The Term… | Will hereinafter refer to… |
---|---|
Directors | The directors of PAAH. |
Company Directors | The directors of PAAH Funded Organisations |
Centres | All PAAH Funded Organisations |
Personnel | Any personnel employed by PAAH and/or the Subcontractors and partner organisations that are responsible for the delivery or support of PAAH Funded Learners. |
Partner Organisations | Employers and work placement providers of PAAH Funded Learners. |
PAAH is committed to ensuring that all organisations delivering training, learning and assessment funded by PAAH safeguard the personal information and details of all its learners, employers, staff and other customers. This Policy has been produced to meet the statutory requirements of current legislation. It will provide a uniform approach to data protection and freedom of information.
This policy will provide a model set of guidelines for learners, staff, parents, employers and other customers of PAAH, or any of its funded organisations to fully appreciate…
The law regarding personal data
How personal data should be processed, stored, archived and deleted/destroyed
How learners, employers, parents or other customers can access their personal data.
In addition, there is brief guidance at the end of the policy on Freedom of Information which covers information held by centres.
The objective of the policy is to ensure that PAAH and its funded organisations act within the requirements of the General Data Protection Regulation when retaining and storing personal data, and when making it available to individuals, and that the process of responding to enquiries for other information is also compliant with the GDPR.
The GDPR controls how personal information should be used by organisations, businesses or the government. Everyone who is responsible for using data has to follow strict rules called ‘data protection principles’. They will make sure the information is…
used fairly and lawfully
used for limited, specifically stated purposes
used in a way that is adequate, relevant and not excessive
accurate
kept for no longer than is absolutely necessary
handled according to people’s data protection rights
kept safe and secure
not transferred outside the UK without adequate protection
There is stronger legal protection for more sensitive information, such as:
ethnic background
political opinions
religious beliefs
health
sexual health
criminal records
The Data Protection Act gives an individual the right to find out what information PAAH and its funded organisations store about them.
Under the GDPR access to their own personal information is a statutory right for:
Learners (if they are of an age to understand the information they request) and parents (as defined in the Education Act 1996) may also request access to their learner’s personal data.
Personnel employed by PAAH Funded Organisations
Customers or clients accessing services or products being delivered by the training organisation.
Employers working in partnership with the centres.
Anyone has the right to question and correct inaccurate personal information, but this will be a matter of fact, not opinion. Personal data should always be kept securely and protected by passwords if it is electronic, and access to it should only be by those authorised to see it – confidentiality should be respected. The law also provides that personal data should not be kept longer than is required. Third party data (information about someone other than the requesting individual) should in general only be provided with their permission. There should be a named person with overall responsibility for personal data within each organisation. In most cases, this would be the Managing Director.
GDPR – for further information see the links below…
For a quick summary….
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
The Freedom of Information Act gives the public the right to ask any public sector organisation for all the recorded information they have on any subject. Anyone can make a request for information – there are no restrictions on your age, nationality or where you live. If you ask for information about yourself, then your request will be handled under the Data Protection Act.
For a quick summary….
https://www.gov.uk/make-a-freedom-of-information-request/the-freedom-of-information-act
For the full act….
http://www.legislation.gov.uk/ukpga/2000/36/contents
Responsibility for the detailed implementation of this policy rests with the Directors of PAAH.
Directors of PAAH funded organisations have the prime responsibility to ensure that data is appropriately protected within their companies and that any requests for information are dealt with in line with the nature of this policy and any legislation requirements.
All personnel within organisations funded by PAAH have a shared responsibility to protect information and data held by their organisation relating to personnel, learners or other customers. They will make information available to PAAH, E.S.F.A. (Education and Skills Funding Agency), Ofsted or other recognised organisations for quality and audit purposes.
Learners have the right to request access to their records in line with the nature of this policy. Learners have a responsibility to protect the data of employers, their customers (where appropriate) and visitors to the centre. This will be covered in their induction as appropriate to their training programme.
Employers have the right to request data pertaining to their employees, unless the data has been marked “confidential”. They can request access to their learner’s training and assessment records, reviews and learning agreements, along with attendance information.
All requests for personal information should be dealt with within 1 month of receipt except requests for educational records. All requests will be acknowledged in writing on receipt, and access to records will be arranged as soon as possible. If awaiting third party consents, the training organisation will arrange access to those documents already available, and notify the individual that other documents may be made available later.
For educational records access will be provided within 15 working days, and if copies are requested, these will be supplied within 15 working days of payment.
N/A
PAAH Directors are responsible for the production of this policy and therefore will sign the policy to demonstrate their agreement and understanding of the content.
PAAH funded organisations will sign to accept the content of the policy and register their agreement to comply. Organisations delivering training to PAAH funded learners will choose whether to fully adopt this policy for use with PAAH learners within their organisation, with any necessary approved addendum added to personalise as required. Alternatively, they will produce their own GDPR policy which will be in line with requirements of this policy and PAAH will approve it as suitable.
