Data Protection Policy
1. Aim
This policy covers all operating areas of Elite Training and Consultancy. Compliance with the arrangements detailed within this policy and its supporting procedures is mandatory for all personnel within the organisation.
Accessing, processing, disclosing or otherwise using personal data without authority, or in contravention of the requirements of the Data Protection Act 1998, the Data Protection Act 2018 or the General Data Protection Regulation (GDPR), will result in disciplinary action as per company procedure and may constitute a criminal offence.
2. Background
The Data Protection Act 1998 came into force on 1 March 2000. It gave effect in UK law to the 1995 EC Data Protection Directive and strengthened and extended the data protection regime created by the Data Protection Act 1984, which it replaced. The 1998 Act was itself repealed and replaced by the Data Protection Act 2018 on 25 May 2018, the date the GDPR took effect; the 2018 Act supplements the GDPR in UK law. The 1998 Act applied, and the GDPR and the 2018 Act continue to apply, to:
• computerised personal data
• personal data held in structured manual files
It applies to all processing of personal data, including collection, use, disclosure, destruction or merely holding data.
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. Under it, regulators can impose fines on businesses that are not compliant, and individuals have much greater control over the way their own information is collected, stored and used by us. Specifically, individuals have:
• the right to be informed that we are processing their data
• the right to access this information
• the right to have the information corrected
• the right to restrict the processing
• the right to data portability
• the right to object to having their information processed
• rights in relation to automated decision making and profiling
3. Our Commitment
Elite Training and Consultancy will implement and monitor systems and processes to ensure that all activities resulting in the collection, processing, maintenance, communication and evaluation of personal data observe and comply with the Data Protection Act 1998, the Data Protection Act 2018 and the General Data Protection Regulation, and in doing so uphold individual rights.
It is Elite Training and Consultancy’s intent to ensure that
• Personal data shall be processed lawfully, fairly and transparently and, in particular, shall not be processed unless the data subject has given consent to the processing or another lawful basis applies (for example, the processing is necessary for the performance of a contract with the data subject, for compliance with a legal obligation, or for the legitimate interests of Elite Training and Consultancy).
• Sensitive personal data (special category data under the GDPR) shall not be processed unless the data subject has given explicit consent to the processing or one of the other conditions in Schedule 3 of the Data Protection Act 1998 / Article 9 of the GDPR applies.
• Personal Data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
• Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
• Personal data shall be accurate and where necessary kept up to date.
• Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Personal data shall be processed in accordance with the rights of data subjects as specified in the Act and the GDPR.
• Appropriate technical and organisational measures shall be taken to safeguard against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.
• Personal data may be transferred to a country or territory outside the European Economic Area only where a lawful transfer mechanism under the GDPR is in place (an adequacy decision covering the destination, or appropriate safeguards such as standard contractual clauses) and the requirements for lawful processing are otherwise met. The EU-US Privacy Shield can no longer be relied on for such transfers, having been invalidated by the Court of Justice of the European Union in July 2020. We encrypt all personal data in transit and at rest.
4. Individual Rights
In upholding Elite Training and Consultancy's responsibility to the principles of the Data Protection Act 1998, the Data Protection Act 2018 and the General Data Protection Regulation, Elite Training and Consultancy shall implement policies and procedures to ensure that the following rights of individuals are maintained.
• The right of subject access to the personal data held about them, whether electronic or hard copy, on receipt of a request (which under the GDPR need not be made in writing). No fee is charged unless a request is manifestly unfounded or excessive, or repeats a previous request, in which case a reasonable fee may be charged. All requests shall be dealt with promptly and in any event within one calendar month of receipt; where a request is complex or numerous, this may be extended by a further two months, provided the individual is informed of the extension within the first month.
• The right to have information amended or corrected
• The right of an individual to receive their personal data in a structured, commonly used and machine-readable format and to have it transmitted to another controller (data portability)
• The right of an individual to have information about them erased from Elite Training and Consultancy systems, where no overriding legal ground for retaining it applies
• The right to prevent processing likely to cause unwarranted and substantial damage or distress
• The right to prevent processing for the purpose of direct marketing
• Rights in relation to automated processing
• Rights to compensation
• Rights to rectification, blocking, erasure or destruction
• The right to request an assessment
Elite Training and Consultancy reserves the right to withhold access to records, or parts of records, which contain information relating to an identifiable individual other than the requester, unless that other individual has consented to the disclosure or it is reasonable to comply with the request without such consent.
5. Specific Arrangements
5.1 Notification
Responsibility shall be allocated to an individual for ensuring that company registration with the Information Commissioner’s Office is valid and that the details in any register entry relating to the processing of employee records are correct and current.
5.2 Awareness
Training shall be provided to all employees within the corporate induction process, which as a minimum shall cover the principles of Data Protection, company policy and procedure, individual responsibilities and potential liabilities.
5.3 Collection of Information
All requests and requirements for the provision of information containing personal data, as specified under the Act and the GDPR, regardless of origin or medium of communication, shall be supported by a clear and comprehensible statement (a privacy notice) of the recipients, the purpose and the processing intended.
5.4 Authorisation
Processing of personal or sensitive data as defined under the Data Protection Act and the General Data Protection Regulation shall not be undertaken unless a lawful basis has been identified and recorded, consistent with section 3. Where consent is the basis relied on, it shall be explicit, freely given, specific and informed, and the data subject may withdraw it at any time.
