E-Hairdressing General Data Protection Regulation (GDPR) & Privacy Policy

Company Statement

E-Hairdressing referred to hereafter as E-Hair Ltd incorporated and registered in England and Wales with company number 4931932 who registered office is 484 Babbacombe Road, TORQUAY TQ1 1HN.

As from May 2018 the Data Protection Act 1988 will be updated and reviewed – General Data Protection Regulation (GDPR).  GDPR covers all aspects of collecting, processing and accessing data and is in relation to how we handle any personal data which we obtain from you.  This covers our website, privacy policies, paper records and any computer records. Any personal information gathered will only be used in the context of your employment with us or the business we conduct with you.  One of the main changes is regarding consent – this must be freely given, specific, informed and unambiguous.  Communications from E-Hair Ltd are usually via email or SMS, but communication preference can be changed as and when requested by the individual.

We may process all the information we obtain from you to enable us to fulfil our contractual obligations to you. We may also request further information from third parties or disclose your details to other selected third parties, such as VTCT and/ or their regulators or industry bodies.  Any data breaches will be immediately reported by our Data Protection Officer to the ICO.

E-Hair Ltd. have a GDPR team in place to deal with all related matters and is overseen by our Data Protection Officer: Richard Cherry 01803 291000 or by email richard@e-hairdressing.co.uk

If you have provided us with any information that you no longer wish us to use, please contact us immediately.

In disclosing your personal details to us, you agree that we may process and in particular may disclose your personal data:

– As required by Law to any third parties

– Selected third parties who may process personal data jointly with us or on our behalf

–          Carry out statistical analysis

–          Pass to their regulator or industry bodies for the following purposes (a) to monitor equal opportunities relating to ethnicity or disability or for other such monitoring purposes;  or (b) to account for candidates where there is a requirement to do so; or (c) where there is a requirement for such bodies to contact a candidate directly and the information is not readily accessible by other means

–          Disclose and publish your details in directories which many contain information about E-Hair Ltd.

–          Disclose your personal details to third parties for the purpose of providing prizes, remuneration and qualifications for candidates

DATA PROTECTION POLICY

Relating to learners and employers

POLICY STATEMENT

This policy applies to all learners and employers.

Compliance with this policy is a condition of engagement in learning programmes and any deliberate breach of this policy will result in disciplinary action, which may include removal from employment and possible legal action. Any employee found to be accessing personal data without authority this will be treated as gross misconduct.

All data/information processed by the organisation is covered by this policy.

PRIVACY NOTICE

E-TRAINING & DESIGN LTD. Ltd holds personal data on learners and employers in order to facilitate their training and education and to provide funding information to the ESFA in support of their learning aims.
E-TRAINING & DESIGN LTD. Ltd is legally obliged to collect personal data from learners and employers in order to fulfil their obligations for delivering apprenticeships, other government funded training programmes and E-TRAINING & DESIGN LTD. certificated courses.

Sharing Personal Data
Data sharing is restricted to the following relevant third parties. Data is shared only when necessary and required in order for a learner to complete their programme of learning.

The ESFA, who are the Government body providing funding delivered by E-training & Design Ltd.
Awarding organisations for quality assurance, assessment and certification
Ofsted for the purpose of ensuring E-training & Design Ltd.is providing a quality service and learning experience.
Regulatory authorities, sector skills councils, professional bodies, and similar industry bodies;
Employers who are offering an apprenticeship position within their organisation. (Permission from the applicant must be obtained prior to sharing any personal data and CVs.)
We will ensure there is a contract in place with such third parties which includes obligations in relation to the confidentiality, security, and lawful processing of any personal data shared with them.

THE DATA PROTECTION ACT 1998 AND GDPR

This legislation protects people against the misuse of personal data, and covers both manual and electronic records. The Act requires that any personal data held should be:

processed fairly and lawfully;
obtained and processed only for specified and lawful purposes;
adequate, relevant and not excessive;
accurate and kept up to date;
held securely and for no longer than is necessary; and
not transferred to a country outside the European Economic Area unless there is an adequate level of data protection in that country.