All personnel delivering or supporting PAAH funded learners will receive a copy of the PAAH GDPR Policy (this could be an electronic version through a VLE) along with a thorough training/briefing, during their induction to post by an appropriate person – arranged by the subcontractor. Further training needs will be assessed on a continued basis, at an annual appraisal. Personnel will be asked to sign a declaration to register their understanding and agreement with this policy.
All learners will receive a “user friendly” version of the PAAH Disciplinary Policy and/or their own subcontractor’s provider policy, during their induction, at the commencement of their training programme. They will be shown where full policies can be located or how to access through a VLE. They will be asked to sign a declaration to register their understanding and agreement with the ethos of the policy.
Employers involved in the recruitment and employment of learners, will receive a thorough training/briefing and a copy of the PAAH Disciplinary Policy or access to the document through a VLE. They will be asked to sign a declaration to register their understanding and agreement with the ethos of the policy.
Processing, storing, archiving and deleting personal data: guidance
PAAH requires funded organisations’ records and personal data about learners to be kept safe, secure and confidential. The information can be shared appropriately by the professionals working at the training organisations and with PAAH to ensure the provider makes the best educational provision for the learner. The law permits such information to be shared with other educational establishments should a learner move training providers.
Training records for a learner should be kept securely for seven years after the learner leaves the centre (the location of these records will be determined by the PAAH directors and each organisation). Should the centre not continue being funded through PAAH, all records should be handed over to a current director (or their representative) of PAAH. Where a learner is known to be ‘Match Funded’ by The ESF personal records must be kept for the specified period.
Data on personnel employed by the funded organisations is sensitive information and confidential to the individual, and is shared, where appropriate, at the discretion of the company director and with the knowledge, and if possible the agreement of the personnel member concerned.
Confidential staff records should be maintained by each funded organisation in line with legal requirements and are the responsibility of each organisation’s own director.
Highly confidential learner information should be marked as such and sealed. Access should be requested in writing to the appropriate director if it is deemed necessary by PAAH personnel.
Interview records, CVs and application forms for unsuccessful applicants should not be retained beyond 6 months.
All formal complaints made to a director or PAAH should be kept for at least seven years in confidential files, with any documents on the outcome of such complaints. Individuals concerned in such complaints may have access to such files subject to data protection and to legal professional privilege in the event of a court case.
PAAH recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.
Personal data an employer can keep about an employee
Employees’ personal data should be kept safe, secure and up to date by an employer. Data an employer can keep about an employee includes:
name
address
date of birth
sex
education and qualifications
work experience
National Insurance number
tax code
details of any known disability
emergency contact details
They will also keep details about an employee such as:
employment history with the organisation
employment terms and conditions (e.g. pay, hours of work, holidays, benefits, absence)
any accidents connected with work
any training taken
any disciplinary action
What an employer should tell an employee
An employee has a right to be told…
what records are kept and how they’re used
the confidentiality of the records
how these records can help with their training and development at work
If an employee asks to find out what data is kept on them, the employer will have 1 month to provide a copy of the information.
An employer shouldn’t keep data any longer than is necessary and they will follow the rules on data protection/governance.
PAAH requires learners to be able to request access to their own data. This request should not be charged for and does not have to be in writing. The funded organisation will judge whether the request is in the learner’s best interests, and that the learner will understand the information provided. They may also wish to consider whether the request has been made under coercion.
A parent / legal guardian of an under 18 year old learner can request access to or a copy of their son/daughter’s training records and other information held about the learner. The request must be made in writing. There should be no charge for such requests on behalf of the learner, but there may be a charge for photocopying records. Organisations should check, if such a request for information is made, that no other legal obstruction (for example, a court order limiting an individual’s exercise of parental responsibility) is in force.
The law requires that all requests for personal information are dealt with within 1 month of receipt except requests for educational records (see above). All requests will be acknowledged in writing on receipt, and access to records will be arranged as soon as possible. If awaiting third party consents, the training organisation will arrange access to those documents already available, and notify the individual that other documents may be made available later.
Parents should note that all rights under the GDPR to do with information about their son/daughter rest with the learner as soon as they are old enough to understand these rights.
For educational records (unlike other personal data; see below) access will be provided within 15 working days, and if copies are requested, these will be supplied within 15 school days of payment.
Personnel of a PAAH Funded Organisation should be able to request access to their own records at no charge, but the request must be made in writing. The member of staff has the right to see their own records, and to ask for copies of the records. There should be no charge for copies of records.
In all cases, should third party information (information about another individual) be included in the information, the staff will try to obtain permission to show this information to the applicant, with the exception of information provided by another member of training staff, which is exempt from a requirement for third party consents. If third party permission is not obtained, the person with overall responsibility should consider whether the information can still be released.
Personal data should always be of direct relevance to the person requesting the information. A document discussing more general concerns may not be defined as personal data.
From 1st January 2005, when the Freedom of Information Act came into force, a request for personal information can include unstructured as well as structured records – for example, letters, emails etc. not kept within an individual’s personal files, or filed by their name, but still directly relevant to them. If these would form part of a wider record it is advisable to file these within structured records as a matter of course and to avoid excessive administrative work. These can be requested if sufficient information is provided to identify them.
