INTRODUCTION AND BACKGROUND TO THE POLICY
The purpose of our General Data Protection Regulation 2018 (GDPR) Policy is to outline Velocity 1st’s desire and commitment to fully complying with the Regulation, which came into effect on 25th May 2018.
This Policy sets out the clear direction that Velocity 1st will take in continually developing its practice in order to maintain a positive impact on protecting data and regarding the processing of personal data including personally identifiable information defined in the existing Data Protection Directive (DPD), such as identification numbers and data specific to the individual’s identity.
The key principles of GDPR
1. Lawfulness, fairness and transparency
We will only use valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data. This is to meet our contractual obligations with the Education & Skills Funding Agency (ESFA) who are also fully compliant with GDPR.
The ESFA is responsible for funding education and skills in England for children, young people and adults. It is also responsible for delivery of key services in the education and skills sector in England including the apprenticeship service, the provision of information, advice and guidance through the National Careers Service, and the Learning Records Service.
Velocity will only use personal data in a way that is fair. This means that we do not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. All data collected is fully explained and collected at source with the individuals’ full consent.
We will be clear, open and honest with people from the start about how we will use their personal data.
2. Purpose limitation
We will be clear about what our purposes for processing are from the start.
We will record our purposes as part of our documentation obligations and specify them in our privacy information for individuals. This is fully outlined in the learner and employer sign-up packs, which are discussed as part of the sign-up process.
We will only use the personal data for a new purpose if either this is compatible with our original purpose, we get consent, or we have a clear basis in law.
3. Data minimisation
The data collected is adequate and is sufficient in properly fulfilling our stated purpose.
The information collected is relevant and has a rational link to that purpose; and is limited to what is necessary as we do not hold more than we need for that purpose.
4. Accuracy
We will ensure that the data collected is accurate and that all reasonable steps have been taken to ensure the personal data we hold is not incorrect or misleading as to any matter of fact. Individuals have the right to request, check and amend/delete their data held with us as required.
If we discover that the personal data held is incorrect or misleading, then we would take reasonable steps to correct or erase it as soon as possible.
We would carefully consider any challenges to the accuracy of personal data.
5. Storage limitation
We will not keep personal data for longer than we are legally obliged to keep it. This will depend on our purposes for holding the data.
We will carefully consider any challenges to the retention of data. Individuals have a right to erasure if we no longer need the data.
6. Integrity and confidentiality (security)
We will ensure that we have appropriate security measures in place to protect the personal data we hold. We will ensure that data held on non-Velocity 1st software by a third party is fully GDPR compliant.
We will process personal data securely by means of ‘appropriate technical and organisational measures’.
We will continue the cycle of continuous improvements and carry out the appropriate review of risk analysis, organisational policies, and physical and technical measures.
We will consider all additional requirements about the security of our processing methods which will include all data processors.
We will evaluate the costs of implementation when deciding what measures to take, but these will be appropriate both to our circumstances and the risk our processing poses.
We will ensure our measures meet all confidentiality, integrity and availability processes of our systems and services and the personal data we process within them.
We will also ensure that we are able to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
We have the appropriate records in place to be able to demonstrate our compliance.
We have in place the appropriate technical and organisational measures to meet the requirements of accountability. We have:
• Designated the responsibility of data protection and security to an Executive Board member.
In addition, where it is necessary for the Data Processor (Velocity 1st) to process any Personal Data of which the Data Controller (ESFA) then that Data Processor shall:
- a) process such Personal Data on the other party’s behalf only to the extent reasonably necessary to enable compliance. The Data Controller will only collect your personal information where the law allows it, or we have a legal obligation to do so. Your personal information is collected to enable us to carry out the functions of the Department for Education (DfE); Download ESFA Privacy Notice.
- b) process such Personal Data only in accordance with the Data Controller’s instructions;
- c) notify the Data Controller as soon as reasonably practicable and in any event within not less than 3 Business Days of any and all requests received by it from Data Subjects and/or the United Kingdom Information Commissioner (or any other regulatory authority) and provide all reasonable assistance and co-operation which is requested by the Data Controller in respect of such request.
Naturally we want to embody best practice in good information governance and data protection, so we want to tell you that:
• We are fully compliant with ESFA guidance on the transfer of personal data and do not hold or process any information outside of the UK.
We use Personal Information for the following reasons:
- To bid for, arrange and deliver contracts. For example, we will need and use the contact details of colleagues, learners and employers we work with, for work related purposes for the duration of contracts;
- To advise people about our services and invite them to take advantage of what we offer. We therefore keep a limited database of contact information for marketing purposes;
- To administer our business. For example, we keep details of people who work with us for invoicing, payment, tax and payroll/HR purposes;
- To support our colleagues, learners and employers;
- To comply with legal or regulatory requirements.
Examples of information we hold include
the Police or any other statutory authority or regulator who has a reasonable need for these data to effectively conduct their business e.g. criminal investigations and/or for funding purposes.