DATA PROTECTION POLICY
Overview
1.1. DMR Training & Consultancy Ltd (DMR) collects and uses information about people with whom it communicates, including members of staff, learners and other customers. This information is kept for a variety of purposes including monitoring business and operational performance, recruiting and paying members of staff and complying with legal and contractual obligations to funding bodies, awarding organisations and the government.
1.2. DMR has an obligation to protect its information assets and in particular, the information relating to its members of staff, learners and other individuals in whatever form that information is held (whether on paper, in a computer, or recorded on other material). DMR is responsible for ensuring that personal data is properly safeguarded and processed in accordance with the following legislation – General Data Protection Regulations (GDPR) and the Data Protection Act 2018.
The General Data Protection Regulation (Gdpr) And The Data Protection Act 2018
2.1. The EU General Data Protection Regulation or “GDPR” was approved by the EU Parliament in April 2016 and came into force in the UK on 25th May 2018. The GDPR replaced the Data Protection Act 1998. The Data Protection Act 2018 is the UK’s implementation of the GDPR.
2.2. The legislation applies to ‘controllers’ and ‘processors’. The controller says how and why personal data is processed and the processor acts on the controller’s behalf.
2.3. The legislation introduced increased accountability and greater responsibilities within organisations to ensure that personal data is protected and processed within the bounds of the law. A wider range of data is now be classed as “personal data”. Data processors (e.g. contractors and service providers) are now regulated and there are stricter rules on consent given by data subjects to the collection and processing of their personal data.
2.4. The GDPR provides for two crucial concepts for future project planning: Data Protection By Design and Data Protection By Default. Both of these principles are enshrined in law under the GDPR (Article 25).
2.5. Data Protection by design means embedding data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage. This will help to ensure better and more cost-effective protection for individual data privacy.
2.6. Data Protection by default means that the user service settings (e.g. no automatic opt-ins on customer account pages) must be automatically data protection friendly, and that only data which is necessary for each specific purpose of the processing should be gathered at all.
2.7. Some key definitions relating to the above legislation: –
2.7.1. Consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2.7.2. Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
2.7.3. Data Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. A controller is responsible for compliance with Data Protection Laws. Examples of personal data DMR is the Controller of include employee details or information collected related to learners.
2.7.4. Data Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2.7.5. Data Protection Laws – the General Data Protection Regulation (Regulation (EU) 2016/679) and all applicable laws relating to the collection and use of Personal Data and privacy and any applicable codes of practice issued by a regulator including in the UK, the Data Protection Act 2018.
2.7.6. Data Subject – an individual who is the subject of personal data.
2.7.7. Information Asset – a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited efficiently. Information assets have recognisable and manageable value, risk, content and lifecycles.
2.7.8. Information Commissioner’s Office (ICO) – the supervisory and regulatory authority responsible for upholding individuals’ rights and ensuring all Data Controllers process personal data within the provisions of legislation. The ICO contact details are: – Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Tel: 0303 123 1113 or 01625 545 745).
2.7.9. Personal Data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.7.10. Processor – any entity which accesses or uses personal data on the instruction of a Controller.
2.7.11. Process, Processing and Processed – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.7.12. Special Category Data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
2.7.13. Third Party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Lawful Basis For Processing
3.1. DMR may only collect; process; and share Personal Data fairly and lawfully and for specified purposes. DMR will ensure all processing is affiliated to one or more of the following: –
3.1.1. Consent: the Data Subject has given clear consent to process their personal data for a specific purpose.
3.1.2. Contract: the processing is necessary for purposes of a contract with the Data Subject, or with a view to entering into a contract.
3.1.3. Legal obligation: the processing is necessary to comply with legislation (not including contractual obligations).
3.1.4. Vital interests: the processing is necessary to protect someone’s life.
3.1.5. Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
3.1.6. Legitimate interests: the processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data, which overrides those legitimate interests.
3.2. The lawful basis for processing special category data includes: –
3.2.1. Explicit consent – consent which can be demonstrated.
3.2.2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
3.2.3. Processing is carried out in the course of its legitimate activities with appropriate safeguards.
3.2.4. Processing relates to personal data which are manifestly made public by the data subject.
3.2.5. Processing is necessary for the establishment, exercise or defence of legal claims.
3.2.6. Processing is necessary for reasons of substantial public interest.
Policy Statement
4.1. The purpose of this policy is to set out the standards of how DMR handles personal data whether held electronically or manually. DMR is registered as a data controller with the Information Commissioners Office (ICO). DMR’s functions require it to process personal data, primarily to deliver qualifications and training in the construction and low carbon sectors to our learners. In addition, to administer contracts with members of staff, contractors, and suppliers and to comply with any legal or contractual obligations. This policy sets out what DMR expects of all its members of staff, contractors and learners in order to comply with the data protection laws.
4.2. As a data controller, DMR regards the lawful and correct treatment of personal information as very important to the successful and efficient performance of its business activities and to maintain the confidence of those individuals and organisations with whom it interacts with. It is essential that members of staff, learners and other customers about whom DMR collects information, can trust that their personal information will be kept confidential and that their privacy is respected.
4.3. To this end, DMR fully endorses and adheres to the Principles of Data Protection, as set out in the GDPR and the Data Protection Act 2018, whereby data should: –
4.3.1. Be obtained and processed fairly, lawfully and in a transparent manner and shall not be processed unless certain conditions are met. DMR must be transparent with individuals (data subjects) about how we will use their personal data. This is generally done through a Privacy Notice.
4.3.2. Be obtained for a specified and lawful purpose and shall not be processed in
any manner incompatible with that purpose.
4.3.3. Be adequate, relevant and not excessive for those purposes.
4.3.4. Be accurate and kept up to date.
4.3.5. Not be kept for longer than is necessary for that purpose.
4.3.6. Be processed in accordance with the data subject’s rights.
4.3.7. Be kept safe from unauthorised access, accidental loss or destruction.
4.3.8. Not be transferred to a country outside the European Economic Area, unless
that country has equivalent leveIs of protection for personal data.
