Telephone: 024 7671 5143

JBC Skills Training Ltd:- Data Protection Policy 2019

Scope

JBC SKILLS TRAINING is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Act 1998 and the General Data Protection Regulations 2018. JBC SKILLS TRAINING processes information about its staff, learners, employers and other individuals it has dealings with for a range of administrative purposes (e.g. to recruit and pay staff, administer programmes of learning and comply with legal obligations of funding bodies and Government). In order to comply with the law, information about individuals must be collected and used fairly, stored safely and securely, retained for only so long as is necessary and not disclosed to any third party unlawfully.

All "processing" of personal data (which includes the collection, holding, retention, destruction and use of personal data) is governed by the Data Protection Act 1998 and the General Data Protection Regulations 2018. This applies to all personal data, whether it is held on a computer or similar automatic system or as part of a manual file. Personal data is defined as information relating to an identifiable living individual and can be held in any format, electronic (including websites and emails), paper-based, photographic etc. from which the individual's information can be readily extracted.

Under the Data Protection Act 1998, all organisations that process personal information are required to notify the Information Commissioner's Office. JBC SKILLS TRAINING’s Notification describes the various types of processing of personal information and defines the persons or bodies to which the information may be disclosed - the registration number is ZA022273.

The General Data Protection Regulations 2018 afford further protection of the privacy of personal data, including the right to erase personal data and withdraw consent.

It is an offence to process personal data except in strict accordance with the eight principles of data protection and the rights of data subjects. Further information on the Data Protection Act can be found at https://www.legislation.gov.uk/ukpga/1998/29/contents and the General Data Protection Regulations at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Failure to comply with the above could result in the prosecution not only of JBC SKILLS TRAINING but also of the individual concerned.

It follows, therefore, that all staff who are concerned with, or have access to, such data have an obligation to ensure that they are processed according to the eight principles of data protection and the rights of data subjects.

This means, among other things, that staff must treat all data carefully and must not disclose personal data to unauthorised persons (this will often include parents and carers of learners).

JBC SKILLS TRAINING does not authorise any employee or agent of JBC SKILLS TRAINING to hold or process any personal data on its behalf. Users of personal data should consider the legal position before attempting to process personal data.

In cases of doubt or difficulty staff should in the first instance contact a Director of JBC SKILLS TRAINING.

REMEMBER - TREAT PERSONAL DATA WITH CARE
DON'T PASS ON PERSONAL INFORMATION TO UNAUTHORISED PERSONS

Eight Data Protection Principles

JBC SKILLS TRAINING is committed to making sure that:

Data Security

JBC SKILLS TRAINING’s data security refers to the protective digital privacy measures that are applied to prevent unauthorised access to computers, databases and websites. This includes:

Contain characters from three of the following four categories:

- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (for example, !, $, #, %)

All staff, upon obtaining employment, will receive information on data security and JBC SKILLS TRAINING’s data privacy arrangements as a component of the induction process as well as interim update training.

Procedure for Data Breach

Whilst every care is taken to safeguard personal data from incidents (either accidental or deliberate), compromise of information, confidentiality, integrity or availability may result in harm to individuals, reputational damage, detrimental effect on service provision, legislative compliance and/or financial cost.
Data security breaches include confirmed or suspected incidents: any event or action which may compromise the confidentiality, integrity or availability of systems or data and which may cause, or potentially cause, harm to JBC SKILLS TRAINING’s information assets and/or reputation.

Any individual member of staff who accesses, uses or manages JBC SKILLS TRAINING’s information is responsible for reporting data breaches and information security incidents immediately to a Director.

If the breach occurs outside of normal office hours, it must be reported as soon as is practicable.

The report must include full and accurate details of the incident, when the breach occurred (date/time), the person reporting it, the nature of the information and the number of individuals involved. An Incident Report Form should be completed as part of the reporting procedure.

All staff should be aware that any breach of data security may result in disciplinary action in line with company policy.

