006 - Data Protection Policy GDPR

POLICIES&PROCEDURES

DataProtectionPolicy (GDPR)

Introduction

Thispolicyappliestotheprocessingofpersonaldatainmanualandelectronicrecordskeptbythe Company.ItalsocoverstheCompany’sresponsetoanydatabreachandotherrightsunderthe GeneralDataProtectionAct2018andGeneralDataProtectionRegulations(GDPR).

Thispolicyappliestothepersonaldataofemployeesandlearners;jobapplicants,existingand formeremployees,apprentices,volunteers,placementstudents,workersandself-employed contractors,potential,existingandcompletedlearners.Thesearereferredtointhispolicyas relevantindividuals.

“Personaldata”isinformationthatrelatestoanidentifiablepersonwhocanbedirectlyorindirectly identifiedfromthatinformation,forexample,aperson’sname,identificationnumber,location, onlineidentifier.Itcanalsoincludepseudonymiseddata.

“Specialcategoriesofpersonaldata”isdatawhichrelatestoanindividual’shealth,sexlife,sexual orientation,race,ethnicorigin,politicalopinion,religion,andtradeunionmembership.Italso includesgeneticandbiometricdata(whereusedforIDpurposes).

“Criminaloffencedata”isdatawhichrelatestoanindividual’scriminalconvictionsandoffences.

“Dataprocessing”isanyoperationorsetofoperationswhichisperformedonpersonaldataoron setsofpersonaldata,whetherornotbyautomatedmeans,suchascollection,recording, organisation,structuring,storage,adaptationoralteration,retrieval,consultation,use,disclosureby transmission,disseminationorotherwisemakingavailable,alignmentorcombination,restriction, erasureordestruction

TheCompanymakesacommitmenttoensuringthatpersonaldata,includingspecialcategoriesof personaldataandcriminaloffencedata(whereappropriate)isprocessedinlinewithGDPRand domesticlawsandallitsemployeesconductthemselvesinlinewiththis,andotherrelated,policies WherethirdpartiesprocessdataonbehalfoftheCompany,theCompanywillensurethatthethird partytakessuchmeasuresinordertomaintaintheCompany’scommitmenttoprotectingdata In linewithGDPR,theCompanyunderstandsthatitwillbeaccountablefortheprocessing, managementandregulation,andstorageandretentionofallpersonaldataheldintheformof manualrecordsandoncomputers.

2.Typesofdataheld

ThefollowingtypesofdatamaybeheldbytheCompany,asappropriate,onrelevantindividuals:

name,address,phonenumbers-forindividualandnextofkin CVsandotherinformationgatheredduringrecruitment referencesfromformeremployers NationalInsurancenumbers jobtitle,jobdescriptionsandpaygrades taxcodes holidayrecords internalperformanceinformation medicalorhealthinformation/sicknessabsencerecords conductissuessuchaslettersofconcern,disciplinaryproceedings termsandconditionsofemployment trainingdetailspriorqualifications Bankaccountinformation Pension Dateofbirth

Learningactivityandfundingused

RelevantindividualsshouldrefertotheCompany’sprivacynoticeformoreinformationonthe reasonsforitsprocessingactivities,thelawfulbasesitreliesonfortheprocessinganddata retentionperiods.

3 Dataprotectionprinciples

AllpersonaldataobtainedandheldbytheCompanywill:

beprocessedfairly,lawfullyandinatransparentmanner becollectedforspecific,explicit,andlegitimatepurposes beadequate,relevantandlimitedtowhatisnecessaryforthepurposesofprocessing bekeptaccurateanduptodate Everyreasonableeffortwillbemadetoensurethatinaccurate dataisrectifiedorerasedwithoutdelay notbekeptforlongerthanisnecessaryforitsgivenpurpose beprocessedinamannerthatensuresappropriatesecurityofpersonaldataincluding protectionagainstunauthorisedorunlawfulprocessing,accidentalloss,destructionordamage byusingappropriatetechnicalororganisationmeasures complywiththerelevantGDPRproceduresforinternationaltransferringofpersonaldata.

Inaddition,personaldatawillbeprocessedinrecognitionofindividuals’dataprotectionrights,as follows:

therighttobeinformed therightofaccess therightforanyinaccuraciestobecorrected(rectification) therighttohaveinformationdeleted(erasure) therighttorestricttheprocessingofthedata therighttoportability therighttoobjecttotheinclusionofanyinformation therighttoregulateanyautomateddecision-makingandprofilingofpersonaldata.