4.4. Article 5(2) of the GDPR requires that the controller shall be responsible for, and be able to demonstrate compliance with the Data Protection Principles listed above.
4.5. DMR will: –
4.5.1. Specify why the data is being collected and how it will be used (through a Privacy Statement);
4.5.2. DMR will only process information where it has a specific legal basis to do so.
4.5.3. Ensure that, where DMR asks for consent to use personal data, people are asked to positively opt in, using clear, plain language that is easy to understand.
4.5.4. Tell individuals they can withdraw their consent at any time.
4.5.5. Ensure that all information is adequate, relevant and limited to what is necessary in relation to the purposes for which it is collected.
4.5.6. Ensure that all information is kept accurate and, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay.
4.5.7. Implement appropriate record keeping standards and keep information in an identifiable form for no longer than is necessary for the purposes for which the personal data is obtained.
4.5.8. Ensure information is protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and operational measures.
4.5.9. Report any data breaches promptly and inform the Information Commissioners Office (ICO) and data subjects where required.
4.6. DMR has registered with the Information Commissioner’s Office (ICO) in accordance with the requirements of the Data Protection Act 2018.
4.7. The Operations Manager, in the capacity of DMR’s designated Data Protection Officer (DPO), will be the main contact with the ICO.
4.8. DMR’s members of staff who process or use any personal information must ensure that they follow the Principles of Data Protection at all times. All members of staff must comply with this policy and must ensure that they keep confidential all personal data that they collect, store, use and come into contact with during the performance of their duties. Members of staff must not release or disclose any personal data outside DMR to recipients who are not authorised to access the personal data without the authorisation from the DPO.
4.9. This policy does not form part of members of staff’s formal contracts of employment, but it is a condition of employment that members of staff abide by the rules and policies made by DMR from time to time.
4.10. Compliance with the GDPR and the Data Protection Act 2018 is the responsibility of all members of staff. Any deliberate breach of the Data Protection Policy by a member of staff may lead to disciplinary action being taken or even a criminal prosecution.
4.11. DMR will ensure that members of staff are aware of the Data Protection Policy and its requirements including the breach procedure. This will be undertaken as part of the induction process and ongoing supervision. If staff have any queries in relation to this policy, then they should discuss them with the DPO.
4.12. DMR will ensure that its members of staff are aware of and trained in the company’s data protection legal responsibilities to collect, process, manage and store personal data in a safe and lawful manner.
4.13. DMR requires all its members of staff to complete mandatory training using an on-line data protection and information security learning module administered by the National Cyber Security Centre within 60 days of their start date. All members of staff are required to be retrained annually, or earlier if there are any legislation changes, and to demonstrate a satisfactory understanding of data protection requirements. Training data is kept by the DPO. Staff training records are reviewed every 3 months to ensure training is completed and up to date.
4.14. DMR respects the rights of individuals to access the personal data that is being held about them, to check that it has been fairly obtained and is accurate, and to have such data corrected or deleted where appropriate. DMR also recognises the rights of individuals to prevent their personal data being processed for direct marketing or to object to the processing of personal data where such processing could cause them significant damage or distress.
4.15. Agreement to DMR processing some specified classes of personal data is a condition of acceptance of a learner on any qualification or training programme and a condition of employment for members of staff. This includes information about previous criminal convictions. A refusal by a member of staff or learner to provide consent, can result in an employment, qualification or training programme offer being withdrawn.
4.16. It is the responsibility of members of staff as data subjects to inform DMR of any changes to the information that they have provided in connection with their employment including changes of address or bank account details.
4.17. DMR will maintain the Cyber Essentials Accreditation as a minimum standard to demonstrate its IT Security Management Systems are effective.
Roles And Responsibilities
5.1. The Managing Director has overall responsibility for ensuring DMR complies with all relevant data protection and privacy obligations and for reviewing the Data Protection Policy and procedures on at least an annual basis or when they are changes in legislation.
5.2. The Operations Manager is the designated Data Protection Officer (DPO) for DMR. As such, the DPO will have overall responsibility for the following: –
5.2.1. Arranging the provision of data protection briefing, guidance and support for members of staff regarding their obligations to comply with the data protection laws.
5.2.2. Handling subject access requests and other data protection enquiries from members of staff, learners and other customers.
5.2.3. Responding to individual requests from members of staff, learners and other customers who wish to know what data relating to them is held by DMR.
5.2.4. Checking and authorising third parties that handle DMR’s data.
5.2.5. Promoting and maintaining awareness of data protection laws and related regulations, including staff training, investigating losses and unauthorised disclosures of personal data.
5.2.6. Communicating any changes in legislation, policy or procedures, to members of staff in a timely manner.
5.2.7. Monitoring compliance with data protection laws and conducting internal audits and ensuring members of staff comply with data protection requirements within their remit.
5.2.8. To co-operate with the supervisory authority, the Information Commissioner’s Office (ICO) and to act as a contact point on issues relating to data processing.
Data Protection Procedures
6.1. The following procedures have been developed in order to ensure that DMR meets its responsibilities as a data controller under the terms of the GDPR and the Data Protection Act 2018. For the purposes of these procedures, data collected, stored and used by DMR falls into 2 broad categories – internal and external data records (see below).
6.2. During the course of their duties with DMR, members of staff will deal with personal information data such as the names, addresses, telephone numbers and e-mail addresses of learners, employers and customers. They may be told or overhear sensitive information whilst working for DMR. The Data Protection Act (2018) gives specific guidance on how this information should be dealt with. In summary to comply with the law, personal information data must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
6.3. Compliance with the Data Protection Act 2018 is the responsibility of all members of staff. DMR will regard any unlawful breach of any provision of the Act by any member of staff as a serious matter which will result in disciplinary action. Any member of staff who breaches the Act or the requirements of this Policy, will be dealt with under the Disciplinary Procedure which may result in dismissal for gross misconduct. Any such breach could also lead to criminal prosecution.
