The new General Data Protection Rule comes into force on 25 May 2018. This privacy notice tells you what information we hold, why we have it and what we do with it.
Your privacy is important to us. It is also important for you to know that we only collect and use personal data for the purposes we tell you about.
Greatest Expectations is a “Data Processor” under guidelines from the Information Commissioners Office. This definition means:
“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
How we use your information
As a training company we process your data within the legitimate interest that you have asked us to provide you with training services. Therefore we have to register you with the appropriate awarding body, verify your identity in order to comply with contractual obligations, and ensure you receive the best possible service from us.
- Data Protection says that we are allowed to use and share your personal data only where we have a proper reason to do so. The law says we must have one or more of these reasons and these are:
- Contract – your personal information (Name, Date of Birth, National Insurance Number, Contact telephone numbers, Email address) is processed in order to fulfil a contractual arrangement e.g. your training course and the certificate upon completion of it.
- Consent – where you agree to us using your information in this way: when you start we will ask you if we can keep your details and contact you, giving you the choice of how we do that.
- Legitimate Interests – this means the interests of Greatest Expectations in managing our business to allow us to provide you with the best products and services in the most secure and appropriate way: for example telling you of opportunities to enhance your learning / work chances with further training
- Legal Obligation – where there is statutory or other legal requirement to share the information e.g. when we have to share your information for law enforcement purposes.
We are Data Processor for:
Department for Work and Pensions
- Legitimate interests / Contractual: To tell advisers if the learners they refer to us have or have not attended.
New College Durham
- Legitimate interests / Contractual: when a learner has completed the registration paperwork for their course, with the English and Maths assessments, we forward the paperwork to NCD/ M’ bro College and retain a copy of it for administration purposes and to keep track of learner progress.
Good Things Foundation
- Legitimate interests / Contractual / Consent: the learner completes a basic registration form (Name, Address, National Insurance Number, and Email/Phone) and answers a tick box set of questions about their current IT capabilities. Learners are clearly asked if we can contact them about future opportunities and their preferred method of contact.
- Legitimate interests / Contractual / Consent: this is a secure website and password protected, on which we register learners for their qualification and certificate upon successful completion of their course. We print off a list of learners we have registered so we can keep track.
Certain personal information (such as health/mental health details, criminal record checks, ethnicity and sexual orientation) may be collected as “special category” and processed for New College Durham and Middlesbrough College at their request.
We maintain a record of bookings for each training course: name, NI number, telephone number and the contact details of the adviser making the referral from DWP, unless the booking comes directly from the learner. The information is transferred to our database and the paper copy shredded.
We keep any learner work until it is collected by the learner after the course is ended. It would not be ethical to destroy that work.
We also have to keep the Learn My Way registration forms until April 2020, which will be one year after the contract has ended.
We use password-protected software, only accessed by staff who have to access it as part of their job role.
Data Protection Officer
Official guidelines are that a DPO need only be appointed if:
- You are a public authority (except for courts acting in their judicial capacity);
- Your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Greatest Expectations does not fall into these categories. If this changes in the future then appropriate steps will be taken to appoint a suitably trained person. Until then overall responsibility and contact for Data Protection remains with the management.
(Information Commissioner’s Office quote: If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s a good idea to record this decision to help demonstrate compliance with the accountability principle.)
Keeping in touch with you
We want to keep you up to date with training or employment opportunities. We will clearly ask your permission to do this, and your preferred method of contact.
How long we keep your information
The length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws.
As a general rule we will keep your personal information for 7 years after the date it is no longer needed by us for any of the purposes listed under how we use your information above.
The only exceptions to this are where:
- The law requires us to hold your personal information for a longer period, or delete it sooner
- You exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law
- We bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible
- In limited cases, existing or future law or a court or regulator requires us to keep your personal information for a longer or shorter period.
What are your rights?
You are entitled to request the following from Greatest Expectations. These are called your Data Subject Rights and there is more information on these on the Information Commissioners website www.ico.org.uk
- Right of access –to request access to your personal information and information about how we process it
- Right to rectification –to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
- Right to erasure (also known as the Right to be Forgotten) – to have your personal information erased.
- Right to restriction of processing – to restrict processing of your personal information
- Right to data portability – to electronically move, copy or transfer your personal information in a standard form
- Right to object – to object to processing of your personal information
If you have any general questions about your rights or want to exercise your rights please contact firstname.lastname@example.org at any time and we will do our very best to help you.
You have the right to lodge a complaint with a data protection regulator in Europe. The contact details for the Information Commissioner’s Office (ICO), the data protection regulator in the UK, are available on the ICO website www.ico.org.uk
Where your personal information has or is being used in a way that you believe does not comply with data, however, we encourage you to contact us before making any complaint and we will seek to resolve any issues or concerns you may have.