Statement of Purpose
SAFE Training Ltd is registered on the Data Protection register as this is a statutory requirement for every organisation that holds personal information.
Registration was first completed on 14th May 2010. It is renewed automatically on an annual basis and paid by direct debit; a confirmation goes to the Operations Manager’s email account.
This policy sets out how we will look after your (data subject’s) information. This includes what you tell us about yourself, what we learn about you, and the choices you make about what marketing you want us to send to you. It also provides details of your privacy rights and how to exercise those rights with SAFE.
This policy applies to all data processed by SAFE, and affects anyone who may be considered a data subject whose data is processed by SAFE. This includes employees, learners, subcontractors and centre personnel.
Registration for SAFE Training Ltd states that the company holds personal data in 5 key areas:
- Staff Administration;
- Advertising, Marketing and Public Relations;
- Accounts and records;
- Education; and,
- Consultancy and Advisory Services.
SAFE Training Ltd’s registration details are:
Registration number: Z8323271
It is the Operations Manager’s responsibility to ensure the entry in the Register is current and fit for purpose. The annual registration must be maintained.
All staff should be briefed on the importance of the Data Protection Policy and should sign, as part of their job description, that they understand their role with regard to data protection.
We aim to ensure that all personal data:
1. Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;
2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
4. Shall be accurate and where necessary, kept up to date;
5. Shall not be kept for longer than is necessary for that purpose or those purposes;
6. Shall be processed in accordance with the rights of data subjects under the Act;
7. Shall be kept secure i.e. protected by an appropriate degree of security; and,
8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.
We will process your data when we have a legal basis for processing it. In doing so, we will take appropriate technical and organisational measures to prevent your data from inappropriate disclosure. When a data breach occurs, we will take steps to inform you without unnecessary delay. In processing your information we may provide it to relevant third parties such as our suppliers and enforcement agencies where we have a legal basis for doing so. We will never sell your personal information.
Where do we get your personal data and what personal data do we collect?
We may collect and process the following personal data:
Information which you freely provide to us
For example when you:
- Complete a survey or form,
- Correspond with us by phone, e-mail, or in writing,
- Order one of our products,
- Sign up to receive newsletters and marketing information from us,
- Apply to work for us,
- Enter into a contract with us to receive certification services.
We may need to collect personal information by law, or to enter into or fulfil a contract we have with you. If you choose not to give us this personal information, it may delay or prevent us from fulfilling our contract with you, or doing what we must do by law. It could mean that we cancel a service you have with us. We sometimes ask for information that is useful, but not required by law or a contract. We will make this clear when we ask for it. You do not have to give us these extra details and it won’t affect the products or services you have with us.
Information we receive from other sources/third parties
As part of our role, we routinely collect and process personal data that is provided to us by our customers without direct access to data subjects. If you are a customer or sub-contractor, we may receive information about you from your learning provider, or employer when they register to receive products and/or services from us. By providing personal information to us, you give consent to SAFE to process the data as set out within this document, and you confirm that you have obtained the appropriate consent from the relevant individuals for the personal data to be processed accordingly by SAFE. We reserve our right to refuse to process information received from you if we have reasonable suspicion that data subjects have not provided consent, or where we feel that there is no legitimate basis for processing.
Information about other people
If you provide information to us about any person other than yourself, such as your relatives, next of kin, your advisers or your suppliers, you must ensure that they understand how their information will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to use it. We may refuse to process information about other people if we have reasonable suspicion that they have not provided their consent, or where we feel that there is no legitimate basis for processing.
Sensitive personal data
Sensitive personal information includes information about your racial or ethnic origin, political opinions, religious or similar beliefs, trade union activities, physical or mental health condition, sexual orientation, details of any commission or alleged commission of offences and genetic or biometric data.
In certain cases, we may need to process sensitive personal data from you. We aim to minimise collecting this information so far as possible, and will only collect and process this information if it is absolutely essential to do so, for example to confirm your qualification achievement or certification history. We aim to do so on the basis of your explicit consent unless there is a legal basis not to inform you, for example, where informing you would contravene money laundering legislation.
Personal data held for equal opportunities monitoring purposes
Where personal data obtained is to be held for equal opportunities monitoring purposes, all such data will be made anonymous.
Why do we process your data?
When we ask you to supply us with personal data we will make it clear whether the personal data we are asking for must be supplied so that we can provide the products and services to you, or whether the supply of any personal data we ask for is optional.
To take steps to fulfil, or linked to, a contract:
- To provide products and/or services which we are contractually obliged to provide to you, your client or the organisation you work for in relation to the contract;
- To keep you updated with any information required in relation to contracted products and/or services between us;
- To discharge our duties as an employer.
Legal obligations/Public interest
- To monitor certification achievement standards over time,
- To maintain records of achievement and confirm your or your business’s achievements,
- To fulfil any regulatory or statutory obligations of the organisation, such as to provide information, respond to any lawful or proportionate request by government authorities, law enforcement or statutory bodies,
- To promote public confidence in certification (for example by detecting, deterring and preventing fraud or malpractice).
Vital interests of the data subject
To protect the safety and security of yourself or others as outlined within our QMS.
Overriding legitimate interests
These interests may include our or a third party’s interests, for example:
- For the purposes of good governance,
- To audit, analyse and protect systems and data from misuse,
- To improve or develop our products and/or services,
- To monitor, analyse, and improve sales, organisational performance and business performance,
- To request your consent to be contacted by us about relevant products/services,
- To conduct prospective research relevant to our products or services,
- To collect outstanding debt owed to us,
- To resolve arising issues, complaints, claims, or disputes between us and you or your client.
