Recital 74 of the General Data Protection Regulation (GDPR) states that:
‘The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with the Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.’
To this end, Learning4Life has adopted the Policy as specified below.
An essential activity within Learning4Life is the requirement to gather and process information about its learners who have contact with Learning4Life, in order to enable it to provide education and other associated functions.
In addition, there may be a legal requirement to collect and use information to ensure that Learning4Life complies with its statutory obligations.
The GDPR defines special category information as ‘information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data’.
Before processing ‘special category’ information Learning4Life will identify and document the lawful basis for processing this information. Learning4Life will only process special categories of personal information in certain situations.
This will be done in accordance with Data Protection Law and other related government legislation.
Learning4Life – acting as custodians of personal data – recognise their moral duty to ensure that it is handled properly and confidentially at all times, irrespective of whether it is held on paper or by electronic means. This covers the whole lifecycle, including:
- The obtaining of personal data;
- The storage and security of personal data;
- The use of personal data;
- The disposal/destruction of personal data.
Learning4Life also has a responsibility to ensure that data subjects have appropriate access to details regarding personal information relating to them.
By following and maintaining strict safeguards and controls, Learning4Life will:
- Acknowledge the rights of individuals to whom personal data relate, and ensure that these rights may be exercised in accordance with Data Protection Law;
- Ensure that individuals are fully informed about the collection and use of personal data through the publication of Learning4Life’s Privacy Notice;
- Collect and process personal data which is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Ensure that adequate steps are taken to ensure the accuracy and currency of data;
- Ensure that for all personal data, appropriate security measures are taken – both technically and organisationally – to protect against damage, loss or abuse;
- Ensure that the movement of personal data is done in a lawful way – both inside and outside the organisation and that suitable safeguards exist at all times.
In order to support these objectives, Learning4Life will:
- Have a “Senior Information Risk Owner” (SIRO) to ensure that there is accountability and that Information Risk is recognised at a Senior Level;
- Have a designated “Data Protection Officer” (DPO) to meet Learning4Life’s obligations under Article 37 of GDPR;
- Ensure that all activities that relate to the processing of personal data have appropriate safeguards and controls in place to ensure information security and compliance with the Data Protection Law;
- Ensure that all contracts and service level agreements between Learning4Life and external third parties (including contract staff – where personal data is processed) include the relevant Data Protection clauses and appropriate Organisational and Technological measures will be put in place to safeguard the data;
- Ensure that all staff (including volunteer staff) acting on Learning4Life’s behalf understand their responsibilities regarding information security under the Act, and that they receive the appropriate training/instruction and supervision so that they carry these duties out effectively and consistently and are given access to personal information that is appropriate to the duties they undertake;
- Ensure that all third parties acting on Learning4Life’s behalf are given access to personal information that is appropriate to the duties they undertake and no more;
- Ensure that any requests for access to personal data are handled courteously, promptly and appropriately, ensuring that either the data subject or their authorised representative have a legitimate right to access under Data Protection Law, that their request is valid, and that information provided is clear and unambiguous;
- Ensure that all staff are aware of the Data Protection Policy and Guidance;
- Review this policy and the safeguards and controls that relate to it annually to ensure that they are still relevant, efficient and effective;
- This Policy and Procedure and the Subject Access Information material will be made available in other formats where necessary.
Please follow this link to the ICO’s website https://ico.org.uk/ which provides further detailed guidance on a range of topics including individuals’ rights, exemptions from the Act, dealing with subject access requests, how to handle requests from third parties for personal data to be disclosed, etc.