6.4. Members of staff must ensure they: –
6.4.1. Adhere to all data protection requirements to ensure the confidentiality, integrity and availability of personal data.
6.4.2. Complete mandatory training on data protection and adhere to information updates on new legislation, policies and procedures as they become operational.
6.4.3. All DMR members of staff that collect and record personal data shall ensure that the personal data is recorded accurately, is kept up to date and shall also ensure that they limit the collection and recording of personal data to that which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used.
6.4.4. All DMR members of staff that obtain personal data from sources outside DMR shall take reasonable steps to ensure that the personal data is recorded accurately, is up to date and limited to that which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used.
6.5. DMR will ensure through its application and registration processes that all individuals give their consent to standard data processing and are notified of the categories of processing, as required by the 2018 Act.
6.6. Where data is defined as sensitive personal data under the Data Protection Act 2018, explicit consent must be obtained from the individual before processing can proceed. The Act defines sensitive personal data as data consisting of information relating to the data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or the commission or alleged commission of any offence.
6.7. Where there is a legal obligation to process data without seeking the consent of the individual, a record will be kept of the circumstances and justification used.
6.8. DMR’s learners are entitled to know what personal data information DMR holds and processes about them and why, how to gain access to it and how to keep it up to date.
6.9. Personal data will be kept in paper-based systems and on a password-protected computer system. Every effort must be made to ensure that paper-based data is stored in an organised and secure system.
6.10. Where practicable, DMR will seek consent from individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photograph), DMR will remove any photograph from use if a formal request is received. This procedure also applies to photographs published on DMR’s website or in a newsletter.
6.11. Information that is already in the public domain is exempt from the 2018 Act.
Internal Data Records
7.1. DMR obtains personal data (e.g. names, addresses, telephone numbers, e-mail addresses) from application forms and references and in some cases from other documents in respect of members of staff.
7.2. This personal data is stored and processed for the purposes of recruitment, equality and diversity impact monitoring, payroll administration etc.
7.3. Any personal data supplied by a member of staff will be kept in a secure filing cabinet or electronic system and will not be accessed during the day to day running of DMR. DMR encourages a ‘clear desk’ approach for those involved in handling personal data in the course of their duties. All members of staff with access to personal data should ensure that when work areas are unattended, no personal data or sensitive information is left unsecured.
7.4. The contact details of members of staff only may be made available to other members of staff.
7.5. The contact details of members of staff will not be passed onto anyone outside DMR without their explicit consent.
7.6. A copy of members of staff’s contact details will be kept in an emergency file for health and safety purposes and may be used in emergency situations e.g. a fire evacuation.
7.7. Members of staff will be supplied with a copy of their personal data that is held by DMR upon formal request.
7.8. All confidential post must only be opened by the addressee.
7.9. All members of staff are responsible for: –
7.9.1. Checking that any information that they provide to DMR in connection with their employment is accurate and up to date.
7.9.2. Informing DMR of any changes to information which they have provided, e.g. changes of address.
7.9.3. Checking information that DMR may send out from time to time, giving details of information kept and processed about members of staff.
7.9.4. Informing DMR of any data information errors or changes. DMR cannot be held responsible for any errors unless the member of staff has informed DMR of them.
External Data Records
8.1. DMR obtains personal data (e.g. names, addresses, telephone numbers, e-mail addresses) from learners, employers and other customers.
8.2. This personal data is stored and processed for the purposes of carrying out business activities efficiency, assisting members of staff in the provision of services and for the supply of relevant and useful information.
8.3. Learners’, employers’ and customers’ personal data will be kept in a secure filing, cabinet or electronic system and will only accessed by those members of staff involved in the delivery of the service.
8.4. Learners’, employers’ and customers’ personal data may often be collected over the telephone and via e-mail correspondence. During these methods of initial contact, the data owner must be given an explanation of how this data will be used. Written consent will not be requested as it will be assumed that consent has been granted when an individual employer or customer freely supplies their own details.
8.5. Learners’, employers’ and customers’ personal data will not be passed onto anyone outside DMR without their explicit consent unless there is a funding body contractual requirement or legal duty of disclosure under other legislation. In such circumstances the DPO will discuss and agree the data disclosure which may be made available to external bodies or individuals. Learners, employers and customers must be made aware when their details are being collected of the circumstances under which personal data may be passed on externally and their verbal or written consent sought.
8.6. DMR will not disclose Personal Data of learners to parents or next of kin where we have no consent from the learner to do so. There may be exceptional circumstances to this rule, for example where it necessary to protect the vital interest of a learner or someone else.
8.7. Learners, employers and customers will be supplied with a copy of their personal data that is held by DMR upon formal request.
8.8. Learners must ensure that all personal data provided to DMR is accurate and up to date.
8.9. Learners must ensure that changes of address, etc are notified to the DMR Administration Assistant or other member of staff as appropriate.
8.10. Learners who use DMR’s computer facilities may, from time to time, process personal data. If they do, they must notify a member of DMR’s staff.
8.11. Trainer/Assessors should make learners aware of their responsibilities under this section as part of the induction process to their training programme or course.
8.12. Learners’, employers’ and customers’ personal data will be stored for as long as the data owner uses DMR’s services and will normally be retained for a longer period of time for reference purposes or as may be contractually required by a funding body.
8.13. Data records may be routinely destroyed in accordance with the provisions of this Policy.
8.14. If a request is received from an organisation or individual to destroy their data records, or an organisation ceases to exist, DMR will remove their data from paper or electronic file systems. This process will be carried out by the DPO.
Access To Computer Systems
9.1. The Operations Manager is responsible for the allocation of access rights for members of staff and contractors to DMR’s computer systems and for setting the level of access permissions on an individual basis. Access rights will be arranged in conjunction with DMR’s IT service provider.
