GDPR Policy

For reference, please see below our policy documents.

Data Protection Principles

There are eight protection principles. Personal information must:

  • Be used fairly and lawfully
  • Be used for limited, specifically stated purposes
  • Be used in a way that is adequate, relevant and not excessive
  • Be accurate
  • Be kept for no longer than is absolutely necessary
  • Be handled according to people’s data protection rights
  • Be kept safe and secure
  • Not be transferred outside the European Economic Area without adequate protection

Purpose of Policy Includes:

  • Complying with the law
  • Following good practice
  • Protecting clients, staff and other individuals
  • Protecting the organisation
  • Making clear how we collect, use and store data, and the methods used to protect personal data

Personal Data:

Personal data may be collected during our activities to process customer enquiries and orders, including:

  • Contact names, positions held, landline phone numbers/mobile phone numbers, site addresses.


Personal data will be collected for individuals attending training courses and may include:

  • Candidate name, date-of-birth, photograph of the individual and location of training.


Personal data will be collected on contract training-staff (instructors) and may include:

  • Instructor name, photograph, address, contact telephone numbers (home, business, mobile), qualifications held (copy of original certificates) and accreditation details (instructor training identification card, passport-style)

Policy Statement

Includes our commitment to:

  • Comply with both the law and good practice
  • Respect individuals’ rights
  • Be open and honest with individuals whose data is held
  • Provide training and support for staff who handle personal data, so that they can act confidently and consistently
  • Notify the Information Commissioner’s Office when changes in our operation affect the data we collect, and set out how we will remain compliant with the Act


Key Risks

The main risks within our organisation fall into two key areas:

  • Information about individuals getting into the wrong hands, through poor security or inappropriate disclosure of information.
  • Individuals being harmed by inaccurate or insufficient information held about them.

Responsibilities of Data Protection Officer include:

  • Briefing the board on Data Protection responsibilities
  • Reviewing Data Protection and related policies
  • Advising other staff on sensitive Data Protection issues
  • Ensuring that Data Protection induction and training takes place
  • Notification of changes to the Information Commissioner’s Office
  • Handling subject access requests
  • Approving unusual or controversial disclosures of personal data
  • Approving contracts with Data Processors

Staff & Data Processors

All staff are recognised within the Company as Data Processors when performing duties that include the handling of personal data. All staff are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. From this point on, where ‘staff’ is used, it includes employed administrative staff, training staff and training-contractors.


Enforcement

A minor infringement (a non-deliberate act of mishandling personal data) will result in a record being placed in the staff member’s personnel file and re-training on the Company’s data protection policies and procedures.


A serious infringement (a deliberate act of mishandling personal data, as identified following an investigation) will result in dismissal or termination of contract on the grounds of gross misconduct.

Data Recording and Storage

Accuracy

The key area where accuracy of personal data matters in our operation is candidate data. This data is recorded for the purpose of registering attendance and, when applicable, successful completion of a training course; completion results in the production of a certificate and may also result in an identification card bearing the individual’s photograph. Generally, information is collected for single-use purposes.


Candidate names may be provided at the time of a course booking. Regardless, a member of the training-staff will record all candidate details in the presence of the candidate, confirming their accuracy prior to the start of the course, and add this information to the training paperwork. The candidate then signs to confirm the accuracy of the details and to acknowledge their use, the storage timescales and their ‘right to be forgotten’.


Updating

At the time of receiving course paperwork into the office, a member of the Central Support Team is required to check the details received and clarify any unclear detail with the training-staff member who delivered the course. On occasion it may be necessary to contact the individual who booked the course to clarify the spelling of a name or a date of birth (the latter only where required for the course) and manually update the course paperwork. Information that has been corrected, or is deemed clear and correct at the time of receipt, is then manually loaded onto the electronic Central Booking System.


Personal Data Distribution

Head-and-shoulders images will be sent by the training-staff member via email from their mobile device. Upon confirmation of receipt from the office team, the image will be deleted from the mobile device. When required, the image will be sent to our accrediting body via email, together with the course registration details.


