This policy explains how Learning & Skills Solutions uses the personal information collected from you for the operation of the company business. It also describes how long that information is kept for and the limited circumstances in which we might disclose it to third parties.
The organisation has appointed Data Protection Controller, with responsibility for data protection compliance within the organisation. Questions about this policy, or requests for further information, should be directed to the Data Controller in the first instance.
Contact: 01206 769099
What information do we collect?
This section tells you what personal data we may collect from you when you use our Services.
When you register as a client of Learning & Skills Solutions we will collect:
- Your personal details, including name and address, email addresses, phone number, gender and possibly and image.
- The names and telephone numbers of clients and associates.
- National Insurance Number
- CCTV images of you may be captured on our premises.
How to access your data
As a data subject, individuals have a number of rights in relation to their personal data.
- whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
- to whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
- for how long his/her personal data is stored (or how that period is decided);
- his/her rights to rectification or erasure of data, or to restrict or object to processing;
- his/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights; and
- whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.
The organisation will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise.
To make a Subject Access Request, the individual should send the request to David Moye. In some cases, the organisation may need to ask for proof of identification before the request can be processed. The organisation will inform the individual if it needs to verify his/her identity and the documents it requires.
If a Subject Access Request is manifestly unfounded or excessive, the organisation is not obliged to comply with it. Alternatively, the organisation can agree to respond but, the data subject may be charged a fee if extra costs are incurred to retrieve data, which will be based on the administrative cost of responding to the request. A Subject Access Request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify him/her that this is the case and whether or not it will respond to it. Furthermore, if the organisation cannot facilitate a request based on limitations with its IT functionality the organisation will notify the individual accordingly stating what aspect of the request they can respond to. We will respond to the request within the Thirty (30) day period however, if this request takes longer than the regulation timeline, then the data subject will be notified and will be updated, and the request provided at the earliest opportunity. It should be noted that due to the business practices and the pure nature of the business model of Learning and Skills Solutions, that some data may not be requested under a Subject Access Request for legal reasons. If it is felt that a request may not be granted or fulfilled, then the data subject will be informed.
Personal data will be stored for the shortest time necessary (retention Period). Under the GDPR you have the following rights to request information from the company:
- Right of access to the data (Subject Access Request)
- Right for the rectification of errors
- Right to erasure of personal data (please note, this is not an absolute right
- Right to restrict of processing or to object to processing
- Right to portability
Learning & Skills Solutions have several lawful basis for processing, these are deemed as:
- Legitimate interest
Learning & Skills Solutions will only hold and process data that they feel that they have the correct consent for. The data subject has the right at any time to withdraw the consent, this consent can be withdrawn from any department within the organisation. For those under Sixteen (16) years of age, then consent will be required from an adult or guardian to process information relating to that data subject.
The organisation takes the security of HR-related personal data seriously. The organisation has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
Where the organisation engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. Our staff and associates undergo regular Data and GDPR training, to ensure that our policies and procedures are compliant with all aspects of data protection. Our servers are held in a restricted area and are managed and monitored by IT and cyber data experts. This service is done so by a recognised and accredited ITSO. Encryption for our data and emails are used at all times. Our employees and associates have a responsibility to control and hold data commensurate to our security, data and cyber policies and OFSTED guidelines.
Sharing personal information
As an organisation we do not share any information held with third parties unless consent is given by the data subject or is needed to be done so within the conduct of accreditation or training. We do not conduct profiling or marketing using an individual’s personal details for the conduct of our business. We will only share information with the following organisations is it felt that we have a legal obligation or are instructed to do so from an authority requiring specific information on a data subject.
- Police force within the United Kingdom
- A government department or agencies
- A local authority
- A consultant or medical profession
Your data may be transferred to countries outside the European Economic Area (EEA). If any data is transferred outside the EEA it is based on the contractual obligations to third parties and processed in accordance with your data rights.