The 2018 General Data Protection Reforms (GDPR) provides additional protection under law in the new digital age and allows individuals much greater control over their own data.

E-training & Design Ltd. is committed to compliance with the principles and the responsibilities under GDPR. All data collected by E-training & Design Ltd. will comply with these principles set out in Article 5 of the GDPR. All data must be:

processed lawfully, fairly and in a transparent manner in relation to individuals;

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

The 2018 GDPR provides the following rights for individuals and forms a key element of this policy:

Right to be informed: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

Right of Access: Individuals have the right to access their personal data and supplementary information, which allows individuals to be aware of and verify the lawfulness of the processing.

Right to Rectification: The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.

Right to erasure: The GDPR introduces a right for individuals to have personal data erased, also known as ‘the right to be forgotten’. The right is not absolute and the legal

responsibilities of E-training & Design Ltd. a provider contracted to the ESFA for funding of Apprenticeships and other training programmes take precedent.

Right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. However, this is not an absolute right and only applies in certain circumstances.

Right to data portability: Allows individuals to obtain and reuse their personal data for their own purposes across different services. It enables them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability

Right to object: Individuals may object to the data processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority; direct marketing (including profiling); or processing for purposes of scientific/historical research and statistics.

4. CONTACTS AND RESPONSIBILITIES

Responsibility for the Processing of Personal Data
The organisation’s Data Controller is the Training Manager who is responsible for ensuring all
personal data is controlled in compliance with the GDPR legislation.

Employees who manage personal data of a learner or employer are referred to as Processors
and must comply with this policy and adhere to the procedures laid down by the Data
Controller.

Regular audits on data processing will be carried out under the supervision of the Data Controller.

When a breach of this policy occurs it should be reported to the Data Controller immediately so
that he can inform the ICO. A breach that is not malicious will be dealt with sensitively and in
proportion.

Malicious and purposeful violations of personal data will result in a disciplinary and could lead to
summary dismissal.

What personal data do we collect?
We collect a learner’s name, gender, date of birth, proof of eligibility, ethnicity, learning needs and any health issues that might impact on learning. We may also collect other categories of personal data if required in relation to a specific qualification or programme, and personal data if required to carry our quality assurance processes, investigations, complaints and appeals. This personal data is provided to us by individuals when they first register with E-training & Design Ltd.
In exceptional circumstances, we may be provided with sensitive personal data, such as information about mental health. In such circumstances this data is only obtained and used to enable us to respond appropriately to an individual’s needs.

How do we use personal data?
We will use an individual’s personal data where this is necessary to pursue our legitimate interests as a provider of training services, including to:
provide information on products and/or services;
undertake administration in relation to products and/or services for which an individual has registered;
provide learners with an online portfolio / record of learning;
contact learners directly in relation to our quality assurance processes, investigations, appeals, and complaints;
contact learners directly in relation to new and existing products, services, news, awards and events offered by E-training & Design Ltd.
provide information, advice and guidance on progression and destinations.
We may also process personal data if required by law, including where we are obliged to respond to requests by government or law enforcement authorities, or for the prevention of crime or fraud.

How long will we keep personal data?
We will retain personal data relating to learning, assessment, and certification to enable us to provide information about your learning or a replacement certificate.

We will retain personal data relating to our quality assurance processes, appeals, or investigations for a period of 7 years to ensure we are able to comply with any contractual, legal, audit and other regulatory requirements, or any orders from competent courts or authorities.

Where do we store personal data and how is it protected?
We take reasonable steps to protect personal data from loss or destruction. We also have procedures in place to deal with any suspected data security breach. We will notify the learner and any applicable regulator of a suspected data security breach where we are legally required to do so.

Concerns or complaints
If you believe that your data protection rights may have been breached, and we have been unable to resolve your concern, you may lodge a complaint with the applicable supervisory authority or to seek a remedy through the courts. Please visit https://ico.org.uk/concerns/ for more information on how to report a concern to the UK Information Commissioner’s Office.

Changes to our Policy
Any changes made to our policy in the future will be communicated to employers and learners by e-mail and/or post.

Related Policies
Confidentiality Policy
Email and Internet Policy
Disciplinary Policy
Equal Opportunities Policy