Centre4, 17a Wootton Road, Grimsby,
North East Lincolnshire,
Tel: 01472 236680
Data Protection Policy
CPO Ltd is committed to a policy of protecting the rights and privacy of individuals (includes beneficiaries, staff and others) and of all personal and sensitive data for which it holds responsibility as the Data Controller, and the handling of such data in accordance with the data protection principles and the Data Protection Act. CPO Ltd needs to process certain information about its staff, beneficiaries and other individuals it has dealings with for administrative purposes (e.g. to recruit and pay staff, to administer programmes of study, to record progress, to agree awards and to comply with legal obligations to funding bodies and government). To comply with the law, information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.
This policy applies to all staff, volunteers and beneficiaries of CPO Ltd. Any breach of the Data Protection Act 1998 or CPO Ltd’s Data Protection Policy is considered to be an offence and in that event, CPO Ltd’s disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with CPO Ltd, and those who have access to personal information, will be expected to have read and comply with this policy. It is expected that CPO’s Managing Director or CPO’s Operations Manager who deal with external agencies will take responsibility for ensuring that such agencies sign a contract agreeing to abide by this policy.
The Data Protection Act 1998 enhances and broadens the scope of the Data Protection Act 1984. Its purpose is to protect the rights and privacy of living individuals and to ensure that personal data is not processed without their knowledge, and, wherever possible, is processed with their consent.
This policy should be considered in conjunction with CPO’s other policies and procedures.
Changes to data protection legislation shall be monitored and implemented in order to remain compliant with all requirements.
1. Definitions (Data Protection Act 1998)
Personal Data
Data relating to a living individual who can be identified from that information or from that data and other information in possession of the data controller. Includes name, address, telephone number, and ID number. Also includes expression of opinion about the individual, and of the intentions of the data controller in respect of that individual.
Sensitive Personal Data
Different from ordinary personal data (such as name, address, telephone) and relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Sensitive data are subject to much stricter conditions of processing.
Data Controller
Any person (or organisation) who makes decisions with regards to particular personal data, including decisions regarding the purposes for which personal data are processed and the way in which the personal data are processed.
Data Subject
Any living individual who is the subject of personal data held by an organisation.
Processing
Any operation related to organisation, retrieval, disclosure and deletion of data and includes:
Obtaining and recording data
Accessing, altering, adding to, merging, deleting data
Retrieval, consultation or use of data
Disclosure or otherwise making available of data
Third Party
Any individual/organisation other than the data subject, the data controller or its agents.
Relevant Filing System
Any paper filing system or other manual filing system which is structured so that information about an individual is readily accessible. Please note that this is the definition of "Relevant Filing System" in the Act. Personal data as defined, and covered, by the Act can be held in any format, electronic (including websites and emails), paper-based, photographic etc. from which the individual's information can be readily extracted.
2. Responsibilities under the Data Protection Act
CPO Ltd as a body corporate is the Data Controller under the new Act. A data controller is defined as “The person who (either alone, or jointly, or in common with other persons) determines the purposes for which, and the way any personal data are, or are to be, processed”. You will note that the definition uses the term ‘person’ NOT ‘individual’. This can therefore mean a legal ‘person’, such as a limited company.
A Data Protection Compliance Officer has been appointed who is responsible for day-to-day protection matters and for developing specific guidance notes on data protection issues (see more under ‘CPO’s Data Protection Compliance Officer’).
The Senior Management and all those in managerial or supervisory roles are responsible for developing and encouraging good information handling practice within CPO Ltd. They are also responsible for ensuring staff have undertaken suitable security checks to work with our younger learners under the age of 16.
Compliance with data protection legislation is the responsibility of all members of CPO Ltd who process personal information. All staff and volunteers should be aware of the principles of the Data Protection Act and ensure they are all familiar with policies and procedures relating to the use of personal data.
CPO’s Board of Directors has a responsibility to ensure CPO complies with its legal obligations.
CPO Ltd is responsible for ensuring that any personal data supplied is accurate and up-to-date.
CPO’s Data Protection Compliance Officer
CPO’s Operations Manager is the named CPO Data Protection Compliance Officer and is responsible for notifying breaches and handling subject access requests. This person’s name is displayed on notice boards. This named person is given a clear remit to:
Be informed about Data Protection issues
Ensure that the organisation complies with its obligations
Train or brief other staff in what they are allowed to do, what they are not allowed to do, and what to do if they are in any doubt
3. Data Protection Principles
All relevant personnel and staff are made aware of the responsibilities as part of their induction. Staff and volunteers can access a copy of the policy in hard copy and on Intranet/server. Staff and volunteers are also requested to read a booklet on GDPR and sign and date to say they understand GDPR.
