GDPR Policy - Privacy Statement

Reviewed July 2021

OUR COMMITMENT

Dynamic Training UK Limited is fully committed to data security and the fair and transparent processing of personal data. This policy sets out how we will treat personal data which you provide to us in compliance with the GDPR law which comes into effect on the 25th of May 2018, this includes building GDPR into current and future contractual commitments. This journey will be a continuous process and will continue up to and after the enforcement date.  The Dynamic Training UK Ltd compliance team is led by our Finance Director and will be responsible for ongoing development and governance of our compliance journey ensuring there is synergy across all businesses and brands.

Dynamic Training UK Ltd strives to improve its security, maintaining privacy for the data it holds and ensuring appropriate security across its partners and supply chain.

Our Commitment to Compliance

  • Commitment to meet all regulatory requirements where appropriate, an active process as further clarification is offered by the ICO
  • Build new regulation into current Management Information Systems as part of continued commitment to security and privacy.
  • Continue along our journey to achieve compliance for GDPR.
  • Plan and prepare to continually improve our policies beyond the 25th May 2018
  • Maintain security and privacy of our data and our client’s data to industry standard best practise / applicable laws.

Data protection policy

Dynamic Training UK Ltd takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU

General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.

Dynamic Training UK Ltd is a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.

This policy explains how Dynamic Training UK Ltd will hold and process your information. It explains your rights as a data subject. It also explains your obligations when obtaining, handling, processing or storing personal data.

Dynamic Training UK Ltd needs to collect and use certain types of information about people with whom it deals with to operate.  These include current, past and prospective employees and students, suppliers, customers, stakeholders and others with whom it communicates.  In addition, it may occasionally be required by law to collect and use certain types of information of this kind to comply with the requirements of government departments.  Any such information, whether deemed confidential or not, relating to a living individual who can be identified from that information (or from that information or other data in the companies possession), and which may be factual (such as name, address or date of birth) or an opinion (such as a performance appraisal) is subject to data protection laws (and is referred to as “personal data” in this Policy, the Data Protection Procedures and its Appendices).   This personal data must be dealt with properly however it is collected, recorded and used – whether on paper or digitally.  This policy describes how this personal data must be collected, handled and stored.  As such, this policy ensures: compliance with the law and best practice protection of the rights of staff, students, partners etc openness about processing and storage of data avoidance of risk of a data breach.

In accordance with the Data Protection Act 1998 (referred to in this Policy, the Data Protection Procedures and its Appendices as “the Act”) EU General Data Protection Regulation and associated EU Directives, Dynamic Training UK Ltd will handle personal data in a manner which complies with the six Data Protection Principles specified under the Act regarding privacy and disclosure:

Data protection principles

Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:

  • be processed fairly, lawfully and transparently;
  • be collected and processed only for specified, explicit and legitimate purposes;
  • be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
  • be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
  • not be kept for longer than is necessary for the purposes for which it is processed; and be processed securely.

We are accountable for these principles and must be able to show that we are compliant.

The Act allows individuals to find out what personal data is held about them by making a subject access request.  This covers information held electronically and in some paper records.  Individuals have the right to obtain personal data in an electronic and structured form which allows further use by the individual.

If individuals think they are being prevented from seeing information they are entitled to, they can ask the Information Commissioner to help.  The Information Commissioner’s Office is responsible for looking after rights of individuals and making sure personal data is not misused.

Dynamic Training UK Ltd is registered with the Information Commissioner and all registrations under the Act are reviewed annually for accuracy and completeness by the company.

Dynamic Training UK Ltd has a Data Protection Officer and maintains records/registers of data processing activity.

How we use your personal information

If you are progressing your career through Dynamic Training UK Ltd Apprenticeships or further/higher education, we may need to collect additional personal information to secure funding or satisfy statutory or legal or Government scheme requirements.

Dynamic Training UK Ltd is funded by the Educational Skills Funding Agency (ESFA) and some of the information you supply will be used by the Educational Funding Agency to fulfil its statutory functions.

