GDPR

Learning Partnerships regards the lawful and correct processing of personal and sensitive data as an integral part of its purpose and vital for maintaining confidence between employees, volunteers, service users and other stakeholders about whom we process data, whether on their behalf or our own.

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) contain principles affecting individuals’ personal records. The purpose of this policy is to provide guidance about the protection, sharing and disclosure of employee, volunteer and service user data, but it is important to stress that maintaining confidentiality and adhering to data protection legislation applies to anyone handling personal data or sensitive data on behalf of Learning Partnerships.

This policy is also in place to ensure that no breach of these requirements occurs. If you are in any doubt about what information you can or cannot disclose, and to whom, do not disclose the personal information until you have sought further advice from a member of the Executive Team.

You should be aware that you and/or Learning Partnerships can be criminally liable if you knowingly or recklessly disclose personal data in breach of this policy. A serious breach of data protection will result in disciplinary action in line with internal procedures. Where information is accessed without authority, this constitutes gross misconduct and could lead to dismissal.

  1. Information Commissioner

The DPA requires certain data controllers (e.g. organisations) to register with the Information Commissioner’s Office (ICO) the categories of data they hold about people and what they do with it.

  • Learning Partnerships is registered with the ICO. Data Protection Registration Number: Z1046101.

  2. Definitions of Personal Data and Sensitive Personal Data

Personal data covered by this policy includes:

  • All identifiable data of an individual
  • All identifiable employee data
  • All identifiable service user/client data
  • All other personal data processed by Learning Partnerships

Examples of personally identifiable data that Learning Partnerships processes include:

  • Names, addresses, emails, phone numbers and other contact information;
  • Financial information;
  • National insurance numbers and payroll data;
  • Health information;
  • Service user/client data;
  • Photographs;
  • DBS (criminal record) checks.

Certain types of data are regarded as sensitive and attract additional legal protection. Sensitive personal data is considered to be any data that could identify a person, such as:

  • Racial or ethnic origin of the data subject;
  • Political opinions;
  • Religious beliefs or other beliefs of a similar nature;
  • Membership of a trade union;
  • Physical or mental health condition;
  • Sexual life;
  • Commission or alleged commission of any offence;
  • Details of bank account, national insurance number, and any ID details such as passport or driving licence.

  3. Data Protection Principles

There are eight data protection principles that are central to the DPA. Learning Partnerships and all of its employees must comply with these principles at all times in their information handling practices. The eight principles are:

  • Principle 1: personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met. See the Conditions of Processing guidance.
  • Principle 2: personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Principle 3: personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  • Principle 4: personal data shall be accurate and up to date.
  • Principle 5: personal data processed for any purpose or purposes shall be kept for no longer than necessary.
  • Principle 6: personal data shall be processed in accordance with the rights of data subjects under this Act.
  • Principle 7: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  • Principle 8: personal data shall not be transferred to a country or territory outside the European Economic Area (EEA).

Consent to personal information being held

The organisation holds personal data about you and, by signing your contract of employment, volunteer agreement or course registration form, you have consented to that data being processed by us. Agreeing to the processing of your personal data is a condition of your employment or participation with Learning Partnerships. Learning Partnerships will also hold limited sensitive information about its employees, volunteers or service users, for example sickness and absence records and health information.

Personal information on learners is also held for course and funding purposes. Learners will be made fully aware of the reasons for collecting the information and how it will be held and used.

Personal data and sensitive personal data must not be used other than for the specific purposes required to deliver a product or service.

All data collected from young people under the age of 16 is to be treated as sensitive personal data; where there are concerns about mental capacity, this age limit should be extended.

A record can be in computerised and/or manual form. It may include such documentation as:

  • Manually stored paper data, e.g. employee or learner records
  • Handwritten notes
  • Letters to and from Learning Partnerships
  • Electronic records

Back-up data (i.e. archived data or disaster recovery records) also falls under the DPA; however, a search within it should only be conducted if specifically requested by the data subject.

  4. The right to access personal information

The DPA gives every living person (or their authorised representative) the right to apply for access to the personal data which organisations (data controllers) hold about them, irrespective of when and how it was compiled, i.e. written records, and electronic and manual records held in a secure file, subject to certain exemptions. This is called a Subject Access Request. The DPA treats personal data relating to employees, volunteers and service users alike. Individuals also have the right to request that any inaccurate data be corrected or removed.

