Section 1 Introduction
1.1 Scope of the policy
DNA Skills is committed to preserving the privacy of its staff and apprentices, and to complying with the Data Protection Act (1998) and the General Data Protection Regulation.
The data protection principles are set out in the Data Protection Act (1998). Article 5 of the General Data Protection Regulation requires that personal data shall be:
1.2 Purpose of the policy
DNA Skills processes personal data to fulfil contractual obligations, salary and benefits, holiday and sickness, funding claims, performance and achievement, safeguarding, equality, diversity and inclusion, health & safety, accident reports, disciplinary, provision of education, support and advice to the apprentices and clients, to promote the services, for publications, financial and staffing records, and other statutory obligations. Processing of this data also includes the use of CCTV in order to monitor and maintain the security of the premises and for the prevention or detection of crime. This is not an exhaustive list.
1.3 A shared responsibility
It is important that all approved staff within a centre who are involved in the delivery of DNA Skills End-point Assessments and/or regulated qualifications are made aware of this policy and its range of possible outcomes, should they fail to comply with DNA Skills requirements as described above.
1.4 Reviewing the policy
We will review this policy regularly and where otherwise necessary, and may revise it as required in response to the findings of any review.
Section 2 Definitions
Personal data is defined as data relating to a living individual who can be identified from that data alone, or with other data held by DNA Skills or which DNA Skills is likely to receive. This includes sensitive data relating to an individual’s gender, age, ethnicity, disability, trade union membership, political opinions, religious or similar beliefs, physical or mental health, sexual life, commission or alleged commission of any offence or information concerning related criminal proceedings or outcomes.
The GDPR regulates the “processing” of personal information, which has a very broad meaning and includes obtaining, storing, viewing, using, updating, disclosing and destroying any data held electronically, in structured manual records and, to a limited extent, in unstructured manual records. DNA Skills is committed to using personal data responsibly, and to protecting it and keeping it secure from loss or destruction.
The requirements DNA Skills has for processing personal data are recorded on the public register maintained by the Information Commissioner. DNA Skills notifies the Information Commissioner and renews the notification on an annual basis as the law requires. If there are any interim changes, these will be notified to the Information Commissioner within 28 days. DNA Skills' registration number on the Information Commissioner’s Register of Data Controllers is ZA752442, and the entry can be found using this link: https://ico.org.uk/esdwebpages/search
Section 3 Policy Statement
This policy outlines the responsibilities of all staff (including third parties under contract, and/or self-employed staff and volunteers) with regard to the Data Protection Act (1998) and the General Data Protection Regulation.
Staff are required to handle and process data in any of DNA Skills records or systems in accordance with this policy and in accordance with other related policies concerning the handling or processing of data.
Section 4 Implementation
To meet the responsibilities DNA Skills will:
Section 5 DNA Skills Policies and Legislative Connections
The following policies and guidance are relevant to personal information:
DNA Skills will adhere to its obligations under the Regulation relevant to the use and monitoring of electronic communications, which are predominantly:
Section 6 Data Security
DNA Skills has an Information Security Policy that staff must adhere to in order to ensure personal information is protected from unauthorised viewing and from loss (including computer documents, emails and paper copies), by ensuring staff are provided with adequate awareness training and follow guidelines set out in the GDPR code of practice:
DNA Skills will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. All EPA staff must take reasonable responsibility to ensure the data is accurate and up to date, relevant and not excessive. Any unauthorised disclosure of personal data to a third party by any staff member may result in disciplinary or legal action.
Failure to comply with DNA Skills policies and procedures for handling staff/apprentice data is a disciplinary offence which may be considered gross misconduct and may also involve personal criminal liability.
Section 7 Data Subject Rights/Subject Access Requests
Individuals have a right under the Regulation to ask DNA Skills if it holds their personal data, and if so, be provided with a copy of it. Any person wishing to exercise this right should apply in writing to DNA Skills, or via email at firstname.lastname@example.org.
In order to ensure DNA Skills has met the security requirements of the GDPR, the following information will be required before access is granted: relevant identifying details including full name, date of birth and national insurance number. DNA Skills may also require proof of identity.