This privacy notice has been issued by the Education and Skills Funding Agency (ESFA), on behalf of the Secretary of State for the Department of Education (DfE). It is to inform learners how their personal information will be used by the DfE, the ESFA (an executive agency of the DfE) and any successor bodies to these organisations. For the purposes of the Data Protection Act 1998, the DfE is the data controller for personal data processed by the ESFA.

Your personal information is used by the DfE to exercise its functions and to meet its statutory responsibilities, including under the Apprenticeships, Skills, Children and Learning Act 2009 and to create and maintain a unique learner number (ULN) and a personal learning record (PLR).

Your information may be shared with third parties for education, training, employment and well-being related purposes, including for research. This will only take place where the law allows it and the sharing follows the Data Protection Act 1998.

The English European Social Fund (ESF) Managing Authority (or agents acting on its behalf) may contact you for them to carry out research and evaluation to inform the effectiveness of training.

You can opt out of contact for other purposes by ticking any of the boxes on your learning agreement if you do not wish to be contacted about courses or learning opportunities or for surveys and research. You can also opt out of being contacted by post, phone or email.

Further information about use of and access to your personal data, and details of organisations with whom we regularly share data are available at: https://www.gov.uk/government/publications/esfa-privacy-notice.

How we define personal data

‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intention of us or others, in respect of that person. It does not include anonymized data.

This policy applies to all personal data whether it is stored electronically, on paper or on other materials. This personal data might be provided to us by you, or someone else (for example an employer), or it could be created by us. It could be provided or created during the recruitment to your programme or during your programme or after its termination. It could be created by your manager or other colleagues.

How we define special categories of personal data

‘Special categories of personal data’ are types of personal data consisting of information as to:

  • your racial or ethnic origin;
  • your political opinions;
  • your religious or philosophical beliefs;
  • your trade union membership;
  • your genetic or biometric data;
  • your health;
  • your sex life and sexual orientation; and
  • any criminal convictions and offences.

We may hold and use any of these special categories of your personal data in accordance with the law. If not, contractually applicable you are able to opt in or out.

How we define processing

‘Processing’ means any operation which is performed on personal data such as:

  • collection, recording, organisation, structuring or storage;
  • adaption or alteration;
  • retrieval, consultation or use;
  • disclosure by transmission, dissemination or otherwise making available;
  • alignment or combination; and
  • restriction, destruction or erasure.

This includes processing personal data which forms part of a filing system and any automated processing.

Fair Processing

The Act is not to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the individual to whom the personal data relates.

Dynamic Training UK Ltd will ensure that the individual is told:  that Dynamic Training UK Ltd is the data controller; that the Data Protection Officer is the Dynamic Training UK Ltd representative; the purpose for which the individual’s personal data is to be processed by the companies; and the identity of anyone to whom the personal data may be disclosed or transferred.

Dynamic Training UK Ltd will ensure that:

Any requirements regarding the consent of an individual of the processing of their personal data have been met.  Where information that is regarded as sensitive personal data is processed, explicit consent will usually be required; there is legitimate reason for collecting and using all/any personal data collected;  personal data is not used in any way which has an unjustified adverse effect on individuals;  it is open and honest about what is collected and how it is used;  data is handled in ways in which an individual would reasonably expect;  the data is not used for any unlawful purpose;  data is kept for a reasonable period.  The length of this retention period depends on the purpose for which it was obtained and its nature.  It may be necessary to keep data for a reason set out in Schedules 2 and 3 of the Act.

When collecting personal data an oral or written privacy notice should be issued which states simply the identity of who is collecting data and the purpose(s) for which it will be processed.

What personal data do we collect?

We may collect and process the following personal data if you:

Complete a form on our website, complete a survey, correspond by phone, email or in writing, report a problem, sign up to receive our communication, create an account with us, enter into a training contract with us for us to deliver training.

The information we collect and store relating to you is primarily used to enable us to provide our service

Storing your personal data

The personal information you provide is stored within secure servers.

Please note that the transmission of information via the internet (including email) is not completely secure and therefore, although we endeavour to protect your personal information you provide us, we cannot guarantee the security of date sent to us electronically and the transmission of such data is therefore entirely at your own risk.

All Dynamic Training UK Ltd email addresses support with TLS email encryption, so it is advised if you are concerned about the contents of any email to use this encryption.

