Our rules on data protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.
Any questions or concerns about the operation of this policy should be referred in the first instance to our HR department at firstname.lastname@example.org.
Everyone has rights about how their personal information is handled. During our activities, we will collect, store and process personal information about our learners, employees, employers and suppliers, and we recognise the need to treat it in an appropriate and lawful manner.
The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR Act 2018 and other regulations. The Act imposes restrictions on how we may use that information.
Computer Misuse Act & Cyber Crime 2018
The Company needs to hold and use information about its employees, job applicants, clients/learners, prospective clients/learners, members and suppliers, in order to carry out its business. Where the information stored constitutes personal data that relates to a living individual, we are obliged to comply with the requirements of the Data Protection Act, 2018, and General Data Protection Regulation (GDPR), as amended.
This Policy sets out what data will be retained and how this data will be managed.
Data Protection Principles
The Company is required to ensure that personal data is:
• processed fairly and lawfully;
• processed only for specific purposes;
• adequate, relevant and not excessive;
• accurate and kept up to date;
• kept for no longer than is necessary;
• kept in accordance with your rights; and
• kept securely and not transferred outside the European Economic Area unless an adequate level of protection for your rights is in place.
In essence, this means that we aim to tell you, in writing, what information we hold about you, the legal reason we hold it, as below, from whom we have obtained it, to whom we will disclose it, where the data is being transferred to (if outside the UK), how the data is to be protected, and the retention period of the data.
Personal Data, and the legal reasons why we hold it
The following are the legal options for holding your data:
• you give your consent;
• processing is necessary for the implementation and performance of a contract with you;
• compliance with a legal obligation;
• processing is necessary to protect the vital interests of yourself or another person;
• the data is necessary for the performance of a task carried out in the public interest;
• the data is necessary for the purposes of legitimate interests pursued by the controller (likely to be the Company holding the data) or a third party (could be someone acting on the Company’s behalf).
Much of the personal or sensitive personal data stored by an organisation will relate to learner recruitment.
In terms of recruitment, these are the reasons why we keep and process data:
• considering your suitability for recruitment;
• administration of all relevant paperwork;
• RPL and APA information relevant to the qualification;
• compliance with legal requirements;
• to establish your training and/or development requirements;
• to establish a contact point in an emergency.
Sensitive Personal Data
In addition, the Company may hold, use and otherwise process sensitive personal data. Sensitive personal data is, according to the GDPR, personal data which consists of the following:
• your racial or ethnic origin;
• your political opinions;
• your religious or similar beliefs;
• your professional memberships;
• your physical or mental health or condition;
• your sexual life.
We envisage processing sensitive personal data in the following circumstances:
• information relating to your physical or mental health or condition, for health monitoring purposes, assessing your suitability for work and for equal opportunities monitoring;
• information relating to your racial or ethnic origin where relevant to any application for a work permit and for equal opportunities monitoring.
A high level of security will be in place for this type of data and limited access will apply.
Obligations relating to your Personal Data
Personal data and sensitive personal data will be held both manually and on computer. Such data shall only be kept for as long as necessary, in accordance with legislation and the Company’s Data Retention Policy.
In order to enable us to comply with the obligation to keep data up to date, you are required to immediately notify the Company of any changes to your personal details including, without limitation, any changes to your name, address or emergency contacts.
Obligations relating to the Personal Data of Others
The Company will not make use of, divulge, or communicate to any person, any personal data or sensitive personal data relating to any third parties, including without limitation the following:
• applicants for training, learning and development (successful and unsuccessful);
• learners and employers and former learners and employers;
• other individuals who are working within the organisation.
Breach of this requirement will be treated very seriously and, where appropriate, disciplinary action will be taken against the relevant employees. You should also be aware that, in certain circumstances, someone making an unauthorised disclosure of personal data could be committing a criminal offence.
The Company will carry out a Data Protection Impact Assessment when implementing new technology or dealing with processing involving high risk for individuals.
Data Subject Rights
The GDPR gives learners, employers and employees certain rights in connection with personal and sensitive personal data which relates to them.
These are your rights in relation to your personal data:
• to be informed of what data we hold, why we hold it and where it came from. This will be explained at the point of requesting the information.
• to make a subject access request and (subject to certain legal exemptions) to receive copies of your personal data which we hold. If you wish to exercise this right, you must make a request in writing to a senior member of staff. There will normally be no charge for providing the information you have requested and it will normally be provided within one month from the date of request.
• to have any inaccurate data corrected or erased.
• to restrict processing.
• to object to the data being held and processed. This may, however, not result in us withdrawing our holding and processing of the data.
• to withdraw consent under certain circumstances.
• other rights in relation to automated decision making and profiling.
• to lodge a complaint with a supervisory authority.
Where the Company decides to use an external data processor, this will be detailed in the written contract. This will ensure that both sides understand their responsibilities.
Data relating to children may require the parents’ consent.
The Company is obliged to report data breaches within 72 hours. Disciplinary action will be taken against you should you not report a breach immediately once you are aware that one has occurred.