Softwash Training Solutions Privacy Policy

General Data Protection Regulations (GDPR) Policy

INTRODUCTION

Softwash Training Solutions Ltd is fully committed to compliance with GDPR data protection and its responsibilities therein. The aim of this policy is to manage data held as a result of the company's business operations. All information and data acquired in the course of company business activities will remain confidential and will not be released to any other party without the express written permission of the person to whom it relates.

SCOPE

The policy applies to the keeping and processing of personal data, both in manual form and on computer, including personal data held on employees as well as students/candidates.

Data: means information in a form which can be processed. It includes automated data (information on computer or information recorded with the intention of putting it on computer) and manual data (information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system).

Relevant filing system: means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible.

Personal data: means data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Data Controller: A data controller is the individual or legal entity which controls the contents and use of personal data. The school can be considered to be the data controller, with the principal acting for the board of management in exercising the functions involved.

The policy applies to all employees, directors, managers, students/candidates and others insofar as the measures under the policy relate to them.

RATIONALE

Why is it necessary to devise a data protection policy at this time? e.g.

  • Businesses are obliged to comply with General Data Protection Regulations (2018) (henceforth referred to as GDPR).
  • Students/candidates must be given access to records kept by the company relating to the progress of the student/candidate in his or her course program.
  • The company will maintain an attendance register of all students attending course programs.
  • The company will maintain a record of both attendance and non-attendance on a course program on the attendance register.
  • The company data controller may supply personal data kept by him or her, or information extracted from such data, to the data controller of another prescribed body if he or she is satisfied that it will be used for a “relevant purpose” only.

See Section B.3 under Key Measures below.

MISSION STATEMENT

Softwash Training Solutions Ltd. seeks to enable each student/candidate to develop to their full potential. We will provide a safe and secure environment for learning and promote respect for the diversity of values, beliefs, traditions, languages and ways of life in society.

COMPANY GOALS AND OBJECTIVES

The objectives may include the following:

  1. To ensure that the company complies with the GDPR.
  2. To ensure compliance by the company with the rules of data protection as set down by GDPR.
  3. To ensure that the data protection rights of students/candidates, employees and others affected by our work activities are safeguarded.  

A. Details of all personal data which will be held, the format in which it will be held and the purpose(s) for collecting the data in each case

The personal data records held by Softwash Training Solutions may include:

Employee records: These may include:

  • Name, address and contact details, NI and/or PPS number
  • Original records of application and appointment
  • Record of appointments to promotion posts
  • Details of approved absences (career breaks, parental leave, study leave etc.)
  • Details of work record (qualifications, courses taught etc.)
  • Details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress. Note: a record of grievances may be maintained which is distinct from and separate to individual personnel files.

Format: The formats in which these records will be kept are manual record (personal file within filing system), computer record (database) or both.

Purpose: Employee records are kept to facilitate the payment of employees, to facilitate additional payments in the future, to keep a record of promotions made etc.

Student/candidate records: These may include:

  • Information which may be sought and recorded at course application, including:
  • name, address and contact details, NI and/or PPS number
  • Emergency contact details
  • any relevant special conditions (e.g. special educational needs, health issues etc.) which may apply
  • Information on current employment and company details
  • Course assessments
  • Attendance Records
  • Other records as required, such as records of any injuries/accidents etc. whilst on our courses.

Format: The formats in which these records will be kept are manual record (personal file within filing system), computer record (database) or both.

Purpose: Student/candidate records are kept to enable each student/candidate to develop his/her full potential, to comply with legislative or administrative requirements, to ensure that eligible students can benefit from the relevant additional teaching and support where required, to enable the appropriate person to be contacted in the case of emergency etc.

Board of Management records: These may include:

  • Name, address and contact details of each member of the board of management
  • Records in relation to appointments to the board
  • Minutes of board of management meetings and correspondence to the board, this may include references to particular individuals.

Format: The formats in which these records will be kept are manual record (personal file within filing system), computer record (database) or both.

Purpose: The purposes for keeping board of management records may include keeping a record of board appointments, documenting decisions made by the board etc.

