We are committed to protecting the privacy and security of personal information. This policy describes how we collect and use personal information in accordance with the General Data Protection Regulation and other UK data protection laws
- For the purposes of this document, we are a Data Processor and Data Collector. This means we are responsible for deciding how we hold and use personal information
- Our privacy notice tells you what we do with your personal information, why we need it, who we share it with and how long we keep it for
- Full compliance with this policy is mandatory and any breach may result in disciplinary action
- Employees have an obligation to ensure they do not disclose or release sensitive personal information to any unauthorised person
Your personal information is the information that identifies you. We collect this information when you apply to our learning opportunities so we can keep in touch, and when we sign you up on a learning programme. We will also collect more information whilst you are learning with us, such as your attendance and progress.
We will ensure that your privacy is fully protected and that your information is secure. In order to stop unauthorised access or sharing we have put in place physical, electronic and managerial procedures to safeguard and secure information that we collect.
Third Party Compliance
Under the GDPR, data controllers are responsible for their own compliance as well as that of third party processors.
As such, we ensure the security practices of any potential third party and agree to the measures it will take to secure its systems.
Our agreement will also state that third parties:
- Will act only on our documented instructions
- Won’t contract a sub-processor without our prior approval
- Will delete or return all personal data to us at the of the agreement.
Data controllers must be accountable for the way third parties process personal data. In the event of a security incident, it’s not good enough to deny any wrongdoing and lay the blame entire on the supplier.
When reviewing our relationship with third parties, we commit to:
- Ensuring that third-party vendors take security and compliance seriously, let alone are GDPR compliant
- Clearly define all areas and activities in which the GDPR is in scope, and have third-party vendors agree to assurances that their processes meet the Regulation’s requirements
- Confirm with third-party vendors that they will not outsource any GDPR-relevant scoped services without written approval
- Regularly audit third-party vendors’ processes to ensure on-going compliance.
Why do we collect personal information about you?
We collect information to allow us to carry out our work delivering training and apprenticeships.
We require this information to deliver our service to you and for the Department for Education, Ofsted (our Regulatory body) and our funders, such as the Education & Skills Funding Agency, so they can check that we deliver training to the required standards and to provide the right payments to us for delivering the training. When government funded or accredited the information we are required to obtain is much greater.
Be mindful, sometimes our funders or Ofsted may contact you directly to talk to you about your learning with Raise the Bar or ask what has happened since finishing your learning programme, for example whether you have a job or are doing some other training.
When it comes to commercial learning the information we request is minimal of both our learners and clients. This is the replicated as in our speaker business, the minimum information only will be requested.
What sort of information do we ask for?
- Your name, age or date of birth
- Your contact details including address, email address and telephone numbers
- National Insurance Number
- Your ethnicity or national origin
- Emergency contact or next of kin details
- Educational achievements
- Employment history
- Health information
- Support needs
- Household situation
- Information such as post code, your preferences and interests
- Other information relevant to customer surveys and/or offers
We may also collect other information about you in the course of your training or apprenticeship such as:
- IT equipment use including internet access.
- Information about attendance, including any sickness absence.
We hold information that you have provided to us directly via our website, via direct contact with one of our employees or associates, or via one of our partners such as an event management company (if you have provided consent for them to pass on your details to Raise the Bar.
This can include:
- Your full name
- Job title
- Business email
- Postal addresses
- Business phone numbers.
We also collect information when you buy our services, and when you provide feedback.
We keep this information secure in our IT systems. Some information may be in paper files such as an enrolment form or a workbook.
What do we use the information for?
- We will use the information collected from you to enable enrolment and participation through to completion in our training and apprenticeship programmes and secure funding for your programme.
- We will use your information for our own internal record keeping.
- We may use your information to improve our products and services.
- We will use your information to ensure we protect your health, safety and welfare.
Who do we share your information with?
We will need to share some of your information with other people and organisations. This may include your personal contact details, your attendance and progression in training, your achievements, or employment progress. The people we regularly share this information with are:
- Ofsted (the Regulatory Body for Training & Education)
- Department for Education (DfE)
- Employers (potential and current)
- Funding agencies such as the Education & Skills Funding Agency (ESFA)
- Awarding Bodies who verify your qualification and award your Certificates
- Referrers (such as Job Centres, Connexions, other referring agencies)
- Tutors and trainers, including sub-contracted training providers, andI other Raise the Bar staff such as people in Finance or Business Admin
- Auditors and Inspectors
There may be occasions when we are legally required to share information with statutory agencies such as the Police, Local Authorities, Courts or HMRC. This may be in relation to educational statistics, safeguarding risks, criminal or civil proceedings or fraud. Information can be shared without your consent in these circumstances.