9.2. All members of staff will have access to DMR’s shared drive e.g. to view policies and procedures. However, the level of access to certain information stored within shared drive folders may be restricted depending on an individual member of staff’s job role and the level of access required to undertake that job role.
9.3. The Operations Manager (and where applicable, the Managing Director) will be responsible for the granting and revoking of computer system access permissions for all members of staff.
9.4. In accordance with the Staff Development Policy, DMR will offer new members of staff a structured programme of development starting with induction training through essential job-related training and continuing professional development. The induction process, will include training on data protection, information security, privacy notices and arrangements and rules governing the use of DMR’s computer equipment and facilities.
9.5. Members of staff will be required to attend mandatory training and/or updating sessions as may be arranged by DMR from time to time to train, brief and update members of staff on data protection and information security legislation, rules, requirements and arrangements, including the need to collect, process, manage and store personal data in a safe and lawful manner.
The Rights Of Individuals
10.1. Data protection legislation provides the following rights for individuals, which DMR will respond to within the provision of the law. These rights are not absolute.
10.1.1. The right to receive certain information about our processing activities.
10.1.2. The right of access to personal data.
10.1.3. The right to rectification of inaccurate or incomplete data.
10.1.4. The right to ask DMR to erase their personal data if it no longer necessary in relation the purposes for which it was collected or processed.
10.1.5. The right to restrict processing in certain specific circumstances.
10.1.6. The right to data portability in certain specific circumstances.
10.1.7. The right to object in certain specific circumstances (for example to DMR processing for direct marking purposes).
10.1.8. Rights in relation to automated decision making and profiling.
10.1.9. Right to Withdraw Consent.
10.1.10. Right to Complain to the Information Commissioners Office (ICO).
10.2. Subjects are able to withdraw consent; therefore it is DMR’s Policy that consent should only be relied on as the lawful basis for processing in exceptional circumstances. Where DMR relies on consent as a condition for processing, DMR will: –
10.2.1. Ensure the consent is clear and unambiguous (e.g. no pre-ticked opt-in boxes).
10.2.2. Place consent declarations separate from other terms and conditions.
10.2.3. Provide clear and easy ways for subjects to withdraw consent at any time including contact details of a responsible owner.
10.2.4. Act on withdrawals of consent as soon as possible.
10.2.5. Retain records of consent/withdrawals of consent throughout the lifetime of the data processing.
10.3. The DPO must be contacted to ensure consent is the appropriate legal basis for the processing in question, obtaining of consent meets the requirements of GDPR and open transparency to the data subjects.
10.4. All requests made in relation to the rights listed above should immediately be forwarded to the DPO who will provide advice and assistance on responding to this request.
11. Use Of Computer Equipment
11.1. DMR’s computer systems, equipment and software is the property of DMR used for business purposes. Members of staff are granted access permissions to enable them to undertake their respective job roles.
11.2. Members of staff must seek approval from the Operations Manager prior to using DMR’s system and equipment for personal use.
11.3. Members of staff are required to log-onto DMR’s computer system via the use of their own individual password. Passwords must be kept secret and should not be easily broken, for example using a surname.
11.4. Members of staff should not share their password or use another members of staff’s password. Members of staff doing so will be liable to disciplinary action.
11.5. Members of staff must not load or run unauthorised games or software on DMR’s computer systems or equipment.
11.6. Members of staff must not open documents or communications from unknown sources. Members of staff must not open or download files from the internet. Where required, members of staff should consult the Operations Manager.
11.7. The e-mail facility can be used to promote effective communications within DMR. Direct communications should be the preferable form of communication, where feasible.
11.8. E-mails communication should be written in accordance with the standards of other written communication and the content should be consistent with best DMR practice. Members of staff must note that e-mails may be the subject of legal action against DMR and/or the individual member of staff.
11.9. Staff should always consider if e-mail is the best communication method.
11.10. Staff should always consider whether the e-mail going to just one person.
11.11. Staff should always consider whether to use the ‘reply all’ function. If so, does every person on the list need to receive the reply and any attachment.
11.12. Staff should carefully check the recipients of all e-mails prior to sending regardless of content.
11.13. Staff members should be extra vigilant where personal, sensitive personal or confidential information is included.
11.14. Staff must manage email appropriately, clearing the deleted items folder and using appropriate archiving facilities; and use password protect the content of any email when sending sensitive/confidential/special categories of data.
11.15. Inappropriate use or misuse of DMR’s computer system and equipment may result in disciplinary action being taken against a member of staff, up to and including dismissal. Examples of inappropriate or misuse of computer system and equipment includes, but is not limited to, the following: –
11.15.1. Engagement in on-line gambling or chat rooms.
11.15.2. Accessing racist, pornographic or other inappropriate or unlawful
material.
11.15.3. Sending, receiving, displaying or downloading material that offends, insults or harasses others.
11.15.4. Copying or downloading software
11.15.5. Communicating confidential or sensitive information regarding DMR or one of its customers.
11.16.6. Downloading computer games.
Removable Media
12.1. Removable media is defined as devices or media that is readable and/or writable by the end user and are able to be moved from device to device. Examples of removable media types are USB memory sticks (also known as flash memory devices, thumb devices), digital cameras and optical disks (such as CDs, DVDs).
12.2. Electronic data should only be stored on DMR’s designated drives and servers and should only be uploaded to an approved cloud computing services that DMR may have a contract with (e.g., do not use Dropbox, Google Drive etc.). Electronic personal data stored on DMR’s central server should be password protected, securely encrypted if transferred to any other form of storage device e.g. laptop and deleted at the end of its retention period or when no longer required.
12.3. Each member of staff and learner who uses removable media must take all reasonable precautions to protect and control the removable media from unauthorised physical access, tampering, loss, theft and other threats.
12.4. Sensitive or personal information should be stored on removable media only when it’s encrypted and when it is required for the performance of designated duties or when responding to legitimate requests for information with the minimum amount of data. Unencrypted removable media devices must not be used to store or transfer any sensitive or personal information.
