The European Union General Data Protection Regulation (GDPR), which was adopted by the European Union in 2016, will automatically come into force on 25th May 2018. The Government is introducing a UK Data Protection Bill (currently in draft) which incorporates and supplements the GDPR to create a UK data protection regime pre and post Brexit.
To comply with the law, staff who process personal information must ensure they follow Data Protection Principles. The obligation to keep information confidential arises out of the common law duty of confidentiality, professional obligations and staff/third party contracts. All staff with access to confidential personal information must keep that information safe and secure.
CCBT Ltd. holds an online database. It is encrypted and password protected. Access to the database is limited to key personnel only.
CCBT Ltd holds contact details of current and past students, referees and payment accounts (for emailing and printing of receipts).
CCBT Ltd also holds email or postal details of individuals who request an online prospectus or a printed copy.
The Database offers options for any individual account to be deleted or omitted from email, mailing list or study group.
CCBT Ltd. does not share its Database with other third parties.
CCBT Ltd. does not conduct email marketing.
CCBT Ltd. does write to students via email about course developments.
CCBT Ltd. relies on past and present students to inform it of any changes or updates to individual contact details.
Purpose and Scope
This document sets out CCBT Ltd's commitment to the confidentiality of personal information and its responsibilities regarding the disclosure of such information. It aims to ensure that all staff, whether directly employed or self-employed within the College, are aware of their responsibilities towards the confidentiality of personal information.
Data Protection Principles:
Personal data shall be:
- Fairly and lawfully processed
- Processed for specific purposes only
- Adequate, relevant and not excessive
- Accurate
- Not kept longer than necessary
- Processed in accordance with the data subject’s rights
- Secure
- Not transferred to countries outside the EU without adequate protection
The Act requires CCBT Ltd to register as a Data Controller with the Office of the Information Commissioner, detailing the purpose for which personal information is used; use of data beyond that specified in the registration is unlawful. An annual fee is paid to the ICO to maintain notification on the register.
Disclosure of Personal Information
Whether personal information can be disclosed to others depends on a number of factors, including whether the student has consented to the information being shared, to whom the information is being disclosed and the reason for its disclosure.
Information Security
In order to ensure the confidentiality of personal information, systems and procedures are in place to control access to such information. Such controls are essential to ensure that only authorised persons have physical access to computer hardware and equipment and access to either electronic or paper records containing confidential information about individuals.
Staff responsibilities
Staff members who process personal data about clients, staff, student applicants, or any other individual must comply with the requirements of this policy.
Staff members must ensure that:
- all personal data is kept securely;
- no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
- personal data is kept in accordance with the College’s record keeping retention policy;
- any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Data Protection Officer (Avy Joseph);
- any data protection breaches are swiftly brought to the attention of the Owner and/or Data Protection Officer;
- where there is uncertainty around a Data Protection matter, advice is sought from the Data Protection Officer.

Staff who are unsure about who are the authorised third parties to whom they can legitimately disclose personal data should seek advice from the Owner and/or Data Protection Officer.
Where a third-party Data Processor is used
The Data Processor must provide sufficient guarantees about its security measures to protect the processing of personal data;
reasonable steps must be taken that such security measures are in place;
a written contract establishing what personal data will be processed and for what purpose must be set out;
a data processing agreement must be signed by both parties.
Self-employed Contractors
The College is responsible for the use made of personal data by anyone working on its behalf. Such staff must be appropriately vetted for the data they will be processing. In addition, the College must ensure that:
any personal data collected or processed, undertaken for the College is kept securely and confidentially.
all personal data processed (e.g. application forms) held by the college, including any copies that may have been made.
the College receives prior notification of any disclosure of personal data to any other organisation or any person who is not a direct employee of the College
all practical and reasonable steps are taken to ensure that self-employed contractors do not have access to any personal data beyond what is essential for the work to be carried out properly.
Self-employed contractors must familiarise themselves with the principles of GDPR before they start.
ensuring that their personal data provided to the College is accurate and up to date.
Subject Access Requests
The College is required to permit individuals to access their own personal data held by the College via a subject access request. Any individual wishing to exercise this right should do so in writing to the Data Protection Officer.
The College aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 14 days of receipt of the request.
Data Protection breaches
Where a Data Protection breach occurs, or is suspected, it should be reported immediately to the Data Protection Officer at CCBT Ltd.