DATA PROTECTION POLICY 2018
- INTRODUCTION AND PURPOSE
Data Protection Compliance Laws (GDPR, 2018) come into effect on 25th May 2018.
QA Associates Limited, as a ‘Data Controller’ and ‘Processor’, are registered with the Information Commissioner’s Office (ICO) under registration number Z9974298 and as a consequence are required to comply with the new legislation. QA Associates Ltd may be required to collect and use information about the people with whom we work. This personal information must be handled and dealt with properly, regardless of how it is collected, recorded and used, and whether it is held on paper, in computer records and online files, or recorded by any other means.
This policy has been written to acquaint employees and associates with their duties under the Act and to set out the standards expected by QA Associates in relation to the processing of personal data and the safeguarding of individuals’ rights and freedoms. Primarily, QA Associates Ltd employees and associates will have access to data when marking examination papers, undertaking assessment of learner work or internal quality assurance of learner work, registering and certifying learners for a qualification, and training learners.
QA Associates Ltd regard the lawful and correct treatment of personal information as very important to our successful operation and to maintaining confidence between ourselves and those we carry out business with. We aim to fully endorse and adhere to the principles of the General Data Protection Regulation (GDPR, 2018).
This policy applies to the personal data of job applicants, existing and former employees, directors, volunteers and any other associates of the company. These are referred to in this policy as relevant individuals.
When we refer to the term “personal data”, we mean information that relates to an identifiable person who can be directly or indirectly identified from that information, for example a person’s name, identification number, location data or online identifier. It can also include pseudonymised data.
“Data processing” is regarded as any operation performed on personal data or on sets of data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Our ‘employees’ and ‘associates’ may be examiners, markers, assessors, internal verifiers, moderators or engaged in the administration of registration and certification of learners for a qualification or to mark examination assessments or assignments following training.
- EMPLOYEE/ASSOCIATE DUTIES AND RESPONSIBILITIES
In order to protect the personal data of relevant individuals, those within QA Associates Ltd who must process data as part of their role have been made aware of our policies on data protection. Additionally, we have designated employees with responsibility for reviewing and auditing our data protection systems.
Employees of QA Associates are expected to apply the following conduct:
i. Acquaint themselves with, and abide by, the GDPR Principles
ii. Read and understand this policy document
iii. Understand how to conform to the standard expected during employment
iv. Understand how to conform to the standard expected in relation to safeguarding data subjects’ rights (e.g. the right to inspect personal data)
v. Understand what is meant by ‘sensitive personal data’, and know how to handle such data
vi. Contact the Data Protection Officer if in any doubt, and not jeopardise individuals’ rights or risk an infringement of the Data Protection policies.
4. DATA PROTECTION PRINCIPLES
Under GDPR, all personal data obtained and held by QA Associates Ltd must be processed according to a set of core principles. In accordance with these principles, employees and associates must ensure that:
i. Data processing will be fair, lawful and transparent
ii. Data is collected for specific, explicit and legitimate purposes and shall not be further processed in any manner incompatible with those purposes
iii. The data collected will be adequate, relevant and limited to what is necessary for the purposes of processing
iv. Data will be kept accurate and up to date; data found to be inaccurate will be rectified or erased without delay
v. Data is not kept for longer than is necessary for its given purpose
vi. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
vii. Where needed, QA Associates Ltd will comply with the relevant GDPR procedures* for the international transfer of personal data.
* Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
‘Best practice’ guidelines are available for further reference in a supporting document which can be provided by the Managing Director, or other employees of QA Associates.
- TYPES OF DATA HELD
QA Associates keep several categories of personal data on our employees and associates in order to carry out effective and efficient processes. We keep this data in a personnel file relating to each employee and associate, and we also hold the data within our computer systems, for example our holiday booking system.
Specifically, we hold the following types of data:
- Personal details such as name, address, phone numbers
- Information gathered via the recruitment process, such as that entered into a CV or included in a CV cover letter, references from former employers, details of your education and employment history, etc.
- Details relating to pay administration, such as National Insurance numbers, bank account details and tax codes
- Medical or health information
- Learner data held by QA Associates Limited, comprising first name, family name, gender, date of birth and employer/organisation. These are held as identifiers.
- Information relating to your employment with us, including:
  - Job title and job description
  - Your wider terms and conditions of employment
  - Details of formal and informal proceedings involving you, such as letters of concern, disciplinary and grievance proceedings, your annual leave records, and appraisal and performance information
  - Internal and external training modules undertaken
Additionally, QA Associates Ltd obtain data, which may include personal data, from learners, clients and third parties such as Awarding Bodies. This data is usually accessed when marking examination papers, undertaking assessment of learner work or internal quality assurance of learner work, registering and certifying learners for a qualification, and training learners. Wherever possible, personal data will be redacted or replaced with an ID number when work is sent out for marking etc.
