Data Protection Policy
This policy describes how personal data is collected, handled and stored to meet IAAT data protection standards and to comply with the law.
The Data Protection Act 1998 applies to every business that collects, stores and uses personal data relating to customers, staff or other individuals.
1.1 The policy applies to:
- Head office and all branches of IAAT
- All employees and/or volunteers of IAAT
- All sub-contractors, suppliers, Instructors, Assessors, and other people working (paid or unpaid) on behalf of IAAT
1.2 It applies to all data that the company collects and holds relating to all individuals and/or customers, including:
- Postal addresses
- Email addresses
- Telephone numbers
- IP addresses, cookies, electronic data
- Plus any other information relating to individuals, learners and/or customers.
IAAT needs to gather and use certain information from customers, suppliers, businesses, employers, instructors and other people the company has a relationship with or may need to contact. Everyone who works for or with IAAT has some responsibility for ensuring data is collected, stored and handled appropriately.
2.1 Jaqui Supple, data protection manager, is responsible for:
- Awareness of data protection responsibilities, risks and issues
- Reviewing all data protection procedures and related policies, in line with schedule
- Arranging data protection training and advice for employees
- Handling data protection questions and dealing with customer requests
- Checking for sensitive data in any contracts or agreements with third parties
- Ensuring all systems, services and equipment meet acceptable security standards
- Ensuring safe and secure storage of training or assessment materials
- Ensuring achievement data is retained for the purposes of reporting to the regulatory authorities as required
- Performing regular hardware and software checks and scans
- Evaluating any third-party services for the purpose of storing or processing data
- Approving any data protection statements attached to e-mails, letters and other communications
- Providing guidance to use the BCC box when sending emails to groups unless absolutely certain that permission was given for individual details to be made available to others
- Ensuring marketing initiatives comply with the data protection principles
- Ensuring forms have appropriate data protection notifications on them
3. DATA PROTECTION AND THE LAW
The Data Protection Act 1998 describes how organisations including IAAT must collect, handle and store personal data. These rules apply regardless of whether data is stored electronically, on paper or on other materials.
IAAT is working to the requirements of the new General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
“Personal data” is defined in both the Directive and the GDPR as any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
IAAT makes no distinction between personal data about individuals in their private, public or work roles – the person is the person. Online identifiers including IP address, cookies and so forth are also regarded as personal data if they can be (or are capable of being) without undue effort linked back to the data subject.
“Personal Data Breach” is defined in the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, transmitted, stored or otherwise processed”. Data breaches will be reported to the Information Commissioner’s Office (ICO) within 72 hours.
IAAT only collects personal data for specified purposes, and does not use it for other ‘incompatible’ purposes. Example: individuals’ details are not used for marketing purposes if they were originally collected for an entirely different purpose.
IAAT is registered with the Information Commissioner’s Office (ICO) to process personal data. As a registered body, we determine the purposes for which, and the manner in which, personal data is to be processed.
The Scottish Information Commissioner and the UK Information Commissioner’s Office (ICO) have separate roles and responsibilities. The Scottish Information Commissioner is responsible for the freedom of information compliance of all public authorities in Scotland, while the ICO is responsible for public authorities in England, Wales, and Northern Ireland, and for any agencies operating in both Scotland and another part of the UK. The ICO also covers Data Protection rights (personal information) for the whole of the UK, including Scotland.
The Data Protection Act 1998 is underpinned by eight important principles. IAAT regards the lawful and correct treatment of personal information as very important and therefore ensures that personal information is handled in accordance with the principles of the Act.
3.1 The principles say that personal data must:
- Be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
- Be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- Be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- Be accurate and, where necessary, kept up to date
- Not be kept for longer than is necessary for that purpose or those purposes
- Be processed in accordance with the rights of data subjects under the Act
- Be protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data
- Not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
4. GENERAL GUIDELINES
4.1 IAAT will, through appropriate management and strict application of controls, ensure that:
- Confidential information is not shared informally
- Personal data is not disclosed to unauthorised people
- Appropriate information is collected and processed, only to the extent that is needed
- Employees keep all data secure and make it available only to those who need it
- Strong passwords are used and regularly changed
- Appropriate security measures are in place to safeguard personal data
- Data is regularly reviewed, updated and archived in line with guidance and schedules
- When working with personal data, employees ensure screens of their computers are always locked when left unattended
- Information held is of good quality, ensuring accuracy of data
- ICT systems will be designed, where possible, to encourage and facilitate the entry of accurate data
- Training and assessment materials are kept on secure internal systems that are password protected. Printed assessment materials are locked in secure areas and only available to those intended
- Data is not transferred outside of the European area without suitable safeguards
- Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice
- Everyone managing and handling personal information is appropriately trained
- Everyone managing and handling personal information is appropriately supervised
- Anybody wanting to make enquiries about personal information knows the process
- Enquiries are promptly and courteously dealt with
- The rights of people about whom information is held can be fully exercised under the Act
- Methods of handling personal information are clearly described
- Methods of handling personal information are regularly reviewed, assessed and evaluated
- Data protection risks are monitored through IAAT risk register
- Any breach of the rules and procedures identified in this policy is a potential breach of the Code of Conduct and may lead to disciplinary action.