12.5. All users are responsible for their actions regarding the use of removable media, this includes the use of removable media provided by third party.
12.6. Each member of staff and learner should report the loss or theft of any removable media storing sensitive or personal information to the DPO immediately.
12.7. Each member staff and learner should report if an unknown removable media device is found unattended to the DPO.
Home, Remote And Mobile Working
13.1. Members of staff, authorised to work from home or remotely, are responsible for the security of all data, whether held on disc/encrypted memory stick or paper and must ensure it is stored securely to maintain confidentiality of information from family members or visitors.
13.2. Under no circumstances should personal data be stored at staff members’ homes whether in manual or electronic form, on laptop computers or other personal portable device. Staff working from home must ensure the same level of data security is applied and not downloaded to personal devices. Staff are instructed to use DMR provided equipment where possible. Where this is not possible and staff use their own devices, access must be through the Office 365 portal and no data should be downloaded.
13.3. Sensitive or personal data must be disposed of by recognised methods using office based shredding equipment or other means.
13.4. Laptops or other portable equipment must never be left unattended in cars.
13.5. Members of staff should connect with a wired connection wherever possible. Where a wired connection is not possible and a wireless connection is used, this should be a secure connection. Sensitive or personal data should not be accessed via wireless connection. Such data should be stored on a network drive and not held on the portable computer device
13.6. Members of staff will not install any hardware to or inside any DMR owned portable computer device, unless authorised by Operations Manager.
13.7. Members of staff will allow the installation and maintenance of any DMR installed anti-virus updates immediately.
13.8. No family members may use any DMR provided equipment.
13.9. Equipment must be secured whenever it is not in use by either locking away in a cupboard or drawer or by locking the device to the desk.
13.10. Portable computer devices should be switched off, logged off, or the keyboard locked when left unattended, even if only for a few minutes. All data on portable computer devices must, where possible, be encrypted. If this is not possible, then all sensitive and personal data held on the portable device must be encrypted.
13.11. DMR may use video conferencing facilities in order to hold meetings for staff and training sessions for learners virtually. When these are recorded, the organiser of the meeting will inform those involved in the meeting/lesson that it is being recorded and the reason(s) why. Consent can be refused or withdrawn at any time.
Processing Personal Data
14.1. Personal data is information that relates to a living individual directly or indirectly, from which they can be identified. It includes factual information or expressions of opinion about the individual. DMR and its members of staff, learners and associates must comply with the principles set out in the Data Protection Act 2018 when personal data is being processed. Processing includes any activity that involves the handling of personal data including its collection, use, storage, adaptation, dissemination or disposal.
14.2. All members of staff will typically process data about individuals on a regular basis, such as when marking registers, conducting and documenting progress reviews, writing references, or as part of a training delivery and management role.
14.3. DMR will ensure through application and registration processes that all individuals give their consent to these types of data processing and are notified of the categories of processing, as required by the 2018 Act. The information that members of staff deal with on a day-to-day basis will be classed as ‘standard’ and will cover categories such as: –
14.3.1. General personal details such as name, address and telephone number.
14.3.2. Details about training course attendance, course work marks, examination grades and associated comments.
14.3.3. Notes of personal supervision, including comments about learners’ behaviour and discipline.
14.4. Learners are entitled to information about their marks for both coursework and examinations.
14.5. Sometimes it may be necessary to process information about an individual’s health, criminal convictions, race and gender and family details. This may be to
ensure that the DMR training centre is a safe place for everyone e.g. recording information that a learner is pregnant as part of DMR’s pastoral responsibilities, or to operate other DMR policies, such as the sick pay policy or equality and diversity policy.
14.6. As this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, members of staff and learners will be asked to give express consent for DMR to do this. Offers of employment or training programme or course places may be withdrawn if an individual refuses to consent to this, without good reason.
14.7. In some rare cases DMR may need to share information about learners with other public bodies where not to do so could threaten their safety or that of others. DMR will always seek learners’ agreement before it shares the information and take their wishes into consideration. However, if learners or those whose safety is threatened are under the age of 18, then consideration for health and safety is paramount e.g. a learner is injured and unconscious, but in need of medical attention, and a member of staff tells the hospital that the learner is pregnant.
14.8. The Managing Director or Operations Manager may designate certain members of staff as ‘authorised staff’. These members of staff will be the only members of staff authorised to access data that is not standard data or is classed as sensitive data.
14.9. The only exception to this would be if a non-authorised member of staff is satisfied and can demonstrate that the processing of sensitive data is necessary in the best interests of a learner or member of staff and he/she has either informed an ‘authorised staff’ member of this, or has been unable to do so and processing the data is urgent and necessary in all the circumstances.
14.10. Before processing any personal data, all members of staff should consider the following: –
14.10.1. Do you really need to record the information?
14.10.2. Is the information ‘sensitive’?
14.10.3. If the information is sensitive, do you have the data subject’s express consent?
14.10.4. Has the individual been told that this type of data will be processed?
14.10.5. Are you authorised to collect/store/process the data?
14.10.6. If yes, have you checked with the data subject that the data is accurate?
14.10.7. If you do not have the data subject’s consent to process, are you satisfied that it is in the best interests of the individual or the safety of others to collect and retain the data?
14.10.8. Are you sure that the data is secure?
Marketing
15.1. DMR may take photographs and record images of individuals. DMR will obtain verbal consent of general photographs used for social media. Written consent will be obtained for any face-to-face profile photography or videos of staff or learners for marketing and promotional materials.
15.2. Consent can be refused or withdrawn at any time. If consent is withdrawn, DMR will delete the photograph or video and not distribute it further. When using photographs and videos in this way DMR will not accompany them with any other personal information about a learner, to ensure they cannot be identified unless this has been explicitly agreed beforehand, for example on posters describing a learner’s journey and progression route.
