Data Protection and GDPR Policy

Data Protection Policy

What is ‘Data’ and ‘Data Protection’? 

In the course of its activities Sycamore Training Solutions will collect, store and process personal data, and it recognises that the correct and lawful treatment of this data will maintain confidence in the organisation and will provide for successful business operations.

The types of personal data that Sycamore Training Solutions may be required to handle include information about current, past and prospective employees, suppliers, customers and others with whom it communicates. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Data Protection Act (2018) and other regulations. The Act imposes restrictions on how Sycamore Training Solutions may process personal data, and a breach of this legislation could give rise to criminal sanctions as well as bad publicity.

What is the EU General Data Protection Regulation (GDPR)? 

The EU General Data Protection Regulation (GDPR) came into force across the European Union on 25th May 2018 and brought with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age. The new regulation aims to standardise data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal information. The GDPR has been enshrined in UK law by the Data Protection Act (2018) and the General Data Protection Regulations (2018).

Defining Data Protection Terminology

The following are definitions of terms relating to data protection:

Data is recorded information whether stored electronically, on a computer, or in certain paper-based filing systems.

Data Subjects for the purpose of this policy include all living individuals about whom Sycamore Training Solutions holds personal data. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information.

Personal Data means data relating to a living individual who can be identified from that data (or from that data and other information in possession of Sycamore Training Solutions). Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal). It can even include a simple e-mail address. It is important that the information has the data subject as its focus and affects the individual's privacy in some way. Mere mention of someone's name in a document does not constitute personal data, but personal details such as someone's contact details or salary would still fall within the scope of the Data Protection Act (2018). 

Data Controllers are the people or organisations who determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Act. David Thorpe, Managing Director at Sycamore Training Solutions, is the data controller of all personal data used in its business. 

Data Users include employees whose work involves using personal data. Data users have a duty to protect the information they handle by following Sycamore Training Solutions' data protection and security policies at all times. 

Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition, but it could include suppliers that handle personal data on Sycamore Training Solutions' behalf.

Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties. 

Sensitive Personal Data includes information about a person's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. Sensitive personal data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned. 


Eight Principles of Data Protection 

Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be: 

1. Processed fairly and lawfully 

2. Processed only for the purposes for which it has been collected

3. Adequate, relevant and not excessive for the purpose 

4. Accurate 

5. Not kept longer than necessary for the purpose 

6. Processed in line with data subjects' rights 

7. Secure 

8. Not transferred to people or organisations situated in countries without adequate protection 


Fair and Lawful Processing 

The Data Protection Act (2018) is intended not to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of the data subject. The data subject must be told who the data controller is (in this case Sycamore Training Solutions), who the data controller's representative is (David Thorpe – Managing Director), the purpose for which the data is to be processed by Sycamore Training Solutions, and the identities of anyone to whom the data may be disclosed or transferred. For personal data to be processed lawfully, certain specific conditions have to be met. These include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed. When sensitive personal data is being processed, additional conditions must be met. In most cases the data subject's explicit consent to the processing of such data will be required.

Processing for Limited Purposes 

Personal data may only be processed for the specific purposes notified to the data subject when the data was first collected or for any other purposes specifically permitted by the Data Protection Act (2018). This means that personal data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data is processed, the data subject must be informed of the new purpose before any processing occurs. 


Adequate and Relevant Processing 

Personal data should only be collected to the extent that it is required for the specific purpose notified to the data subject. Any data which is not necessary for that purpose should not be collected in the first place. 


Accurate and up-to-date Data 

Personal data must be accurate and kept up to date. Information which is incorrect or misleading is not accurate and steps should therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data should be destroyed. 


Timely Processing 

Personal data should not be kept longer than is necessary for the purpose. This means that data should be destroyed or erased from Sycamore Training Solutions' systems when it is no longer required. Data must be processed in line with data subjects' rights to:

• Request access to any data held about them by a data controller 

• Prevent the processing of their data for direct-marketing purposes 

• Ask to have inaccurate data amended 

• Prevent processing that is likely to cause damage or distress to themselves or anyone else 


Data Security 

Sycamore Training Solutions must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. Data subjects may apply to the courts for compensation if they have suffered damage from such a loss. The Data Protection Act (2018) requires Sycamore Training Solutions to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves. Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:

• Confidentiality means that only people who are authorised to use the data can access it. 

• Integrity means that personal data should be accurate and suitable for the purpose for which it is processed. 

• Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on Sycamore Training Solutions' central computer system instead of on individual PCs.

Dealing with Subject Access Requests 

A formal request from a data subject for information Sycamore Training Solutions holds about them must be made in writing. 


