Data Protection Policy and Procedure

Current Version:   April 2024 v1

Informed by UK Quality Code – Core Practices for Standards and Quality

1.0   Introduction

1.1   The Centre is committed to preserving the privacy of its learners and employees and to complying with the Data Protection Act 2018 and GDPR 2016. In order to achieve this commitment, the information that we have about our learners and employees will be collected and used fairly, stored safely and not unlawfully disclosed to any other person. 

2.0   Principles

2.1   The  Centre,  its  staff  and  others  who  process  or  use  any  personal information must ensure that they follow the data protection principles set out in the Data Protection Act 2018 and other relevant legislation

These principles are that personal data shall:

      • Be obtained and processed fairly and lawfully
      • Be  obtained  for  a specified  and lawful  purpose and  shall  not  be processed in any manner incompatible with that purpose
      • Be adequate, relevant and not excessive for those purposes
      • Be accurate and kept up to date
      • Not be kept longer than is necessary for that purpose
      • Be processed in accordance with the data subject rights
      • Be kept safe from unauthorised access, accidental loss or destruction
      • Not be transferred to any third party

2.2   The Centre will not release staff or learner data to any third party without the consent of the individual concerned before releasing personal data.

3.0   Responsibilities 

3.1   Senior Management 

The  responsibility  of  ensuring  compliance  with  this  policy  and  for communicating the policy to all staff lies with the senior management team.

3.2  Data Protection Coordinator

At present the Data Protection Coordinator is the Operations Manager. They have operational responsibility for the implementation of this policy.

Staff and managers

All staff and managers are responsible for ensuring that staff are aware and are in compliance with this policy.

3.3  All staff and students

All staff and students (and in the case of students under the age of 18, their parents, legal guardians or educational representatives) are responsible for ensuring that all personal data provided to the Centre is correct and current.

4.0 Compliance

Failure to comply with the data protection policy and procedure may result in disciplinary action.

5.0 Review

The policy and procedure will be reviewed periodically. 

Data Protection Procedure

1.0   Introduction

1.1   The Centre needs to keep certain information about its employees and learners to monitor recruitment, attendance, performance, achievements and health and safety. It is necessary to process information so that staff can be recruited  and  paid  and  our  obligations  to  accrediting  bodies  can  be maintained. To comply with current legislation, information must be collected and  used  fairly,  stored  safely  and  not  disclosed  to  any  other  person unlawfully. 

1.2   This  must  be  done  in  compliance  with  Data  Protection  Principles. According to these principles, data must:

      • Be  obtained  and  processed  fairly  and  lawfully  and  shall  not  be processed unless certain conditions are met
      • Be  obtained  for  a  specified  and  lawful  purpose  and  shall  not  be processed in any manner incompatible with that purpose
      • Be adequate, relevant and not excessive for that purpose
      • Be accurate and current
      • Not be kept longer than is necessary for that purpose
      • Be processed in accordance with the data subject’s rights
      • Be kept safe from unauthorised access, accidental loss or destruction

1.3    The Centre and all staff who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens the Centre has developed this policy.

2.0   Responsibilities of staff

2.1   All staff members are responsible for:

      • Checking that any information they provide to the Centre in connection with their employment is accurate and up to date.
      • Informing  the  Centre  of  any  changes  to  information,  which  they provided i.e. change of address.
      • Informing the Centre of any errors or changes. The Centre is not liable for any errors unless the staff member has informed us of this.   

2.2    All  staff  will  process  data  about  individuals  on  a  regular  basis,  when marking registers, writing reports or references or as part of their pastoral or academic role. 

2.3    The Centre will ensure through registration procedures that all individuals give their consent to this type of processing and are notified of the categories of processing as required by the DPA 2018 and GPPR 2016. The information, that staff deal with on a day to day basis will be standard and will cover categories such as:

      • General  personal  details  such  as  name,  contact  information  and address
      • Details about class attendance, coursework marks
      • Notes of personal supervision, including matters about behaviour and discipline     

2.4     Information  about  an  individual’s  physical  or  mental  health,  sexual orientation, political or religious views, ethnicity or race sensitive and can only be processed with consent.

2.5     All staff members have a duty to make sure that they comply with the data protection principles, which are set out in the staff handbook.

2.6     In particular, staff must ensure that records are:

      • Accurate
      • Up to date
      • Fair
      • Kept and disposed of safely, and in accordance with the Centre policy     

2.7   The Centre will designate staff in the relevant area as ‘authorised staff’. These staff members are the only staff authorised to access the data that is:

      • Not standard data; or
      • Sensitive data  

2.8   Authorised staff will be responsible for ensuring that personal data is kept securely. In particular staff must ensure that personal data is:

      • Placed in a lockable storage
      • Not left on unattended desks or tables
      • Not left on unattended on IT equipment or is not accessible to other users; all staff are reminded to log off when not at their work station. All IT equipment must be password protected
      • Shredded where appropriate if kept as paper records 

2.9   Staff must not disclose personal data to any individual, unless for normal academic or pastoral purposes, without authorisation or agreement from the data controller, or in line with the Centre policy.

2.10       Before processing any personal data, all staff should consider:

      • Do you really need the information?
      • Is the information ‘sensitive’?
      • If it is sensitive, do you have the data subject’s express consent?
      • Has the individual been told that this type of data will be processed?
      • Are you authorised to collect, store and process the data?
      • If  yes,  have  you  checked  with  the  data  subject  that  the  data  is accurate?
      • Are you sure that the data is secure?
      • If  you  do  not  have  the  data  subject’s  consent  to  process,  are  you satisfied that it is in the best interests of the individual or the safety of others to collect and retain the data?  

3.0   Rights to access information

3.1   Staff, individuals, students (or their legal representatives) and other users of the Centre have the right to access any personal data that is being kept about them either on computers or in certain files. Any person who wishes to exercise this should complete the Centre request form for Access to Data and give it to reception.

3.2   The Centre may make a charge for this request but any waiver is at the discretion of the Centre.

3.3   The  Centre  aims  to  comply  with  requests  for  access  to  personal information as quickly as possible but within 21 days of request unless there is good reason for the delay. In such cases, the reason for the delay will be explained in writing to the data subject making the request.

4.0   Subject Consent

4.1   In  some  cases,  the  Centre  can  only  process  personal  data  with  the consent  of  the  individual.  However,  if  the  data  is  sensitive  then  express consent  must  be  obtained.  Agreement  to  the  Centre  processing  some specified classes of personal data is a condition of employment for members of staff and a condition of acceptance of an individual onto any course. This will include information about previous criminal convictions.

4.2   The Centre may also ask for information about particular health needs such as particular forms of medication, or allergies or any conditions such as asthma or diabetes. The Centre will only use this information for the purposes of health and safety, however, in the event of a medical emergency, consent from the individual will be required.