Data Protection & GDPR

Cognus is committed to ensuring the security of all data.

Steve Broughton and Numi Bababunmi are the leads for all queries under the General Data Protection Regulations (“GDPR”). They can be contacted at

Cognus has also engaged an external Data Protection Officer, ensuring the highest standards of scrutiny and challenge to our data processing. The external Data Protection officer is provided by IT Governance, an experienced provider of data security services within the public sector.

Data subjects are able to complain to Cognus Limited about:

  • how their personal data has been processed
  • how their request for access to data has been handled
  • how their complaint has been handled
  • appeal against any decision made following a complaint.

If you wish to make a complaint, we ask that you contact by email providing appropriate details to enable us to investigate fully. Please include as a minimum: your name, your preferred method of contact, your contact details, the reason for your complaint.

Aligned to the GDPR, please take a look at our Data Protection Policy

Online Privacy Statement

We are registered with the Information Commissioner’s Office are committed to compliance with the GDPR. This notice explains how we use and share personal information which may be collected online, on paper or by email, telephone, or in person by different departments across Cognus Limited.

Our Data Protection Registration number is ZA261762.

Personal data

Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as:  “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

How we use your information

This privacy notice tells you how we, Cognus, will collect and use your personal data for the purpose of providing support to educational settings, families and children/young people to enable them to access, enjoy and thrive in educational settings and in the community. More information about the services that we provide can be found at

Data will be collected from partner organisations including schools and other educational settings, through the use of cookies on the Cognus website and via complaints as well as through our direct contact with you.

If you are employed by Cognus we will collect and use your personal data for the purpose of meeting our contractual obligations to you, to ensure that we are legally compliant with the appropriate legislation and to monitor and manage the business effectively.

Why does Cognus need to collect and store personal data?

In order for us to provide you with services to access education we need to collect personal data for asked to assess your current situation and support you to receive the help that you need either through a Cognus employee or through another service provider. In any event, we are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.

If you are employed by Cognus for us to meet our contractual and legal obligations we will need to collect and store your personal data.

In terms of being contacted for marketing purposes Cognus would contact you for additional consent.

Will Cognus share my personal data with anyone else?

We may pass your personal data on to third-party service providers contracted to Cognus in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to fulfil the service they provide on our behalf. When they no longer need your data to fulfil this service, they will dispose of the details in line with Cognus’s procedures.

How will Cognus use the personal data it collects about me?

Cognus will process (collect, store and use) the information you provide in a manner compatible with the EU’s General Data Protection Regulation (GDPR). We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. Cognus is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.

Under what circumstances will Cognus contact me?

Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.

Can I find out the personal data that the organisation holds about me?

Cognus at your request, can confirm what information we hold about you and how it is processed. If Cognus does hold personal data about you, you can request the following information:

  • Identity and the contact details of the person or organisation that has determined how and why to process your data.
  • Contact details of the data protection officer, where applicable.
  • The purpose of the processing as well as the legal basis for processing.
  • If the processing is based on the legitimate interests of Cognus or a third party, information about those interests.
  • The categories of personal data collected, stored and processed.
  • Recipient(s) or categories of recipients that the data is/will be disclosed to.
  • If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
  • How long the data will be stored.
  • Details of your rights to correct, erase, restrict or object to such processing.
  • Information about your right to withdraw consent at any time.
  • How to lodge a complaint with the supervisory authority.
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
  • The source of personal data if it wasn’t collected directly from you.
  • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

What forms of ID will I need to provide in order to access this?

Cognus accepts the following forms of ID when information on your personal data is requested:

  • Passport or National Identity Card
  • Driving licence
  • Birth certificate
  • Utility bill (from last 3 months)
  • Current vehicle registration document
  • Bank statement (from last 3 months)
  • Rent book (from last 3 months).

ID must be provided in the form of two copies of forms of identification (one of which must include a signature).

As we are fully owned by the London Borough of Sutton:

Any Subject Access Requests (SAR) must go to their team, by emailing – information on the process, can be found here (external website).

Any Freedom of Information (FOI) requests must go to their team, by emailing – information on the process, can be found here (external website).  



Contact Name: Steve Broughton or Numi Bababunmi
Address line 1: Cognus Limited, Cantium House
Address line 2: Railway Approach, Wallington
Address line 3: SM6 0DZ
Telephone: 020 8323 0450


Further Information
The ICO (Information Commissioners Office) is the UK’s independent body set up to uphold information rights. Find out more about their work and the legislation they cover by visiting the website.

The full Privacy Procedure is included here.

Data Rights Requests (DRR), the Data Subject Rights Procedure can be found here and the required information can be found here (for DRR).