We will not share your information with third parties unless requested. For example we may be required to share details of your attendance and participation with your Referrer (this may be a Job Centre or other agency who has referred you to us), with your Employer, with your Parents or Guardian. We will usually tell you when we are doing this, but by giving your consent to us processing your information on the consent form with this notice, you are agreeing to this information being shared.
There may be other occasions when we are requested to provide information we hold on you, and we will seek your explicit consent to do this. We do not share your information with bodies outside of the EU.
We only use the information to contact you about Raise the Bar training programmes, products, events and seminars that may be relevant to you and your business.
Your information may be shared with a limited number of organisations such as our technology suppliers all with the required data protection standards.
If you buy our services or products we will only use your information to carry out the requirements of the contract. In some cases, we will need to provide your data to a limited number of organisations involved in the delivery of an apprenticeship, such as our technology suppliers, the Education & Skills Funding Agency, Ofsted and the relevant qualification awarding bodies.
We are required by the Education and Skills Funding Agency to retain your information for seven years for auditing and funding purposes. This is stored securely and fully deleted from our systems once this time has passed.
Where do we store your information?
We keep your information secure in our IT systems. Some information may be in paper files such as an enrolment form or a workbook.
Your data will not be transferred to, stored at, or processed in a destination outside the European Economic Area (EEA). We will store your information on databases or physical files held in locations that have been tested for electronic and physical security and access is only permitted to those who need access to the data.
We maintain appropriate administrative, technical and physical safeguards to protect personal data against accidental or unlawful destruction, accidental loss, unauthorised alteration, unauthorised disclosure or access, misuse and any other unlawful form of processing.
How do we transfer your information?
Our data storage capacity uses generally accepted industry standards to protect all the information we store including during transfer and transmission. This includes firewalls, secure data transfer sites such as password protected cloud storage and transfer platforms.
As we are a business with employees, entities and service providers internationally we may need to transfer the personal data you provide to us to other countries which may be outside the European Economic Area (EEA).
The data protection laws in such countries may not be as comprehensive and provide the same level of protection for your personal data as those within the European Economic Area. In these instances, we will take the proper steps to guarantee that your personal data is handled as described in this Privacy Notice.
How long do we keep your information?
We will keep your details and the documents or file associated with your learning programme for a period of seven years from the end of the programme as per ESFA guidelines.
Any financial documents related to funding of your programme must be retained for the period set by the funding body (e.g. Education & Skills Funding Agency). This is usually for up to 15 years after the financial year end in which the programme ends as a minimum.
If your learning record or workbook is part of our internal quality checking, then we must retain those documents for a period of 4 years from the date they were quality assessed in order to provide them to an external quality assessor.
We will never store your personal information for longer than is necessary to deliver the services we offer.
You have the right to:
- Object to processing of personal data that is likely to cause, or is causing, damage or distress
- Prevent processing for the purpose of direct marketing
- Object to decisions being taken by automated means
- In certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
- Claim compensation for damages caused by a breach of the data protection regulations
- Object to your personal data being processed
- Request to request erasure from our records, but only to a certain extent where some of the data we hold is required to be retained for the purposes of complying with our legal obligations, Statutory Funding Rules, insurance purposes, HMRC requirements.
Where the processing of your data is based on your consent, you have the right to withdraw this consent at any time.
Personal data breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
Personal data breaches can include:
- Access by an unauthorised third party
- Deliberate or accidental action or inaction by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
If we recognise that a personal data breach has occurred we will instigate our response plan. Responsibility for managing and investigating breaches has been allocated to the company directors and staff are aware that they should escalate a security incident directly to the directors so they can determine whether a breach has occurred. All breaches will be recorded even if they do not need to be reported to the Supervisory Authority (ICO).
Website access and usage
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity. For further information visit www.aboutcookies.org or www.allaboutcookies.org. You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.
|Version No||Issue Date||Reviewer||Notes|
|1||June 2020||James Cannon|
|1.1||September 2020||James Cannon||Amended with 3rd Party Compliance|