All processing of personal data must be done in accordance with the eight data protection principles.
Principle 1: Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
At least one of the conditions in Schedule 2 is met
In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met
Those responsible for processing personal data must make reasonable efforts to ensure that data subjects are informed of the identity of the Data Controller, the purpose(s) of the processing, any disclosures to third parties that are envisaged and an indication of the period for which the data will be kept.
Principle 2: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Previously this rule was simple. You had to register what you were going to do and then you could only use data for the purpose(s) that you had registered. Under the amended Act, the Data Controller still has to have a ‘specified’ purpose or purposes, but they may not have to inform the Commissioner. This means that notification is now just one way in which you can specify a purpose. The other, if you are not required to notify, is to specify the purpose directly to the Data Subject.
Examples of purposes include:
Staff administration – appointments, removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the data controller
Consultancy and advisory services – giving advice or rendering professional services
Provision of goods, facilities or services
Principle 3: Personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
This principle essentially insists that data should be of good quality. Information which is not strictly necessary for the purpose for which it is obtained should not be collected. If data are given or obtained which are excessive for the purpose, they should be deleted or destroyed immediately.
Principle 4: Personal data shall be accurate and, where necessary, kept up to date.
This principle essentially insists that data should be of good quality. Data which are kept for a long time must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that they are accurate. It is the responsibility of individuals to ensure that data held are accurate and up-to-date. Completion of an appropriate registration or application form etc. will be taken as an indication that the data contained therein is accurate. Individuals should notify CPO Ltd of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of CPO Ltd to ensure that any notification regarding change of circumstances is noted and acted upon.
Principle 5: Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or those purposes.
This principle raises the question ‘how long is it necessary to keep data?’ There is no hard and fast rule for deciding when to erase, destroy or archive data because it all depends on what is necessary for the purpose(s) for which it is being held.
When deciding on the best action, CPO follows certain considerations. This includes:
Is there a legal limit for holding the data? For example, occupational health and safety records now have to be held for 40 years. Information on employment selection must be held for the six months within which an unsuccessful candidate would have the right to bring a claim of discrimination.
Does the data get used according to a routine rhythm?
Can you confidently describe the next occasion on which you are going to use the data? If not, it may no longer be necessary to keep it.
Principle 6: Personal data shall be processed in accordance with the rights of data subjects under the Act.
These include the rights of access to their data, now including manual files, and the right to prevent processing in certain cases, especially where direct marketing is concerned.
Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This imposes a duty to have appropriate security. It now applies to manual as well as computerised records. We may have to restrict access to files by staff or volunteers, unless they have a good reason, as well as people outside the organisation. Security measures could include drawing up policies and procedures and training staff to follow them. More technical security measures include physical access control, such as locks on doors and filing cabinets, as well as computer passwords and back-up procedures. The notification procedures demand that certain information about measures is provided.
Principle 8: Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Data must not be transferred outside of the European Economic Area (EEA) - the fifteen EU Member States together with Iceland, Liechtenstein and Norway - without the explicit consent of the individual. Staff of CPO Ltd should be particularly aware of this when publishing information on the Internet, which can be accessed from anywhere in the globe. This is because transfer includes placing data on a web site that can be accessed from outside the EEA.
4. Data Subject Rights
Data subjects have the following rights regarding data processing, and the data that is recorded about them:
To make subject access requests regarding the nature of information held and to whom it has been disclosed
To prevent processing likely to cause damage or distress
To prevent processing for purposes of direct marketing
To be informed about the mechanics of any automated decision-making process that will significantly affect them
Not to have significant decisions that will affect them taken solely by automated process
To sue for compensation if they suffer damage by any contravention of the Act
To take action to rectify, block, erase or destroy inaccurate data
To request the Commissioner to assess whether any provision of the Act has been contravened
CPO shall be transparent about the intended processing of any data being collected on individuals and communicate these intentions.
Wherever possible, personal data or sensitive data should not be obtained, held, used or disclosed unless the individual has given consent. CPO Ltd understands "consent" to mean that the data subject has been fully informed of the intended processing and has signified their agreement, whilst being in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing. There must be some active communication between the parties such as signing a form and the individual must sign the form freely of their own accord. Consent cannot be inferred from non-response to a communication. For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.
