Data Protection GDPR

Greatest Expectations retains certain data about employees and learners, which allows it to operate as a business. It enables us to:

• • Monitor learner progression including attendance and achievements
  • Ensure that the learner gets the best possible experience if they have specific requirements
  • Meet the terms of our Prime contracts and arrange courses
  • Recruit and pay staff

We abide by the terms of the Data Protection Act 2018, which is the UK’s implementation of the General Data Protection Regulation (GDPR)

Responsibility for day to day Data Protection matters and implementation of this Policy at Greatest Expectations is that of William Guthrie.

What data do we collect?
Enrolment forms: created by Middlesbrough College and New College Durham, for whom we operate as a sub-contractor.

The information contained in the forms allows us to maintain a working database, and register learners for their qualifications with the relevant awarding bodies.

The enrolment form asks for name, address, National Insurance number, contact phone numbers and email address, and emergency contacts. It asks for ethnicity, residency history, record of prior learning achievement and employment and benefit status.

For Middlesbrough College we retain the original enrolment forms for the duration of the course and then for the remainder of the academic year, thereafter for 5 years in secure storage.

At New College Durham the Prime retains the original forms, we retain a scanned copy for the duration of the course and then for the remainder of the academic year, on a password secure staff-only database.

Personnel

To properly function as a business we ask for, and retain, a personnel record for each member of staff comprising contact and emergency contact details, bank account details to enable payroll, record of DBS number (but not a copy of the DBS itself) copies of relevant teaching and sector competency
certificates, copies of ID: passport, driving licence and birth certificate, a utility bill or similar with the current address, and reference details.

These records are maintained in a locked storage room with access only to the management team.

Other forms

Data capture forms for potential learners, taken directly from the learner, or from an adviser from an outside agency such as DWP with their permission. It comprises name, address, contact phone number and email, National Insurance number, request for reasonable adjustments, benefit entitlement. The form has the ICO data protection statement and opt-in tick boxes agreeing to further correspondence.

The DCF is kept with the learners file and then for 1 year if the learner does not join a course, provided we have been granted permission to retain it.

Legal basis for collecting

Collecting and retaining this information enables us to function as a business and to generate new business, within our primary mission as an independent training provider.

We are sub contracted by our Prime contractors: Middlesbrough College and New College Durham.

The principles of data collection

Our aim is always to ensure the confidentiality, integrity, availability and resilience of our processing systems.

Our collection and use of data is made within the following principles:

• • It will be processed lawfully, fairly and in a transparent manner in relation to individuals
  • It will comply with the rights of the data subject regarding privacy of information, access, rectification when we have incorrect details, deletion (see below) and the portability of personal data if applicable
  • Is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • It is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accurate and where necessary kept up to date, that every reasonable step must be taken to ensure that personal data that are inaccurate are corrected or delated as appropriate
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Processed in a manner that ensures appropriate security of the data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Greatest Expectations employees must fully adhere to these principles at all times.

We are classed as a Data Processor.

The right to access information

All information gathered is subject to the consent of the individual.

The individual provides their consent to us contacting them and retaining any information we ask for. This is gathered on the Data Capture Form as above, and kept in the learner’s file for the duration of their course, and then is disposed of with the remainder of their record after 5 years.

Staff and learners have the right to access any personal data that Greatest Expectations keeps on file about them either on computer in paper versions. Staff who wish to view their data should ask the manager, and any learners will be asked to put their request formally in writing.

We aim to comply with requests for access to personal information as quickly as possible, and will ensure that it is provided within 28 days after receipt of request.

Sometimes it is necessary to process ‘sensitive’ information, i.e. about health issues or criminal convictions. This may be to ensure that our centre is a safe place to work or study, to operate our policies (i.e. Equal Opportunities) or to enable us to comply with the law, and to ensure that the interests of the learner and their requirements are met.

We follow guidance from the Information Commissioners Office and have not appointed a specific Data Protection Officer.

Retention of Data

We will keep data for the minimum time necessary to fulfil its purpose and contractual obligations.

Once a year we undertake a “sweep” of paper and electronic data to ensure that anything meeting the criteria is disposed of securely under the 5-year rule.

The right to be forgotten (the right to erasure)

Individuals can make a request for erasure either verbally or in writing, and the company must respond within one month.

Individuals have the right to have their personal data erased if:

• • It is no longer necessary for the purpose which we originally collected or processed it
  • We are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent
  • We are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
  • We are processing the personal data for direct marketing purposes and the individual objects to that processing
  • We have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle)
  • We have to do it to comply with a legal obligation

The right to erasure does not apply if we are complying with a legal obligation.

Changes or amendments to this policy

This policy is updated yearly in line with company procedure.

Staff are required to read the new policies and sign to confirm they have done so.

Security and technical facilities – an overview

The security of the information we handle and retain is of paramount importance to Greatest Expectations, not just to ensure compliance with Data Protection regulations, but also to guarantee the integrity of our internal systems.

Data Protection issues are discussed at team meetings and as part of the Standardisation Team meetings.

For processing payroll we use the secure SAGE platform on a PC accessed only by the financial director, and which includes regular security patches.

Access to online learning, registration and certification platforms (i.e. NCFE, Highfield and NOCN) is by password only and accessed by staff with a specific job role.

Our internal database is held in the staff shared drive, accessed only by passwords which staff are prompted to change every 3 months.

Operating system updates are always fully up to date.

V5 06.22 / Review: 06.23 / D. Thomas / Managed by V. Guthrie / Data Protection GDPR