Data Use and Management Policy

Overview of our Privacy Policy

When you use our services, you trust us with your information. This Privacy Policy is meant to help you understand what data we collect, why we collect it and what we do with it. This is important. We hope you will take time to read it carefully.

As you use our services, we want you to be clear how we’re using information and the ways in which you can protect your privacy. Our Privacy Policy explains:

• what information we collect and why we collect it; and how we use that information.
• Information that we Collect

We collect information to provide better services to all of our users. We collect information in the following ways:

• Information you give us.Most of our services require you to sign up for a qualification or service. When you do, we’ll ask for personal and contact information, such as your name and contact details (address / email address / mobile and telephone numbers) and other details to store with your account.
• Information we share
  When you sign up for a qualification, we will ask for your permission to share data with third parties, typically Skills Development Scotland, SQA and People 1st. To do this you need to have signed a consent form that will enable us to provide information to them for a funding application, registration and certification for a qualification or for a Modern Apprenticeship, on your behalf.

Transparency and Choice

People have different privacy concerns. Our goal is to be clear about what information we collect, so that you can make meaningful choices about how it is used. For example, you can review and control the information in your account and either change it or let us know if it is incorrect so we can change it.

Information Security

We work hard to protect all our data, users, staff and candidate files from unauthorised access or unauthorised alteration, disclosure or destruction of information that we hold. In particular:

• we regularly review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems; this is carried out at least annually;
• we restrict access to personal information to our employees and to SDS, SQA, REHIS and People 1st, to whom you will have given consent to view your information.

Introduction

Each of the services and products provided by Blyde Welcome is for the continuance of our commercial business. We do collect, hold and manage data about individuals and organisations. We do this to provide a service to each person and organisation. We recognise our fundamental need to ensure that this information is accurate and secure. We go beyond the needs of any legislative requirements. The secure management of data is central to the way that we work.

None of the information provided is used beyond the needs of Blyde Welcome .

This policy sets out how we collect, store and manage data and who is responsible for this. It also sets out how you can request your data and how, if it is incorrect, you can ensure we get it right. This includes ensuring how we protect your data.

Why we have this policy

This policy ensures that we:

• comply with all data protection legislation (GDPR 2018 and DPA 1998) and follow the good practice set out by the Information Commissioner;
• protect the rights of customers, partners and staff;
• are open about how we collect, store, manage, process and protect individuals’ and organisations’ data;
• protect ourselves from the risks of data theft.

What services does this policy cover?

• This policy covers all our services:
• SQA registration and certification (once shared, this is responsibility of SQA);
• SDS registration (once shared, this is the responsibility of SDS);
• MA registration and certification (once shared, this is the responsibility of people 1st);
• maintenance of candidate records, learning and portfolio; and
• maintenance of employer records to maintain contact during employees’ qualifications.

Data Protection Law

The General Data Protection Regulation (GDPR) of the European Union replaced the Data Protection Act 1998 in May 2018. It introduced an extensive data protection regime by imposing broad obligations on those who collect personal data, as well as conferring broad rights on individuals about whom data is collected. It covers both paper based and electronic information.

Our policy takes account of these changes. It provides additional protections to individuals and organisations. These include a clearer definition of:

• Data Controller (this is Blyde Welcome ). We are responsible for all the data you provide
• Data Processor (those who collect and/or process the data you provide) This applies to the following agencies:
  • Skills Development Scotland
  • People 1st
  • Scottish Qualifications Authority
  • REHIS
• the data covered. This is extended to cover all paper and online data, including electronic identifiers such as IP addresses.
• Enhanced requirements to notify individuals and organisations affected by a data breach
• Increased sanctions against those organisations shown to not meet the requirements of the GDPR.
• The introduction of an ‘Accountability Principle’. It requires Data Controllers and Data Processors to be explicitly clear about how they comply with the data protection principles (eg by documenting decisions taken in respect of processing activities) and what their lawful basis is for collecting and processing personal data is. Organisations will be expected to put into place proportionate, but comprehensive, governance measures. This includes how long information will be held.
• The need for the individual or business to give consent by some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent. It must also be verifiable. This means that some form of record must be kept of how, and when, consent was given. Individuals and organisations have a right to withdraw consent at any time.
• Some new rights and strengthened existing rights:
  • the right to be informed
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • rights in relation to automated decision making.