4.Procedures

TheCompanyhastakenthefollowingstepstoprotectthepersonaldataofrelevantindividuals, whichitholdsortowhichithasaccess:

Itappointsoremploysemployeeswithspecificresponsibilitiesfor: theprocessingandcontrollingofdata1. thecomprehensivereviewingandauditingofitsdataprotectionsystemsandprocedures2. overviewingtheeffectivenessandintegrityofallthedatathatmustbeprotected.3. Thereareclearlinesofresponsibilityandaccountabilityforthesedifferentroles. Itprovidesinformationtoindividualsontheirdataprotectionrights,howitusestheirpersonal data,andhowitprotectsit.Theinformationincludestheactionsrelevantindividualscantakeif theythinkthattheirdatahasbeencompromisedinanyway

Itprovidesitsemployeeswithinformationandtrainingtomakethemawareoftheimportance ofprotectingpersonaldata,toteachthemhowtodothis,andtounderstandhowtotreat informationconfidentially

Itcanaccountforallpersonaldataitholds,whereitcomesfrom,whoitissharedwithandalso whoitmightbesharedwith

Itcarriesoutriskassessmentsaspartofitsreviewingactivitiestoidentifyanyvulnerabilitiesin itspersonaldatahandlingandprocessing,andtotakemeasurestoreducetherisksof mishandlingandpotentialbreachesofdatasecurity Theprocedureincludesanassessmentof theimpactofbothuseandpotentialmisuseofpersonaldatainandbytheCompany Itrecognisestheimportanceofseekingindividuals’consentforobtaining,recording,using, sharing,storingandretainingtheirpersonaldata,andregularlyreviewsitsproceduresfordoing so,includingtheaudittrailsthatareneededandarefollowedforallconsentdecisions.The Companyunderstandsthatconsentmustbefreelygiven,specific,informedandunambiguous. TheCompanywillseekconsentonaspecificandindividualbasiswhereappropriate.Full informationwillbegivenregardingtheactivitiesaboutwhichconsentissought.Relevant individualshavetheabsoluteandunimpededrighttowithdrawthatconsentatanytime

Ithastheappropriatemechanismsfordetecting,reportingandinvestigatingsuspectedor actualpersonaldatabreaches,includingsecuritybreaches.Itisawareofitsdutytoreport significantbreachesthatcausesignificantharmtotheaffectedindividualstotheInformation Commissioner,andisawareofthepossibleconsequences Itisawareoftheimplicationsinternationaltransferofpersonaldatainternationally.

5.Accesstodata

RelevantindividualshavearighttobeinformedwhethertheCompanyprocessespersonaldata relatingtothemandtoaccessthedatathattheCompanyholdsaboutthem.Requestsforaccessto thisdatawillbedealtwithunderthefollowingsummaryguidelines:

AformonwhichtomakeasubjectaccessrequestisavailablefromtheHeadofCentralSupport.The requestshouldbemadetotheHeadofCentralSupport.

TheCompanywillnotchargeforthesupplyofdataunlesstherequestismanifestlyunfounded, excessiveorrepetitive,orunlessarequestismadeforduplicatecopiestobeprovidedtoparties otherthantheemployeemakingtherequest

TheCompanywillrespondtoarequestwithoutdelay.Accesstodatawillbeprovided,subjectto legallypermittedexemptions,withinonemonthasamaximum.Thismaybeextendedbyafurther twomonthswhererequestsarecomplexornumerous.

RelevantindividualsmustinformtheCompanyimmediatelyiftheybelievethatthedatais inaccurate,eitherasaresultofasubjectaccessrequestorotherwise TheCompanywilltake immediatestepstorectifytheinformation

6.Datadisclosures

TheCompanymayberequiredtodisclosecertaindata/informationtoanyperson The circumstancesleadingtosuchdisclosuresinclude:

anyrelevantfundingbodies anyrelevantexaminationbodies anyemployeebenefitsoperatedbythirdparties disabledindividuals-whetheranyreasonableadjustmentsarerequiredtoassistthematwork individuals’healthdata-tocomplywithhealthandsafetyoroccupationalhealthobligations towardstheemployee forStatutorySickPaypurposes HRmanagementandadministration-toconsiderhowanindividual’shealthaffectshisorher abilitytodotheirjob thesmoothoperationofanyemployeeinsurancepoliciesorpensionplans.

Thesekindsofdisclosureswillonlybemadewhenstrictlynecessaryforthepurpose

7.Datasecurity

TheCompanyhasachievedandcontinuestoadheretoCyberEssentialsPlusAccreditation–CertificateNo:280ff6c6-4cc6-4f61-b54f-821d4e5d53e8–CertDate:Nov2022

TheCompanyadoptsproceduresdesignedtomaintainthesecurityofdatawhenitisstoredand transported.

Inaddition,employeesmust:

ensurethatallfilesorwritteninformationofaconfidentialnaturearestoredinasecuremanner andareonlyaccessedbypeoplewhohaveaneedandarighttoaccessthem ensurethatallfilesorwritteninformationofaconfidentialnaturearenotleftwheretheycanbe readbyunauthorisedpeople checkregularlyontheaccuracyofdatabeingenteredintocomputers alwaysusethepasswordsprovidedtoaccessthecomputersystemandnotabusethemby passingthemontopeoplewhoshouldnothavethem usecomputerscreenblankingtoensurethatpersonaldataisnotleftonscreenwhennotinuse.

