Data Protection, Storage and Retention Policy
JC Training & Consultancy Limited collects, and uses information about people with whom it communicates. This personal information is dealt with properly and securely however it is collected, recorded and used.
JC Training & Consultancy regards the lawful and correct treatment of personal information as very important to the successful and efficient performance of its functions, and to maintain confidence between those with whom it deals. To this end JC Training & Consultancy fully endorses and adheres to the Principles of Data Protection, as set out in the Data Protection Act 1998.
Purpose: The purpose of this policy is to ensure that the employees are clear about the principles of Data Protection, and to ensure the guidelines, and procedures in place, are consistently followed. Failure to adhere to the Data Protection Act 1998 is unlawful and could result in legal action being taken against JC Training & Consultancy and/or its employees.
Principles: The Data Protection Act 1998 regulates the processing of information relating to living and identifiable individuals. This includes the obtaining, holding, using or disclosing of such information, and covers computer records, as well as manual filing systems. Data users must comply with the data protection principles of good practice, which underpin the Act. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this JC Training & Consultancy follows the eight Data Protection Principles outlined in the Data Protection Act 1998, which are summarised below:
- Personal data will be processed fairly and lawfully
- Data will only be collected and used for specified purposes
- Data will be adequate, relevant and not excessive
- Data will be accurate and up to date
- Data will not be held any longer than necessary
- Data subject’s rights will be respected
- Data will be kept safe from unauthorised access, accidental loss or damage
- Data will not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data. The principles apply to ‘personal data’ which is information held on computer or in manual filing systems from which they are identifiable.
JC Training & Consultancy employees who process, or use any personal information in the course of their duties will ensure that these principles are JC TRAINING & CONSULTANCY Data Protection Policy Version 1 April 2016.
Procedures: The following procedures have been developed in order to ensure that JC Training & Consultancy meets its responsibilities. For the purposes of these procedures; data collected, stored and used by JC Training & Consultancy falls into 2 broad categories:
- Organisation Name’s internal data records; Staff, volunteers and learners
- Organisation Name’s external data records; Customers and clients.
Purposes: JC Training & Consultancy obtains personal data (names, addresses, phone numbers, email addresses), application forms, and references and in some cases other documents. This data is stored and processed for the following purposes:
- Recruitment (Internal and External)
- Equal & Diversity monitoring
- To distribute relevant organisational material e.g. meeting papers
Payroll Access: Contact details will only made available to another staff. Any other information supplied on application will be kept in a secure filing cabinet and is not accessed during the day to day running of the organisation. Contact details of staff will not be passed on to anyone outside the organisation without their explicit consent. A copy of staff emergency contact details will be kept in the Emergency File for Health and Safety purposes, to be used in emergency situations only. Staff will be supplied with a copy of their personal data held by the organisation if a request is made. The addressee only will open all confidential post. JC TRAINING & CONSULTANCY Data Protection Policy Version 1 April 2016. JC Training & Consultancy will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for 6 years after an employee has worked for the organisation. Unless the organisation is specifically asked by an individual to destroy their details, it will normally keep them on file for future reference. The Managing Director has responsibility for destroying personnel files and is the lead DPO – Jennifer Crook, Managing Director.
Storage: Personal data is kept in a password-protected computer system. Every effort is made to ensure that paper-based data are stored in organised and secure systems. JC Training & Consultancy operates a clear desk policy at all times. Use of Photographs: Where practicable, JC Training & Consultancy will seek consent from individuals before displaying photographs in which they appear. If this is not possible (for example, a large group photo), the organisation will remove any photograph if a complaint is received. This policy also applies to photographs published on the organisations website, Facebook or Twitter. External data records
Purposes: JC Training & Consultancy obtains personal data (such as names, addresses, and phone numbers) from clients. This data is obtained, stored and processed solely to assist staff in the efficient running of services. Personal details supplied are only used to send material that is potentially useful. Most of this information is stored on the organisation’s database. JC Training & Consultancy obtains personal data and information from clients in order to provide services. This data is stored and processed only for the purposes outlined in the agreement and service specification signed by the client. JC TRAINING & CONSULTANCY Data Protection Policy Version 1 April 2016.
