DATA PROTECTION & RETENTION POLICY
Statement of purpose
This policy sets out how we will look after your (data subject’s) information. This includes what you tell us about yourself, what we learn about you, and the choices you give us about what marketing you want us to send to you. It also provides details of your privacy rights and how to exercise those rights with us.
Data Protection Officer as listed on the last page of this Data Protection Policy
This policy applies to all data processed by us, and affects anyone that may be considered a data subject that is processed by us. This includes employees, learners, subcontractors and centre personnel.
How we treat your information
We aim to ensure that all personal data is:
• processed fairly and lawfully
• obtained and processed only for specified and lawful purposes
• adequate, relevant and not excessive
• accurate and kept up to date
• held securely and for no longer than is necessary.
We will process your data when we have a legal basis for processing it. In doing so, we will take appropriate technical and organisational measures to prevent your data from inappropriate disclosure. When a data breach occurs, we will take steps to inform you without unnecessary delay.
In processing your information we may provide it to relevant third parties such as our suppliers and enforcement agencies where we have a legal basis for doing so. We will never sell your personal information.
Where do we get your personal data / what personal data do we collect?
We may collect and process the following personal data:
Information which you freely provide to us
For example when you:
complete a survey or form,
correspond with us by phone, e-mail, or in writing,
sign up to receive notifications / messages from us,
apply to work for us,
enter into a contract with us to receive products and/or services.
We may need to collect personal information by law, or to enter into or fulfil a contract we have with you.
If you choose not to give us this personal information, it may delay or prevent us from fulfilling our contract with you, or doing what we must do by law. It may also mean that we cannot run your accounts or policies. It could mean that we cancel a product or service you have with us.
We sometimes ask for information that is useful, but not required by law or a contract. We will make this clear when we ask for it. You do not have to give us these extra details and it won't affect the products or services you have with us.
Information we collect about you on our website
If you visit our websites, we may automatically collect the following information:
technical information, including the internet protocol (IP) address used to connect your computer to the Internet, login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
information about your visit to our Website such as the products and/or services you searched for and viewed, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
Information we receive from other sources / third parties
As part of our role, we routinely collect and process personal data that is provided to us by our customers without direct access to data subjects.
If you are an assessor, tutor or learner, we may receive information about you from your centre, training provider, or employer when they register to receive products and/or services from us. As a regulated awarding organisation, we may also receive information about you from other statutory / governmental agencies or other awarding organisations in order to protect public confidence in qualifications.
By providing personal information to us, you give consent to us for processing the data as set out within this document, and you confirm that you have obtained the appropriate consent from the relevant individuals for the personal data to be processed accordingly by us. We reserve our right to refuse to process information received from you if we have reasonable suspicion that data subjects have not provided consent, or where we feel that there is no legitimate basis for processing.
Information about other people
If you provide information to us about any person other than yourself, such as your relatives, next of kin, your advisers or your suppliers, you must ensure that they understand how their information will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to use it.
We may refuse to process information about other people if we have reasonable suspicion that they have not provided their consent, or where we feel that there is no legitimate basis for processing.
Sensitive personal data
Sensitive personal information includes information about your:
racial or ethnic origin,
religious or similar beliefs,
trade union activities,
physical or mental health condition,
details of any commission or alleged commission of offences,
genetic or biometric data.
In certain cases, we may need to process sensitive personal data from you. We aim to minimise collecting this information so far as possible, and will only collect and process this information if it is absolutely essential to do so, for example to confirm your ability for physical tasks completed during assessments. We aim to do so on the basis of your explicit consent unless there is a legal basis not to.
Personal data held for equal opportunities monitoring purposes
Where personal data obtained is to be held for Equal Opportunities monitoring purposes, all such data will be made anonymous.
Why do we process your data?
When we ask you to supply us with personal data we will make it clear whether the personal data we are asking for must be supplied so that we can provide the products and services to you, or whether the supply of any personal data we ask for is optional.
To take steps to fulfil, or linked to, a contract:
To provide products and/or services which we are contractually obliged to provide to you, your client or the organisation you work for in relation to the contract;
To keep you up to date with any information required in relation to contracted products and/or services between us;
Discharge our duties as an employer.
Legal obligations / Public interest
To monitor qualification achievement standards over time,
To maintain records of achievement and confirm your achievements,
To fulfil any regulatory or statutory obligations of the organisation, such as to provide information / respond to any lawful or proportionate request by government authorities, law enforcement or statutory bodies,
To promote public confidence in qualifications (for example to detect, deter and prevent fraud or malpractice).
Vital interests of the data subject
To protect the safety and security of yourself or others as outlined within our Health and Safety Policy.
Overriding legitimate interests
These interests may include our or a third party’s interests, for example:
For the purposes of good governance,
To audit, analyse and protect systems and data from misuse,
To maintain security, functionality and improve your experience on our website,
To improve or develop our products and/or services,
To monitor, analyse, and improve sales, organisational performance and business performance,
To request your consent to be contacted by us about relevant products / services,
To conduct prospective research relevant to education, standards that affect our organisation or our products / services,
To collect outstanding debt owed to us,
To resolve arising issues, complaints, claims, or disputes between us and you or your client.