Our policy meets, and goes beyond, these legal requirements.

Scope of our Data Use and Data Management Policy

This policy applies to Blyde Welcome and all our data controllers and data processors.
Its scope applies to all:

• personal and contact data (including name, address – postal and email; telephone numbers; date of birth; gender, ethnicity, language / form of communication; marital status);
• employer details and contact numbers/email addresses;
• qualifications achieved previously;
• information on equalities and special educational needs;
• documents relating to an individual; and any other data required for the individual candidate, employer or qualification.

Purposes for which Data can be Used

• The data that Blyde Welcome holds, as Data Controller, can only be used for the following purposes:
• ensuring the correct entry of candidate and employer details in online databases for SDS, SQA and People 1st ;
• managing the storage of information relating to day-to-day qualification delivery, maintaining contact with candidates and their employers;
• managing the storage and analysis of candidate and employer records for provision of information to employers on availability of courses; and
• providing information to SDS, People 1st and SQA regarding individual candidates.

Blyde Welcome cannot use this information for marketing to individuals and organisations by third parties.

Data Protection Risks

This policy helps to protect Blyde Welcome as the Data Controller, and its partners, as Data Processors, from some very real security risks, including:

• breaches of confidentiality; for example, information being given out;
• failing to offer choice; for example, all individuals and organisations should be free to choose how we use their data; and
• reputational damage; for example, Blyde Welcome, and as a consequence, individuals and organisations could suffer if hackers successfully gained access to sensitive data.

Our Responsibilities

Every member of Blyde Welcome is aware of their data responsibilities, but some have additional responsibilities and accountabilities:

• The Head of Centre, Celia Smith, is ultimately responsible for ensuring that the business meets its legal responsibilities, and the following:
  • reviewing annually, all data use and data management procedures to ensure Blyde Welcome meets the objectives of this policy;
  • handling data use and data management questions from staff and the users of data and information;
  • ensuring all systems, services and equipment used for storing and processing data meet acceptable security standards; and
  • working with all relevant staff to ensure that any public materials and marketing adheres to the company’s Data Use and Data Management policy.
• Data used for marketing purposes must first be checked and the facility for system users to ‘unsubscribe’ must be made clear to all contacts.
• Staff using, or advising on the use of data are responsible for ensuring that:
  • the only people able to access data, covered by this policy, should be those who need it for work purposes;
  • no data should be shared outside the business without the permission of the individual or the organisation;
  • when working with data, all employees should ensure the screens of their computers and laptops are always locked when not in use;
  • data should be encrypted before being transferred electronically; and
  • all data is password protected so that only Blyde Welcome employees have access to it.

Data Storage

If in doubt about data storage, any questions should be addressed to the Head of Centre or in her absence one of the Assessors.

When data is stored on paper, and being processed, it should not be left unattended on a printer or desk where it could be viewed by unauthorised people. When it is not being used, data should be held in a locked cabinet or secure facility and not be accessible to unauthorised people. All printed data that is no longer required must be shredded or destroyed without leaving the office.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. To meet these requirements:

• all data should be protected by strong passwords that are changed regularly and are not easy to guess;
• no data should be stored on removable media, without the written permission from Celia Smith, Head of Centre;
• data should only be stored on live systems and on designated drives and servers; and
• we will retain your data for a maximum of 7 years after the closure of your account or the provision of our final service. During this time the data will be archived and retained in locked filing cabinets.

Data Accuracy

For our operation, and in order to meet the requirements of the GDPR and DPA, Blyde Welcome and our staff, the certification, funding bodies and system users, must take reasonable steps to ensure that data is accurate and up to date.

• Data will only be held in the systems whilst the qualification is live.
• Data can only be accessed by those with relevant permissions, and access will require a password.
• All data that is no longer valid will be removed.

Data requests by Individuals or Organisations
Any individuals or organisation is entitled to ask about data held about them by us.

They can:

• ask what information the company holds about them and how it is used;
• ask how to gain access to this information;
• be informed how we keep it up-to-date; and
• be informed as to how we are meeting data protection requirements.

Such a request for information is called a ‘subject access request’. All such requests must be forwarded to the Head of Centre. We will always verify the identity of a person making a subject access request before providing any information.