Data Protection at Steve Willis Training
Steve Willis Training Centres (SWT) needs to collect, store and process personal data as an integral part of its business operations. Treating this data correctly is vital to our successful operation, and to maintaining confidence between us and those with whom we do business. We may hold data on all individuals with whom we have a business relationship, including customers, apprentices, employers, business contacts, suppliers and employees.
This policy describes how this personal data must be collected, handled and stored in accordance with UK law including GDPR. It applies to everyone working or volunteering for or on behalf of SWT, at SWT training centre locations and when working elsewhere.
This Data Protection Policy allows us to make the following commitments:
- We comply with the law and follow best practice
- We protect the rights of staff, customers and partners
- We are open about how we store and process personal data
- We protect ourselves from the risk of a data breach.
About the Data Protection Policy
The following definitions apply throughout this policy:
- Personal data is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.
- Special categories of personal data are data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).
- Criminal offence data is data which relates to an individual’s criminal convictions and offences.
- Data processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Protection Law
Companies and organisations must collect, handle and store personal data in accordance with UK law including the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This applies whether data is stored electronically or in hard copy.
Data Protection law is underpinned by the 7 key principles of the GDPR, which state that data must be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate, and where necessary kept up to date
- Stored (in a way that identifies the subject) only for as long as it is needed for the original purpose it was collected
- Processed in a secure way, protecting it from loss, damage or unauthorised use
- Controlled by a Data Controller who is responsible for and can demonstrate compliance with these principles.
Everyone at SWT has a responsibility to ensure they are working in accordance with Data Protection law.
This policy applies to all staff, contractors, suppliers or volunteers working on behalf of SWT. It concerns all data the company holds relating to identifiable individuals, which can include (but is not limited to) the following:
- Names of individuals
- Dates of birth
- National Insurance numbers
- Postal addresses (including postcodes)
- Email addresses
- Telephone numbers
- Candidate Registration Numbers / ULN numbers
- Sage reference or payroll numbers
- Qualification / Award details.
Serious risks to the business from failing to follow the data protection policy include:
- Financial penalty – a data breach can now lead to a fine of up to 4% of annual turnover or €20 million
- Reputational damage – the good name of the business would be damaged by a data breach or incorrect marketing contact
- Business continuity – damage to business systems and operation from hacking or other incident.
Requirements & Responsibilities
Everyone who works for or with SWT has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy, and should be able to provide an inventory of the data they hold and information about the flow of data including why it is collected, how it is used and stored, and when it is deleted.
Key areas of responsibility within SWT are as follows.
The Board of Directors: Ultimately responsible for ensuring that SWT meets its data protection obligations and is GDPR compliant.
The Data Controller is responsible for:
- Keeping the board updated about GDPR / data protection responsibilities, risks and issues, including compliance
- Reviewing all GDPR / data protection procedures and related policies, in line with an agreed schedule
- Arranging data protection training and advice
- Handling data protection questions from staff and anyone else covered by this policy
- Dealing with requests from individuals to see the data SWT holds about them (also called ‘subject access requests’)
- Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
SWT’s IT Partner, Boundary IT is responsible for:
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards and are GDPR compliant
- Performing regular checks and scans to ensure security hardware and software is functioning properly
- Evaluating any third-party services the company is considering using to store or process data (e.g. cloud storage).
The Marketing, Communications & Events Coordinator is responsible for:
- Approving any data protection statements attached to communications such as emails and letters
- Maintaining and updating the Data Protection and Privacy policies
- Addressing any data protection queries from journalists or other media outlets
- Working with other staff to ensure marketing initiatives are GDPR compliant.
Requirements for Staff
Later sections of this policy contain detailed guidance on the collection and processing (section 4) and storage (section 5) of data, and on its accuracy (section 6), in accordance with the principles of GDPR.
The following key rules apply to all SWT staff, and form part of their terms and conditions of employment:
- Personal data must only be accessed by staff who need it to carry out their work at SWT – if access to confidential information is required, staff should request it from their line manager.
- Personal data must never be shared informally – in particular by email as this is not secure.
- Staff must keep all data secure, by taking sensible precautions and following the guidelines for processing and storage set out in this policy
- Strong passwords must be used, with a minimum of 16 alpha-numeric characters including symbols.
- Passwords must be changed regularly, and should never be shared with anyone (this includes our IT Partner Boundary IT who should never request a password).
- The identity of all callers and visitors must be verified before any personal data is confirmed or revealed.
- Personal data must not be disclosed to unauthorised people, either within the company or externally.
- Personal data must not be stored externally – e.g. in personal folders on computers, cloud storage, or in hard copy at home. All data must be stored within SWT systems / premises.
- Staff must request help from their line manager or the data controller if they are unsure about any aspect of data protection
SWT will support staff to enable them to meet their responsibilities:
- SWT will provide training to all staff to help them understand their responsibilities when handling data.
