Data Protection Policy
CTSW Skills Ltd needs to keep certain information about its employees, learners and other users to allow it to monitor performance, achievements, and health and safety. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with.
To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, CTSW Skills Ltd must comply with the Data Protection Principles which are set out in the General Data Protection Regulation (GDPR) and revisions. In summary these state that personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to individuals
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR, in order to safeguard the rights and freedoms of individuals
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
CTSW Skills Ltd employees and others who process or use personal information must ensure that these principles are followed. In order to ensure that this happens, CTSW Skills Ltd has developed the Data Protection and Document Retention Policy.
Status of the Policy
This policy does not form part of the formal contract of employment but it is a condition of employment that employees will abide by the rules and policies made by CTSW Skills Ltd. Failure to follow the policy can result in disciplinary proceedings being taken.
Any employee who considers that the policy has not been followed, in respect of personal data about themselves, should raise the matter with their Line Manager who will report it to senior management. If the matter is not resolved it should be raised as a formal grievance.
Notification of data held and processed
All employees, learners and other users are entitled to:
Know what information CTSW Skills Ltd holds and processes about them and why
Know how to gain access to it
Know how to keep it up to date
Know what CTSW Skills Ltd is doing to comply with its obligations under GDPR and its revisions
CTSW Skills Ltd will therefore provide all employees, learners and other relevant users with a standard form of notification. This will state all the types of data CTSW Skills Ltd holds and processes about them, and the reasons for which it is processed. CTSW Skills Ltd will try to do this at least once every three years.
Employees are responsible for:
Checking that any information that they provide to CTSW Skills Ltd in connection with their employment is accurate and up to date
Informing CTSW Skills Ltd of any changes to information which they have provided, e.g. changes of address
Checking the information that CTSW Skills Ltd will send out from time to time, giving details of information kept and processed about staff
Informing CTSW Skills Ltd of any errors or changes. CTSW Skills Ltd cannot be held responsible for any errors unless the employee has informed them
If and when, as part of their responsibilities, employees collect information about other people, such as learners' course work, opinions about ability, references to other academic institutions, or details of personal circumstances, they must comply with the guidelines for employees held at Appendix 1.
Employees are responsible for ensuring that any personal data they hold is kept securely, and that personal information is not disclosed either orally, in writing or accidentally to any unauthorised third party.
Employees should note that unauthorised disclosure and/or failure to adhere to the requirements set out in this Policy will usually be a disciplinary matter and may be considered gross misconduct in some cases.
Physical personal information should be kept in a locked filing cabinet or in a locked drawer. If it is held electronically then the access password to the PC must be protected, and when held on portable media such as a flash drive the files themselves must be password protected or encrypted.
Personal data should never be stored electronically on an employee’s personal IT equipment or in hard copy at an employee’s home.
Ordinarily, personal data should not be processed at an employee’s home unless remote or home working has been agreed as a workplace requirement. In these cases the employee concerned must have the infrastructure provided to allow them to work within the requirements of this policy. This should include a means of securing physical documents, and IT provision that meets the security requirements of other office-based infrastructure.
Data stored on portable electronic devices or removable media is the responsibility of the employee who operates the equipment. It is the responsibility of this individual to ensure that:
Suitable backups of the data exist
Sensitive data is appropriately encrypted
Sensitive data is not copied onto portable storage devices without first consulting the Data Controller to ensure that appropriate encryption and protection measures are in place
Electronic devices and computer media, such as laptops, mobile devices, USB devices and CDs, that contain sensitive data are not left unattended when away from the office
For some information the risks of failure to provide adequate security may be so high that it should never be taken home. This might include payroll information, addresses of learners and staff, disciplinary or appraisal records or bank account details. Exceptions to this may only be made with the explicit agreement of the Data Controller within the senior management team.
Learners must ensure that all personal data provided to CTSW Skills Ltd is accurate and up to date. They must ensure that any changes are notified to an appropriate member of staff.
