Updated April 18
Dynamic Training UK Limited (DTL) and its sister company Hillingdon Training Limited (HTL) are fully committed to data security and the fair and transparent processing of personal data. This policy sets out how we will treat personal data which you provide to us in compliance with the GDPR law which comes into effect on the 25th of May 2018, this includes building GDPR into current and future contractual commitments. This journey will be a continuous process and will continue up to and after the enforcement date. DTL and HTL compliance teams are led by our Finance Director and will be responsible for ongoing development and governance of our compliance journey ensuring there is synergy across all businesses and brands.
DTL and HTL strives to improve their security, maintaining privacy for the data they hold and ensuring appropriate security across their partners and supply chain.
Our Commitment to Compliance
Data Protection Policy
The Company takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.
The Company is a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
This policy explains how the Company will hold and process your information. It explains your rights as a data subject. It also explains your obligations when obtaining, handling, processing or storing personal data.
DTL and HTL needs to collect and use certain types of information about people with whom it deals with to operate. These include current, past and prospective employees and students, suppliers, customers, stakeholders and others with whom it communicates. In addition, it may occasionally be required by law to collect and use certain types of information of this kind to comply with the requirements of government departments. Any such information, whether deemed confidential or not, relating to a living individual who can be identified from that information (or from that information or other data in the companies possession), and which may be factual (such as name, address or date of birth) or an opinion (such as a performance appraisal) is subject to data protection laws (and is referred to as “personal data” in this Policy, the Data Protection Procedures and its Appendices). This personal data must be dealt with properly however it is collected, recorded and used – whether on paper or digitally. This policy describes how this personal data must be collected, handled and stored. As such, this policy ensures:
In accordance with the Data Protection Act 1998 (referred to in this Policy, the Data Protection Procedures and its Appendices as “the Act”) EU General Data Protection Regulation and associated EU Directives, DTL and HTL will handle personal data in a manner which complies with the six Data Protection Principles specified under the Act regarding privacy and disclosure:
Data Protection Principles
Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:
We are accountable for these principles and must be able to show that we are compliant.
The Act allows individuals to find out what personal data is held about them by making a subject access request. This covers information held electronically and in some paper records. Individuals have the right to obtain personal data in an electronic and structured form which allows further use by the individual.
If individuals think they are being prevented from seeing information they are entitled to, they can ask the Information Commissioner to help. The Information Commissioner’s Office is responsible for looking after rights of individuals and making sure personal data is not misused.
DTL and HTL are registered with the Information Commissioner and all registrations under the Act are reviewed annually for accuracy and completeness by the company.
DTL and HTL has a Data Protection Officer and maintains records/registers of data processing activity.
How We Use Your Personal Information
If you are progressing your career through DTL or HTL Apprenticeships or further/higher education, we may need to collect additional personal information to secure funding or satisfy statutory or legal or Government scheme requirements.
DTL and HTL are funded by the Educational Skills Funding Agency (ESFA) and some of the information you supply will be used by the Educational Funding Agency to fulfil its statutory functions.
This privacy notice has been issued by the Education and Skills Funding Agency (ESFA), on behalf of the Secretary of State for the Department of Education (DfE). It is to inform learners how their personal information will be used by the DfE, the ESFA (an executive agency of the DfE) and any successor bodies to these organisations. For the purposes of the Data Protection Act 1998, the DfE is the data controller for personal data processed by the ESFA.
Your personal information is used by the DfE to exercise its functions and to meet its statutory responsibilities, including under the Apprenticeships, Skills, Children and Learning Act 2009 and to create and maintain a unique learner number (ULN) and a personal learning record (PLR).
Your information may be shared with third parties for education, training, employment and well-being related purposes, including for research. This will only take place where the law allows it and the sharing follows the Data Protection Act 1998.
The English European Social Fund (ESF) Managing Authority (or agents acting on its behalf) may contact you for them to carry out research and evaluation to inform the effectiveness of training.
You can opt out of contact for other purposes by ticking any of the boxes on your learning agreement if you do not wish to be contacted about courses or learning opportunities or for surveys and research. You can also opt out of being contacted by post, phone or email.