Consent: Personal data is collected over the phone, and using other methods such as email. During this initial contact, the data owner is given an explanation of how this information will be used. Written consent is requested as it is assumed that the consent has been granted when an individual freely gives his or her own details. Personal data will not be passed on to anyone outside the organisation without explicit consent from the data owner unless there is a legal duty of disclosure under other legislation, in which case the managing director will discuss, and agree disclosure with the board of directors. Contact details held on the organisation’s database might be made available to groups/individuals outside of the organisation. Individuals are made aware of when their details are being collected for the database, and their verbal or written consent is requested.
The information collected for learners & stored within our internal Quality Assurance Database includes:
- Date of Birth
- National Insurance
- Unique Learner Number
- Contact Details
This information is captured at induction and enrolment and is explained to the individual to allow streamlined and effective delivery of on course programs along with analysis made for meeting learner requirements on an individual basis. The information in 1-8 is only shared with practitioners for delivery model use only and access to full data is restricted.
Information stored within the Quality Assurance Database is used for recording purposes required by our prime funding partners in reference to ESFA rules and regulations in learner data capture during the induction process.
Access: Only the organisation’s staff will normally have access to personal data. All staff are made aware of the Data Protection Policy and their obligation not to disclose personal data to anyone who is not authorised. Information supplied is kept in a secure electronic system and is only accessed by those individuals involved in the delivery of the service. Information will not be passed on to anyone outside the organisation without his or her explicit consent, excluding statutory bodies e.g. the Inland Revenue. Individuals will be supplied with a copy of any of their personal data held by the organisation if a request is made.
Accuracy: JC Training & Consultancy will take reasonable steps to keep personal data up to date and accurate. Personal data will be stored for as long as the data owner/client uses our services and normally longer. Where an individual cease to use our services and it is not deemed appropriate to keep their records, their records will be destroyed. However, unless we are specifically asked by an individual to destroy their details, we will normally keep them on file for future reference. If a request is received from an organisation/individual to destroy their records, we will remove their details from the database and request that all staff holding paper or electronic details for the organisation destroy them. The managing Director will carry out this work. JC TRAINING & CONSULTANCY Data Protection Policy Version 1 April 2016. This procedure applies if JC Training & Consultancy is informed that an organisation cease to exist.
Storage: Personal data may be kept in paper-based systems and on a password-protected computer system. Paper-based data are stored in organised and secure systems.
Responsibilities of staff: During the course of their duties with JC Training & Consultancy, staff will be dealing with information such as names/addresses/phone numbers/email addresses of clients. They may be told, or overhear sensitive information while working for JC Training & Consultancy. The Data Protection Act (1988) gives specific guidance on how this information should be dealt with. In short to comply with the law, personal information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. Staff, paid or unpaid must abide by this policy. To help staff meet the terms of the Data Protection Act; a Data Protection/Confidentiality statement has been produced. Staff are asked to read and sign this statement, to say that they have understood their responsibilities as part of the induction programme. Compliance: Compliance with the Act is the responsibility of all staff, paid or unpaid. JC Training & Consultancy will regard any unlawful breach of any provision of the Act by any staff, paid or unpaid, as a serious matter which will result in disciplinary action. Any employee who breaches this policy statement will be dealt with under the disciplinary procedure, which may result in dismissal for gross misconduct. Any such breach could also lead to criminal prosecution. Any questions or concerns about the interpretation, or operation of this policy statement should in the first instance be referred to the line manager. Retention of Data: No documents will be stored for longer than is necessary. All documents containing personal data will be disposed of securely in accordance with the Data Protection principles
Request of Information:
Anyone requesting information that is held by JC Training & Consultancy relating to the information held of the learner/participant can be requested in writing and will be supplied within 1 month as stipulated in relation to the GDPR regulations.
Removal of Information:
Information will be removed and deleted if expressed by the learner/participant/employer in relation to out of date information and completed programs after a retained period of time or at the request made in writing.
Retention of Data:
JC Training and Consultancy will keep some forms of information for longer than others. Information should not be kept indefinitely, unless there are specific requirements. In line with principle 5 of the data protection act information should not be kept longer than is necessary. Specific requirements from funders and ESF require documents until 2030 to include but no exclusively:
- All learner paperwork in line development, pre- application, application and during and after the project;
- quarterly or monthly claim forms
All electronic documents must be kept for the same duration as required for paper copies.
When data is no longer required it should be appropriately destroyed
© Copyright JC Training & Consultancy