Rights to access information
Employees, learners and other users of CTSW Skills Ltd have the right to access any personal data that is being kept about them, either electronically or in hard copy.
In order to gain access, an individual may wish to receive notification of the information currently being held. This request should be made in writing to a member of the senior management team.
CTSW Skills Ltd aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 15 working days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the person making the request.
Production of CTSW Skills Ltd information
Information that is already in the public domain is exempt from the GDPR. It is Greenlight Training Ltd’s policy to make as much information public as possible, and in particular the following information will be available to the public for inspection:
Names and contact details of CTSW Skills Ltd senior management team
List of employees
In many cases, CTSW Skills Ltd can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to CTSW Skills Ltd processing some specified classes of personal data is a condition of acceptance of a learner onto any course, and a condition of employment for employees. This includes information about previous criminal convictions.
Some jobs or courses will bring employees and learners into contact with children, including young people below the age of 18. CTSW Skills Ltd has a duty under The Children’s Act 2004 and other enactments to ensure that employees are suitable for the positions they apply for, and learners are suitable for the courses offered. CTSW Skills Ltd also has a duty of care to all employees and learners and must therefore make sure that employees and those who use CTSW Skills Ltd facilities do not pose a threat or danger to other users.
CTSW Skills Ltd will also ask learners for information about particular health needs such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. CTSW Skills Ltd will only use the information in the protection of the health and safety of the individual but will need consent to process in the event of a medical emergency, for example.
Therefore, all prospective employees and learners will be asked to sign a consent to process data regarding particular types of information when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.
Processing sensitive information
Sometimes it is necessary to process information about a person’s health, criminal convictions, race, gender and family details. This can be to ensure CTSW Skills Ltd is a safe place for everyone, or to operate other CTSW Skills Ltd policies such as the sick pay policy or equal opportunities policy.
As this information is considered sensitive and it is recognised that the processing of it may cause particular concern or distress to individuals, employees and learners will be asked to give express consent for CTSW Skills Ltd to do this.
Offers of employment or course places may be withdrawn if an individual refuses to consent to this without good reason.
The Data Controller
CTSW Skills Ltd is the data controller under GDPR and the Managing Director is therefore ultimately responsible for implementation. There are designated data controllers who deal with day to day matters.
CTSW Skills Ltd has designated 2 data controllers who are the primary authorisation for receipt and supply of data requests. They are:
Mandy Davey – Managing Director
Anne Willis – Quality Manager
Learners will be entitled to information about their marks for both coursework and examinations. This may take longer than other information to provide.
Retention of data
CTSW Skills Ltd will keep some types of information for longer than others. Information should not be kept indefinitely unless there are specific requirements. In line with principle 5 of GDPR, information should not be kept longer than is necessary. Appendix 2 gives a breakdown of timescales for the retention of various types of information.
When data is no longer required it should be destroyed through confidential waste disposal.
Compliance with GDPR is the responsibility of all employees of CTSW Training/1st Leap Training. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, access to CTSW Skills Ltd facilities being withdrawn, or criminal prosecution in serious cases. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated data controller.
APPENDIX 1 - STAFF GUIDELINES FOR DATA PROTECTION
1 Employees will process data about learners on a regular basis, when marking registers, writing reports or references, or as part of a pastoral or supervisory role.
2 CTSW Skills Ltd will ensure, as part of the induction procedure, that all learners give their consent to this sort of processing and are notified of the categories of processing as required by GDPR. The information that employees deal with on a day-to-day basis will be standard and will cover categories such as:
General personal details such as name and address
Details about class attendance, course work marks and grades and associated comments
Notes of personal supervision, including behaviour and discipline
3 Information about a learner’s physical or mental health, sex life, political or religious views, trade union membership or ethnicity or race is sensitive and can only be collected and processed with the learner’s consent. If staff need to record this information they should use the CTSW Skills Ltd standard form. For example:
Recording information about dietary needs
For religious or health reasons prior to taking learners on a field trip
Recording information that a learner is pregnant as part of pastoral duties
4 All staff have a duty to make sure that they comply with the data protection principles which are set out in the CTSW Skills Ltd Data Protection Policy. In particular staff must ensure that records are:
Kept and disposed of safely and in accordance with CTSW Skills Ltd policy
CTSW Skills Ltd will designate employees who will be the only people authorised to hold or process data that is:
Not standard data
The only exception to this will be if a non-authorised employee is satisfied that the processing of the data is necessary:
In the best interests of the learner or staff member, or a third person, or CTSW Skills Ltd
He or she has either informed the authorised person of this or has been unable to do so and processing is urgent and necessary
This should only happen in very limited circumstances e.g. a learner is injured and unconscious and in need of medical attention, and an employee tells the hospital that the student is pregnant or has a particular religious belief.