Where we have given you (or where you have chosen) a password so that you can access certain parts of our sites or portals, you are responsible for keeping these passwords confidential.

Data security breach

In the event of a reported data security breach leading to the accidental or unlawful destruction, loss, alteration authorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, Dynamic Training UK Ltd will make every effort to inform affected individuals as appropriate and will liaise with the Information Commissioner to the extent required.

The rights of individuals 

Everyone has a right to know what personal data about them is being held and processed and to whom such personal data may be disclosed.  An individual has the following rights (right to subject access) under the Act:

A right of access to a copy of the information comprised in their personal data;   a right to object to processing that is likely to cause or is causing damage or distress;   a right to prevent/restrict processing for direct marketing; a right to object to decisions being taken by automated means;  

a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and a right to claim compensation for damages caused by a breach of the Act.

Therefore, it is very important to have a simple Data Protection statement included on key documents, for example the student learning agreement.

Under the right of subject access above, an individual is entitled only to their own personal data and not to information relating to others.  Dynamic Training UK Ltd does not usually have to comply with a disclosure request to provide information relating to the individual making the request and another individual unless the other individual has consented to disclosure.

However, it is permitted in certain circumstance to disclose information to a third party without telling the individual if it is to meet a legal obligation for example CSA requests for salary details, or HM Revenue and Customs inspectors.  These are:  the prevention or detection of crime; capture or prosecution of offenders; and the assessment or collection of tax/duty.

As stated above, individuals have a right to subject access.  Individuals may make a written request (including email) to Dynamic Training UK Ltd (a “subject access request”) GDPR@dynamictraining.org.uk.  Under the Equality Act 2010 Dynamic Training UK Ltd will make reasonable adjustment and accept a verbal request from an individual with a disability, learning difficulty, medical condition or limited written skills who finds it unreasonably difficult to make a request in writing.  Requests must be made to the Data Protection Officer.  The individual is usually entitled to be given details of the data held, the purpose for which it is being processed and to whom it may be disclosed.  Hence the individual has a right to a copy of all the personal data held about them irrespective of when the records were created.  Before the request is actioned Dynamic Training UK Ltd must be certain that the person making the request is the individual about whom the personal data relates.  Also, the company can ask for any information reasonably required to find the personal data covered by a request.  It is vital that Dynamic Training UK Ltd has a central record of where all data is held so that it can comply with requests for information and comply with the Act.  Requests for information must be actioned as soon as possible and always within 40 days.

The right to subject access is subject to certain exemptions specified in the Act.  These include, for example: exemptions from disclosure of confidential references, examination marks and examination scripts; and a provision that there is no need to comply with a request if it is similar or identical to one complied with earlier unless a reasonable interval has elapsed.

The Information Commissioner has published various practice notes on these exemptions

Disclosing your information

We may disclose your personal information to any company within our corporate group.  This includes, where applicable, our subsidiaries, our holding company and its subsidiaries. We are obliged to provide feedback to your employer if they have funded the course and request it.

We may also disclose your personal information to:

Where 3rd party funding is required within Apprenticeships or further/higher education;

Disclosure of information to third parties;

Information about an individual should not be disclosed to an appropriate third party unless the individual has given consent;

applicable under the provisions of the Mental Capacity Act 2005;

there is a real risk of harm to a child hence the safeguarding of a child’s welfare overrides the need to keep the information confidential – any matters of this nature must be referred to the Dynamic Training UK Ltd nominated safeguarding officers without delay.

Where a third party, e.g. a solicitor is acting on behalf of an individual, written authority from the individual concerned must be requested before the request is processed.

Requests made by parents and guardians for data about children/young people are subject to the Act.  The data is about the individual and does not belong to a parent/guardian.

the child’s level of maturity and their ability to make decisions;

the nature of the personal data;

any court orders relating to parental access or responsibility that may apply;

  • any duty of confidence owed to the child or young person;
  • any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
  • any detriment to the child or young person if individuals with parental responsibility cannot access this information; and any views the child or young person has on whether their parents should have access to information about them.

Usually for learners at Dynamic Training UK Ltd, personal data should not be disclosed to a parent/guardian unless the student has consented to information being shared with that person in their learning agreement.  Any issues or concerns must be discussed with the Safeguarding and Prevent Manager.

