Data Protection Policy (GDPR)
DAC Training Solutions needs to keep certain data about its employees, students and other users to allow it to record and monitor performance and achievements and comply with health and safety requirements. Information must be processed for the recruitment and payment of staff, and to satisfy the requirements of funding bodies, Awarding bodies, Government and auditors.
In the course of your work you may come into contact with or use confidential information about employees, clients, students and customers, for example their names, medical history and home address.
The Data Protection Act 1998 contains principles affecting employees’ and other personal records. Information protected by the Act includes not only personal data held on computer but also certain manual records containing personal data, for example employee personnel files that form part of a structured filing system. The purpose of these rules is to ensure you do not breach the Act. If you are in any doubt about what you can or cannot disclose and to whom, do not disclose the personal information until you have sought further advice from Managing Director.
You should be aware that you can be criminally liable if you knowingly or recklessly disclose personal data in breach of the Act. A serious breach of data protection is also a disciplinary offence and will be dealt with under the Company’s disciplinary procedures. If you access another employee’s personnel records without authority, this constitutes a gross misconduct offence and could lead to your summary dismissal.
Notification
The Centre is required to notify the Information Commissioner (formerly known as the Data Protection Commissioner) about the processing of personal data carried out by the Centre. The Centre has notified its processing accordingly and has appointed a designated data controller to review and co-ordinate the processing of personal data within the Centre in accordance with the Data Protection Act 1998 and recommended good practice. The Centre is only permitted to process data within the remit of its notification. Further details of the designated data controller’s role and contact details are set out later in this policy.
Data Protection principles
To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the Centre must comply with the Data Protection Principles set out in the Data Protection Act 1998.
This act has 8 main principles, as itemised below:
Processed fairly and lawfully and must not be processed unless certain conditions are met in relation to personal data and additional conditions are met in relation to sensitive personal data. The conditions are either that the employee has given consent to the processing, or the processing is necessary for the various purposes set out in the Act. Sensitive personal data may only be processed with the explicit consent of the employee and consists of information relating to:
race or ethnic origin
political opinions and trade union membership
religious or other beliefs
physical or mental health or condition
sexual life
criminal offences, both committed and alleged.
Obtained only for one or more specified and lawful purposes, and not processed in a manner incompatible with those purposes.
Adequate, relevant and not excessive. The Company will review personnel files on an annual basis to ensure they do not contain a backlog of out-of-date information and to check there is a sound business reason requiring information to continue to be held.
Accurate and kept up to date. If your personal information changes, for example you change address, you must inform your line manager as soon as practicable so that the Company’s records can be updated. The Company cannot be held responsible for any errors unless you have notified the Company of the relevant change.
Not kept for longer than is necessary. The Company will keep personnel files for no longer than six years after termination of employment. Different categories of data will be retained for different time periods, depending on legal, operational and financial requirements. Any data which the Company decides it does not need to hold for a period of time will be destroyed after one year. Data relating to unsuccessful job applicants will only be retained for a period of one year.
Processed in accordance with the rights of employees under the Act.
Appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Personnel files are confidential and are stored in locked filing cabinets. Only authorised employees have access to these files. Files will not be removed from their normal place of storage without good reason.
Personal data stored on discs, memory sticks, portable hard drives or other removable storage media will be kept in locked filing cabinets or locked drawers when not in use by authorised employees. Data held on computer will be stored confidentially by means of password protection, encryption or coding, and again only authorised employees have access to that data. The Company has network backup procedures to ensure that data on computer cannot be accidentally lost or destroyed.
Not transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the processing of personal data.
The Centre and all staff who process or use any personal information must ensure that they always follow these principles. In order to ensure that this happens, the Centre has published this Data Protection Policy.
Adherence to the Policy
Although this policy is not included in any contract of employment, it is a condition of employment that employees will obey the rules and policies that the Centre develops over time. Failure to observe the Data Protection Policy may therefore lead to disciplinary action and a serious or deliberate breach of the rules may be regarded as gross misconduct. It could also constitute a criminal offence. Any member of staff or student who believes that the policy has not been followed in respect of their personal data should firstly raise the matter with the Centre’s designated data controller (whose details appear later on in this policy). If the matter cannot be immediately resolved then it should be dealt with under the Centre’s grievance procedure in the case of staff, and in the case of students under the Centre’s Student Complaints procedure.
Requirements upon Staff
All staff are responsible for:
Ensuring that any information that they provide to the Centre in connection with their employment is accurate and up to date.
Informing the Centre of any changes to information, which they have provided, such as changes of address.
Informing the Centre of any errors in staff information held by the Centre.
The centre cannot be held responsible for such errors if the staff member has not informed the centre of them. If and when, as part of their responsibilities, staff collect information about other people, (i.e. about students' course work, opinions about ability, references to other Academic institutions or details of personal circumstances).
