Data Protection & Privacy Policy

3.23     Data Protection and Privacy Policy

Eliesha is required to process certain information about individuals with whom we have dealings, for our own administrative purposes and to comply with our legal obligations. For example, we need to keep personal data about our employees, associates and delegates in order to carry out our function as a training organisation. We are committed to ensuring that this processing is undertaken with respect for the rights and privacy of individuals in accordance with current data protection and privacy law.

Eliesha may collect and use personal data of learners, apprentices, partners, our employees or other stakeholders, and we may also receive information regarding them from their employer, other training providers and previous employers where you are applying for employment with Eliesha. We collect and use personal data in order to meet legal requirements and legitimate interests set out in Data Protection Legislation, including those in relation to Article 6 and Article 9 of the GDPR

Which data is collected?

The categories of information that Eliesha may collect, hold and share include the following:

Personal information – e.g. names, addresses, dates of birth, telephone numbers and email addresses
Characteristics – e.g. ethnicity, language, nationality, country of birth
Attendance information
Assessment information – e.g. Exam and/or Functional Skills results
Relevant medical information e.g. for employees

When collecting data, Eliesha will inform whether you are required to provide this data or if consent is needed. Where consent is required, Eliesha will provide you with specific and explicit information with regards to the reasons the data is being collected and how the data will be used.   

How do we use personal information?

Personal information is used by Eliesha to meet its legal requirements and legitimate interests including fulfilling its contractual obligations to its clients and partners and to meet its statutory responsibilities.

The personal data of learners, apprentices, partners, our employees or other stakeholders is collected and used for the following reasons:  

To support learner and apprentice learning
To monitor and report on learner and apprentice progress
To provide appropriate Information, Advice and Guidance
To assess the quality of our service
To comply with the law regarding data sharing
To safeguard our learners, apprentices, employees, partners and other stakeholders
To ensure compliance with our statutory, contractual and regulatory obligations  

Information will be securely destroyed after it is no longer required for these purposes.

Will information be shared?

Information may be shared with third parties for education, training, employment and well-being related purposes, including for research. Third parties may include the Education and Skills Funding Agency, other statutory bodies, awarding organisations, the employer and training partners. This will only take place where the law allows it and the sharing is in compliance with Data Protection Legislation including GDPR.

Eliesha has robust processes in place to ensure the security and confidentiality of any data shared with third-parties. Where Eliesha transfers data to a third party sub-processor, the same data protection standards that Eliesha upholds are imposed on the sub-processor.

Eliesha will not share personal information with any third parties without your consent, unless the law allows us to do so, for example, under Article 6(f) (Legitimate Rights) of the GDPR.

Data Protection Law

All staff are required to comply with the Data Protection Act, the EU General Data Protection Regulation, the Privacy and Electronic Communication Regulations, the EU e-Privacy Regulation and other related legislation as may be enacted in parallel with or to replace these laws.

Key Definitions

Personal Data. This is information that can identify a living person that is held either electronically or in paper form. This can include delegate records, staff employment details, associates’ details and images.
Data Controller. The data controller decides how and why personal data is to be used, and is legally required to comply with the law. Eliesha is the data controller for the personal data it uses.
Data Subject. This is an identifiable living individual who is the subject of personal data.
Processing. In relation to personal data, this means obtaining, recording or holding the data or carrying out any operation or set of operations on the data.

Principles and Duties

a. Transparency

Whenever we collect personal data, we will take appropriate measures to provide data subjects with the information required to ensure they understand the nature of the processing and how to exercise their rights in relation to that processing.

b. Consent

Where we are relying on consent as a legal basis for processing personal data, individuals’ consent will be collected in a manner that ensures it is freely given, specific, informed and unambiguous.

c. Purpose Limitation / Data Minimisation / Storage Limitation / Accuracy

We will only collect and use personal data for specific legitimate purposes, and it will be kept only for as long as we need it for those purposes. We will not collect excessive or irrelevant information. We will ensure that personal data we collect and process will be accurate and kept up to date, where necessary.

d. Security

We will have appropriate security measures in place to protect personal data, taking account of the nature of the data and the harm that might be caused if it was lost. These security measures will be regularly tested, assessed and evaluated to ensure they maintain an appropriate level of security for personal data.
Personal data will be accessible only to those people who need to use it as part of their work. Unauthorised or unlawful access to, use or disclosure of personal data may lead to disciplinary action, and in some cases could be considered as gross misconduct. In serious cases it could also be a criminal offence.
We will provide prompt and effective notification to the relevant supervisory authority and to data subjects, where necessary, in the event of a personal data breach. We will cooperate fully with any regulatory investigations that result from a breach.

e. Rights

Data subjects will be able to exercise fully their rights to access, rectification, erasure, restriction, portability and objection, and their rights with regard to automated decision making and profiling.

f. Marketing

Electronic, telephone and other marketing will be carried out in accordance with the law.

g. Data Protection by Design and Default

We will implement appropriate technical and organisational measures to ensure that data protection principles are incorporated into the development and operation of personal data processing activities.
Data protection impact assessments will be carried out for any new processing activity that is likely to result in a high risk to the rights of the data subjects whose personal data is involved in the processing.

h. Accountability

We will maintain appropriate records to allow us to demonstrate our compliance with these principles and duties, including records of processing activities under our control. A Data Protection Officer will be designated to fulfil the tasks set out in law. The Data Protection Officer will be provided with the resources and support necessary to carry out those tasks.

i. International Transfers

Eliesha does not transfer personal data outside of the European Economic Area.

Roles and Responsibilities

a. Finance Director

The Finance Director has overall responsibility for ensuring that Eliesha’s legal obligations are met and has responsibility for internal and external governance and corporate accountability.

The Finance Director has been designated as the officer with overall responsibility for policy compliance and is Eliesha’s Information Risk Owner and Data Protection Officer.

b. Data Protection Officer

Fulfil the statutory tasks of a Data Protection Officer and report on compliance to the Board of Directors.
Advise on policy and draw up procedures and guidance in line with best practice.
Promote and monitor policy compliance.
Coordinate and respond to requests and queries received from data subjects.
Facilitate appropriate training for all relevant staff.

c. Managers and Data Owners

Managers and data owners have a responsibility for ensuring that data protection issues within their areas are managed in a way that meets the provisions of this policy.

d. All Staff and Associates

Be aware of data protection requirements and what they mean to Eliesha.
Follow the policy and procedures for handling personal data.
Consult with the Finance Director for advice and guidance when necessary.
Report data breaches to the Finance Director as soon as possible, in line with procedure and guidance.
A breach of this policy could result in disciplinary action.

Relationships with Existing Policies

Information Security Policy

Policy Owner – Ann Burnhope, Finance Director

Policy Approved - 15 May 2018

Policy Review Date – 15 May 2020

Our accreditations, affiliations and certifications

CMI ILM Approved Centre Apprenticeships Iosh Agored Cymru SGS ISO 14001 SGS ISO 9001 Cyber Essentials Certifed Plus
Back to top