B. Details of arrangements in place to ensure compliance with the eight rules of data protection

This section sets down the arrangements in place to ensure that all personal data records held by the company are obtained, processed, used and retained in accordance with GDPR:

  1. Obtain and process information fairly
  2. Keep it only for one or more specified, explicit and lawful purposes
  3. Use and disclose it only in ways compatible with these purposes
  4. Keep it safe and secure
  5. Keep it accurate, complete and up-to-date
  6. Ensure that it is adequate, relevant and not excessive
  7. Retain it for no longer than is necessary for the purpose or purposes
  8. Give a copy of his/her personal data to that individual on request.

The minimum age at which consent can be legitimately obtained for processing and disclosure of personal data under GDPR: “As a general rule in the area of training and education, a student/candidate aged eighteen or older may give consent themselves. A student/candidate aged from twelve up to and including seventeen may also give consent themselves and, in addition, consent should also be obtained from the student/candidate's parent or guardian.”

1. Obtain and process information fairly

  • Procedures are in place to ensure that employees, students and candidates are made fully aware when they provide personal information of the identity of the persons who are collecting it, the purpose in collecting the data, the persons or categories of persons to whom the data may be disclosed and any other information which is necessary so that processing may be fair (as stated above, the sample statement in Appendix 1 will be included on relevant forms where personal information is being requested).
  • Personal information is processed fairly in accordance with GDPR, with consent being obtained from employees, students and candidates where required.
  • All sensitive personal information is processed fairly in accordance with GDPR, with explicit consent being obtained from employees, students and candidates, where required.

See Appendix 1 for the statement which is included on relevant forms when personal information is being requested within the course administration process.

2. Keep it only for one or more specified, explicit and lawful purposes

  • We will ensure the persons whose data is collected know the reason/s why it is collected and kept.
  • The purpose for which the data is collected and kept is a lawful one.
  • Management are aware of the different sets of data which are kept and the specific purpose of each.

3. Use and disclose it only in ways compatible with these purposes

  • Data will only be used in ways consistent with the purpose/s for which it was obtained.
  • Data will only be disclosed in ways consistent with that purpose.
  • Exceptions to disclosure rule:
    • Data can be disclosed when required by law
    • Data can generally be disclosed to an individual himself/herself or with his/her consent (see 8 below).

4. Keep it safe and secure

  • Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
  • Access to the information (including authority to add/amend/delete records) is restricted to authorised staff on a “need to know” basis.
  • Only trainers/assessors and the management team have access to student/candidate data and this is based on a “need to know” policy.
  • All computer systems are password protected.
  • All information on computer screens and manual files will be kept out of view of visitors or customers to the company offices.
  • Back-up procedures and systems are in operation for computer held data, including off-site back-up.
  • Employees are made aware of the company security measures, and will comply with them.
  • Confidential and sensitive waste papers, printouts etc. are disposed of carefully by shredding.
  • Steps are taken to ensure that no unauthorised person can access data from computers which are no longer in use or subject to change of use.
  • Every employee is responsible for security.
  • There are periodic reviews of the measures and practices in place.
  • Company premises are secure when unoccupied.
  • Computer systems have virus and hacker protection packages in place.

5. Keep it accurate, complete and up-to-date:

  • Clerical and computer procedures are in place to ensure high levels of data accuracy
  • Appropriate procedures are in place, including periodic review and audit, to ensure that each data item is kept up-to-date.

6. Ensure that it is adequate, relevant and not excessive:

  • Information held is adequate in relation to the purpose/s for which it is kept
  • Information held is relevant in relation to the purpose/s for which it is kept
  • Information held is not excessive in relation to the purpose/s for which it is kept

7. Retain it for no longer than is necessary for the purpose or purposes:

It is company policy that personal data should not be kept for any longer than is necessary to fulfil the function for which it was first recorded. Retention times cannot be rigidly prescribed to cover every possible situation and employees need to exercise their individual judgement in this regard in relation to each category of records held. However, the following particular requirements should be met:

  • Course admin, student/candidate information files and data may be kept for up to 10 years and then disposed of securely.
  • Pay, taxation and related employee personnel records should be retained indefinitely within the company records.
  • Where litigation may potentially arise in the future (e.g. in relation to accidents/personal injuries involving employees, students/candidates or accidents occurring on company property or training venue), the relevant records should be retained until the possibility of litigation ceases.

In line with the above, it is suggested that the information on student/candidate files might, as a general rule, be retained for a period of six years only after the student has completed their training course.

