Data Protection Policy
All personal information must be dealt with properly to ensure compliance with data protection legislation – the European General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA2018) which implements the GDPR in the UK. The Act and the Freedom of Information Act 2000 are overseen and enforced by the Information Commissioner's Office (ICO), which is an independent public body responsible directly to Parliament.
E-Training World Ltd, as a data controller, will be open and transparent when processing and using personal information by following the 8 Principles as set out in the Act:
Principle 1: Personal data shall be obtained and processed fairly and lawfully.
Principle 2: Personal data shall be obtained only for the specified and lawful purposes and shall be processed for limited purposes.
Principle 3: Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is obtained.
Principle 4: Personal data shall be accurate and kept up to date.
Principle 5: Personal data shall not be kept for longer than necessary.
Principle 6: Personal data shall be processed in accordance with the rights of the data subject under the Data Protection Act 1998.
Principle 7: Personal data (manual and electronic) must be kept secure.
Principle 8: Personal data shall not be transferred outside the European Union unless that country provides adequate levels of protection for the rights of the data subject.
Scope of Policy
This policy applies to all employees at E-Training World. For the purposes of this policy, the term “Staff” means all members of E-Training World staff including permanent, fixed term, and temporary staff, governors, any third party representatives, agency workers, volunteers, interns, agents and sponsors engaged with E-Training World in the UK or overseas. This policy also applies to all members of staff employed by any of E-Training World's subsidiary companies.
All contractors and agents acting for or on behalf of E-Training World should be made aware of this policy.
The Company Secretary is responsible for the operation of this policy.
This policy applies to all personal and sensitive personal data processed and stored in electronic and manual (paper-based) files. It aims to protect and promote the rights of individuals (“Data Subjects”) and the Company.
“Personal Data” Any information which relates to a living individual who can be or may be identified from that information, for example: (i) A person’s name and address (postal and email) (ii) Date of birth (iii) Statement of fact (iv) Any expression or opinion communicated about an individual (v) Minutes of meetings, reports (vi) Emails, file notes, handwritten notes, sticky notes (vii) CCTV footage if an individual can be identified by the footage (viii) Employment and student applications (ix) Spreadsheets and/or databases with any list of people set up by code or student/staff number (x) Employment or education history
“Sensitive Personal Data” Any information relating to an individual’s: (i) Ethnicity (ii) Gender (iii) Religious or other beliefs (iv) Political opinions (v) Membership of a trade union (vi) Sexual orientation (vii) Medical history (viii) Offences committed or alleged to have been committed by that individual
“Data Subject” Any living individual who is the subject of personal data whether in a personal or business capacity
Manual records are paper based and structured, accessible and form part of a relevant filing system (filed by subject, reference, dividers or content), where individuals can be identified and personal data easily accessed without the need to trawl through a file.
The Company recognises and understands that failure to comply with the requirements of the Act may result in: Criminal and civil action; Fines and damages; Personal accountability and liability; Suspension/withdrawal of the right to process personal data by the Information Commissioner's Office (ICO); Loss of confidence in the integrity of the Company’s systems and procedures; Irreparable damage to E-Training World’s reputation.
Where staff do not comply with this policy, the Company may also consider taking action in accordance with the Company’s established Disciplinary Procedure.
Staff will not gain access to information that is not necessary to hold, know or process. All information which is held will be relevant and accurate for the purpose for which it is required. The information will not be kept for longer than is necessary and will be kept secure at all times.
Staff will ensure that all personal or sensitive personal information is anonymised as part of any evaluation of assets and liability assessments except as required by law.
Staff who manage and process personal or sensitive personal information will ensure that it is kept secure and where necessary confidential. Sensitive personal information will only be processed in line with the provisions set out in this policy.
Staff are responsible for notifying their line manager or the Data Protection and Freedom of Information Manager if they believe or suspect that a conflict with this policy has occurred, or may occur in the future. This includes notification of any actual or suspected data breach.
E-Training World (Data Controller) Obligations
The Company will follow the Code of Practice issued by the ICO when developing policies and procedures in relation to data protection.
The Company will ensure that Data Processing and/or Sharing Agreements are applied to all contracts and management agreements where the Company is the data controller contracting out services and processing of personal data to third parties (data processors). The Company will ensure this agreement clearly outlines the roles and responsibilities of both the data controller and the data processor.
The Company will adhere to and follow the 8 principles of data protection and the Privacy & Electronic Communications (PEC) Regulations when conducting surveys, marketing activities etc and where the Company collects, processes, stores and records personal data.
The Company will not transfer or share personal information with countries outside of the European Economic Area (EEA) unless that country has a recognised adequate level of protection in place in line with the recommendations outlined in the Act.
E-Training World will ensure all staff are provided with data protection training and promote the awareness of the company’s data protection and information security policies, procedures and processes.
Data Subjects' Rights
The Company acknowledges individuals' (data subjects') rights under the Act to access any personal data held on our systems and in our files upon their request, or to delete and/or correct this information if it is proven to be inaccurate, excessive or out of date.
The Company recognises that individuals have the right to make a request in writing and, upon payment of a fee, obtain a copy of their personal information, if held on our systems and files.
The Company recognises that individuals have the right to prevent data processing where it is causing them damage or distress, or to opt out of automated decision making and stop direct marketing.
The Company will only share information in accordance with the provisions set out in the Act and, where applicable, the Company will inform individuals of the identity of third parties with whom we may share information, or to whom we may disclose or be required to pass it on, whilst accounting for any exemptions which may apply under the Act. Individuals can access their personal data via a ‘Subject Access Request’ (SAR).
Individuals who wish to make a complaint relating to breaches of the Data Protection Act 1998 and/or complaints that an individual’s personal information is not being processed in line with this policy may do so in writing to the: Data Protection & Freedom of Information Manager, E-Training World Limited, 48 Highland Road, Chichester, West Sussex, PO19 5QT or by emailing: email@example.com
VERSION: 1 AUTHOR/ OWNER:
V3: 22.06.2021 Approved By: V.3 Board of Directors