- The data controller will ensure that this includes a thorough induction for new staff as well as on an ongoing basis.
- Staff should also be mindful of the activities of others, and offer support if they see something happening that could be in breach of this policy.
Data collection and processing
We collect data in accordance with GDPR guidelines when customers make an enquiry, book a course or attend the training centre. This can include names, contact details, dates of birth, NI numbers, bank or credit card details etc.
We may share personal data across the company to process bookings and run courses, and externally with qualification bodies such as City and Guilds and ERS. We are allowed to do this as part of our contract with the customers under GDPR.
In certain circumstances, data protection law allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, SWT will disclose the requested data. However, the SWT data controller will ensure the request is legitimate, seeking assistance from the board of Directors and from the company’s legal advisers where necessary.
When working with personal data, staff must take measures to ensure its security:
- Data must not be sent unencrypted by email, as email is not secure; it must always be encrypted before sending. PDFs, Word and Excel documents should be password protected, with the password sent separately. Personal data must not be in the body of an email.
- Personal data should not be sent in internal emails; it should be stored securely on the SWT SharePoint and a link sent instead.
- Personal data should never be transferred outside the European Economic Area
- Staff must not save copies of personal data to their own computers or personal folders on the SWT system. There should be just one central copy of any data.
- Staff must protect data while working on it, for example not leaving papers containing personal data visible on desks, and always locking computer screens when unattended.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot access it:
- Papers and files should be kept in a locked drawer or filing cabinet
- Papers must not be left on printers
- Staff must not store papers and files at home or in vehicles
- Papers containing data must be shredded and disposed of securely when no longer required
- The SWT Clean Desk Policy should be followed at all times
When data is stored electronically it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees
- If data is stored on removable media (like a CD, DVD or memory stick), these should be kept locked away securely when not being used
- Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing service.
- Servers containing personal data should be sited in a secure location, away from general office space
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones
- All servers and computers containing data should be protected by approved security software and a firewall
Data which we no longer have a legitimate reason to store, for example from initial enquiries that went no further or candidates from assessment days who did not start, must be deleted after an agreed time period. Any questions about storing data safely can be directed to the data controller or SWT’s IT Partner, Boundary IT.
The GDPR requires SWT to take reasonable steps to ensure data is kept accurate and up to date. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible, and the following rules should be followed:
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- Staff must ensure data is kept updated, for instance by confirming a customer’s details when they call, through classroom checks, or whenever database records are visited.
- SWT will endeavour to make it easy for data subjects to update the information SWT holds about them.
- Data should be updated as soon as errors are found – for example if an email address or phone number no longer works, it should be deleted.
SWT will record any data breaches and take action to prevent them from happening again, in accordance with our responsibilities under GDPR. SWT will wherever possible provide a supportive approach to staff that are responsible for meeting the requirements of this policy.
In cases where a data breach is identified the data controller will carry out an investigation to understand the cause. This investigation could result in further staff advice / training if applicable. Any staff who think they, or another employee, may have caused a data breach, however minor, must let their line manager and/or data controller know immediately. Data breaches could include losing some paperwork containing personal information (such as a completed application form), giving personal information to a third party, accidentally sending an email to the wrong person, cc’ing instead of bcc’ing bulk email recipients etc.
Staff who knowingly disregard or fail to meet the requirements set out in this policy will be dealt with through SWT’s disciplinary procedure.
Personal data rights
All individuals have rights over their personal data under GDPR. Individuals who may have rights over data held by SWT include past, current and prospective customers, employees and contractors. These rights can be summarised as follows:
- The right to be informed: Individuals have the right to be informed about the collection and use of their personal data.
- The right of access: Individuals have the right to access all the personal information we hold about them. They can request this by emailing email@example.com and we will respond to a request for access within one month.
- The right of rectification: If there are mistakes in the information we hold about an individual, they can ask to have inaccurate personal data corrected, or completed if it is incomplete. We will respond to a request for rectification within one month.
- The right to erasure: This is also known as the “right to be forgotten”, and individuals can ask to have their personal data deleted.
We explain in more detail how we handle individuals’ data and their data rights later in this document.
This policy describes the responsibilities of everyone at SWT when working with data, and the rights of individuals over the data we hold about them, and sets out our standard for data handling. It explains how data is collected, processed and stored in accordance with UK law including GDPR, and it applies to everyone working or volunteering for or on behalf of SWT, at SWT training centres and when working elsewhere.
This policy is in place to protect both the rights of individuals and SWT as a business. Consequences to our business of a breach could include loss of reputation, financial penalty, or loss of funding for our Apprenticeship provision.
If you have any questions about this policy, or concerns about how data protection is handled at SWT, please contact your line manager or the data controller.
Collecting your data
When do we collect your data?
There may be several times during our interactions with you when we may collect information about you:
- When you contact us to enquire about a course either by telephone, online or in person
- When you book and pay for a course
- When you come to the training centre to take the course.
What data do we collect?
