General Data Protection Policy (GDPR) 2018
Prostart Training is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller and the handling of such data in line with the data protection principles and the Data Protection Act (DPA). https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/
Changes to data protection legislation shall be monitored and implemented in order to remain compliant with all requirements.
Personal and Sensitive Data:
All data within Prostart’s control shall be identified as personal, sensitive or both to ensure that it is handled in compliance with legal requirements and access to it does not breach the rights of the individuals to whom it relates. The definitions of personal and sensitive data shall be as those published by the ICO for guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
We must process personal data fairly and lawfully in accordance with individuals’ rights. This means that we should not process personal data unless the individual whose details we are processing has consented to this happening. This consent can be revoked at any time.
The principles of the Data Protection Act shall be applied to all data processed:
- Processed fairly and lawfully
- Obtained only for lawful purposes, and is not further used in any manner incompatible with those original purposes
- Accurate and, where necessary, kept up to date
- Adequate, relevant and not excessive in relation to the purposes for which it is processed
- Not kept for longer than is necessary for those purposes
- Processed in accordance with the rights of data subjects under the DPA
- Protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage
- Not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection of the personal information
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Prostart will ensure any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.
If a data subject wishes to withdraw consent they must complete the Withdrawal of Consent form: Q:\Quality Assurance\GDPR\Withdrawal of Consent Form.docx
Criminal record checks
Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.
Fair Processing / Privacy Notice:
We shall be transparent about the intended processing of data and communicate these intentions via notification to staff, parents and learners prior to the processing of individuals’ data.
Notifications shall be in accordance with ICO guidance and, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation.
The intention to share data relating to individuals to an organisation outside of Prostart shall be clearly defined within notifications and details of the basis for sharing given. Data will be shared with external parties in circumstances where it is a legal requirement to provide such information.
Any proposed change to the processing of individuals’ data shall first be notified to them.
In order to assure the protection of all data being processed and inform decisions on processing activities, we shall undertake an assessment of the associated risks of proposed processing and equally the impact on an individual’s privacy in holding data related to them.
Risk and impact assessments shall be conducted in accordance with guidance given by the ICO:
Security of data shall be achieved through the implementation of proportionate physical and technical measures. Nominated staff shall be responsible for the effectiveness of the controls implemented and reporting of their performance.
The security arrangements of any organisation with which data is shared shall also be considered, and these organisations shall provide evidence of their competence in securing the shared data.
The processing of all data must be:
- Necessary to deliver our services
- In our legitimate interests, and must not unduly prejudice the individual’s privacy
In most cases this provision will apply to routine business data processing activities.
Our Terms of Business contain a Privacy Notice to learners on data protection, which:
- Sets out the purposes for which we hold personal data on learners and employees
- Highlights that our work may require us to give information to third parties such as expert witnesses and other professional advisers
- Provides that customers have a right of access to the personal data that we hold about them
Sensitive personal data
In most cases where we process sensitive personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Your personal data (data subject)
You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the Data Protection Officer so that they can update your records.
Data Access Requests (Subject Access Requests):
All individuals whose data is held by us have a legal right to request access to such data, or information about what is held, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free within 30 days.
If you receive a subject access request, you should refer that request immediately to the DPO; we may ask you to help us comply with these requests.
Please contact the Data Protection Officer if you would like to correct or request information that we hold about you. There are also restrictions on the information to which you are entitled under applicable law.
Processing data in accordance with the individual’s rights
- You should abide by any request from an individual not to use their personal data for direct marketing purposes and notify the DPO about any such request.
- Do not send direct marketing material to someone electronically (e.g. via email) unless you have an existing business relationship with them in relation to the services being marketed.
- Please contact the DPO for advice on direct marketing before starting any new direct marketing activity.
- In the absence of the DPO, the Subject Access Request Form can be found here: Q:\Quality Assurance\GDPR\Subject Access Request Form.docx
We shall respond to data access requests within a month and they should be made in writing to:
Name: Maria Pannullo
Address: 28 High Street, Long Eaton, Nottingham, NG10 1LL
Right to be forgotten
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
Prostart recognises that the secure disposal of redundant data is an integral element to compliance with legal requirements and an area of increased risk.
All data held in any form of media (paper, tape, electronic) shall only be passed to a disposal partner with demonstrable competence in providing secure disposal services.
All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process.
Disposal of IT assets holding data shall be in compliance with ICO guidance:
Data audit and register
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
All members of staff have an obligation to report actual or potential data protection compliance failures to the DPO immediately. This allows us to:
- Investigate the failure and take remedial steps if necessary
- Maintain a register of compliance failures
- Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures
The DPO has overall responsibility for this policy. The DPO will monitor it regularly to make sure it is being adhered to.
V6 March 18 – Reviewed Jan 19 no changes