Data Protection Policy
In order to carry out our business, the Involved Learning Group (Involved Learning) needs to gather and use certain information about individuals. This includes customers, employees, suppliers, business contacts, and other people to who we are delivering a service, with whom we have a relationship, or may otherwise need to contact.
We are committed to managing the way we collect, store and use data to ensure we respect the privacy and rights of the individuals to whom it relates, including:
complying with the Data Protection Act 1998 (the ‘Act’)
protecting the rights of staff, customers and other data subjects
storing and processing individuals’ data securely and in line with required legislation
As an organisation that processes personal data, Involved Learning are registered with the Information Commissioner’s Office, an independent authority that regulates and enforces the Act.
This policy and associated procedures will be communicated to staff through induction, staff training and refresher training sessions, and reinforced as through audit and compliance activity.
This policy will be made available to programme participants and other individuals for whom we hold information, via publication on our website. It will also be communicated through programme inductions.
This Policy and associated procedures should be read in conjunction with the following Policies:
Information Assurance & Security
IT User Agreement
Within this policy the following definitions apply:
Data subject – an individual who is the subject of personal data.
Data Controller* – the person who determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Processor* – in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Personal Data – data that relates to a living individual who can be identified from that data, or from that data and other information which is held.
Sensitive personal data – personal data relating to racial or ethnic origin; political opinions; religious (or similar) beliefs; trade union membership; physical or mental health condition; sexual life; commission or alleged commission by them of any offence; or any proceedings for any offence committed by them, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive data can also be any data that contains confidential information about the organisation, its products and services, its customers and suppliers.
* A data controller must be a “person” recognised in law e.g. an individual or organisation. Within Involved Learning the Data Controller is the Group Finance and Corporate Services Director. In the case of contracts being delivered on behalf of a commissioner, such as the Department for Work & Pensions or Skills Funding Agency, the commissioning body will usually have the role of Data Controller, with Involved Learning taking the role of Data Processor. For example, DWP are the Data Controller for employment programme data; NOMS are the Date Controller for NOMS CFO data. Involved Learning must comply with our contractual and legal obligations towards commissioners when managing data.
Principles of Data Protection
Any personal data which Involved Learning collects, records or uses in any way – whether it is held on paper, on computer or other media – will have appropriate safeguards in place to ensure that we comply with the Act. Involved Learning fully endorses and adheres to the eight principles of the Act, which state that personal data:
1. shall be processed fairly and lawfully and, in particular, shall not be processed.
2. shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. shall be accurate and, where necessary, kept up to date.
5. processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. shall be processed in accordance with the rights of data subjects under this Act.
7. shall be protected against unauthorised or unlawful processing, against accidental loss or destruction of, or damage to, personal data by appropriate technical and organisational measures.
8. shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Information we hold
Involved Learning keeps personal data to:
administer programmes on behalf of commissioning organisations, and to comply with our contractual requirements.
to provide an effective service to customers by identifying their needs and managing their progress.
meet awarding body requirements in relation to achievement of qualifications by learners.
to claim relevant funding for achievements with customers attending funded programmes.
manage the recruitment, employment and termination of employment of our staff.
The type of data may include (but is not limited to) personal demographic and contact information e.g. names, addresses, nationality, date of birth; references; health and disability information; educational attainment; financial information relating to employment or a service we are providing to customers; information about an individual’s performance; attendance records; disciplinary records.
All personal data will remain confidential. Only people specifically required and entitled to access this information to fulfil their job function may do so, and are required to maintain its confidentiality at all times. All other employees are prohibited from accessing, reading, copying or in any other way dealing with such information.
From time to time, we may need to disclose some information to relevant third parties e.g. where requested by the data subject for the purpose of giving a reference, or to help a customer into education or work.
Prior to disclosure – unless it is a legal obligation e.g. data required by HM Revenue & Customs, a contractual obligation placed upon us by a service commissioner that is covered by alternative legislation – data subjects will be fully informed of the personal data that is being disclosed, the reasons for the disclosure, and the way(s) in which it will be processed.
There may be occasions when data subjects are required to sign a Confidentiality and/or Data Sharing Agreement giving consent to the sharing of some information with other parties. Data subjects can withdraw their consent to share information at any time.
We may occasionally contact individuals by email, mail or telephone with details of our products and services. Recipients wishing to opt out of receiving this information should write to the Data Controller at Involved Learning, Highlands, Carthagena Road, Sutton, Bedfordshire, SG19 2NQ
Involved Learning will ensure that all staff comply with the following when processing and/or transmitting personal data:
When we collect any personal data, we will inform individuals why we are collecting it and what we intend to use it for.