15.3. DMR uses a variety of marketing techniques to attract learners, employers and the public to the services and activities DMR offers. DMR may contact individuals to send them marketing or promote DMR, but when this is carried out, it will only be done in a legally GDPR compliant manner where DMR has obtained consent. DMR will keep records documenting how and when consent was given, these may be held in a variety of storage mechanisms depending on the type of data and/or consent required. This information will be readily available for staff to check that consent has been obtained.
Information Security
16.1. DMR will contract with a specialist IT service provider, who will manage DMR’s e-mail system and on-line applications and will provide software device monitoring support, gateway firewall protection and anti-virus endpoint and anti-hijack protection.
16.2. The anti-virus protection measures will prevent malware attacks.
16.3. The IT service provider will manage unexpected systems failure (including the threat of a cyber-attack) and will ensure that DMR’s systems are securely configured and aligned to user access needs and privileges.
16.4. Laptops provided by DMR will be encrypted by the IT service provider.
16.5. In all circumstances, all members of staff must ensure the security of personal data and that personal data is: –
16.5.1. Put away in lockable storage cabinets or drawers.
16.5.2. Not left on unattended desks or tables.
16.5.3. Not accessible to other users via unattended ICT equipment.
16.5.4. Secured through ICT equipment, CD, memory stick or e-mail attachment being password-protected.
16.5.5. Not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.
16.6. All members of staff should ensure that computer passwords are changed regularly.
16.7. Computer data should be regularly backed up in line with DMR’s backup procedures.
16.8. All servers containing sensitive data must be approved and protected by security software and strong firewall.
16.9. Personal data should never be saved directly to mobile devices such as laptops, tablets or smartphones.
16.10. Personal or sensitive data must not be stored on or communicated through services which are not provided by DMR such as personal e-mail
16.11. Paper records containing personal data must be shredded when being disposed.
16.12. All members of staff should ensure that they do not take electronic personal data off DMR’s premises.
16.13. When transferring and sharing data with external organisations, such as the Education and Skills Funding Agency or other funding bodies, necessary security arrangements should be adhered to by members of staff such as using encryption.
16.14. An appropriate leavers and joiners process shall be in place to ensure that all members of staff and contractors have information access permissions revoked and return all of DMR’s assets in their possession upon termination of their employment, contract or agreement.
Data Subject Information Requests
17.1. Members of staff, learners and other customers of DMR have the right to access any personal data that is being kept about them either on computer or in certain files. Any person who wishes to exercise this right should notify the DPO in writing.
17.2. DMR will aim to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 10 working days unless there is good reason for any delay. In such cases, the reason for delay will be explained in writing to the individual or organisation making the request. The statutory deadline for complying with requests for access to personal information is 40 days.
17.3. Requests for data erasure or rectification, i.e. to have inaccurate data rectified or completed if incomplete can be made verbally or in writing. All requests will be recorded and will be responded to within 10 working days. In certain cases, depending on the purpose for holding the data and the nature of the request DMR may be unable to comply, for example if personal data is needed by DMR to comply with a legal obligation (for example sending payroll information to HMRC) or to perform a task carried out in the public interest. If this is the case DMR will inform the individual within a month of the request, explain why this is the case and how to contact the Information Commissioner’s Office to complain about this decision.
17.4. DMR will not usually charge for a data subject request, but reserve the right to charge a reasonable administration fee for excessive or manifestly unfounded requests, if the request is repetitive. DMR may charge for request for further copies of the same information.
17.5. Requests to object to processing including direct marketing, processing based on legitimate interest or performance of a task in the public interest or for purposes of scientific/historical research and statistics can be made in writing to the DPO. DMR will stop processing personal data for direct marketing purposes when we receive an objection. DMR will stop other processing unless it has legitimate grounds for processing which override the interests, rights and freedom of the individual. If this is the case DMR will advise the individual of this.
17.6. Requests in writing can be made to: The Data Protection Officer, DMR Training & Consultancy Ltd, 87-89 Church Street, Leigh, Greater Manchester, WN7 1AZ.
17.7. The Managing Director should be consulted when requests for information about learners are received from the police, statutory bodies, solicitors and third parties.
17.8. All disclosures must be made with consent or in accordance with a non-disclosure exemption as provided in the Data Protection Act 2018 which would cover disclosures to the police, providing the requirements of the exemption are complied with.
17.9. Data Protection Laws impose strict controls on personal data being transferred outside the EEA. Transfer includes sending personal data outside the EEA but also includes storage of personal data or access to it outside the EEA. Personal data must not be transferred to a country outside the EEA unless that country has equivalent levels of protection for personal data. Therefore, any personal data being sent outside of the EEA must be approved by the DPO.
Contracts And Agreements With Third Parties
18.1. Any contracts or agreements issued by DMR to employers and subcontractors (e.g. an agreement with an employer covering the delivery of Apprenticeships) will include reference to the Data Protection Act 2018 and place a contractual responsibility on DMR and employers to ensure that any processing of personal data is undertaken in compliance with the requirements of the Act.
18.2. If DMR appoints a contractor who is a processor of DMR’s personal data, data protection laws require DMR to only appoint them where DMR has carried out sufficient due diligence and only where DMR has appropriate contracts in place. DMR must only use processors who meet the requirements of the data protection laws and protect the rights of individuals.
18.3. The contract must include the following: –
18.3.1. The subject matter and duration of the processing.
18.3.2. The nature and purpose of the processing.
18.3.3. The type of personal data and categories of data subject and obligations and rights of the controller.
18.3.4. To ensure that people processing the data are subject to a duty of confidence.
18.3.5. To take appropriate measures to ensure the security of processing.
18.3.6. Not to engage a sub-processor without the prior consent of DMR.
18.3.7. To assist in providing subject access and allowing data subjects to exercise their rights.
18.3.8. To assist DMR in meeting its obligations in relation to the security of processing.
18.3.9. The notification of personal data breaches and data protection impact assessments.
18.3.10. To delete or return all personal data to DMR as requested at the end of the contract, submit to audits and inspections, provide DMR with whatever information it needs to ensure that they are both meeting their data protection obligations and to tell DMR immediately if it is asked to do something infringing the law.