The Managing Director will establish the severity of the breach and appoint an investigating officer as appropriate. The investigation will gather information, assess the extent of the incident, limit the damage the breach could cause, identify who needs to be notified and determine a course of action. An investigation will take place within 2 working days of the breach being discovered/reported.

Notification

The investigating officer will consult with relevant colleagues to determine whether the Information Commissioner’s Office require notification. If so, this will be completed within 72 hours.

Data Subject Rights

Procedure for Subject Access Requests

Individuals wishing to access their personal information should submit a request in accordance with the following notes:


1. Make a request, in writing, to the Managing Director (see below for contact details).

2. The request should include details and provide documented evidence of who the individual is (e.g. driving licence, passport, birth certificate). It should also provide as much detail as possible regarding the information in question (e.g. where and by whom information is believed to be held, specific details of information required etc).

3. It is required to state WHY an individual wishes to access the information: the details required are merely those that will aid the efficient location and retrieval of information.

4. Once the Managing Director receives a subject access request, all efforts will be made to fully comply within a calendar month. In any event, you will receive all the information that has been located and can be released within that period along with an explanation for any information that cannot be provided at that time.

5. In accordance with the Data Protection Act 1998 and General Data Protection Regulations 2018, JBC SKILLS TRAINING does not usually release information held about individuals without a legal obligation, legitimate interest or individual consent. Therefore if information held about you also contains information related to a third party, JBC SKILLS TRAINING will make every effort to anonymise the information. If this is not possible, and JBC SKILLS TRAINING has been unable to secure the relevant consent, JBC SKILLS TRAINING may decide not to release the information.


All queries should be directed to JBC SKILLS TRAINING’s Managing Director in the first instance.

Name: Managing Director
Email: info@jbctraining.co.uk
Postal Address: JBC Skills Training Limited,
Stoneleigh House,
66-70 Earlsdon Street,
Coventry CV5 6EJ
Telephone: 024 7671 4850

Reporting a breach

Any suspected or actual data breach must be promptly reported to a Company Director using this format:-

Section 1: To be completed by the individual reporting the incident or appropriate Manager
Name of person reporting the incident:
Date of incident discovery:
Location of incident:
Contact details of person reporting the incident (email; telephone):
Brief description of the incident/details of the information loss:
Number of data subjects affected (if known):
Brief details of any action taken at the time of the discovery:
Signature:
Date:

Section 2: To be completed by a Company Director
Received by:
Date:
Forwarded for action to:
Date:
Signature:
Date:

Section 3: To be completed by the Investigating Officer
Received by:
Date:
Signature:
Date:
Data Breach Report Form
Appendix 1

Section 4: To be completed by the Investigating Officer as part of the investigation
Name of Investigating Officer:
Date:
Incident No:
Details of the IT systems, equipment, devices, records involved in the security breach:
Details of the information loss:
Extent of information loss:
Extent of loss on business operations, legal liabilities, reputational consequences:
Number of data subjects:
Implications (if any) on contractual security arrangements:
Nature of the sensitivity of the data (including any special categories – ethnic origin, religious belief, gender, health, sexual orientation):
Information that could be used to commit identity fraud (personal bank information, national identifiers including NI number, copies of passport, birth certificate):
Information relating to vulnerable adults or children:
Information relating to individuals, including work performance, remuneration, personal life that could cause distress to an individual if disclosed:
Information relating to progress of students or discipline or sensitive information which could adversely affect individuals:
Signature:
Date:

Section 5: To be completed by the Investigating Officer as part of the outcome of the investigation
Name of Investigating Officer:
Date:
Incident No:
Extent of information loss:
Reported to internal stakeholders (specify who):
Action taken by responsible persons:
Notification to ICO: Yes / No If Yes Details:
Notification to Data Subjects: Yes / No If Yes Details:
Notification to external stakeholders: Yes / No If Yes Details: