFA Life or TIFA Recruits) may operate as separate or joint Data Controllers for their distinct operational purposes (e.g., supported living placements, recruitment).
We process data across two main categories:
This includes Name, Email, Phone, Company, and Inquiry Type (collected from the Contact Us form). The lawful basis for processing this data is typically Legitimate Interest (responding to your request or inquiry) or Contract (for formal agreements).
This includes sensitive information collected exclusively via our operational subdomains, such as health information, details of support needs, immigration status (UASC), DBS status, and safeguarding reports.
Lawful Basis (Article 9)
We rely on the condition for Health or Social Care (Article 9(2)(h)) and the corresponding conditions in Schedule 1 of the Data Protection Act (DPA) 2018.
Professional Obligation
This sensitive processing is carried out subject to a legal duty of confidentiality, meaning all staff handling this data are bound by a professional obligation of secrecy.[1]
Safeguarding Disclosure
We have a legal obligation to share information, including MARF submissions, with Local Authority Multi-Agency Safeguarding Hubs (MASH) where necessary to protect vulnerable individuals. This mandatory disclosure is justified under the legal basis of Legal Obligation (Article 6(1)(c)).
We utilise specialized third-party tools to automate and secure our workflows.
Jotform
We use Jotform to secure form submissions (referrals, applications, statutory reporting). Jotform is certified as a PCI DSS Level 1 Compliant Service Provider (Source: S_R6, S_R7). Crucially, we utilise Form Encryption (RSA 2048) for all sensitive statutory forms (MARF, Incident Reports) to ensure data is encrypted before transfer and storage (Source: S_R7, S_R10).