We will rely on your consent to provide marketing or information which is not directly relevant to your contract with us, and to process or transfer sensitive information where it is not required by a legal, public interest or overriding legitimate interest obligation.
Each marketing email that is sent provides you with the ability to unsubscribe from receiving marketing emails at any time. Alternatively, you can change your preferences by sending a request to firstname.lastname@example.org (please note that you cannot opt out of notifications/information related to a contract for products or services unless you terminate the contract itself).
Automated decision making
Although SAFE uses automated means to process some information and assessments, no decision is currently taken entirely by means of ‘automated decision making’ as defined by the GDPR. SAFE may from time to time promote/provide information on social media websites such as LinkedIn and Facebook which may conduct ‘automated decision making’ in relation to the communication notices we post on those sites. Your interactions with us on those platforms are subject to the terms and conditions of the respective sites, and you do so at your own risk. We will not store or transfer your interaction within those sites outside of the relevant social media unless there is a proportionate and necessary legal basis for processing. If you have any concerns about how your information is used and the notifications you receive on those sites, you are advised to contact them directly.
Sharing with third parties
We may disclose and share your personal information with:
- Our service providers or contractors to the extent where it is required to deliver certification services to you, or to uphold any overriding legitimate interest,
- External auditors, to the extent where it is necessary to assess our compliance arrangements,
- Law enforcement agencies, statutory organisations, governmental bodies or other relevant organisations where we have a legal or public interest obligation to do so,
- Investigatory and fraud protection agencies, to verify your identity, prevent fraud and/or other criminal offences,
- Anyone we deem necessary to protect your vital interests, including the security/safety of yourself or other persons, as consistent with applicable law,
- Debt collection agencies, to protect our legitimate business interests, for example to collect outstanding debt from your organisation,
- An acquiring entity, in connection with a sale, joint venture or other transfer of some or all of our company or assets (subject to the commitment of the acquiring entity to comply with this policy),
- In other situations with your consent.
Statutory bodies and government agencies we work with may include, but are not limited to, Her Majesty’s Revenue and Customs (HMRC), Department for Work and Pensions, United Kingdom Accreditation Service (UKAS), ActionFraud, Serious Fraud Office (SFO), Health and Safety Executive (HSE) and the Information Commissioner’s Office (ICO).
All of our service providers and contractors are contractually required to implement appropriate technical and organisational measures to meet the requirements of applicable law, and to process information only in compliance with it.
Whistleblowing and malpractice
In accordance with the conditions of approval, we may report to third parties such as other certification bodies and statutory bodies where we have reasonable grounds for suspecting that you have contravened SAFE’s Data Protection Policy or committed a relevant criminal offence. We will only share your information with organisations so far as is reasonable to investigate any allegations that may affect the delivery of our products or services, or to fulfil our legal obligations under any conditions of recognition applied by a statutory body.
To protect personal information, you are urged to:
- Notify us of any changes to your information/status to ensure your information is accurate and up to date,
- Keep passwords safe,
- Only access our services using secure networks,
- Maintain updated internet security and virus protection software on your devices and computer systems,
- Contact us immediately if you suspect a security or privacy concern or issue.
We may immediately suspend or terminate your access without notice if we become aware that you are in breach of our Terms and Conditions or of this Policy.
Purposes for which personal data may be held (employees)
Personal data relating to employees may be collected primarily for the purposes of:
- Recruitment, promotion, training, redeployment, and/or career development;
- Administration and payment of wages and sick pay;
- Calculation of certain benefits including pensions;
- Disciplinary or performance management purposes;
- Performance review;
- Recording of communication with employees/students and their representatives;
- Compliance with legislation;
- Provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist future potential employers,
- Staff, volunteers and students, staffing levels and career planning.
All SAFE employees and relevant contractors are required to regularly keep up to date with training and updates provided by the ICO for advice and guidance on data protection issues and to aid CPD. Unauthorised access, amendment, deletion or transfer of records will be treated as gross misconduct/malpractice by SAFE.
Exercising your data rights
We aim to deal with any concerns which you may have about your information effectively and efficiently as part of our day to day operations with you.
If you have a concern about the way your data is used which cannot be addressed by the SAFE representative you work with, write to email@example.com to formally exercise your legal rights. This will be taken up by the Director and Operations Manager for review and action where appropriate. We won’t normally charge a fee unless it is reasonable and within the confines of the law.
For more information about how your rights apply, please see the ICO guidance at ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
We aim to respect your request wherever possible; however, please note that there are exceptions to when these rights may apply. If we are unable to comply with your request due to an exception, we will explain this to you in our response.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
We will usually respond to your request within 30 days of the receipt of your request, or at most, 60 days, if the information we hold about you is excessive.
Event of a breach
In the event of a breach of your personal information, we will take reasonable steps to inform you wherever possible. We will also make best endeavours to inform the ICO within 72 hours of first finding the breach. Our recovery time objective (RTO) is 1 working day for minor breaches and 5 working days for serious breaches. This may be longer in serious or complex cases.
Retention of records
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any regulatory duty, public interest, or overriding legitimate interest. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We take very seriously any improper collection or misuse of personal or business information. Please report it to us in accordance with SAFE’s QMS Policies at firstname.lastname@example.org. You can also complain to us in accordance with the SAFE Complaints Policy. If you believe that your data protection rights may have been breached, and we have been unable to resolve your concern, you may lodge a complaint with the applicable supervisory authority or seek a remedy through the courts. Please visit ico.org.uk/concerns/ for more information on how to report a concern to the UK Information Commissioner’s Office.