Personaldatashouldnotbekeptortransportedonlaptops,USBsticks,orsimilardevices.These shouldallbekeptsecurelywithinthesystemtheyarestored,eg:PICS,Zohodriveetc

Thetransmissionofdataisdonesecurelythroughsystemsweuse:Zoho,PICS,etc Allaccountsare passwordprotectedandencrypted

FailuretofollowtheCompany’srulesondatasecuritymaybedealtwithviatheCompany’s disciplinaryprocedure Appropriatesanctionsincludedismissalwithorwithoutnotice,dependent ontheseverityofthefailure

8.Internationaldatatransfers

TheCompanydoesnottransferpersonaldatatoanyrecipientsoutsideoftheEEA.

9.Breachnotification

9.1Definition–Incident

Forthetermsofthispolicy,an‘incident’isanyoccurrencewherePersonalDatahas,ormayhave, beenmadeavailabletosomeonewhodoesnothavetherighttoseeoraccessit.Thisdoesnotapply exclusivelytoelectronicinformation,astheDataProtectionActcoversallformofdata,including paperrecords.

ExamplesofanIncident:

AlaptopcontaininglearnerorstaffrecordsgoesmissingwhilstawayfromCompanypremises Alearnerfilecontainingpersonalinformationaboutthatlearner(eg address,DOB,telephone number,etc)cannotbefound

Youre-mailseemstohavebeenhacked,andyoubelievesomepersonaldatayouhavesenttoa colleaguecouldhavebeencompromised

9.2WhattodoifyouthinkanIncidentmayhavetakenplace

Ifyouthinkapotentialbreachofdatasecuritymayhavehappened,youmust:

a)Immediatelyinformamemberofseniormanagement–dothisverbally,notbyemail,andifyou can’tgetholdofonemanager,moveontoanother.

b)Giveasmuchinformationabouttheincidentasyoucan:i.e.whathasoccurred(laptoporfile missing,emailsinsecure),whenitoccurred,whereitoccurred,whyitoccurred

c)Makeasimplewrittenreportassoonaspossible,coveringeverythinginb)above,andhaveit readytosubmitwhenasked.

9.3Whathappensifadatasecuritybreachisreported

Aninvestigationwilltakeplaceandareportmadetothoroughlyassessthelikelihoodofavalid securitybreach,andtrytoidentifywhatrecordsareatrisk.

Ifthesecuritybreachisvalid,andpotentiallossofpersonaldataislikelytohaveoccurred:

TheInformationCommissioner’sOfficewillbecontactedandareportoftheincidentmade Ifandwhenitispossibletoestablishwhoseinformationhasbeencompromised,contactthe individualsowningtheinformation Ifandwhenitispossibletoestablishwhatinformationhasbeencompromised,contactany contractingagencytoadviseofapossiblebreach,andprovideasmuchdetailaspossible

Whereadatabreachislikelytoresultinarisktotherightsandfreedomsofindividuals,itwillbe reportedtotheInformationCommissionerwithin72hoursoftheCompanybecomingawareofit andmaybereportedinmorethanoneinstalment.

Individualswillbeinformeddirectlyintheeventthatthebreachislikelytoresultinahighrisktothe rightsandfreedomsofthatindividual

Ifthebreachissufficienttowarrantnotificationtothepublic,theCompanywilldosowithoutundue delay

10.Training

Newemployeesmustreadandunderstandthepoliciesondataprotectionaspartoftheirinduction

Allemployeesreceivetrainingcoveringbasicinformationaboutconfidentiality,dataprotectionand theactionstotakeuponidentifyingapotentialdatabreach

Thenominateddatacontroller/auditors/protectionofficersfortheCompanyaretrained appropriatelyintheirrolesundertheGDPR

Allemployeeswhoneedtousethecomputersystemaretrainedtoprotectindividuals’privatedata, toensuredatasecurity,andtounderstandtheconsequencestothemasindividualsandthe CompanyofanypotentiallapsesandbreachesoftheCompany’spoliciesandprocedures.

11.Records

TheCompanykeepsrecordsofitsprocessingactivities,includingthepurposefortheprocessingand retentionperiodsinitsDataRecord.Theserecordswillbekeptuptodatesothattheyreflectcurrent processingactivities.

12.DataProtectionOfficer

TheCompanydoesnotmeettheICOrequirementsofneedingtoappointaDataProtectionOfficer.

13.Testing/Assessment

TheHeadofIT&Facilitiesreviewsandtestsonaregularbasistherobustnessofoursecurity proceduresthroughpenetrationtestingtodetermineanyvulnerabilities,theseareriskassessedand threatleveldeterminedwithappropriatemeasuresimplemented.

14.Reviewofthepolicy

ASeniorManagerwillreviewthispolicyannuallyormorefrequentlywheretherearesignificant changesincircumstances.

To be disseminated to: All Staff / Service Users

Authorised by:

Amendments:

Aug 2018 – Created

Dec 2018 – Updated with actions to be taken (9)

Dec 2019 – Cyber Essentials Accreditation certificate number added

Nov 2020 – Replaced Google drive with Zoho drive, Added data protection Act 2018 and a wider list to types of data held

Dec 2021 – Updated Cyber Essential Plus certificate number and certification date

Dec 2022 - Updated Cyber Essential Plus certificate number and certificate date.