5.5 Maintenance/Security and Retention of Records
Elite Training and Consultancy shall institute systems and standards to ensure:
• Records are retained only for as long as is necessary to meet operating, contractual and statutory requirements.
• All information retained is current and appropriate.
• Requests from the data subject for rectification, blocking, erasure or destruction of information are responded to within a maximum of ten days.
• All manual records containing personal data are maintained securely, with authorisation for access clearly defined and communicated.
• Access to all records containing personal data held electronically is restricted, by means of access controls and passwords, to personnel authorised by the Director.
• Destruction or deletion of records containing personal data is undertaken in a controlled manner by authorised personnel only.
• The maintenance, control and accessing of records containing personal data is monitored on a regular basis.
5.6 Data Processors / Third Parties (Pension Schemes / Health Schemes / Insurance Schemes / Contractual Partners)
Elite Training and Consultancy shall ensure that:
• Information provided to a third party on behalf of the data subject is limited to the minimum necessary to meet obligations, and any such information exchange is subject to the explicit consent of the data subject.
• Information collected on behalf of third parties shall not be accessed without the explicit consent of the data subject.
• Where explicit consent is granted, records of processing shall be made available within seven days of request.
• Assessment materials disseminated to third parties are securely stored on approved, managed cloud storage platforms, where access is limited to verified accounts for the candidate/learner and for the Elite staff members directly involved in delivery.
• Assessment materials gathered from third parties are securely stored on approved, managed cloud storage platforms, where access is limited to verified accounts for the candidate/learner and for the Elite staff members directly involved in assessment and internal verification.
• All assessment materials gathered outside the approved platform (on local devices or in individual accounts) are deleted from those devices and/or accounts on confirmation of successful transfer to the approved, managed cloud storage platform.
5.7 International Transfers
Information containing personal data may be transferred out of the European Economic Area, subject to the conditions in section 3: a lawful transfer mechanism under the GDPR must be in place before any such transfer is made.
Where a client requests, under an SLA in place, specific personnel information that is relevant and appropriate to the effective management of personnel, Elite Training and Consultancy reserves the right to provide it on the basis of that contractual relationship rather than on the basis of consent. The GDPR does not recognise implied consent, so such provision is not treated as consent-based processing; the data subject is informed of it in the privacy notice.
5.8 Disclosure
Disclosure of information pertaining to learners or clients shall be undertaken only in circumstances as detailed in the learner/client information disclosure policy by specified individuals to specified parties and only with the consent of the data subject.
Disclosure of information pertaining to employees shall be undertaken only in circumstances as detailed in the employee information disclosure policy by specified individuals to specified parties and only with the consent of the data subject.
Any employee receiving an unsolicited request for information about any employee, learner or client shall refer the enquiry to Senior Management.
5.9 Data Loss Prevention & Monitoring
• The Global Administrator is responsible for real-time monitoring of electronic communication tools, using DLP rules, to protect sensitive information in all digital storage repositories and digital communication tools.
• DLP tools are configured for compliance with legislation in all regions in which data is held and processed; the Global Administrator is responsible for reviewing and reconfiguring DLP rules before new legislation comes into force.
• The Global Administrator is responsible for reporting to the Director all actual and attempted breaches, following a DLP notification or at the specific request of a Senior Manager. Where there is sufficient evidence of abuse of such communication tools by an individual, in contravention of Elite Training and Consultancy's electronic communication policy, this will trigger internal disciplinary procedures and potentially legal action.
• Actual instances of data loss involving personal data covered by the GDPR are reported to the ICO without undue delay and, where feasible, within 72 hours of Elite Training and Consultancy becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; affected SLA clients are notified within 24 hours.
• The Global Administrator is responsible for ensuring that all managed devices are up to date, secure and have live protection against malicious software; mobile devices are encrypted and tracked, and local administrator accounts are restricted.
5.10 Visual Monitoring
• Recordings from CCTV and webcam monitoring shall only be reviewed for the purpose of protecting Elite Training and Consultancy's employees, learners, partners, clients, premises and/or property.
• The use and purpose of such technology is clearly communicated, including any provision for ongoing monitoring.
• Recorded data is automatically deleted after six months, except where it is required as evidence to support the purpose for which the surveillance was intended.
• CCTV and the security-token access-controlled entrances at the front and rear of the building are tested daily and serviced annually by authorised engineers. The alarm system is tested weekly by authorised engineers.
• The reception area is staffed during working hours and locked when unstaffed; visitors must report to reception to be signed in and must be escorted by a member of staff to their designated meeting or training room.
5.11 Reporting Loss of Information
All employees are responsible for maintaining the security of information. Where an employee becomes aware of the loss of information, this must be reported immediately to their line manager or to any member of the senior management team.
5.12 Complaints/Grievance
Any employee with a specific complaint and/or grievance relating to any aspect of company policy, procedure or process should seek redress through Elite Training and Consultancy's grievance and/or complaints procedures.
This policy, and any procedures that ensure data protection compliance, shall be reviewed at least once annually, or sooner in line with legislative changes or internal evaluation of audit findings.
6. Reference Procedures and Documentation
Maintenance and Control of Information