  5. Practical implications

Understanding and complying with the principles is the key to understanding and complying with our responsibilities as a data controller. Therefore, Learning Partnerships will, through appropriate management and strict application of criteria and controls:

  • Ensure that there is a lawful ground for using the personal data.
  • Ensure that the use of the data is fair and that it will meet one of the specified conditions.
  • Only use sensitive personal data where Learning Partnerships has obtained the individual’s explicit consent, unless an exemption applies.
  • Only use sensitive personal data if it is absolutely necessary for Learning Partnerships to use it.
  • Explain to individuals, at the time their personal data is collected, how that information will be used.
  • Only obtain and use personal data for those purposes which are known to the individual.
  • Only use personal data for the purpose for which it was given; if we need to use the data for other purposes, further consent may be needed.
  • Only keep personal data that is relevant to Learning Partnerships.
  • Keep personal data accurate and up to date.
  • Only keep personal data for as long as is necessary.
  • Always adhere to Subject Access Requests and be receptive to any queries, requests or complaints made by individuals in connection with their personal data.
  • Always allow individuals to opt out of receiving bulk information. Learning Partnerships will always suppress the details of individuals who have opted out of receiving information (e.g. marketing).
  • Always give an option to “opt in” when consent is needed to share personal data, unless there is a statutory/legal reason to share it.
  • Take appropriate technical and organisational security measures to safeguard personal data.

In addition, Learning Partnerships will ensure that:

  • There is an employee appointed as the Data Protection Officer with specific responsibility for Data Protection.
  • Everyone managing and handling personal data and sensitive personal data understands that they are legally responsible for following good data protection practice and has received and read the data protection policy.
  • Everyone managing and handling personal data and sensitive personal data is appropriately supervised by their line manager.
  • Enquiries about handling personal data and sensitive personal data are promptly and courteously dealt with.
  • Methods of handling personal data and sensitive personal data are regularly assessed and evaluated by the Data Protection Officer and Executive Team.
  • A review and audit of data protection arrangements is undertaken annually.
  • Performance in handling personal data and sensitive personal data is regularly assessed and evaluated by the Data Protection Officer and Executive Team.
  • Formal written Data Sharing Agreements are in place before any personal data or sensitive personal data is transferred to a third party.

  6. Roles and Responsibilities

Maintaining confidentiality and adhering to GDPR and data protection legislation applies to everyone at Learning Partnerships. Learning Partnerships will take the necessary steps to ensure that everyone managing and processing personal data understands that they are responsible for following good data protection practice. Employees will receive a copy of the policy at their induction and will also receive relevant updates and training as required.

All employees and volunteers have a responsibility to:

  • Observe all guidance and codes of conduct in relation to obtaining, using and disclosing personal data and sensitive personal data;
  • Obtain and process personal data and sensitive personal data only for specified purposes;
  • Only access personal data and sensitive personal data that is specifically required to carry out their activity or work;
  • Record data correctly in both manual and electronic records;
  • Ensure any personal data and sensitive personal data held is kept secure;
  • Ensure that personal data and sensitive personal data is not disclosed in any form to any unauthorised third party;
  • Ensure personal data and sensitive personal data is sent securely; and
  • Read and understand the policy, raising any questions to check understanding.

Failure to adhere to any guidance in this policy could mean an individual being criminally liable for deliberate unlawful disclosure under the DPA. This may result in criminal prosecution and/or disciplinary action.

All managers are responsible for:

  • Determining if their programme holds personal data and sensitive personal data, and ensuring that the data is adequately secure, that access is controlled and that the data is only used for the intended purpose(s);
  • Providing clear messaging to those in their teams about data protection requirements and measures;
  • Ensuring personal and sensitive personal data is only held for the purpose intended;
  • Ensuring personal and sensitive personal data is not communicated or shared for non-authorised purposes; and
  • Ensuring personal and sensitive personal data is encrypted when transmitted, or that appropriate security measures are taken to protect it in transit or storage.

Data Protection Officer / Executive Team members’ responsibilities include:

  • Ensuring compliance with the legislative principles;
  • Ensuring employees and volunteers receive a copy of relevant policies, understand their responsibilities and receive training as necessary;
  • Ensuring notification of the processing of personal data and sensitive personal data to the Information Commissioner is up to date;
  • Providing guidance and advice to employees in relation to compliance with legislative requirements;
  • Auditing data protection arrangements annually;
  • Reporting on any breaches of data protection legislation;
  • Reviewing the document retention schedule to ensure documents are kept for no longer than is necessary and then destroyed.

Executive Team members have overall responsibility for data protection within Learning Partnerships and for ensuring compliance with the DPA and GDPR.

The Information Commissioner’s Office (ICO) is responsible for overseeing compliance, e.g. investigating complaints, issuing codes of practice and guidance, and maintaining a register of data protection officers. Any failure to comply with the DPA may lead to investigation by the ICO, which could result in serious financial or other consequences for Learning Partnerships.

  7. Breach of Policy

In the event that an employee fails to comply with this policy, the matter may be considered as misconduct and dealt with in accordance with the Learning Partnerships Disciplinary Policy and procedure.

Dealing with a Data Breach

If a data breach is suspected, the person who identified the breach should immediately:

  • Notify the relevant department manager; and
  • Notify the Data Protection Officer / Executive Team member.

Following notification of a breach, the Data Protection Officer will take the following actions as a matter of urgency:

  • Assess the risks associated with the breach;
  • Inform the appropriate people and organisations that the breach has occurred;
  • Notify the service user/employee/volunteer if their data has been breached;
  • Review our response and update our information security.