Personal data must be transmitted over secure networks only – transmission over unsecure networks is not permitted in any circumstances.
Documents containing personal data must be password protected.
Personal data contained in the body of an email, whether sent or received, must only be emailed via secure systems with appropriate encryption and security.
Personal data in the body of an email should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated with the email should also be deleted.
Where personal data is to be sent by fax the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data.
Where personal data is transferred in hardcopy it should be passed directly to the recipient or posted using a recognised secure postal carrier. Using an intermediary is not permitted.
All hard copies of personal data must be stored securely in a locked box, drawer, cabinet or similar.
All electronic copies of personal data should be stored securely using passwords and suitable data encryption, where possible on a drive or server which cannot be accessed via the internet.
All passwords used to protect personal data should be changed regularly and should not use words or phrases which can be easily guessed or otherwise compromised.
Data Subject Access
Rights of Data Subjects
Data subjects have the right to:
access to a copy of the information comprised in their personal data within 40 days of making a request;
object to processing that is likely to cause or is causing damage or distress;
prevent processing for direct marketing;
object to decisions being taken by automated means;
in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
claim compensation for damages caused by a breach of the Act.
Subject Access Requests
Individuals who want to see a copy of the information an organisation holds about them must write to the Data Controller requesting this information, including sufficient detail to enable their identity to be confirmed and the data to be identified. A fee of £10 must be submitted with the request.
In response to a compliant request, the following information will be provided:
whether any personal data is held.
a description of any data held.
the reason it is being processed.
details of any third-party organisations that the data has been passed to.
details of the source of the data where available.
a copy of information comprising the data including details of any technical terminology or codes.
Data that is exempt from the right of subject access will not be supplied. This may include information relating to crime prevention and detection; negotiations with the subject; confidential references supplied by Involved Learning.
We will respond to all subject access requests promptly and in any event within 40 calendar days of receiving it.
Involved Learning will record any subject access requests in a Subject Access Log in accordance with the Information Commissioner’s guidelines.
All staff and partners working on behalf of Involved Learning – responsible for ensuring data is collected, stored and handled appropriately in line with this policy.
Board Members – responsible for ensuring the Data Protection Policy is appropriate, reflects legislative requirements and good governance practices, and that Involved Learning meets its legal obligations.
Data Controller – responsible for ensuring all staff are appropriately trained, advising individuals about implementation of the policy, dealing with Subject Access Requests, and ensuring Involved Learning’s registration with the Information Commissioner’s Office is updated in line with our legal obligations.
Monitoring & Review
The effectiveness of this policy will be monitored by the Group Finance & Corporate Services Director through the audit and compliance function of Involved Learning to ensure compliance with data handling and security.
This policy will be reviewed annually by the Data Controller, or more frequently if legislation and/or best practice changes, in order to ensure it continues to meet current legislative requirements, adopts emerging best practice, and continues to be effective and relevant to the wider business.
The Data Controller will report back to the Board on the performance of the policy with recommendations for improvement if required. Any changes to the policy will be communicated to all employees.
Appendix 1 – Employee Data
Employee records include references obtained during recruitment; details of terms of employment; payroll, tax and national insurance information; performance appraisals; details of job duties and job/salary band; health records; absence records including self-certification forms; details of any disciplinary records; training records; contact names and addresses; correspondence with the Company and other information provided.
Information about health is gathered for the purposes of compliance with our health and safety and occupational health obligations; for personnel management and administration e.g. to support reasonable adjustments to be made to assist employees at work and administration of insurance, pension, sick pay and any other related benefits. Only senior managers and Human Resources will have access to this data; and will not be revealed to fellow employees and peers (unless those employees are responsible for health records in the normal course of their duties). Employees have the right to request that the Company does not keep health records on them. All such requests must be made in writing and addressed to the Head of Service HR or the Group Finance and Corporate Services Director.
Records will be retained throughout the period of employment, and for a period up to 6 years following termination for management and administrative purposes.
The Company may from time to time monitor the activities of employees. Such monitoring may include, but will not necessarily be limited to internet and email monitoring. Any employee to be monitored will be informed in advance. The Company shall use its best and reasonable endeavours to ensure that there is no intrusion upon employees’ personal communications or activities and under no circumstances will monitoring take place outside of the employee’s normal place of work or work hours.
Employee Subject Access Request
Employees should follow the main policy in relation to requesting access to their personal data. If employees only wish to view their data and do not wish to have a copy they should make this clear in their request. In this case access will be given in the presence of the Head of Service HR or the Group Finance & Corporate Services Director to ensure the security of personal data of other employees