Data Sharing
19.1. DMR will only share personal data with third parties as part of the statutory duties placed on the organisation or as declared in a Privacy Notice. A Privacy Notice forms part of DMR’s learner enrolment process and new employee’s induction process and they are designed to ensure all learners and staff are fully informed of how their data will be used. DMR will not share information about apprentices and other learners with anyone without consent unless the law and DMR policies allows us to do so.
19.2. DMR has a duty to provide the Education and Skills Funding Agency (ESFA), an executive agency of the Department of Education, with ESFA funded learners’ eligibility, enrolment, achievement and other personal data.
19.3. Information provided by apprentices may be used by DMR to issue them with a Unique Learner Number (ULN) and to create a Personal Learning Record (PLR).
19.4. The ULN enables DMR and other education and training providers and awarding organisations regulated by Ofqual to share information about learners’ participation and achievement in a consistent and approved manner, promoting good information management practice and helping to improve accuracy and efficiency.
19.5. The PLR stores apprentices’ education and training participation and achievement information collected directly from educational institutions and other bodies. The LRS is accessible by DMR under agreement with the Department of Education.
19.6. DMR may use the ESFA’s ILR Learner Entry Tool to submit information relating to apprentices to the ESFA. Data is submitted in an encrypted zip file.
19.7. Information sharing between DMR and external partner or stakeholder organisations will be conducted in accordance with the requirements of the data protection laws and in accordance with a formal contract agreement or service level agreement.
19.8. DMR will ensure that the information shared under such agreements is necessary for the purpose for which it is being shared, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion and is shared securely (e.g. by the use of encryption).
19.9. Personal data will only be disclosed to a third party where a lawful basis exists.
19.10. Personal data will not be shared with third parties unless certain safeguards or contractual arrangements are in place or where there is a legal or statutory obligation to disclose. In dealing with a request, DMR will be sensitive to and give proper consideration to the data subjects rights and privacy in relation to any ‘third party’ information contained in the response.
19.11. Special Category personal data will only be disclosed where a lawful basis specific to Special Category data, as defined by data protection legislation, is met.
Closed Circuit Television
20.1. DMR is fully committed to the safety of its members of staff, learners and visitors and to this extent has invested in the security of its buildings and facilities. This process involves the use, management, operation and regulation of a closed-circuit television (CCTV) system at its office and training centre premises. The CCTV systems will be operated for 24 hours each day, every day of the year. The CCTV systems will help to: –
20.1.1. Protect learners, members of staff, contractors and visitors and their personal property.
20.1.2. Protect DMR’s buildings and equipment.
20.1.3. Support the police in preventing and detecting crime and assist in the identification and apprehension of offenders.
20.1.4. Monitor the security of the site and monitor staff and contractors when carrying out their duties.
20.1.5. Promote the good behaviour of learners.
20.2. The Managing Director will check and confirm that the systems are properly recording and that cameras are functioning correctly, on a regular basis. The systems will be checked and (to the extent necessary) serviced, annually.
20.3. CCTV systems are commonly based around digital technology and therefore need to be treated as holding information that will be processed under the Data Protection Act 2018. Information may be in the form of recordings or down from the CCTV system.
20.4. The CCTV system is registered with the Information Commissioners Office under the terms of the Data Protection Act 2018 and DMR will comply with the requirements of the Data Protection Act 2018 and the Information Commissioner’s Code of Practice.
20.5. Materials or knowledge secured from the CCTV system will not be used by DMR for any commercial purpose. Downloads will only be released to regulatory bodies upon their request.
20.6. All fixed cameras are in plain sight on DMR’s premises and DMR does not routinely use CCTV for covert monitoring or the monitoring of private property outside DMR’s premises.
20.7. No CCTV images will be captured from areas in which individuals would have a heightened expectation of privacy, including changing and washroom facilities.
20.8. Images will be viewed and/or monitored in a suitable environment where it is unlikely they will be accessed or inadvertently viewed by unauthorised persons.
20.9. Images will be stored for four weeks and will be automatically over-written unless DMR considers it reasonably necessary for the pursuit of the objectives outlined above, or if lawfully required by an appropriate third party such as the police or the local authority. Where such data is retained, it will be retained in accordance with the Act and DMR’s Data Protection Policy. Information including the date, time and length of the recording, as well as the locations covered and groups or individuals recorded, will be recorded in a system log book.
20.10. Access to stored CCTV images will only be given to authorised persons, under the supervision of the Managing Director, in pursuance of the above objectives (or if there is some other overriding and lawful reason to grant such access). The Managing Director must be satisfied of the identity of any person wishing to view stored images or access the system and the legitimacy of the request. Wherever practicable steps will be taken to obscure images of non-relevant individuals.
20.11. The following are examples when the Managing Director may authorise access to CCTV images: –
20.11.1 Where required to do so by the police or some relevant statutory authority and in accordance with the law.
20.11.2. To make a report regarding suspected criminal behaviour.
20.11.3. To enable a designated safeguarding lead or an appointed deputy to examine behaviour which may give rise to any reasonable safeguarding concern.
20.11.4. To assist DMR in establishing facts in cases of unacceptable learner behaviour, in which case the parents/guardian may be informed as part of the management of a particular incident.
20.11.5. To enable DMR’s insurance company to pursue a claim for damage done to insured property.
20.12. Where images are disclosed as aforementioned above, a record will be made in a system log including the person viewing the images, the time of access, the reason for viewing the images, the details of images viewed and the crime incident number (if applicable).
20.13. DMR will adhere to the ICO’s code of practice for the use of CCTV.
Retention And Disposal Of Personal Data
21.1. DMR must ensure that personal data is kept no longer than is necessary. Records which have reached the end of their life (whether held in electronic or paper format) should generally be destroyed under confidential conditions.