We collect personal information about you when you make an enquiry, this can include:
- Name and date of birth
- Address and telephone number
- Email address
- Your employer’s name and address
When you book and pay for your course we collect additional information including:
- National insurance number
- Job Title
- Your bank or credit card details when you pay for your course
When you come to the centre we may ask for more information including:
- Passport photo
- Proof of your previous qualifications
Legal permission to process your data
Data protection law in the UK has been strengthened to give you more control over how your personal information is used. Companies must have a lawful reason to collect and hold your information. There are 3 main reasons that allow us to legitimately process your data:
- Contract: if you take a course with SWT, this forms a contract between us. In order to fulfil this contract – to provide your course and manage your qualifications – it is necessary for us to process your data. If you enquire about a course, this is the first step towards entering into a contract with us, even if you don’t book anything with us at the time.
- Legitimate Interest: sometimes we need to process your data in order to run our business effectively. For example, we might contact you to tell you about changes to safety regulations that could affect your job and offer you a relevant course.
- Consent: If we are not processing your data for reasons of Contract or Legitimate Interest, we can do so with your consent – for example if you have ticked a box saying you would like to receive an email newsletter from us.
You can ask us which reason we have used for processing your data, and you can withdraw your consent at any time. Email firstname.lastname@example.org.
Further information on all the reasons allowed by law for processing personal data can be found on the Information Commissioner’s Office website:
Storing and Using Your Data
How is your data stored?
We collect your data when we speak to you on the phone or in person, or correspond with you by email or letter. We record your personal details and information about the courses you have taken or enquired about on our secure Training Database. Some information may also be stored on our server, for example payment records or copies of emails.
We may also hold information about you on paper, for example course booking forms, registers, or other correspondence.
Is your data safe?
Data security is a vital part of our business, and we protect all the data we hold, including your personal information. Steve Willis Training has a comprehensive Data Protection Policy covering all aspects of data security. All our staff are signatories to this policy and are fully trained in data security. The policy covers the following areas to offer you the strongest protection for your information:
- Electronic data storage – including security software and firewalls, password protection, anonymisation, encryption.
- Paper data storage – including secure file storage, clean desk policy, shredding.
- Deletion – including timeframes for deleting unnecessary personal data.
- Financial transactions – including safe storage and deletion of payment records.
Sharing your data
We protect your information by never passing it on to third parties without your consent. Qualifications you take with us may be awarded by external bodies such as City & Guilds and ERS. We have to share data with them relating to the completion of your qualifications, for example some of your personal information and details of the assessments you have taken with us. We only give them the information they need to award your certificates, and we work with them to ensure your privacy is respected.
When you contact us by telephone we protect your data by ensuring that it is really you on the phone. You will be asked three security questions to confirm your identity and to ensure that we are not sharing your personal information with anyone else.
How long do we keep your data?
We will only keep your data for as long as it is needed for the purpose for which it was collected. We do this in accordance with the data retention principles of the ICO’s data protection guide. These are some examples of why we may be retaining your data:
- If you take a course with us, we will keep your record on our database so that we can let you know when your qualification expires, or if the regulations change and you might want to take a new course
- We also keep a record of our financial transactions with you for our tax records
- If we hold your data because you have asked to receive an email newsletter, we will keep your contact details until you unsubscribe.
You have rights over your personal data, and SWT are committed to respecting these rights and answering any queries or requests you might have about them. Full details of your rights and how to make requests can be found on the ICO website but this is how we deal with your rights over the data we hold.
Your right to be informed
Your right of access
You have the right to access all the personal information we hold about you. You can request this by emailing email@example.com and we will confirm if we are processing your data and provide access to all the data we hold. We will respond to a request for access within one month.
Your right of rectification
If there are mistakes in the information we hold about you, you can ask to have inaccurate personal data corrected, or completed if it is incomplete. We will respond to a request for rectification within one month.
Your right to erasure
This is also known as the “right to be forgotten” and you can ask to have your personal data deleted. You can ask for this if we only hold your data because you consented to receive marketing information such as email newsletters from us.
Your right to withdraw consent
If you have given us your consent to use your personal information, for example to send you communications about special offers or email newsletters, you can withdraw that consent at any time. All communications that we send you will contain “unsubscribe” or “opt-out” options to make this easy for you.
If we have a contract with you, you can withdraw your consent for marketing communications, but we will still be able to contact you as part of that contract – for example to let you know that a qualification you hold with us is due for renewal.
Questions or complaints
Call: 01444 870860
Write: Data Protection
Steve Willis Training Centres
Unit F2, Sheddingdean Industrial Estate
Marchants Way, Burgess Hill
West Sussex, RH15 8QY
If you are concerned about the way we are handling your data, or you feel that we have not answered your questions or requests properly, you have the right to complain to the Information Commissioner’s Office.
Call: 0303 123 1113 or visit the Report a Concern section of their website https://ico.org.uk/concerns/