We will rely on your consent to:
provide marketing or information which is not directly relevant to your contract with us,
process or transfer sensitive information where it is not required by a legal, public interest or overriding legitimate interest obligation.
Each marketing email that is sent provides you with the ability to unsubscribe from receiving marketing emails at any time. Alternatively, you can change your preferences by sending a request to us.
(Please note that you cannot opt out of notifications / information related to a contract for products / services unless you terminate the contract itself).
Automated decision making
We may from time to time promote / provide information on social media websites such as LinkedIn, and Facebook that may conduct ‘automated decision making’ in relation to our communication notices we post on those sites. Your interactions with us on those platforms are subject to the terms and conditions of the respective sites, and you do so at your own risk.
We aim to track your engagement with us on the site in which it originates and limit the transference of information outside of those sites in accordance with best practice and the terms and conditions of those sites. We will not store or transfer your interaction within those sites outside of the relevant social media unless there is a proportionate and necessary legal basis for processing. If you have any concerns about how your information is used and the notifications you receive on those sites, you are advised to contact them directly.
Sharing with third parties
We may disclose and share your personal information with:
employers, education institutions or parent/carer (where they have purchased access to our products / services on your behalf)
our service providers / contractors (for example, suppliers who develop or host our IT Services) to the extent where it is required to deliver products / services to you, or to uphold any overriding legitimate interest,
external auditors, to the extent where it is necessary to assess our governance and compliance arrangements,
law enforcement agencies, statutory organisations, governmental bodies or other relevant organisations where we have a legal or public interest obligation to do so,
investigatory and fraud protection agencies, to verify your identity, prevent fraud and/or other criminal offences,
to anyone we deem necessary to protect your vital interests, including the security / safety of yourself and / or other persons, as consistent with applicable law,
debt collection agencies, to protect our legitimate business interests (for example, to collect outstanding debt from your organisation),
in other situations with your consent.
Statutory bodies and government agencies we work with may include, but are not limited to, the following:
SafeCert Awards Ltd
Her Majesty’s Revenue and Customs (HMRC),
Department for Work and Pensions,
Health and Safety Executive (HSE),
Information Commissioner’s Office (ICO).
All of our service providers, centres, and contractors are contractually required to implement appropriate technical and organisational measures to meet the requirements of applicable law, and to process information only in compliance with it.
When we have any customers outside the European Union, data originating from these regions may be processed in the UK and transferred back to its origin country. Data originating from the European Union will not be processed outside the European Union unless it is essential, and even so, not without adequate technical and organisational safeguards.
Whistleblowing and malpractice
In accordance with the conditions of recognition, we may report to third parties such as other awarding organisations, centres and statutory bodies where we have reasonable grounds for suspecting that you have contravened our Malpractice or Maladministration Policy or committed a relevant criminal offence. We will only share your information with organisations so far as is reasonable to investigate any allegations that may affect the delivery of our products / services, or to fulfil our legal obligations under any conditions of recognition applied by a statutory body.
To protect personal information, you are urged to:
notify us of any changes to your information / status to ensure your information is accurate and up to date,
keep passwords safe,
only access our services using secure networks,
maintain updated internet security and virus protection software on your devices and computer systems,
contact us immediately if you suspect a security or privacy concern or issue.
We may immediately suspend or terminate your access without notice if we become aware that you are in breach of our Terms and Conditions or of this Policy.
Providing validation of your achievements
We will not provide this information or confirm your achievements to third parties without your consent.
It is important that you keep your certificate safe, and that you do not disclose these details to third parties if you do not wish for them to verify your details. By providing this information to a third party, you are consenting for the person to verify your achievements through any verification service which we operate.
Purposes for which personal data may be held (employees)
Personal data relating to employees may be collected primarily for the purposes of:
recruitment, promotion, training, redeployment, and/or career development;
administration and payment of wages and sick pay;
calculation of certain benefits including pensions;
disciplinary or performance management purposes;
recording of communication with employees/students and their representatives;
compliance with legislation;
provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist future potential employers; and
Staff, volunteers and students, staffing levels and career planning.
All our employees, centres and relevant contractors are required to keep up to date with training and updates provided by the ICO regularly for advice and guidance on data protection issues and to aid CPD. Unauthorised access, amendment, deletion or transfer of records will be treated as gross misconduct / malpractice by us.
As a requirement of the new General Data Protection Regulation (GDPR), and as part of my commitment to be transparent about the way that I collect, store and process information about you, I have written this policy to explain in detail what happens to any information I hold on you. Please refer to my Privacy Notice for further information about my data protection procedures and responsibilities.
Any data that I retain relating to you will fall under one of the following categories:
e.g. Medical information via pre-course questionnaires for any special requirements, attendance registers, accident form, medical disclosure form required for physically related tasks such as manual handling
These items contain welfare information. I am required to retain these records for legal / insurance purposes for at least the validity period of the award you are entered for.
e.g. Contracts, Attendance Registers, Invoices & Payment Records, Records of Defaults / Legal Action
These items include payment and attendance information. For HMRC purposes, I am required to retain these records for 6 years.