In most instances consent to process personal and sensitive data is obtained routinely by CPO Ltd (e.g. when a beneficiary signs a registration form or when a new member of staff signs a contract of employment). Any CPO Ltd forms (whether paper-based or web-based) that gather data on an individual should contain a statement explaining what the information is to be used for and to whom it may be disclosed. It is particularly important to obtain specific consent if an individual's data are to be published on the Internet as such data can be accessed from all over the globe. Therefore, not gaining consent could contravene the eighth data protection principle.
Consent must also be obtained for the use of photographs or film footage of an individual before such data can be made public in the way of promotional material or website content etc.
If an individual does not consent to certain types of processing (e.g. direct marketing), appropriate action must be taken to ensure that the processing does not take place.
If any member of CPO Ltd is in any doubt about these matters, they should consult the CPO Ltd’s Data Protection Officer.
6. Security of Data
Please note: This section of this policy only addresses security issues relating to personal data. More general security procedures can be found in the relevant Security policy.
Two security breaches CPO must guard against are:
Anyone seeing or using information they shouldn’t
Data getting damaged, lost or destroyed
All staff are responsible for ensuring that any personal data (on others) which they hold is kept securely and that they are not disclosed to any unauthorised third party (see Section 8 on Disclosure of Data for more detail).
Staff members are expected to provide a suitable photograph that can be displayed on an identity tag. Upon leaving employment with the company, individuals must return this ID pass to management.
All personal data should be accessible only to those who need to use it. You should form a judgement based upon the sensitivity and value of the information in question, but always consider keeping personal data:
In a lockable room with controlled access, or
In a locked drawer or filing cabinet, or
If computerised, password protected, or
Kept on disks, which are themselves kept securely
Care should be taken to ensure that PCs and terminals are not visible except to authorised staff and that computer passwords are kept confidential. PC screens should not be left unattended without password protected screen-savers and manual records should not be left where they can be accessed by unauthorised personnel.
Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data that is no longer required. Manual records should be shredded or disposed of as "confidential waste". Hard drives of redundant PCs should be wiped clean before disposal (see section 9 on Disposal and Retention of Data for more detail).
This policy also applies to staff and volunteers who process personal data "off-site". Off-site processing presents a potentially greater risk of loss, theft or damage to personal data. Staff should take particular care when processing personal data at home or in other locations outside the CPO Ltd building. A confidential client file involves CPO in having a system for signing in and out to further monitor security of this information.
General organisational measures to ensure security of data include training, supervision and management systems. When a notification has to be made to the Commissioner, this must include a statement about security measures. The Commissioner has indicated that BS7799 (the British Standard for Information Security Measurement) will provide the most suitable benchmark.
The measures we take will depend on the sensitivity of the data processed. CPO’s approach will be like that used in any risk assessment. For example:
How many people could be harmed by a specific risk?
How likely is it to happen?
How great would the danger be if it did?
Any risk and impact assessments shall be conducted in accordance with guidance given by the ICO:
7. Rights of Access to Data
Members of CPO Ltd have the right to access any personal data which are held by CPO Ltd in electronic format and manual records which form part of a relevant filing system. This includes the right to inspect confidential personal references received by CPO Ltd about that person.
To meet with the GDPR requirement on Subject Access Requests, CPO recognises that individuals will have more information on how their data is processed and that this information will be available in a clear and understandable way.
CPO will make individuals aware of their rights to request data access, through induction for staff and volunteers - or via a datasheet for service users. Any individual who wishes to exercise this right should apply in writing to the Data Protection Officer.
CPO will respond to Subject Access Requests, and DSARs must be executed “without undue delay and at the latest within one month of receipt of the request.” The response to a subject access request must include all the information relating to purposes that should have been provided upon collection.
CPO reserves the right to charge a fee for data subject access requests (currently £10). Any such request will normally be complied with within 40 days of receipt of the written request and, where appropriate, the fee. Fees will apply in the event that the access request is considered manifestly unfounded or excessive.
Any breaches will be documented and security measures put in place to prevent them happening again.
8. Disclosure of Data
CPO operates with a mind to only disclose personal data on a ‘need to know’ basis.