Storage

Personal information (including that of individuals external to the Company) detailed on training paperwork will be stored securely on-site, on our secure servers protected by McAfee LiveSafe Real-Time Scanning (anti-malware, firewall and web control), and in Apple Inc’s iCloud.

Electronic candidate data is limited to the individual’s name, the name of their company and the course details, held on our internal secure server.

 

Retention Periods

Training paperwork is stored securely and held for six years, as required by our accrediting bodies. Electronic data is held indefinitely.

 

Archiving

Following the six-year course paperwork retention period, paperwork must be disposed of securely. Unused or replaced computer/server hard drives, CDs and DVDs must be securely wiped and destroyed.


Access

Subject access will be granted by the business owner only, and within a maximum of 30 days of the request.


Procedure for Making Request

Subject access requests must be recorded and filed, detailing all relevant information regarding the request.


Provision for Verifying Identity

Subject access requests may be made by an individual employed by an organisation that we categorise as a customer. The request must be made on company letterhead and include the full name and position of the individual making the request. Before any information is released, the validity of the request must be verified with the customer’s appropriate contact: the Human Resources (HR) department, the manager who performs the HR function, or a Director.


Subject access requests made by a candidate who previously attended a training course must include full details of the course attended, including the candidate’s date of birth. Where the date of birth was not taken at the time of the training course, the identity of the individual must be confirmed with the customer’s appropriate contact.


Charging

A fee of up to £10.00 + VAT per request may be charged for subject access.


The charge, if made, must be made clear to the individual making the request. In the case of a customer, a purchase order will be required.

 

Transparency Commitment

We will not use personal data for any purpose other than the reason for which it was collected. In the case of a customer, company information is used:

  • To process orders
  • To record activity
  • To produce customer invoices
  • To provide analytical data on our activities by individual customer, by customer group-type and by training course/training materials sold by category-type
  • To contact customers to remind them that refresher training is due
  • To inform our customers when new services become available

In the case of a candidate, information is used:

  • To record course details and produce certificates
  • To register successful candidate information on accrediting body databases
  • To produce personal identity cards

No information taken from our customers or candidates will be shared with a third party unconnected to the process of course delivery, training materials supply, accounts processing or debt collection.


Responsibility

All staff members are responsible for transparency in relation to different types of Data Subject.

 

Consent Underlying Principles

We must only use and hold personal data under the following conditions. In the case of customer, company information:

  • To perform our duties as a commercial training provider

In the case of candidate information:

  • To meet our legal and accrediting body obligations to provide evidence of training

Forms of Consent

Consent is understood to be given at the time it is collected in order for us to deliver services and support our customers and candidates with evidence of training undertaken with our company.


As training-candidates are less likely to be aware of their rights to have personal details protected, we consider them to be a vulnerable group. Each candidate will be required to read a declaration at the time of course delivery; this clearly outlines the reason for data collection, how the data will be used, how it is stored, restrictions of use and their ‘right to be forgotten’. The candidate will be required to sign and print their name below the declaration, giving their consent to use their personal data, as described within the declaration.


Withdrawing Consent

A customer or candidate may request that their information be removed from our systems and files. The timescales for removal are set out below:

  • Customer, company information: seven years from the last business transaction.
  • Candidate information: six years from the last training course undertaken.

Direct Marketing

Marketing activities will be limited to the promotion of new, relevant services as they become available. Promotions will only be made at a business-to-business level.


Opting Out

A customer’s request for their information to be removed from our systems for promotional purposes must be flagged immediately, and the information passed to the Manager with Data Protection Officer responsibility.


Sharing Lists

No customer or candidate data will be shared with a third-party for the purpose of their own marketing activity.


Where the Company purchases marketing data to expand its customer base, only lists that carry a guarantee that the identified contacts were given the option to opt out will be used.

Staff Training & Acceptance of Responsibility Documentation

Related documentation to this policy:

  • Data Protection Policy - Staff Declaration of Understanding
  • Staff Handbook


Induction

All staff with access to personal data will have their responsibilities outlined during their induction procedures.


Continuing Training

All staff with access to personal data must complete the following documentation on an annual basis, normally in March:

Data Protection Policy - Staff Declaration of Understanding