5 Authorised employees will be responsible for ensuring that all data is kept securely.
6 Employees must not disclose personal data to any learner, unless for normal academic or pastoral purposes, without authorisation or agreement from the person involved, or in line with the CTSW Skills Ltd policy.
7 Employees shall not disclose personal data to any other employee except with the authorisation or agreement of the designated data controller, or in line with the CTSW Skills Ltd policy.
8 Before processing any personal data, employees should consider the checklist:
Do you really need to record the information?
Is the information ‘standard’ or is it ‘sensitive’?
If it is sensitive, do you have the data subject’s express consent?
Has the student been told that this type of data will be processed?
Are you authorised to collect/store/process the data?
If yes, have you checked with the data subject that the data is accurate?
Are you sure that the data is secure?
If you do not have the data subject’s consent to process, are you satisfied that it is in the best interests of the learner or the staff member to collect and retain the data?
Have you reported the fact of data collection to the authorised person within the required time?
APPENDIX 2 - DATA RETENTION SCHEDULE - SUMMARY
1. Purpose of this document
A vital part of the CTSW Skills Ltd Data Protection Policy and practice is that personal data is retained by CTSW Skills Ltd for the appropriate period of time; neither too long nor too short. The Data Protection Policy states that it is the CTSW Skills Ltd policy to retain all information only for as long as specified in the Data Retention Schedule and, in general, no longer than two years plus the current year.
This document is a summary of the Data Retention Schedule and gives an indication of the kind of personal data which needs to be retained for longer than the maximum two years stipulated in the policy.
The time limits for those items subject to legislation as specified in detail in the Data Retention Schedule, and outlined in Section 3 below, remain in force and should be referred to in cases of doubt.
2. Current plus two-year rule
As stated in the Data Protection Policy, personal data should not be held by CTSW Skills Ltd for more than two years after it ceases to be current unless there is a specific reason for doing so.
The definition of ‘current’ will vary according to the personal data; for example it will mean until the course has finished where it relates to learners, or until an employee has ceased employment with CTSW Skills Ltd where it relates to employees.
It should be remembered that the ‘current plus two years’ rule is a maximum period for retention. If there is no need to keep the personal data that long then it should be disposed of in an appropriate manner before the two year point.
3. Exceptions to the two-year rule
This section gives a guide to the categories which have legislation determining the length of time for which personal data within that category should be retained. An indication is given of the main section of the Data Retention Schedule dealing with this category.
• Enrolment forms, transfers, withdrawals, disciplinary, appeals: Current year plus 6
• Exams data: Current year plus six
• Purchase ledger, sales ledger, cash book payments etc.: Current year plus 6
• Payroll data: Current year plus six
• Correspondence with complainants: Current year plus 6
• Service level agreements
• Legal contracts
• Tender documentation
Life of contract plus six years
Data Protection/FOI requests
• Correspondence regarding DP/FOIA requests: Current year plus six
• Attendance records – holiday/leave, personal/domestic leave, parental leave, maternity leave
• Flexible working requests
• Return to work discussions and Occupational health reports
• Employment tribunal records
• Disclosure certificates
• Disciplinary and Grievance
Personnel Data Retention Schedule: from six months to 18 years
Health and Safety records
• Health and Safety Retention Schedule: up to 50 years