Anyone who requests to see their personal data has the right to question the accuracy of matters of fact within the data, and to ask to have inaccurate information deleted or changed. They may also question opinions, and their comments will be recorded, but opinions do not need to be deleted or changed as a part of this process.
The Centre will document all requests for personal information with details of who dealt with the request, what information was provided and when, and any outcomes (letter requesting changes etc.). This will enable staff to deal with a complaint if one is made in relation to the request.
Training organisations hold information on learners in order to run their educational systems and in doing so have to follow the GDPR. This means, among other things, that the data held about learners will only be used for specific purposes allowed by law; to include where the welfare of a child or young person is at risk through suspected abuse or terrorist acts (see PREVENT strategy guidance).
Learners, as data subjects, have certain rights under the GDPR, including a general right of access to personal data held on them, with parents exercising this right on their behalf if they are too young to do so themselves. If parents want to request to access the personal data held about their learner, they should contact the relevant organisation in writing:
– For further information on addresses and contact information refer to the PAAH website, provider contact information.
Under the Freedom of Information Act 2000, all training providers should have a ‘publication scheme’ – essentially a formal list of the types of non-personal information which the organisation produces or holds, and which is readily accessible to personnel, learners, employers and parents or other enquirers.
PAAH will provide a hard copy and also post on their website an overview of the information they hold relating to learners, staff and partners.
PAAH will link this document via their website to a list of publications with details of contacts and costs, and any appropriate downloads.
The named person with overall responsibility for published information is the Designated Data Officer.
The Freedom of Information Act came into force on 1st January 2005. Under this Act, all training providers which receive a written or emailed request for information which they hold or publish, are required to respond within 20 working days.
PAAH centres will provide information on where to access the information required e.g. the website link, or details of a charge if the publication/ information is charged, or send any free information. If the item is charged the centre does not need to provide it until the payment is received.
A refusal of any information requested will state the relevant exemption which has been applied or that the centre does not hold the information, and will explain what public interest test has been made, if this applies.
If the information is published by another organisation (for example, Ofsted reports), PAAH will direct the enquirer to the organisation which supplied the information or publication unless it is legal and possible to provide the information direct (for example, a copy of the summary of an Ofsted report).
It will not be legal to photocopy a publication in its entirety and supply this to an enquirer unless PAAH owns the copyright, or the document has no copyright – this is particularly important where the original publication was a charged item.
PAAH will keep the original request and note against this who dealt with the request and when the information was provided.
Any complaint about the provision of information will be handled by the Designated Data Officer or another Director of PAAH or a relevant centre Director. All complaints should be in writing and documented.
All enquirers should be advised that they may complain to PAAH if they are unhappy with the way their request has been handled.
Write to the PAAH Registered Office and ask for a copy of the information they hold about you. The organisation is legally required to provide you with a copy of the information they hold about you if you request it.
There are some situations when organisations are allowed to withhold information, e.g. if the information is about:
the prevention, detection or investigation of a crime
national security or the armed forces
the assessment or collection of tax
judicial or ministerial appointments
In this event PAAH doesn’t have to say why they are withholding information.
Company directors will monitor the GDPR Policy. In the case of learners, the individual organisation will monitor the process. The PAAH Data Director (or Link Director) should be kept informed. The individual centre is responsible for retaining records related to data protection or freedom of information requests or complaints and these will be shared with PAAH in line with the procedures stated in this policy.
The Quality Team reviews the policy and documentation bi-annually (or earlier if required).
Communications, either written or electronic, will notify subcontractors, training centres, learners and employers of all reviews and any outcomes from the reviews. The updated policy will be submitted to PAAH Directors meetings for approval/ratification. The completed policy will be displayed in all training rooms and be available on a VLE where possible.
This policy will be impact assessed for equality and diversity and records will be maintained.
This policy will be reviewed to ensure it fully safeguards learners, personnel and other partners in relation to their levels of safety, health, achievement, enjoyment, contribution and well-being.
Directors, Personnel, PAAH Funded Organisations, its learners or partner organisations have the right to lodge a complaint or grievance about the process or outcome of the data protection and freedom of information policy. Grievances or complaints made to PAAH in relation to this policy are dealt with under the Grievances and Complaints Policy.
Personnel, learners, employers or PAAH Funded centres who are not satisfied with the action taken by PAAH and feel it right to question the matter further may consider the following possible contact points:
If you think your data has been misused or that the organisation holding it hasn’t kept it secure and you are unhappy with their response or if you need any advice you should contact the Information Commissioner’s Office (ICO).
Helpline 0303 123 1113
The ICO can investigate your claim and take action against anyone who has misused personal data.
Additionally you could contact:
Education and Skills Funding Agency
The Equality and Human Rights Commission
ACAS
The employee’s Trade Union
The Citizens Advice Bureau and/or law centre/firm
Relevant professional bodies or regulatory organisations