21.2. No electronic or documentary records will be stored for longer than is necessary. All documents containing personal data will be disposed of securely. In general, information about learners will be kept for a period of 6 years after they complete or leave their training programme or course.
21.3. Personal data for learners funded by the European Social Fund will need to be retained until at least 31 December 2034.
21.4. DMR may need to keep information about members of staff for longer periods of time. In general, all information will be kept for 6 years after a member of staff leaves DMR. Some information however will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references.
21.5. Paper records must be shredded when being disposed of. If there is a significant amount of material which cannot be dealt with by normal shredding machines, this should be disposed of using a reputable disposal contractor.
21.6. Computerised records must be permanently deleted, with particular care taken that ‘hidden’ data cannot be recovered.
Personal Data Security Breaches
22.1. A personal data breach is defined very broadly and is effectively any failure to keep personal data secure, which leads to the accidental or unlawful loss (including loss of access to), destruction, alteration or unauthorised disclosure of personal data. Whilst most personal data breaches happen as a result of action taken by a third party, they can also occur as a result of something someone within DMR does. In the event of an actual, suspected or potential breach, DMR will take immediate action to secure the information and mitigate any further or possible compromise of data.
22.2. Breaches of security can be caused by a number of factors. Some examples are: –
22.2.1. Loss or theft of a learner’s or member of staff’s data and/or equipment on which such data is stored.
22.2.2. Inappropriate access controls allowing unauthorised use of personal data.
22.2.3. Equipment failure.
22.2.4. Human error.
22.2.5. Unforeseen circumstances such as a fire or flood.
22.2.6. Hacking.
22.2.7. ‘Blagging’ offences where information is obtained by deception.
22.3. There are three main types of Personal Data breach which are as follows: –
22.3.1. Confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, personal data e.g. hacking, accessing internal systems that a member of staff is not authorised to access, accessing personal data stored on a lost laptop, phone or other device, people “blagging” access to personal data they have no right to access, putting the wrong letter in the wrong envelope, sending an email to the wrong student, or disclosing information over the phone to the wrong person.
22.3.2. Availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, personal data e.g. loss of a memory stick, laptop or device, denial of service attack, infection of systems by ransomware, deleting personal data in error, loss of access to personal data stored on systems, inability to restore access to personal data from back up, or loss of an encryption key.
22.3.3. Integrity breach – where there is an unauthorised or accidental alteration of personal data.
22.4. If a data security breach occurs, DMR will respond to and manage the breach effectively by means of a 5-part process: –
22.4.1. Reporting a breach.
22.4.2. Containment and recovery.
22.4.3. Assessing the risks.
22.4.4. Notification of breach.
22.4.5. Evaluation and response.
22.5. Members of staff suspecting that a personal data breach has occurred, should not attempt to investigate the matter themselves. They should immediately and without delay, contact the DPO. Members of staff should preserve all evidence relating to the potential personal data breach.
22.6. All members of staff have an obligation to report actual or potential data protection compliance failures. This allows DMR to investigate the failure and take remedial steps, if necessary, maintain a register of compliance failures and notify the supervisory authority of any compliance failures that are material either in their own right or as part of a pattern of failures.
22.7. The DPO will be responsible for logging information risks, by date, impact and the actions required.
22.8. Suspected or confirmed breaches which may cause damage/distress to the data subjects must be reported to the ICO within 72 hours by the DPO, from when DMR becomes aware of it.
22.9. The DPO will investigate the failure and take remedial steps, if necessary, maintain a register of compliance failures and notify the supervisory authority of any compliance failures that are material either in their own right or as part of a pattern of failures.
22.10. The DPO will consider whether the police need to be informed. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
22.11. The DPO will take appropriate steps to recover any losses and limit the damage. He/she will ascertain whose data was involved in the breach, the potential effect on the data subject and what further steps need to be taken to remedy the situation.
22.12. The DPO’s investigation should be completed as a matter of urgency. It will consider the type of data, its sensitivity, what protections are in place (e.g. encryption), what has happened to the data, whether the data could be put to any illegal or inappropriate use, how many people are affected, what type of people have been affected (learners, members of staff, suppliers etc.) and whether there are wider consequences to the breach.
22.13. A clear record should be made of the nature of the breach and the actions taken to mitigate it. If systemic or ongoing problems are identified, then an action plan must be drawn up to rectify them.
22.14. Any member of staff who fails to notify of a breach, or is found to have known or suspected a breach has occurred, but has not followed the correct reporting procedures will be liable to disciplinary action. If the breach warrants a disciplinary investigation, the DPO will conduct such as investigation in line with DMR’s Disciplinary Policy and Procedure.
Personal Data Security Breaches
23.1. DMR will not monitor its members of staff unless it has reason to believe that they are involved in criminal activity. In such instances DMR will operate under the guidance of the police and in accordance with the Data Protection Act 2018.
23.2. DMR reserves the right to introduce monitoring from time to time. Such monitoring may include checking e-mails to ensure the system is not being abused and checking websites visited by members of staff using DMR’s computer systems.
23.3. Prior to introducing monitoring, DMR will outline the purpose for which monitoring is being introduced, ensure the monitoring approach is limited to serve that purpose and where possible, consult with members of staff accordingly.
Data Protection Impact Assessment
24.1. The GDPR introduce a new requirement to carry out a risk assessment in relation to the use of personal data for a new service, product or process. This must be done prior to the processing via a Data Protection Impact Assessment (DPIA). A DPIA should be started as early as practical in the design of processing operations. A DPIA is not a prohibition on using personal data but is an assessment of issues affecting personal data which need to be considered before a new product/service/process is rolled out. Where a DPIA reveals risks which are not appropriately mitigated the ICO must be consulted. All DPIAs must be reviewed and approved by the DPO.
Review
25.1. This policy will be reviewed annually.
• Implementation date: July 2014
• Last reviewed date: December 2022
Helping people succeed in life