Introduction

Explosive Learning Solutions Ltd. (ELS) is committed to data security and the fair and transparent processing of personal data. This privacy policy and notice sets out how ELS treats personal data in compliance with applicable data protection law, in particular the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK Data Protection Act 2018 (DPA).

Please read this policy carefully as it contains important information on how and why ELS may collect, store, use and share your personal data, your rights in relation to your personal data, how to contact us, and how to contact supervisory authorities in the event that you would like to report a concern about the way in which we process your personal data.

Background

ELS needs to collect person-identifiable information about individuals in order to carry out its functions and fulfil its objectives. Personal Data is defined as ‘information which relates to a living individual and from which they can be identified, either directly or indirectly’.

Personal data at ELS can include:

  • employees (past, present and prospective)
  • delegates (ELS employees or those of our clients, and both current and prospective learners)
  • associates (either actively working for us or seeking job opportunities)
  • clients (in both the learning and consultancy space and also security clearances).

Under the DPA and GDPR, ELS has a legal duty to protect any personal data it processes. ELS uses encryption software to safeguard data on all computers and laptops, and keeps strict security standards to prevent any unauthorised access to it.

Purpose

The purpose of this policy is to enable ELS to:

  • comply with the law in respect of the data it holds about individuals
  • protect the personal data of ELS’ employees, delegates, associates, clients and other individuals
  • respect the individuals rights
  • protect the organisation from the consequences of a breach of its responsibilities
  • conform to current legislation and accreditation
  • follow good practice and be open and honest with the individuals whose data is held.

Scope

This policy applies to:

  • the ELS offices
  • directors and employees of ELS
  • delegates using ELS IT systems
  • associates using ELS IT systems
  • any other persons who collect or process data on behalf of ELS or use ELS IT systems.

The policy will ensure that personal data is processed, handled, transferred, disclosed and disposed of lawfully and covers all classifications of personal data whether electronic or on paper.

Explosive Learning Solutions Ltd will:

  • provide training and support for employees and associates who handle personal data, so that they can act confidently and consistently
  • will not hold data longer than necessary
  • will report any data losses to the ICO and the data subject in the event of a loss.

Definition of Data Protection Terms

Data is recorded information whether stored electronically, on a computer, or in certain paper-based filing systems including all forms of media messaging (e.g. iMessage, WhatsApp) and digital imagery (photographs, videos etc.).

Data subjects for the purpose of this policy include all living individuals about whom ELS holds personal data. A data subject does not need to be a UK national or resident. All data subjects have legal rights in relation to their personal information.

Personal data means data relating to a living individual who can be identified from that data (or from that data and other information in possession of the company). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal). It can even include an e-mail address. It is important that the information has the data subject as its focus and affects the individual’s privacy in some way. Mere mention of someone’s name in a document does not constitute personal data, but personal details such as someone’s contact details or salary would still fall within the scope of the Acts.

Data controllers are the people or organisations who determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Acts. 

Data Users include employees whose work involves using personal data. Data users have a duty to protect the information they handle by following the company’s data protection and security policies at all times.

Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on the company’s behalf.

Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties.

Sensitive Personal data includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

Your data protection rights

Note that you have the right to object to the processing of your personal data on the basis of legitimate interests as set out below, as under data protection law, you have rights including:

Your right of access – You have the right to request a copy of the personal data that we hold about you by contacting us at the email or postal address given. Please include with your request information that will enable us to verify your identity. We will respond within 1 month of request. Please note that there are exceptions to this right. We may be unable to make all data available to you if, for example, making the data available to you would reveal personal data about another person, if we are legally prevented from disclosing such data; if there is no basis for your request, or if your request is excessive.

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to request the deletion of your personal data where, for example, the personal data is no longer necessary for the purposes for which it was collected, where you withdraw your consent to processing, where there is no overriding legitimate interest for us to continue to process your personal data, or your personal data has been unlawfully processed. If you would like to request that your personal data be erased, please contact us using the contact details provided.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information.

Your right to object to processing – In certain circumstances, you have the right to object to the processing of your personal data where, for example, your personal data is being processed on the basis of legitimate interests and there is no overriding legitimate interest for us to continue to process your personal data, or if your data is being processed for direct marketing purposes. If you would like to object to the processing of your personal data, please contact us using the contact details provided.

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.  However, please note that the GDPR sets out exceptions to these rights. If we are unable to comply with your request due to an exception we will explain this to you in our response.

Please contact us at:  4 The Terraces Library Ave Harwell Science & Innovation Campus, Didcot OX11 0SG, if you wish to make a request.

GDPR Principles

The 7 GDPR key principles (GDPR Article 5) are at the core of our approach to processing personal data:

Lawfulness, fairness and transparency.  Personal data will be processed lawfully, fairly and in a transparent manner in relation to individuals.

Purpose limitation.  Personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

Data minimisation.  Personal data collected will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Accuracy.  Personal data collected will be accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay

Storage limitation.  Personal data collected will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals

Integrity and confidentiality (security).  Personal data collected will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability.  The controller (ELS) and the nominated Data Protection Officer shall be responsible for, and be able to demonstrate compliance with these principles and this policy.

Data Protection Responsibilities

The Directors of ELS, as the ‘Data Controller’ permit the organisation’s employees to use computers and relevant filing systems in connection with their duties. The Directors have a legal responsibility for the notification process and compliance of the DPA and GDPR.

Data Protection Officer’s (DPO) responsibilities

The Directors have delegated data protection compliance to the Data Protection Officer. The DPO has the following responsibilities:

  • briefing the Directors on Data Protection responsibilities
  • reviewing Data Protection and related policies
  • advising other staff on Data Protection issues
  • ensuring that Data Protection induction and training takes place
  • handling subject access requests
  • approving unusual or controversial disclosures of personal data
  • approving contracts with Data Processors
  • ensuring that legislation and accreditation policies are adhered to and updated as per:
    • the Data Protection Act
    • the ICO
    • Cyber Essentials
    • client governance and policies.

The Data Protection Officer is:  XXX

The Data Protection Officer can be contacted by the following means:

In writing to: 

4 The Terraces Library Ave
Harwell Science & Innovation Campus
Didcot
OX11 0SG

By telephone:  01235 861805
By email:  xxx

The type of personal information we collect
We may collect and process personal data you provide to us. This may include personal information, which may include identifiers, contacts and characteristics (for example, name, job role, areas of interest, email address and other contact details).  ELS will always seek consent (in some form) to gather and hold any pertinent personal information; your consent will never be assumed.

We may collect data if and when you:

  • provide us with any details required for the maintenance of your security clearance
  • complete a form on our website
  • correspond with us by phone, email, or in writing
  • attend an event organised by us, or engage with us at an event we are participating in
  • complete a course offered by us, particularly those involving official accreditation
  • report a problem to us
  • sign up to receive further communications from us
  • create an account of any kind with us
  • enter into a contract with us to receive or provide products and/or services.

How we get the personal information and why we have it

When we ask you to supply us with personal data we will make it clear whether the personal data we are asking for must be supplied so that we can provide any products and/or services to you, or whether the supply of any personal data we ask for is mandated for any reason, or whether the supply of any such data is entirely optional.

The majority of the personal information we may process is provided to us directly by you in order to:

  • Work alongside people for Associate work.
  • Work alongside people for Security work.
  • Maintain security clearances.
  • Ensure that companies and individuals comply with various levels of vetting, accreditation and certification required by areas of our business.
  • Plan, schedule and conduct training courses.
  • Support people in the assessment of their apprenticeships.
  • Undertake consultancy work.
  • Undertake research work.
  • Respond to enquiries and concerns.
  • Maintain communications with you, with your consent.

    We may (rarely) also receive personal information indirectly, from the following sources in the following scenarios:

  • if you are a tutor, associate, apprentice, or learner
  • from a related centre, customer, employer, employer provider, or training provider.

We may share this information with various examination and certification boards.

Personal data about other people

Please note that, if you provide personal data to us about any person other than yourself, such as your relatives, next of kin, advisers or suppliers, you must ensure that they understand how their personal data will be processed, and that they have given their permission for you to disclose it to us and for you to allow us, and our third party service providers, to process it.

Special category data

In exceptional circumstances, we may also collect and/or be provided with special category data, such as data about your physical or mental health or condition. For example, we may collect and/or be provided with special category data to enable us to administer requests for reasonable adjustments in relation to our function as an End Point Assessment Organisation (EPAO), or in relation to an investigation, complaint, or appeal. Such data will only be collected and/or provided to us if you have provided your explicit consent.

Lawful Bases for retention

Under GDPR, the lawful bases we rely on for processing this information are that we have:

  • your consent to do so. You are able to remove your consent at any time. You can do this by contacting the Data Protection Officer (see above for ways to contact the Data Protection Officer)
  • a contractual obligation to hold certain information
  • a legal obligation to hold certain information
  • a legitimate interest in holding certain information.

How we store your personal information

Your information is securely stored on either a secure database or on a secure server.

We will keep your personal data for the duration of any contract between us. Thereafter, we will keep personal data in order to:

  • provide information about your relationship with ELS
  • respond to any questions, complaints or claims made by you, on your behalf or about you
  • share information with you regarding the status and renewal of qualifications, certification, accreditation and any related timelines
  • comply with any relevant third party record retention requirements (e.g. those of a regulator)
  • comply with any contractual, legal, audit, and other regulatory requirements, or any orders from competent courts or authorities.

We will also keep personal data relating to our quality assurance processes, investigations, appeals and complaints, in order to comply with applicable contractual, legal, audit and other regulatory requirements, or any orders from competent courts or authorities.

ELS keeps personal data for no longer than as is necessary for the above purposes.

The types of information we may keep, how long we may keep it for, who may access/process it and any disposal procedures we may subsequently use at the end of any stated period are detailed at Annex A, Schedule of Data.

Bank and Credit Card details

ELS do not retain/hold the bank and credit card details of individuals, but conduct live processing only. The banking information of other companies will only be retained if it is a contract stipulation to do so AND consent has been granted.   

Should you wish to complain

If you have any concerns about our use of your personal information, you can make a complaint to the Data Protection Officer. You are able to remove your consent at any time. You can do this by contacting the Data Protection Officer (see above for ways to contact the Data Protection Officer).

If you believe that your data protection rights may have been breached, and we have been unable to resolve your concern, you may also lodge a complaint with the ICO if you are unhappy with how we have used your data.

The ICO’s address:            

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Changes to our policy

This policy will be reviewed and amended, as required, on a regular basis. Any changes we may make to our policy in the future will be highlighted and, where appropriate, notified to you by email. This document is available on request.