5. DATA STORAGE
5.1 EMT will ensure:
- Paper, CD and DVD files are kept in a locked drawer when not required
- Printouts are not left where unauthorised people could see them
- Data printouts are shredded and disposed of securely when no longer required
- Electronic data is protected from unauthorised access and accidental deletion
- Passwords are changed regularly
- Data is backed up regularly
- Servers and computers are protected by approved security software
- Data is held in as few places as necessary
- Every effort is made to ensure that data held is accurate and kept up to date
- Data that is collected is regularly reviewed and databases are cleansed
- Data is archived regularly.
6. DATA SHARING
All documents created by IAAT are checked for accessibility and compatibility prior to public sharing; documents are also inspected for sensitive and personal data within:
- Comments, revisions, version, annotations
- Document properties and personal information
- Custom XML data
- Invisible content
- Hidden text.
7. PRIVACY STATEMENT
IAAT is committed to protecting the privacy and confidentiality of information provided by ‘users’ who access our website.
In order for ‘users’ to use some of our online services and for us to respond to enquiries, we need to collect and process various personal data. Users may be asked to complete online forms that request name, address, e-mail address and telephone number. The personal data we collect is used to process your request for our services.
By submitting personal information, individuals consent to EMT processing personal information in accordance with our data protection policy. All information provided will be treated as confidential and will only be used for the purpose intended. Anyone can contact EMT to correct or update personal information in our records.
8. REQUEST FOR DATA
An individual is entitled to be given a description of the data being processed or held about them and to be provided with the information constituting personal data and the source.
8.1 EMT will supply information where:
- A request in writing has been made
- A fee not exceeding £10 is received (no VAT applied)
- We are satisfied as to the identity of the applicant
- We are able to locate the requisite data.
Where these criteria have been met we will comply within 20 working days. Where complying with the request would lead to disclosing data about another identifiable person we are not able to comply unless the other individual has consented or it is reasonable to comply without consent.
Where EMT has previously complied with a request, subsequent or similar requests for data will not be supplied unless a ‘reasonable interval’ has elapsed. As a non-public body, IAAT is not covered by the Freedom of Information Act.
9. ARCHIVING AND RETENTION
EMT has an obligation, in line with the data protection policy, to implement and preserve good archiving procedures and processes. Archival records can be in any format; they may exist electronically or as paper versions.
9.1 Files are summarised as:
- Operational files – that are in use daily
- Reference files – that are not in use daily, but are used for reference
- Inactive files – that are no longer active
- Removed files – that are removed after a period of inactivity
- Preserved files – that are preserved permanently or for a specified length of time.
9.2 EMT aims to ensure:
- All records that are kept as archives will be included in a records retention log
- All records that are kept as archives will have a review date
- The length of their retention will be appropriate to the record – normally 3 years for training / assessment documents and normally 7 years for financial records
- BSI recommendations for the keeping of archival records are adhered to as far as possible
- Individual staff members are responsible for the management of archival records in their areas of work.
9.3 Email archive and retention
- Messages will move to the online archive 18 months from the original send/receive date
- Messages will be deleted from the online archive 5 years from the original send/receive date
- Exceptions: Items in ‘Deleted Items’, ‘RSS Feeds’, and ‘Sync Issues’ folders will be deleted after 90 days.
- Electronic archive folders will be backed up regularly to ensure that they do not get lost.
10. ACCESS TO DATA
- EMT will provide the Regulators, within a reasonable notice period (usually 7 days), access to premises, people and records as required, and fully co-operate with their monitoring activities, including those requested by Lantra.
11. Laptop/Home-Working Guidance / Personal Equipment Use
- Use the laptop as a dial-in facility where possible to minimise the information and work stored on the hard drive of the laptop
- Do not put personal data on a laptop
- Do not send reports or information to home computers via the internet unless you are using a secure connection
- Do not download reports or information onto removable storage devices to take work home
- Do not take data relating to contacts out of the office. This includes internal and external contacts; hardcopy and softcopy files must not be kept at home. Information must not be kept on company mobile phones.
- If data relating to contacts is held/stored outside of the office environment then all personnel must take appropriate security measures to safeguard personal information.
- If personal details relating to contacts are held/stored on equipment that does not belong to IAAT (this includes information as basic as a name, phone number or address), it is up to the member of staff to ensure that nobody else has access to that information (including family members). All equipment should be password protected.
This policy is reviewed regularly and updated annually or as and when required.