By this, we mean CPO must ensure that personal data are not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the Police. All staff, volunteers and students should exercise caution when asked to disclose personal data held on another individual to a third party. For instance, it would usually be deemed appropriate to disclose a colleague's work contact details in response to an enquiry regarding a particular function for which they are responsible. However, it would not usually be appropriate to disclose a colleague's work details to someone who wished to contact them regarding a non-work related matter. The important thing to bear in mind is whether or not disclosure of the information is relevant to, and necessary for, the conduct of CPO Ltd business. Best practice, however, would be to take the contact details of the person making the enquiry and pass them onto the member of CPO Ltd concerned.
This policy determines that personal data may be legitimately disclosed where one of the following conditions apply:
The individual has given their consent (e.g. a student/member of staff has consented to CPO Ltd corresponding with a named third party, such as another provider, or a PR agent for VOXX);
Where the disclosure is in the legitimate interests of the institution (e.g. disclosure to staff - personal information can be disclosed to other CPO Ltd employees if it is clear that those members of staff require the information to enable them to perform their jobs);
Where the institution is legally obliged to disclose the data (e.g. HESA and HESES returns, ethnic minority and disability monitoring);
Where disclosure of data is required for the performance of a contract (e.g. informing a student's sponsor of course changes/withdrawal etc.)
The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
To safeguard national security*;
Prevention or detection of crime including the apprehension or prosecution of offenders*;
Assessment or collection of tax duty*;
Discharge of regulatory functions (includes health, safety and welfare of persons at work)*;
To prevent serious harm to a third party;
To protect the vital interests of the individual. This refers to life and death situations.
*Requests must be supported by appropriate paperwork
When members of staff receive enquiries as to whether a named individual is a member of CPO Ltd, the enquirer should be asked why the information is required. If consent for disclosure has not been given and the reason is not one detailed above (i.e. consent not required), the member of staff should decline to comment. Even confirming whether or not an individual is a member of CPO Ltd may constitute an unauthorised disclosure.
Unless consent has been obtained from the data subject, information should not be disclosed over the telephone. Instead, the enquirer should be asked to provide documentary evidence to support their request. Ideally, a statement from the data subject consenting to disclosure to the third party should accompany the request.
As an alternative to disclosing personal data, CPO Ltd may offer to do one of the following:
pass a message to the data subject asking them to contact the enquirer;
accept a sealed envelope/incoming email message and attempt to forward it to the data subject.
Please remember to inform the enquirer that such action will be taken conditionally, i.e. “if the person is a member of CPO Ltd”, to avoid confirming their membership of, their presence in or their absence from the institution.
If in doubt, staff should seek advice from CPO’s Managing Director or CPO’s Operations Manager /Data Protection Officer.
9. Retention and Disposal of Data
CPO Ltd discourages the retention of personal data for longer than they are required. Considerable amounts of data are collected on current staff, volunteers and students. However, once a member of staff, volunteer or student has left the institution, it will not be necessary to retain all the information held on them. Some data will be kept for longer periods than others.
The person responsible for CPO HR regularly reviews the personal files of individual staff members in accordance with the CPO’s policy.
The table below demonstrates how long we will keep various pieces of data. Medical records will carry their own retention times.
Record type | Suggested Retention Period | Basis
Personnel files, including training records and notes of disciplinary and grievance hearings | 6 years from end of employment | References and potential litigation
Application forms/interview notes | At least 6 months from the date of the interviews | Time limits on litigation
Facts relating to redundancies where less than 20 redundancies | 3 years from the date of redundancy |
Facts relating to redundancies where 20 or more redundancies | 12 years from the date of redundancy | Limitation Act 1980
Income Tax and NI returns, including correspondence with tax office | At least 3 years after the end of the financial year to which the records relate | Income Tax (Employment) Regulations 1986
Statutory Maternity Pay records and calculations | | Statutory Maternity Pay (General) Regulations 1986
Statutory Sick Pay records and calculations | | Statutory Sick Pay (General) Regulations 1982
Wages and Salary records | | Taxes Management Act 1970
Accident books, and records and reports of accidents | 3 years after the date of last entry | Management of HASWA (H&S) Regulations
Health records where reason for termination of employment is connected with health, including stress-related illness | | Limitation period for personal injury claims
Medical records kept by reason of the Control of Substances Hazardous to Health regulation 1994 | |
Learner records, including academic achievements, and conduct | This varies depending on the requirements of the funder for a particular project. This information can be obtained from CPO’s Data Protection Officer |
CPO Ltd discourages the retention of personal data for longer than they are required | As long as the individual continues to engage. Where engagement has stopped, information should be kept for no longer than 1 year after the last contact with CPO |
Disposal of Records
Personal data must be disposed of in a way that protects the rights and privacy of data subjects (e.g., shredding, disposal as confidential waste, or secure electronic deletion).