In the event Dynamic Training UK Ltd are the data controller in respect of personal data collected from a child, this personal data may not be disclosed or transferred to third parties without the explicit and verifiable consent of the child’s parent or guardian, unless the child understands the implications of his or her actions.

As stated above there are exemptions when information must be disclosed to a third party.  Exemptions do not require Dynamic Training UK Ltd to automatically disclose personal data to the police or other law enforcement agencies – they merely ensure the parameters of the Act are not breached.

Possible sources of data covered by the Act

Learner files and individual learning plans; student data held on MIS.  Email messages and documents/memos/letters. Enrolment forms/learning agreements.  Registers and Curriculum Record Books. Student visit records. Financial records for example invoices, Expenses claims, photographs, video images and social media posts

Possible location of data covered by the Act

Formal files. Central filing systems.  Ad hoc files held by managers/team leaders. Files in storage/archive. Information held by third parties e.g. payroll bureau. Notebooks. CCTV, archived images.  Computerised systems operating both centrally and locally.

Responsibilities of staff

Staff should not share data informally.  When access to confidential information is required, staff can request it from their line managers.

Dynamic Training UK Ltd will provide training to all employees to help them understand their responsibilities when handling data; it is the responsibility of staff to attend such training.

  • Staff should keep all data secure, by taking sensible precautions and following the guidelines.
  • Strong passwords must be used, and they must never be shared.
  • Personal data should not be disclosed to unauthorised people, either within the company or externally.
  • Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
  • Staff should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.

GLA (Greater London Authority)

The GLA’s Privacy Notice The Greater London Authority (GLA) is London’s regional government. The Mayor of London provides Citywide leadership, and the London Assembly is a watchdog for London responsible for holding the Mayor and his advisers to public account. Find out more about what we do and who we work with at www.london.gov.uk.  The Mayor of London is responsible for the Adult Education Budget (AEB) in London and the funding provided for your course. This funding is being used to ‘match fund’ a European Social Fund (ESF) programme for residents in Greater London.  The majority of the information provided by you in this Enrolment Form is collected by Education and Skills Funding Agency (ESFA) under its privacy notice (see below). This information is shared with the GLA, which operates as a data controller of your personal data under relevant data protection law. The GLA is required to process your personal data to enable it to carry out its functions and statutory responsibilities including reporting to the Department of Work and Pensions (DWP) on the ‘match funding' of ESF programmes. In addition, the GLA collects some supplementary information to comply with ESF requirements, for which the DWP is the data controller Information about use of and access to your personal data held by the GLA, details of organisations with whom the GLA regularly share data, information about how long the GLA retain your data, and how to exercise your rights is set out in the GLA AEB Procured Privacy Notice (https://www.london.gov.uk/sites/default/files/2019-0730_aeb_procured_privacy_notice_.pdf).

ESFA

The ESFA’s Privacy Notice  The ESFA has issued this privacy notice, on behalf of the Secretary of State for the Department of Education (DfE). It is to inform learners how their personal information will be used by the DfE, the ESFA (an executive agency of the DfE) and any successor bodies to these organisations. For the purposes of relevant data protection legislation, the DfE is the data controller for personal data processed by the ESFA. Your personal information is used by the DfE to exercise its functions and to meet its statutory responsibilities, including under the Apprenticeships, Skills, Children and Learning Act 2009 and to create and maintain a unique learner number (ULN) and a personal learning record (PLR). Your information will be securely destroyed after it is no longer required for these purposes. Your information may be used for education, training, employment and well-being related purposes, including for research.  The DfE and the English ESF Managing Authority (or agents acting on their behalf) may contact you in order for them to carry out research and evaluation to inform the effectiveness of training. Your information may also be shared with other third parties for the above purposes, but only where the law allows it and the sharing is in compliance with data protection legislation. Further information about use of and access to your personal data held by the ESFA, details of organisations with whom it regularly shares data, information about how long it retains your data, and how to change your consent to being contacted, please view the ESFA: privacy notice (https://www.gov.uk/government/publications/esfa-privacy-notice).