General Data Protection Regulation
Our General Data Protection Regulation 2016 (GDPR) Policy outlines Eden Training Solutions’ commitment to fully complying with the Regulation, which came into effect on 25th May 2018.
The Key Principles of GDPR
1. Lawfulness, fairness and transparency
We will only use valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data. This is to meet our contractual obligations with the Education and Skills Funding Agency (ESFA) who are also fully compliant with GDPR.
The ESFA is responsible for funding education and skills in England for children, young people and adults. It is also responsible for delivery of key services in the education and skills sector in England including the apprenticeship service, the provision of information, advice and guidance through the National Careers Service, and the Learning Records Service.
Eden will only use personal data in a way that is fair. This means that we do not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. All data collected is fully explained and collected at source with the individuals’ full consent.
We will be clear, open and honest with people from the start about how we will use their personal data.
2. Purpose limitation
We will be clear about what our purposes for processing are from the start.
We will record our purposes as part of our documentation obligations and specify them in our privacy information for individuals. This is fully outlined in the learner and employer sign-up packs, which are discussed as part of the sign-up process.
We will only use the personal data for a new purpose if either this is compatible with our original purpose, we get consent, or we have a clear basis in law.
3. Data minimisation
The data collected is adequate and is sufficient in properly fulfilling our stated purpose. The information collected is relevant and has a rational link to that purpose; and is limited to what is necessary as we do not hold more than we need for that purpose.
4. Accuracy
We will ensure that the data collected is accurate and that all reasonable steps have been taken to ensure the personal data we hold is not incorrect or misleading as to any matter of fact. Individuals have the right to request, check and amend/delete their data held with us as required.
If we discover that the personal data held is incorrect or misleading, then we would take reasonable steps to correct or erase it as soon as possible.
We would carefully consider any challenges to the accuracy of personal data.
5. Storage limitation
We will not keep personal data for longer than we are legally obliged to keep it.
We will continually review the need for, and be able to justify, how long we keep the personal data for. This will depend on our purposes for holding the data.
We will carefully consider any challenges to the retention of data. Individuals have a right to erasure if we no longer need the data.
6. Integrity and confidentiality (security)
We will ensure that we have appropriate security measures in place to protect the personal data we hold. We will ensure that data held on non-Eden Training Solutions software by a third party is fully GDPR compliant.
We will process personal data securely by means of ‘appropriate technical and organisational measures’.
We will continue the cycle of continuous improvement and carry out the appropriate review of risk analysis, organisational policies, and physical and technical measures.
We will consider all additional requirements about the security of our processing methods which will include all data processors.
We will evaluate the costs of implementation when deciding what measures to take, but these will be appropriate both to our circumstances and the risk our processing poses.
We will ensure our measures meet all confidentiality, integrity and availability processes of our systems and services and the personal data we process within them.
We will also ensure that we are able to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
7. Accountability
We have the appropriate records in place to be able to demonstrate our compliance.
We have in place the appropriate technical and organisational measures to meet the requirements of accountability.
We have:
- Adopted and implemented data protection policies;
- Checked our third party compliance with organisations that process personal data;
- Maintained documentation of our processing activities;
- Implemented appropriate security measures;
- Created processes for recording and, where necessary, reporting personal data breaches;
- Carried out data protection impact assessments for uses of personal data; and
- Designated the responsibility of data protection and security to an Executive Board member.
In addition, where it is necessary for the Data Processor (Eden Training Solutions) to process any Personal Data of which the Data Controller (ESFA) then that Data Processor shall:
- a) Process such Personal Data on the other party’s behalf only to the extent reasonably necessary to enable compliance. The Data Controller will only collect your personal information where the law allows it, or we have a legal obligation to do so. Your personal information is collected to enable us to carry out the functions of the Department for Education (DfE); ESFA Privacy Notice.
- b) Process such Personal Data only in accordance with the Data Controller’s instructions;
- c) Notify the Data Controller as soon as reasonably practicable and in any event within not less than 3 Business Days of any and all requests received by it from Data Subjects and/or the United Kingdom Information Commissioner (or any other regulatory authority) and provide all reasonable assistance and co-operation which is requested by the Data Controller in respect of such request.