- EMPLOYEE/ASSOCIATE RIGHTS
You have the following rights in relation to the personal data that is held by QA Associates Ltd:
- The right to be informed about the data we hold on you and what we do with it
- The right of access to the data we hold on you. More information on this can be found in the section headed “Access to Data” below
- The right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’
- The right to have data deleted in certain circumstances. This is also known as ‘erasure’
- The right to restrict the processing of the data
- The right to transfer the data we hold on you to another party. This is also known as ‘portability’
- The right to object to the inclusion of any information
- The right to regulate any automated decision-making and profiling of personal data
- DATA SECURITY
There are multiple aspects to Data Security which all employees and associates of the company must adhere to when handling data obtained through external contact with other companies. Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice, depending on the severity of the failure.
7.1 Employees and Associates of the company must be aware that ‘hard copies’ of personal information should be kept in a locked filing cabinet, drawer or safe.
7.2 Employees and Associates should also be aware of their roles and responsibilities when processing data, as referenced in section 3.
7.3 All employees and associates are instructed to store files or written information of a confidential nature in a secure manner, so that they are accessed only by people who have a need and a right to access them, and to ensure that screen locks are implemented on all PCs, laptops and tablets when unattended. No files or written information of a confidential nature are to be left where they can be read by unauthorised people.
7.4 Where data is computerised, it should be coded, encrypted or password protected, both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer or safe.
7.5 Employees and associates must always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them.
7.6 Personal data relating to employees and associates should not be kept or transported on laptops, USB sticks, or similar devices, unless prior authorisation has been received. Where personal data is recorded on any such device it should be protected by:
- Ensuring that data is recorded on such devices only where absolutely necessary.
- Using an encrypted system — a folder should be created to store the files that need extra protection and all files created or moved to this folder should be automatically encrypted.
- Ensuring that laptops or USB drives are not left where they can be stolen.
- ACCESS TO DATA
As stated previously, employees and associates have a right to access the personal data that we hold on them. To exercise this right, employees and associates should make a ‘Subject Access Request’. QA Associates Ltd will comply with the request without delay, and within one month, unless, in accordance with legislation, we decide that an extension is required. Those who make a request will be kept fully informed of any decision to extend the time limit.
No charge will be made for complying with a request unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request. In these circumstances, a reasonable charge will be applied.
- DATA DISCLOSURES
In some circumstances, QA Associates Ltd may be required to disclose certain data/information to any person. It is important to note that these kinds of disclosures will only be made when strictly necessary for the purpose.
The circumstances leading to such disclosures include:
- Any employee benefits operated by third parties
- Disabled individuals – whether any reasonable adjustments are required to assist them at work
- Individuals’ health data – to comply with health and safety or occupational health obligations towards the employee
- Statutory Sick Pay purposes
- HR management and administration – to consider how an individual’s health affects his or her ability to do their job
- The smooth operation of any employee insurance policies or pension plans
- Assisting law enforcement or a relevant authority to prevent or detect crime, to prosecute offenders, or to assess or collect any tax or duty
- THIRD PARTY PROCESSING
Where QA Associates Ltd engage third parties to process data on our behalf, we will ensure, via a data processing agreement with the third party, that the third party takes such measures as are needed to maintain the Company’s commitment to protecting data.
New employees or associates must read and understand the policies on data protection as part of their induction or probationary period. All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach. The nominated data controller and protection officers for QA Associates Ltd are trained appropriately in their roles under the GDPR. All employees and associates who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and to the Company of any potential lapses and breaches of the Company’s policies and procedures.
- DATA PROTECTION CONTACTS
For general enquiries about the new GDPR policies and the data protection policies currently put in place by QA Associates Ltd, our details can be found below:
81 Hickton Road
Telephone: 01773 748866
- DISCIPLINARY CONSEQUENCES FOR BREACH OF THIS POLICY
The unlawful obtaining or disclosure of personal data (including the transfer of personal data outside the EEA in contravention of paragraph 4.4.2 above), or any other breach of the current GDPR policies by staff, will be treated seriously by QA Associates and may lead to disciplinary action up to and including dismissal.
The QA Associates Data Protection Officer is the Quality Manager.
- REVIEW OF THE POLICY
This policy will be reviewed every 12 months by the Managing Director.