The following forms of ID will be acceptable: birth certificate, passport, or driving licence.
Subject Access Requests will be dealt with in line with the GDPR recommended timescales. DNA Skills will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within one month of receiving the written request, as required by the Regulation. DNA Skills will provide the information in a clear format that is easily understood and suitable for the requester's needs. DNA Skills may request further details to clarify the exact requirements prior to the start of the one-month period.
If an individual considers the details provided in response to a subject access request are incorrect or out of date, they should contact DNA Skills immediately.
Anyone whose personal information is processed by DNA Skills has the right to know:
It is a criminal offence under the GDPR for any user to alter, illegally access, deface or remove any record (including e-mails) following receipt of an information request. DNA Skills will take necessary action against any individual who is found to have carried out this act, which may result in disciplinary or legal action. Other criminal acts under GDPR may also result in disciplinary or criminal proceedings; definitions can be found at www.ico.org.uk
If you have any queries or concerns regarding DNA Skills management of personal data, then you can contact DNA Skills directly.
Any comments or complaints will be dealt with through DNA Skills complaints procedure. DNA Skills will maintain records of all complaints and their outcome.
If you are still unhappy after having made a complaint, you can contact the Information Commissioner through their website: www.ico.org.uk.
Section 8 Data Sharing
There are occasions when it is necessary for DNA Skills to share data with other organisations or people and where consent is required DNA Skills will seek and gain this from the Data Subject except where exemptions apply i.e.:
For further information, access the website of the Information Commissioner’s Office: https://ico.org.uk/
Section 9 Retention and Disposal of Data
DNA Skills will retain information about staff and apprentices for as long as is reasonable and necessary to comply with the law and for legitimate business needs. This will include information needed in connection with administering pensions and taxation, for potential or current disputes or litigation regarding employment, in the case of job applicants, in relation to any complaints or claims regarding the selection process, and information required for job references.
DNA Skills will dispose of data in line and conjunction with the JISC recommended data retention principles for Further Education and any legal and funding audit requirements. Once the retention period has elapsed, DNA Skills will ensure that any information is destroyed by secure means, i.e. by shredding, pulping or burning for hard copy, deletion etc. for electronic/digitised copy. DNA Skills will use a reputable ISO Accredited company and obtain destruction certification.
Section 10 Data Security Breach Procedure
DNA Skills takes the risk of security loss very seriously and adheres to the legal framework set down by the Information Commissioner’s Office and industry standards. DNA Skills has a Breach Management Procedure to be followed in the event of a data breach or suspected data breach, to ensure DNA Skills responds to and manages any breach effectively, in line with the GDPR recommendations. Actions may include:
Notification of breaches – if appropriate, DNA Skills will inform the following about an information security breach: the Data Subject; the ICO; other regulatory bodies; other third parties such as the police and the banks; or the media.
Section 11 Mandatory Disclosure and Confidentiality
11.1 Mandatory Disclosure
It is imperative that the integrity of our assessments is maintained. We are aware that partner organisations often work with more than one End-Point Assessment Organisation (EPAO), and that therefore more than one EPAO may be at risk when things go wrong.
Our regulators have outlined some specific conditions that we must meet to protect the integrity across the sector. This includes the requirements that where certain things are identified (such as malpractice), or certain actions taken (such as when sanctions are applied) the regulators and other relevant EPAOs who may be affected must be informed.
Depending on the seriousness of the matter, we may be required to declare to our regulators (e.g. Ofqual) that we are no longer compliant due to an act or omission by partners which has put us in breach. In this event, we may have regulatory action directed against us, such as monetary penalties. In accordance with the Contract, we reserve the right to direct such financial penalties against partners, should they be as a result of the act or omission
We may need to access confidential information. We will ensure that such information is kept secure and only used for the purposes of the investigation and in line with relevant data protection legislation. We will not normally disclose the information to third parties unless required to do so, e.g. to our regulators and/or the police or other relevant statutory bodies.
Section 12 Contacts
Your contact for this policy
If you have any queries about the contents of the policy, please contact our DNA Skills EPA Team:
Telephone: 01344 944675
DNA Skills EPA Team
7 Lakeside Business Park
© 2021 All Rights Reserved