Frequently Asked Questions
Why do you hold my information?
We use Personal Information for the following reasons:
- To bid for, arrange and deliver contracts. For example, we will need and use the contact details of colleagues, learners and employers we work with, for work related purposes for the duration of contracts;
- To advise people about our services and invite them to take advantage of what we offer. We therefore keep a limited database of contact information for marketing purposes;
- To administer our business. For example, we keep details of people who work with us for invoicing, payment, tax and payroll/HR purposes;
- To support our colleagues, learners and employers;
- To comply with legal or regulatory requirements.
What types of information do you collect and hold?
Eden will only use personal data in a way that is fair. This means that we do not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. All data collected is fully explained and collected at source with the individuals’ full consent.
- Employer and job title (learners and mentors);
- National Insurance No and Date of Birth (learners);
- Financial details relating to the Employer (Levy payroll details);
- We may also hold some sensitive classes of information such as gender and ethnicity, so we can review and improve our services to diverse groups;
- We do not buy or sell mailing lists. However, we would disclose information on request to the Police or any other statutory authority or regulator who has a reasonable need for these data to effectively conduct their business e.g. criminal investigations and/or for funding purposes.
- This data is collected partly electronically and partly in a paper format.
What personal identifiable data do you process?
We will process the personal data of learners which includes personally identifiable information defined in the existing Data Protection Directive (DPD), such as identification numbers and data specific to the individual’s identity (e.g. name, DOB, NI No, home address).
We will only use personal data in a way that is fair. This means that we do not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. All data collected, processed and stored is fully explained on sign up with the individuals’ full consent.
We will process such Personal Data on the other party’s behalf only to the extent reasonably necessary to enable compliance. Our Data Controller will only collect personal information where the law allows it, or we have a legal obligation to do so. This is to meet our contractual obligations with the Education and Skills Funding Agency (ESFA) Apprenticeship Funding Rules for Training Providers.
We will record our purposes as part of our documentation obligations and specify them in our privacy information for individuals. This is fully outlined in the learner and employer sign-up packs, which are discussed as part of the sign-up process. Documentation includes an Individual Learner Record (ILR) and Learner Application Form.
Who do you share my information with?
We only share data with the Education and Skills Funding Agency (ESFA) in line with the requirements of the Department for Education (DfE) to comply with our contractual obligations.
How is my information processed?
The processing system is called Maytas, an industry-recognised Management Information System which is securely maintained.
How is my information stored?
The data held on our Management Information database Maytas is stored on their servers, and details of GDPR compliance can be found at Maytas GDPR Compliance.
Hard copies are stored in a secured location within our Head Office premises: Eden Training Solutions Limited, 1st Floor, Bridge House, 28 Wheldon Road, Castleford WF10 2JD. Only authorised Data Processors can access hard copy Personal Information for the purpose of Data Processing in accordance with the Data Protection Officer’s instructions. Only the Data Protection Officer and Deputy Data Protection Officer are approved key holders.
What security measures do you have in place to ensure personal identifiable data is secured and protected?
Access to our Management Information System (MIS) is controlled by our Data Protection Officer. Only authorised Data Processors can access digital Personal Information for the purpose of Data Processing in accordance with the Data Protection Officer’s instructions. Multi-layered security encryption systems are in place and supported by firewalls, intrusion detection and identity/access management systems (user access credentialing).
Hard copy files are stored in a securely locked room. Only authorised Data Processors can access hard copy Personal Information for the purpose of Data Processing in accordance with the Data Protection Officer’s instructions. Only the Data Protection Officer and Deputy Data Protection Officer are approved key holders.
Who is your Data Protection Officer and how can I contact them?
Eden Training Solutions’ nominated Data Protection Officer (DPO) is Scott Goddard (Director of Systems). Contact telephone: 07764 966224 or via ScottGoddard@eden-ts.com.
How do I know what information you hold about me?
If you want to know what information we hold about you, you can ask for it (make a subject access request).
What do I do if I think the information about me is incorrect?
We would ask you for clarifying information, which would be presented to the Data Protection Officer for review, and where appropriate updates would be made.