8. Give a copy of his/her personal data to that individual on request

On making an access request any individual (subject to the restrictions in Notes A and B below) about whom you keep personal data, is entitled to:

  • a copy of the data which is kept about him/her
  • know the purpose/s for processing his/her data
  • know the identity of those to whom the data is disclosed
  • know the source of the data, unless it is contrary to public interest
  • know the logic involved in automated decisions
  • a copy of any data held in the form of opinions, except where such opinions were given in confidence.

To make an access request, an individual must:

  • apply in writing
  • give any details which might be needed to help identify him/her and locate all the information you may keep about him/her
  • pay an access fee if the company wishes to charge one.

There are a number of exceptions to the general rule of Right of Access, including those specified in Notes A and B below.

Handling access requests:

  • There is a named person responsible for handling access requests (Maureen Conway).
  • There are procedures in place to provide applicants with access to personal data about themselves in accordance with the Data Protection Acts as detailed above.
  • There are criteria set down on what is sufficient to prove identity in order to access personal data, and this is the production of a photo ID, passport or driving licence. Without this, access will be denied.
  • Information will be supplied promptly and within 40 days of receiving the request or, in respect of examinations data, within 60 days of receiving the request or 60 days of first publication of the results (whichever is the later).
  • Information provided will be in a format which is clear to the ordinary person to understand.
  • Is the individual informed within 40 days of the request if no information is held on them?
  • Is the fee charged (if any) refunded to the individual if the request is not complied with or if it is necessary to rectify, supplement or erase the personal data concerned?

Note A: Access requests by students/candidates

  • Students/candidates are entitled to access their personal information in accordance with the GDPR.

Note B: Exceptions to note:

Employees should note that data protection regulations prohibit the supply of:

  • health data to a patient in response to a request for access if that would cause serious harm to his or her physical or mental health. The regulations also provide that such data is to be communicated only by, or after consultation with, an appropriate "health professional", normally the patient's own doctor.

LINKS TO OTHER POLICIES AND PROCEDURES

Company policies and procedures need to be consistent with one another, within the framework of the overall company plan. Relevant policies and procedures that are already in place, being developed or reviewed should be examined with reference to the data protection policy, and any implications which it has for them should be addressed. The following policies may be among those considered:

  • Occupational Health and Safety Operations Manual
  • Course Trainer/Assessor Pack
  • Student/Candidate Course Pack
  • Student/Candidate Grievance procedure
  • Code of Professional Conduct.

REVIEW AND EVALUATION

This policy will be reviewed and evaluated on an annual basis or if there is any change in legislation or procedures. Practical indicators which may be used to gauge the impact and effectiveness of this policy might include the extent to which:

  • Students/candidates and employees are aware of the policy
  • Requests for access to personal data are dealt with effectively
  • Personal data records are accurate
  • Personal data records are held securely
  • Personal data records are retained only for as long as necessary.

Appendix 1

GDPR Statement for inclusion on relevant forms when personal information is being requested

The information collected on this form will be held by Softwash Training Solutions Ltd. in manual and in electronic format. The information will be processed in accordance with General Data Protection Regulations 2015.

The purpose of holding this information is for administration purposes and to facilitate the student/candidate's training needs.

Disclosure of any of this information will take place only in accordance with legislation or regulatory requirements. Explicit consent will be sought from the student/candidate if the company wishes to disclose this information to a third party for any reason.

Students/candidates have a right to access the personal data held on them by the company and to amend or correct it if necessary.

I consent to the use of the information supplied as described.

 

Print Name of Student/Candidate: _________________________

Signed Student/Candidate: _________________________

Date: _________________________


Appendix 2 - Measures We Have Taken on this Website to Protect Your Personal Information

  • We will not sell, rent, or pass on your information to any third parties without your express consent.
  • You may contact us at any time to view, amend or delete your personal data, or to exclude it from the usages listed above.
  • To protect your identity, we have "anonymized" your IP address, meaning we never collect your full IP address - this enables us to differentiate you from other website visitors, but does not enable us (or anyone else) to identify you as an individual.
  • We protect your data through SSL certification: any data that is transmitted from our website is encrypted through Secure Socket Layer technology.

 

 

 +44 (0)7900 251019

 bookingsoftwashtraining@gmail.com 

  

  