Data Security
All staff are responsible for ensuring that:
Any personal data that they hold is kept securely. Securely would mean that it is stored in a locked drawer or filing cabinet. Information stored on a computer should be pass worded, and magnetic media used for storage or backup purposes should also be secured.
Personal information is not disclosed in either verbal or written form, deliberately or accidentally to any unauthorised third party.
Under no circumstances must information be released about an individual to any person requesting this information by phone, fax or post unless the identity of the person making the request and that they are entitled to receive the information requested has been confirmed. Parents (unless in relation to children under 16), spouses, partners, children and employers of students are not entitled to information about another individual.
Any personal information passed to third parties who process that information on behalf of the Centre must sign the Centre’s data processing contract. A copy of this contract can be obtained from the Centre’s designated data controller.
Personal data must only be disclosed to those authorised to see it.
Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may in some cases be regarded as gross misconduct. The individual staff member may also incur a personal liability or be charged with a criminal offence.
Student Obligations
Students must ensure that all personal data provided to the Centre is accurate and
up to date. They must ensure that any changes of address are notified to the Centre via their course tutor.
Students using the Centre’s computer facilities may not process any personal data without the express permission, in writing, of the Centre’s designated data controller.
Rights to Access Information
Staff, students and other users of the Centre have the right to access personal data
(Except excluded data) that is being kept about them either on computer or by means of other forms of storage. They are also entitled to be informed of the purpose for which the data is being or is intended to be used and the likely recipients (or class of recipients). The right may be exercised at reasonable intervals (which the Centre deems to be every 6 months). Any person who wishes to exercise this right should contact the Managing director Office.
Other Rights
Individuals have the following additional rights in relation to information processed
about them: -
To request the Centre to not process information which will or is likely to cause substantial and unwarranted damage or distress to the individual;
To be notified of any decisions made solely based on automatic processing, such as performance at work, credit worthiness, reliability or conduct and the logic behind any decision making.
To have a decision based solely on automatic processing to be reviewed upon written request and;
To prevent the Centre from taking any decision which significantly affects the
Individual based solely upon personal information processed by automatic means.
Fair and Lawful Processing
The Centre must ensure that:
Wherever possible individuals are notified of the personal data which has been obtained or retained, its source and the purposes for which the personal data may be used or disclosed; and In most cases, that there is consent for the use and disclosure of that information.
All prospective staff and students will be asked to consent to their data being processed when an offer of employment or a course place is made. A refusal to give that consent, without reasonable grounds, may result in the offer being withdrawn.
If the purposes of intended processing are known to the individual at the time their personal information is collected or if those purposes are normal then a general consent will be deemed to have been given by the individual when furnishing the information.
If the information is not received directly from the individual, the Centre must ensure that the individual has been notified in the manner set out above and that the Centre has authority to use this information.
If the reasons for processing any personal information change, the data subject must be notified at that point.
Occasionally, specific business needs can justify processing without consent.
However, only the Centre’s designated data controller may authorise any such
processing without consent. Provided that the identification of individuals cannot be ascertained or is not disclosed, aggregate or statistical information may be used to respond to any legitimate internal or external requests for data, e.g. returns to National Council – ELWA.
Processing Sensitive Information
Sometimes it is necessary to process information about a person's criminal convictions, race, gender and family details. This may be to ensure the Centre is a safe place for everyone, or to operate Centre policies, such as the equal opportunities policy. The Centre will ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes or disabilities.
The Centre will only use the information in the protection of the health and safety of the individual or to identify support requirements for individuals with disabilities, but will need consent to process for example, in the event of a medical emergency.
Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the Centre to do this.
Offers of employment or course places may be withdrawn if an individual refuse to
consent to this, without good reason.
Data Controllers
The Centre Corporation is the data controller under the Act, and the Acting Principal and Senior Management Team are therefore responsible for implementation. The designated data controller will deal with day-to-day matters. The designated data controller is Dawn Griffiths, Managing Director, email: dawn@dactrainingsolutions.co.uk
Examination Marks
Under the provisions of the Act students are entitled to information about coursework and examination marks as part of their entitlement from the Centre. This information may take longer than other information to provide because of delays by external bodies or moderation processes.
Retention of Data
The Centre will keep some forms of information for longer than others. Data on students, including any information on health, race or disciplinary matters, will be destroyed after 7 years but a summary will be held to contain a full record of academic achievement.
The Centre will need to keep certain central personnel records for lengthy periods (depending on the nature of the data) of up to 10 years. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references.
Conclusion
Compliance with the Data Protection Act 1998 is the responsibility of all members of
the Centre. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, access to Centre facilities being withdrawn, personal liability or even a criminal prosecution. Any queries on the operation or interpretation of this policy should be addressed to the Centre’s designated data controller.