Anyone who obtains personal information ‘data’ about other individuals is a ‘data controller’ and is thus regulated by the Data Protection Act 2018. The Act controls what can lawfully be done with information. 
It also gives individuals certain rights to control how information about them is obtained, used, stored and distributed. These rights include the right to find out what information a data controller has about them, and to ask for copies of data.

 

We will appoint a data protection compliance officer.

 

A request for access to any personal data that relates to you should be commutated either verbally or in written form.

 

On receipt of a request it is our policy to provide copies of all data that we are obliged to disclose as soon as is reasonably possibly but in any event within 40 days of receipt of your request being received by the data protection compliance team at head office. In unusual situations we may need to extend this time frame but you will be notified if this is necessary.

 

Should you wish to bring any inaccuracy in disclosed data to our attention you must do so as soon as possible either verbally or in writing. In appropriate circumstances you may find that arranging an appointment to hand us your written notification of any inaccurate data is preferable.

 

It is our policy to ensure that all data is as accurate as possible and all necessary steps to ensure that this is the case and to rectify any inaccuracies will be taken.
 
Initial enquiries regarding Data Protection should be emailed to:  mydata@achievementtraining.com

 

 

Our obligations

The principles for processing of personal data are that data must be:

  1. Fairly and lawfully processed;
  2. Processed for limited purposes;
  3. Adequate, relevant and not excessive;
  4. Accurate;
  1. Not kept longer than necessary;
  2. Processed in accordance with the data subject’s rights;
  3. Secure; and
  4. Not transferred to countries without adequate protection.

ATL are committed to following these principles and that is why your consent has been obtained so that all our data processing in relation to data of which you are the subject is lawful.

We will process data about you only so far as is necessary for the purpose of managing our business. Data will not be disclosed to anyone else other than our authorised employees, agents, contractors or advisors (except as required by law) unless you expressly authorise its disclosure. We will only obtain data about you that we require for the purpose of managing our business and dealing with you as an employee/learner of that business. 

We will take all reasonable steps to ensure that the data we process is accurate. Data will be retained as necessary during the course of your employment/learning and records will be retained for up to seven years after the data that you leave the employment/centre in case legal proceedings arise during that period. Data will only be retained for a period of longer than six years if it is material to legal proceedings or should otherwise be retained in our interests after that period.

We will process data in accordance with your rights under the Act. Data will be kept in a secure system, whether manual or computerised, to the best of our ability at all times.

It should be noted that where ATL receives a Freedom of Information (FOI) request relating to ESFA contract data, we can not directly respond until we have been authorised in writing by the Department for Education.

The Act prohibits the transfer of data outside the European Economic Area to countries that do not have similar security protections of data except in some circumstances or with the subject’s consent. ATL ensures that all data is held within the EEA or countries that conform to similar levels of security. 

What data do we hold?

We are necessarily a data controller in relation to all the information that we obtain about you as part of the process of providing you with employment/learning.

In order to manage our business, we keep records about our employees/learners that necessarily include the following information:

 

Employees & Learners:
Employees:
  • Name
  • Date of birth
  • Sex
  • Address
  • Next of kin
  • Sickness record
  • Disciplinary record
  • CV
  • References
  • Qualifications
  • Rate of pay
  • Bank details
  • Performance record
  • Appraisals
  • Criminal records

 

Your consent:

It is a requirement under the Act that you consent to our processing data about you. Some data is referred to in the Act as “sensitive personal data”. This means personal data consisting of information as to:

  • the racial or ethnic origin of the data subject;
  • his/her political opinions;
  • his/her religious beliefs or other beliefs of a similar nature;
  • whether he/she is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
  • his/her physical or mental health or condition;
  • his/her sexual life;
  • the commission or alleged commission by him/her of any offence; or 
  • any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.

 

Your rights under the Act

The Act gives you the following rights as a data subject:

Access to data

    • To be told whether personal data on you is being processed by requesting this either verbally or in writing;
    • To be given a description of the data and its recipients and to have a copy of the data as soon as is reasonably possible of the request;
    • To be informed about the logic used to make automated decisions using the data. For example some employers will scan CV’s submitted for certain information in order to select candidates for further consideration and this right would entitle the candidate to know what the criteria used was unless this would necessitate divulgence of a trade secret;
    • The data subject must provide the data controller with any information reasonably requested to enable the data controller to be satisfied as to the data subject’s identity and in order to locate the information; and
    • Where disclosure of data would necessarily mean that information relating to a third party would be disclosed the data controller may refuse to disclose it unless the third party consents or it is reasonable to disclose the information without such consent. 

Rectification of data

The Data Protection Act allows for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. ATL will respond and rectify this within one calendar month to a request. In rare circumstances we may refuse this request for rectification if there is good reason to do so.

Information

The Act provides that Data will not be fairly processed unless the data controller ensures that as far as reasonably practicable the data subject has or has ready access to:

  • The identity of the data controller;
  • Any representative of the data controller;
  • The purpose(s) for which the data is intended to be processed;
  • Any other information necessary to enable the processing to be fair.

However any data subject whose employer has not notified the Office of the Information Controller that he is a data controller and had these details entered in the public register is entitled to be given (within 21 days of making a written request) “relevant particulars” which are:

  • The data controller’s name and address;
  • The name and address of any representative of the data controller;
  • a description of the personal data being or to be processed and the category of data subjects to which they relate;
  • a description of the intended purpose of the processing;
  • a description of the intended recipients of the data;
  • a list of the countries outside the European Economic area that will or may be in receipt of the data from the data controller.

Direct Marketing

A data subject has the right to require in writing that the data controller within a reasonable time cease or not begin processing data of which he is the subject for the purpose of direct marketing.

Right to stop data processing

A data subject has the right to require that a data controller cease or not begin data processing where the processing is causing or likely to cause unwarranted and substantial damage or unwarranted and substantial distress to the data subject or another by giving notice in writing specifying why the data processing is or will be the cause of distress or damage and the purpose and manner of processing to which objection is made. The data controller will then respond with a written notice stating either that he has or intends to comply with the request or why he regards the notice as unjustified and the extent to which he has or intends to comply with it. However where the data subject has consented to the data processing or it is necessary for the performance of a contract to which he is a party he requests it with a view to entering a contract or the data controller has a non contractual legal obligation which requires him to carry it out, the data subject has no right under this section to stop the data processing. The data controller will though respect this request and at the earliest legal opportunity delete this data in lines with contractual / legal obligations.