Data Protection
Data Protection Law controls what Challenge-trg Skills does with the personal information provided by individuals who work for us, study with us or access services we provide.
Our Privacy Statement describes what we do with the personal information we are provided with. You may be asked to give us personal information to become a student or client, or to use the services we offer.
1.0 Introduction
Challenge-trg Skills is responsible for compliance with the UK General Data Protection Regulation (UK GDPR). The UK GDPR is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679), which came into effect on 25 May 2018 and applied in the UK until 1 January 2021. EU GDPR was amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018 to reflect the UK’s status outside the EU; it sits alongside and supplements the UK GDPR. Personal Data is subject to the legal safeguards specified in the UK GDPR.
The organisation processes personal data in accordance with the following data protection principles:
. The organisation processes personal data lawfully, fairly and in a transparent manner.
. The organisation collects personal data only for specified, explicit and legitimate purposes.
. The organisation processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
. The organisation keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
. The organisation keeps personal data only for the period necessary for processing.
. The organisation adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
The organisation tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons.
1.1 Where the organisation processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with a policy on special categories of data and criminal records data.
The organisation will update personal data promptly if an individual advises that their information has changed or is inaccurate.
Personal data gathered is held in the individual’s personnel, learner and customer files (in hard copy or electronic format, or both), and on HR systems. The organisation keeps a record of its processing activities in respect of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
Personal data is data which relates to an identified or identifiable natural person.
2.0 Individual Rights
As a data subject, individuals have a number of rights in relation to their personal data.
2.1 Subject access requests
Individuals have the right to make a subject access request. If an individual makes a subject access request, the organisation will tell them:
. Whether or not their data is processed and if so why, the categories of personal data concerned.
. To whom their data is or may be disclosed, including to recipients located outside the European Economic Area (EEA).
. For how long their personal data is stored (or how that period is decided).
. The individual’s rights to rectification or erasure of data, or to restrict or object to processing.
The organisation will also provide the individual with a copy of the personal data undergoing processing.
To make a subject access request, the individual should send the request to the company’s main office address. In some cases, the organisation may need to ask for proof of identification before the request can be processed. The organisation will inform the individual if it needs to verify their identity and the documents it requires.
The organisation will normally respond to a request within a period of one month (30 days) from the date it is received.
If a subject access request is manifestly unfounded or excessive, the organisation is not obliged to comply with it. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify him/her that this is the case and whether or not it will respond to it.
2.2 Other rights
Individuals have a number of other rights in relation to their personal data. They can require the organisation to:
. Rectify inaccurate data.
. Stop processing or erase data that is no longer necessary for the purposes of processing.
. Stop processing or erase data if the individual’s interests override the organisation’s legitimate grounds for processing data (where the organisation relies on its legitimate interests as a reason for processing data).
. Stop processing or erase data if processing is unlawful.
. Stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override the organisation’s legitimate grounds for processing data.
3.0 Data Security
The organisation takes the security of personal data seriously. The organisation has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.
Where the organisation engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
4.0 Individual Responsibilities
Individuals are responsible for helping the organisation keep their personal data up to date. Individuals should let the organisation know if data provided to the organisation changes, for example, if an individual moves house or changes his/her bank details.
Individuals may have access to the personal data of other individuals and of our customers and clients in the course of their employment, contract, volunteer period, or apprenticeship. Where this is the case, the organisation relies on individuals to help meet its data protection obligations to staff and to customers and clients.
4.1 Individuals who have access to personal data are required:
. To access only data that they have authority to access and only for authorised purposes.
. Not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation.
. To keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction).
. Not to remove personal data, or devices containing or that can be used to access personal data, from the organisation’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device.
. Not to store personal data on local drives or on personal devices that are used for work purposes.
Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the organisation’s disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
5.0 Equality and Data Collection and Monitoring
Although there is no legal duty to collect monitoring information against individual protected characteristics, in order to demonstrate due regard to the aims of the general equality duty held by Challenge-trg, Challenge-trg Skills will sometimes collect equality data upon which to measure its equality and diversity profile.
Equality monitoring relates to one or more of the nine protected characteristics established by the 2010 Equality Act: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation. If monitored properly, particularly in relation to recruitment, it can help the organisation to better balance its workforce and develop fair opportunities for all. Equality monitoring for staff and volunteers will also assist Social Enterprise Kent to identify and address any inequalities in the application of employment and placement practices.
Challenge-trg Skills will keep all collected equality data pertaining to individuals confidential and securely stored whilst awaiting periodic analysis in line with the above aims, after which it will be destroyed.
6.0 Storage of Records
The Company stores most of its records online, on AWS servers which are located in London UK and protected by firewalls and virus software. Permission levels for Company employees to access specific files and folders within the server (and other software used by the Company, such as PICS, Salesforce) are managed by the Company’s IT Manager, delegated by the Board. Any unusual requests for access will require authorisation by a Company Director.
Records held electronically are stored in the cloud on AWS servers based in London UK.
Certain Company records are still required to be stored in paper form.
These records are stored on site at:
Challenge‑trg Skills Ltd; Unit 9 Metro Triangle, Mount Street, Nechells, Birmingham B7 5QT
Electronic documents are stored in a secure cloud-based location:
AWS Servers based in London UK
Addendum
The ESF Programme Action Note 018/18 sets out the lawful basis for processing personal data under ESF.
The General Data Protection Regulation (GDPR) and ESF
Who: All ESF beneficiary organisations, European Social Fund Division and Greater London Authority.
What: The UK is updating its data protection legislation and it will come into force on 25 May 2018. The new laws aim to update current data protection legislation including the Data Protection Act 1998, increase the privacy protection of all UK and EU citizens and reduce the risk of data breaches. It will apply to all public and private organisations processing personal data. Established key principles of data privacy will remain relevant in the new data protection laws but there are also changes that will affect commercial arrangements, both new and existing, with suppliers. The new General Data Protection Regulation 2018 ((EU) 2016/679) (GDPR), which forms part of the new data protection legislation, specifies that any processing of personal data, by a data processor, should be governed by a contract with certain provisions included. All ESF projects and partners should check Annex A: Q&A Briefing on General Data Protection Regulation (GDPR) and ESF to find out more about what action they will need to take. Projects will need to comply with new GDPR regulations / requirements from 25 May 2018 and should, in the first instance, refer to Annex A: Q&A briefing for further details.
Cleared: Janet Downes / Dan Mumford
Action: Please read the supplementary Annex A: Q&A Briefing on General Data Protection Regulation (GDPR) and ESF.
Contact: For questions please contact: ESF.2014-2020@dwp.gsi.gov.u
More information can be found at the following:
This Action Note provides an update to information provided in Action Note 018/18 – and includes details on action to take with regards to data right of access requests (RARs) (formerly known as subject access requests or SARs) and personal data security breaches.
This guidance explains the requirement for, and the process by which contact details for all participants on European Social Fund (ESF) and Youth Employment Initiative (YEI) provision must be submitted to the Managing Authority (MA). This document covers:
· The regulatory and legal basis behind the requirement to collect and share participant data, including contact details;
· The requirement for the participant privacy notice to be used with all ESF and YEI participants;
· What contact details need to be collected and how they will be reported to the MA;
· The handling of contact details for certain ‘sensitive’ groups.
This guidance applies to both ESF and ‘match’ funded participants.
1.1. Who should use this guidance?
This guidance should be used by all grant beneficiary organisations, including ‘direct bid’ organisations, Co-Financing Organisations (CFOs) and partners and Intermediate Bodies (IBs). Grant beneficiary organisations will be expected to provide contact details data for all delivery partners or projects within their operation. The grant beneficiary organisation will be responsible for the quality of the data submitted.