Further information about use of and access to your personal data, and details of organisations with whom we regularly share data are available at: https://www.gov.uk/government/publications/esfa-privacy-notice.
How we define personal data
‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
This policy applies to all personal data whether it is stored electronically, on paper or on other materials. This personal data might be provided to us by you, or someone else (for example an employer), or it could be created by us. It could be provided or created during the recruitment to your programme or during your programme or after its termination. It could be created by your manager or other colleagues.
How we define special categories of personal data
‘Special categories of personal data’ are types of personal data consisting of information as to:
We may hold and use any of these special categories of your personal data in accordance with the law. If not, contractually applicable you are able to opt in or out.
How we define processing
‘Processing’ means any operation which is performed on personal data such as:
This includes processing personal data which forms part of a filing system and any automated processing.
The Act is not to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the individual to whom the personal data relates.
DTL and HTL will ensure that the individual is told: that DTL and HTL is the data controller; that the Data Protection Officer is the DTL and HTL representative; the purpose for which the individual’s personal data is to be processed by the companies; and the identity of anyone to whom the personal data may be disclosed or transferred.
DTL and HTL will ensure that:
Any requirements regarding the consent of an individual of the processing of their personal data have been met. Where information that is regarded as sensitive personal data is processed, explicit consent will usually be required; there is legitimate reason for collecting and using all/any personal data collected; personal data is not used in any way which has an unjustified adverse effect on individuals; it is open and honest about what is collected and how it is used; data is handled in ways in which an individual would reasonably expect; the data is not used for any unlawful purpose; data is kept for a reasonable period. The length of this retention period depends on the purpose for which it was obtained and its nature. It may be necessary to keep data for a reason set out in Schedules 2 and 3 of the Act.
When collecting personal data an oral or written privacy notice should be issued which states simply the identity of who is collecting data and the purpose(s) for which it will be processed.
What personal data do we collect?
We may collect and process the following personal data
Complete a form on our website, complete a survey, correspond by phone, email or in writing, report a problem, sign up to receive our communication, create an account with us, enter into a training contract with us for us to deliver training.
The information we collect and store relating to you is primarily used to enable us to provide our service
Storing Your Personal Data
The personal information you provide is stored within secure servers.
Please note that the transmission of information via the internet (including email) is not completely secure and therefore, although we endeavour to protect your personal information you provide us, we cannot guarantee the security of date sent to us electronically and the transmission of such data is therefore entirely at your own risk.
All DTL and HTL email addresses support with TLS email encryption, so it is advised if you are concerned about the contents of any email to use this encryption.
Where we have given you (or where you have chosen) a password so that you can access certain parts of our sites or portals, you are responsible for keeping these passwords confidential.
Data Security Breach
In the event of a reported data security breach leading to the accidental or unlawful destruction, loss, alteration authorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, DTL and HTL will make every effort to inform affected individuals as appropriate and will liaise with the Information Commissioner to the extent required.
The Rights of Individuals
Everyone has a right to know what personal data about them is being held and processed and to whom such personal data may be disclosed. An individual has the following rights (right to subject access) under the Act:
A right of access to a copy of the information comprised in their personal data; a right to object to processing that is likely to cause or is causing damage or distress; a right to prevent/restrict processing for direct marketing; a right to object to decisions being taken by automated means; a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and a right to claim compensation for damages caused by a breach of the Act.
Therefore, it is very important to have a simple Data Protection statement included on key documents, for example the student learning agreement.
Under the right of subject access above, an individual is entitled only to their own personal data and not to information relating to others. DTL and HTL does not usually have to comply with a disclosure request to provide information relating to the individual making the request and another individual unless the other individual has consented to disclosure.
However, it is permitted in certain circumstance to disclose information to a third party without telling the individual if it is to meet a legal obligation for example CSA requests for salary details, or HM Revenue and Customs inspectors. These are: the prevention or detection of crime; capture or prosecution of offenders; and the assessment or collection of tax/duty.