Data Breaches 

If you have a reasonable suspicion that there is or has been a breach of this Data Protection Policy, or if such a breach is brought to your attention, you must follow the procedure set out below:

1. Escalate the issue to your line manager as soon as you become aware of or suspect a breach 

2. The line manager must then immediately inform the Data Protection Compliance Manager of the nature of the issue 

3. Where appropriate, the Data Protection Compliance Manager will form an incident team made up of relevant staff members 

4. The incident team will agree the appropriate course of action and response to the incident and will report the incident to the SMT if the issue is of a serious nature; and

5. Appropriate action/response will be made in accordance with the recommendations of the incident team 

6. The Data Protection Compliance Manager (David Thorpe – Managing Director at Sycamore Training Solutions, 07794851173) is responsible for ensuring that all reported incidents and actions are logged 

7. If you have any queries about this procedure or this Data Protection Policy generally, then please contact the Data Protection Compliance Manager for further assistance 


GDPR Compliance Statement 


What is the EU General Data Protection Regulation (GDPR)? 

The EU General Data Protection Regulation (GDPR) came into force across the European Union on 25th May 2018 and brought with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age. The new regulation aims to standardise data protection laws and processing across the EU, affording individuals stronger, more consistent rights to access and control their personal information.

Our Commitment 

Sycamore Training Solutions are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this program to meet the requirements of the GDPR. Sycamore Training Solutions are dedicated to safeguarding the personal information under our remit and to developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for, the Regulation. Our objectives for GDPR compliance have been summarised in this statement and include the development and implementation of data protection roles, policies, procedures, controls and measures to ensure maximum and ongoing compliance.

Demonstrating GDPR Compliance

Sycamore Training Solutions have a consistent level of data protection and security across our organisation and we have audited each of our procedures to ensure that these are compliant with the GDPR. We have completed the following actions to ensure compliance:

Information Audit 

We have carried out a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed. 

Policies & Procedures 

We have revised data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including: 

Data Protection 

Our main policy and procedure document for data protection has been audited to meet the standards and requirements of the GDPR.

Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities, with a dedicated focus on privacy by design and the rights of individuals.

Data Retention & Erasure 

We have audited our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the ‘Right to Erasure’ obligation and are aware of when this and other data subjects’ rights apply, along with any exemptions, response timeframes and notification responsibilities.

Data Breaches 

Our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and have been disseminated to all employees, making them aware of the reporting lines and steps to follow. 

Subject Access Request (SAR) 

We have audited our SAR procedures to accommodate the 30-day timeframe for providing the requested information and for making this provision free of charge. Our procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply and a suite of response templates to ensure that communications with data subjects are compliant, consistent and adequate. 

Legal Basis for Processing 

We have reviewed all processing activities to identify the legal basis for processing and to ensure that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.

Privacy Notice/Policy 

We have audited our Privacy Notice(s) to ensure they comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information. 

Obtaining Consent 

We have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it, and giving clear, defined ways to consent to us processing their information. We have developed stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records, and an easy-to-see and easy-to-access way to withdraw consent at any time.

Direct Marketing 

We have audited the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials. However, at present, Sycamore Training Solutions do not engage in any direct marketing activities with our customers. 

Processor Agreements 

Where we use any third party to process personal information on our behalf (e.g. payroll, accountancy, recruitment, hosting), we have drafted compliant Processor Agreements and due diligence procedures for ensuring that they (as well as we) meet and understand their (and our) GDPR obligations. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place and compliance with the GDPR.

Data Subject Rights 

In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easy-to-access information via our website about an individual’s right to access any personal information that Sycamore Training Solutions processes about them and to request information about:

• What personal data we hold about them 

• The purposes of the processing 

• The categories of personal data concerned 

• The recipients to whom the personal data has been or will be disclosed

• How long we intend to store their personal data for

• If we did not collect the data directly from them, information about the source 

• The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this 

• The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use  

• The right to lodge a complaint or seek judicial remedy and who to contact in such instances 


Information Security and Technical Measures 

Sycamore Training Solutions takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures, including:

• SSL 

• Access controls and passwords 

• Encryption

GDPR Roles and Employees 

Sycamore Training Solutions have designated David Thorpe (Managing Director) as our Data Protection Officer (DPO), with responsibility for promoting awareness of the GDPR across the organisation, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures. Sycamore Training Solutions understands that continuous employee awareness and understanding is vital to the continued compliance of the GDPR and have involved our employees in our preparation plans. If you have any questions about our compliance with GDPR, please contact David Thorpe (Managing Director) on 07794851173 or at hello@sycamoretrainingsolutions.co.uk 

Sycamore Training Solutions - Existing Data Practices 

Sycamore Training Solutions do not engage in any direct marketing with our customers. Any discussion about our services is customer-led through our open and transparent enquiry system, which is accessed via our website. We do not engage in any ‘cold calling’ marketing. We do not add any of our customers’ details to any mailing list, and we do not sell or make available any of our customers’ information to third parties. Data which we hold about our customers is only used for the intended purpose. The main reasons for the use of the data we hold are to:

• Make contact with customers pending any service we are going to provide for them 

• Invoice customers following the provision of services 

• Produce accredited certificates to include the names of participants of services 

• Post certificates to the identified customer contact

Hard copies of attendance sheets and feedback forms are securely scanned and provided to our customer by secure and encrypted email services. Hard copies are then destroyed by shredding.