I will also retain your contact information (phone number and email address) for up to the validity of the award, to verify that you are qualified or so that you are able to request the issue of, for example, a replacement certificate. This will also allow us to contact you to clarify any accounts or financial information where necessary.
I will ensure that all data is stored securely. Paper records are kept in a lockable file and digital files are stored on a computer which is secured with a password and virus protection. Following the retention period, paper records will be shredded and digital files securely deleted.
In addition, we ask for original photographic documents such as a driving licence or passport. This is only for the trainer/assessor/IQA to verify your identity before they register you on an accredited award. We will not keep copies of these on our files.
You have the right to request access to information that I hold about you. You may also ask for information held about you to be withdrawn – your ‘right to erasure’. Please refer to my Privacy Notice for further details regarding your rights to access data. There are, however, exceptions to these rights; for example, the right to access or erasure may be refused due to legal or regulatory restrictions or where the disclosure of information risks adversely affecting the rights and freedoms of third parties.
Exercising your data rights
We aim to deal with any concerns which you may have about your information effectively and efficiently as part of our day to day operations with you.
If you have a concern about the way your data is used which cannot be addressed by our representative you work with, write to the data protection officer as listed on the last page of this document, with your concerns or formally exercise your legal rights by using the Data Rights Form as listed in appendix 1.
The form covers the following requests:
subject access request (SAR)
amendment / rectification request
We won’t normally charge a fee unless it is reasonable and within the confines of the law.
For more information about how your rights apply, please see the ICO guidance at ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
We aim to respect your request wherever possible; however, please note that there are exceptions to when these rights may apply. If we are unable to comply with your request due to an exception, we will explain this to you in our response.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Data rights response – timescales and costs
If you are not a learner, we will usually comply with your request within 30 days of the receipt of your request, or at most, 60 days, if the information we hold about you is excessive.
If you are a learner, we may not be able to comply with your request as it may prejudice the assessment process. We are obliged to disclose information about you (including any results or scripts) within 40 days of receiving a formal request for disclosure from you, unless you request the results before they have been announced, in which case we are required to respond within 5 months of the date of the request, or within 40 days from when the results are published (whichever is earlier).
If there is an administrative error and your mark has not been recorded accurately, we will correct it when you request a SAR. The DfE has stipulated by contract that they must be informed whenever a learner exercises their data rights with an awarding organisation. In submitting a request to us, you agree to your request being passed to the DfE.
Event of a breach
In the event of a breach of your personal information, we will take reasonable steps to inform you wherever possible. We will also make best endeavours to inform the ICO within 72 hours of first finding the breach. If relevant to any legal obligation, we will also inform the appropriate regulator and the DfE.
Our recovery time objective (RTO) is:
1 working day for minor breaches
5 working days for serious breaches
This may be longer in serious or complex cases.
Retention of records
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any regulatory duty, public interest, or overriding legitimate interest.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Credit card information is not stored; such information is processed directly on PCI DSS compliant systems provided by payment / banking providers.
Personal information relevant to staff at our approved centres is usually held for a minimum of 6 years after contract termination. After 3 years, only summary information about the staff’s name and job role is held.
Learner achievement information is normally held indefinitely as it is in both your and the public interest to be able to verify your qualification achievements. Your assessment evidence and responses are retained so long as it is relevant to maintain the standards of assessment and qualifications, up to a maximum of 7 years.
Sensitive personal information, such as biometric information or information linked to reasonable adjustments / special consideration, is removed as soon as practicable, and at most retained for a year from the date of the outcome.
For more information, please refer to our Data Retention Policy.
We take very seriously any improper collection or misuse of personal information. Please report it to us in accordance with our Malpractice Policy to our Data Protection Officer as listed on the last page of this document.
You can also complain to us in accordance with our Complaints Policy.
If you believe that your data protection rights may have been breached, and we have been unable to resolve your concern, you may lodge a complaint with the applicable supervisory authority or seek a remedy through the courts.
Please visit ico.org.uk/concerns/ for more information on how to report a concern to the UK Information Commissioner’s Office.
Appendix 1 - Data Rights Request Form
Data Rights Request Form
What is your relationship to us?
I am / was connected with a course
I am / was a registered candidate
I was previously a member of staff / contractor
When was this?
Please provide any identification numbers / reference numbers which we issued to you which you are aware of
Please provide any details of centres whom you are connected to
What data rights are you looking to exercise?
Restrict processing request
Object processing request
Provide any further notes / explanation for your request
I confirm I am the named data subject above, and I confirm that I authorise you, the company listed above, to take any processing steps necessary to deal with my request. We are contractually and legally obliged to inform other agencies such as the Department for Education of any requests of this nature, and will provide the details of your request to that organisation.
Admin use only
Collated: Person responsible
Date received:
I, the data protection officer and responsible officer as listed below, authorise the use of the policy and have signed and dated it.
FAST Fire & Security Technologies Ltd
5 Glamorgan Street
Data Protection Officer
This policy will be reviewed at least on a yearly basis and signed and dated on review
Last Review Date: 03/02/2020
List of Changes: N/A
Name of Data Protection Officer: MD
Signature of Data Protection Officer: DH