As stated above, individuals have a right to subject access. Individuals may make a written request (including email) to DTL and HTL (a “subject access request”) firstname.lastname@example.org. Under the Equality Act 2010 the College will make reasonable adjustment and accept a verbal request from an individual with a disability, learning difficulty, medical condition or limited written skills who finds it unreasonably difficult to make a request in writing. Requests must be made to the Data Protection Officer. The individual is usually entitled to be given details of the data held, the purpose for which it is being processed and to whom it may be disclosed. Hence the individual has a right to a copy of all the personal data held about them irrespective of when the records were created. Before the request is actioned DTL and HTL training must be certain that the person making the request is the individual about whom the personal data relates. Also, the company can ask for any information reasonably required to find the personal data covered by a request. It is vital that DTL and HTL training has a central record of where all data is held so that it can comply with requests for information and comply with the Act. Requests for information must be actioned as soon as possible and always within 40 days.
The right to subject access is subject to certain exemptions specified in the Act. These include, for example: exemptions from disclosure of confidential references, examination marks and examination scripts; and a provision that there is no need to comply with a request if it is similar or identical to one complied with earlier unless a reasonable interval has elapsed.
The Information Commissioner has published various practice notes on these exemptions
Disclosing Your Information
We may disclose your personal information to any company within our corporate group. This includes, where applicable, our subsidiaries, our holding company and its subsidiaries. We are obliged to provide feedback to your employer if they have funded the course and request it.
We may also disclose your personal information to:
Where 3rd party funding is required within Apprenticeships or further/higher education;
Disclosure of Information to Third Parties;
Information about an individual should not be disclosed to an appropriate third party unless
the individual has given consent;
applicable under the provisions of the Mental Capacity Act 2005;
there is a real risk of harm to a child hence the safeguarding of a child’s welfare overrides the need to keep the information confidential – any matters of this nature must be referred to the Dynamic and Hillingdon training nominated safeguarding officers without delay.
Where a third party, e.g. a solicitor is acting on behalf of an individual, written authority from the individual concerned must be requested before the request is processed.
Requests made by parents and guardians for data about children/young people are subject to the Act. The data is about the individual and does not belong to a parent/guardian. The following considerations must be applied:
the child’s level of maturity and their ability to make decisions;
the nature of the personal data;
any court orders relating to parental access or responsibility that may apply;
any duty of confidence owed to the child or young person;
any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
any views the child or young person has on whether their parents should have access to information about them.
Usually for learners at DTL and HTL, personal data should not be disclosed to a parent/guardian unless the student has consented to information being shared with that person in their learning agreement. Any issues or concerns must be discussed with the Safeguarding and Prevent Manager.
In the event DTL and HTL are the data controller in respect of personal data collected from a child, this personal data may not be disclosed or transferred to third parties without the explicit and verifiable consent of the child’s parent or guardian, unless the child understands the implications of his or her actions.
As stated above there are exemptions when information must be disclosed to a third party. Exemptions do not require DTL and HTL training to automatically disclose personal data to the police or other law enforcement agencies – they merely ensure the parameters of the Act are not breached.
Possible Sources of Data Covered by the Act
Learner files and individual learning plans; student data held on MIS. Email messages and documents/memos/letters. Enrolment forms/learning agreements. Registers and Curriculum Record Books. Student visit records. Financial records for example invoices, Expenses claims, photographs, video images and social media posts
Possible Location of Data Covered by the Act
Formal files. Central filing systems. Ad hoc files held by managers/team leaders. Files in storage/archive. Information held by third parties e.g. payroll bureau. Notebooks. CCTV, archived images. Computerised systems operating both centrally and locally.
Responsibilities of Staff
Staff should not share data informally. When access to confidential information is required, staff can request it from their line managers.
DTL and HTL will provide training to all employees to help them understand their responsibilities when handling data; it is the responsibility of staff to attend such training.
Staff should keep all data secure, by taking sensible precautions and following the guidelines.
Strong passwords must be used, and they must never be shared.
Personal data should not be disclosed to unauthorised people, either within the company or externally.
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
Staff should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.