All data shall be destroyed or eradicated to agreed levels meeting recognised national standards, with confirmation at completion of the disposal process.
Disposal of IT assets holding data shall be in compliance with ICO guidance: https://ico.org.uk/media/for-organisations/documents/1570/it_asset_disposal_for_organisations.pdf
Notification is the responsibility of the Registrar and the Data Protection Officer. Details of CPO Ltd's notification are published on the Information Commissioner's website. Anyone who is, or intends, processing data for purposes not included should seek advice from the Data Protection Officer.
Our data processing activities will be registered with the Information Commissioner’s Office (ICO) as required of a recognised Data Controller. Details are available from the ICO: https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/
Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register.
As some of our learners are under the age of 16, notifications shall, where relevant, be written in a form understandable by those defined as ‘Children’ under the legislation. https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
Breaches of personal or sensitive data shall be notified immediately to the individual(s) concerned and the ICO. Our 72 hour breach notification policy is set out below:
72 Hour Breach Notification
According to the regulation, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The wilful destruction or alteration of data is as much a breach as theft.
In the event of a personal data breach, CPO’s Data Controller must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. If notification is not made within 72 hours, the Controller must provide a “reasoned justification” for the delay. In the case of CPO, the appropriate authorities could include the ICO, the CCG and/or the Local Authority.
Notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals”. Importantly, when a Data Processor experiences a personal data breach, it must notify the Controller but otherwise has no other notification or reporting obligation.
Should the Controller determine that the personal data breach “is likely to result in a high risk to the rights and freedoms of individuals”, it must also communicate information regarding the personal data breach to the affected data subjects. Under Article 32, this must be done “without undue delay”.
The GDPR provides exceptions to this additional requirement to notify data subjects in the following circumstances:
The Controller has “implemented appropriate technical and organisational protection measures” that “render the data unintelligible to any person who is not authorised to access it, such as encryption”.
The Controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialise.
When notification to each data subject would “involve disproportionate effort”, in which case alternative communication measures may be used.
11. Publication of Information
All members of CPO Ltd should note that CPO Ltd publishes a number of items that include personal data, and will continue to do so. The personal data is:
Names of all CPO Ltd company directors
Names, job titles and academic and/or professional qualifications of members of staff
Awards and Honours
Internal Telephone Directory
Photographs, programmes and videos or other multimedia versions of ceremonies
Information in prospectuses (including photographs), annual reports, staff newsletters, etc.
Staff information on CPO Ltd website (including photographs)
It is recognised that there might be occasions when a member of staff, a volunteer, a student, or a lay member of CPO Ltd requests that their personal details in some of these categories remain confidential or are restricted to internal access. All individuals should be offered an opportunity to opt out of the publication of the above (and other) data. In such instances, CPO Ltd should comply with the request and ensure that appropriate action is taken.
Any images of staff or pupils should only be captured at appropriate times. Unless consent from parents/pupils/staff/other beneficiaries has been given, CPO shall not utilise such images for publication or communication to external sources.
12. Direct Marketing
Any staff member that uses personal data for direct marketing purposes must inform data subjects of this at the time of collection of the data. Individuals must be provided with the opportunity to object to the use of their data for direct marketing purposes (e.g. an opt-out box on a form). Usually, with regards to CPO, marketing will be limited to the offer of optional additional courses or opportunities.
13. Audit and Compliance Checks
CPO actively works to follow good data protection practice and to meet its data protection obligations. CPO has effective controls and compliance in place alongside fit-for-purpose policies and procedures to support data protection obligations. We systematically check that we follow data protection legislation as it applies to CPO and are always working on how we can improve.
Examples of areas in which CPO ensures compliance include:
Data protection governance, and the structures, policies and procedures to ensure compliance with data protection legislation;
The processes for managing both electronic and manual records containing personal data;
The processes for responding to any request for personal data, including requests by individuals for copies of their data as well as those made by third parties, and sharing agreements;
The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form;
The provision and monitoring of staff data protection training and the awareness of data protection requirements.
Useful web addresses:
Guide to the General Data Protection Regulation (Information Commissioner's Office)
This information is also available in other formats, languages and picture format upon request.
CPO Data Protection Policy
Updated 4th February 2022