Data Protection Policy

A) INTRODUCTION

We  may  have  to  collect  and  use  information  about  people  with  whom  we  work. These may include members, current, past and prospective employees, clients,  and suppliers.    This  personal  information  must  be  handled  and  dealt  with  properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means, and there  are safeguards within the  Data Protection Act 2018 to ensure this.

We regard the lawful and correct treatment of personal information as very important to our successful operation and to maintaining confidence between us and those with whom  we  carry  out  business.    We  will  ensure  that  we  treat  personal  information lawfully and correctly.

To this end we fully endorse and adhere to the Principles of Data Protection as set out in the Data Protection Act 2018, and the new GDPR

General Data Protection Regulation (GDPR)

We will only use your personal data for the purpose of the course you have enrolled onto. Your information is stored on cloud password protected databases.  We may use your email address to inform you of special offers, if you do not wish to be informed of special offers, please email info@thelearningcollege.co.uk and advise.

All calls in and out of the college are recorded for training and monitoring purposes. We reserve the right under RIPA (Regulation of Investigatory Powers Act 2000) to incept, meaning communications are made available to a third party if required when the organisation is question has

1. obtained the customers consent
2. where it is authorised to do so by the Lawful Business Regulations

These circumstances can be

• to establish the existence of facts relevant to the business, such as keeping a record of instructions given by telephone where it is necessary or desirable to know what has been said during a conversation;
• to ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the business. This would include monitoring as a means of checking that the business is complying with external regulatory  guidelines;
• to ascertain or demonstrate standards that are or ought to be achieved by persons using the system. This could include monitoring for the purposes of quality control or staff training;
• to prevent or detect crime. For example, monitoring to detect evidence of fraud or corruption;
• to investigate or detect the unauthorised use of the communications system or ensure the effective operation of the system, such as monitoring employee access to certain applications and data.

1. The principles of data protection

The  Act  stipulates  that  anyone  processing  personal  data  must  comply  with  Eight

Principles of good practice.  These Principles are legally enforceable.

The Principles require that personal information:

1. shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;
2. shall be  obtained  only  for  one  or  more  specified  and  lawful  purposes  and shall not be further processed in any manner incompatible with that purpose or those purposes;
3. shall be adequate, relevant and not excessive  in  relation to the purpose  or purposes for which it is processed;
4. shall be accurate and where necessary, kept up to date;
5. shall not  be  kept  for  longer  than  is  necessary  for  that  purpose  or  those purposes;
6. shall be processed in accordance with the rights of data subjects under the

Act;

1. shall be kept secure i.e. protected by an appropriate degree of security;
2. shall not  be  transferred  to  a  country  or  territory  outside  the  European Economic Area, unless that country or territory ensures an adequate level of data protection.

The Act provides conditions for the processing of any personal data.  It also makes a distinction between personal data and “sensitive” personal data.

Personal data is defined as data relating to a living individual who can be identified from:

1. that data;
2. that data and other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual and any indication of the intentions of the data controller, or any other person in respect of the individual.

Sensitive personal data is defined as personal data consisting of information as to:

1. racial or ethnic origin;
2. political opinion;
3. religious or other beliefs;
4. trade union membership;
5. physical or mental health or condition;
6. sexual life;
7. criminal proceedings or convictions.

2. Handling of personal/sensitive information

We will, through appropriate management and the use of strict criteria and controls,:

1. observe fully  conditions  regarding  the  fair  collection  and  use  of  personal information;
2. meet our  legal  obligations  to  specify  the  purpose  for  which  information  is used;
3. collect and process  appropriate  information and  only to  the extent  that  it  is needed to fulfil operational needs or to comply with any legal requirements;
4. ensure the quality of information used;
5. apply strict checks to determine the length of time information is held;
6. shall be accurate and where necessary, kept up to date;
7. shall not  be  kept  for  longer  than  is  necessary  for  that  purpose  or  those purposes;
8. shall be processed in accordance with the rights of data subjects under the

Act;

1. shall be kept secure i.e. protected by an appropriate degree of security;

In addition, we will ensure that:

1. everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
2. methods of handling personal information are regularly assessed and evaluated;

All members of staff are to be made fully aware of this policy and of their duties and responsibilities under the Act.

All managers and staff must take steps to ensure that personal data is kept secure at all  times  against  unauthorised  or  unlawful  loss  or  disclosure  and  in  particular  will ensure that:

1. paper files  and  other  records  or  documents  containing  personal/sensitive data are kept in a secure environment;
2. personal data held on computers and computer systems is protected by the use of  secure  passwords,  which   where   possible  have  forced  changes periodically;
3. individual passwords should be such that they are not easily compromised.

All contractors, consultants, partners or Directors must:

1. ensure that they and all of their staff who have access to personal data held or processed  for  or  on  behalf  of  us,  are  aware  of  this  policy  and  are  fully aware of their duties and responsibilities under the Act.   Any breach of any provision  of  the  Act  will  be  deemed  as  being  a  breach  of  any  contract between the Company and that individual, company, partner or firm;
2. allow data protection audits by us of data held on our behalf (if requested);
3. indemnify us  against  any  prosecutions,  claims,  proceedings,  actions  or payments of compensation or damages, without limitation.

All contractors who are users of personal information supplied by us will be required to  confirm  that  they  will  abide  by  the  requirements  of  the  Act  with  regard  to information supplied by us.

3. Implementation

The  Data  Protection  Act  2018 (now GDPR) requires  every  data  controller  who  is  processing personal data, to notify and renew their notification, on an annual basis.  Failure to do so is a criminal offence.