Data Protection & GDPR Policy

GRA collects and uses personal information about staff, learners and other individuals which it requires in order to provide education and for other associated purposes. In addition, there may be a legal requirement to collect and use information to ensure statutory obligations are complied with, including the Data Protection Act (1998) and the General Data Protection Regulation.

GRA is registered as a Data Controller with the Information Commissioner's Office (ICO), detailing the information held and its uses. GRA undertakes to obtain and process data fairly and lawfully by informing all data subjects of the reasons for the data collection, the purposes for which the data are held, the likely recipients of the data and the data subjects' right of access. Information about the use of personal data is printed on the appropriate collection form. If information is given verbally, the person collecting the data will explain the issues before obtaining the information.

The GDPR regulates the "processing" of personal information, which has a very broad meaning and includes obtaining, storing, viewing, using, updating, disclosing and destroying any data held electronically, in structured manual records and, to a limited extent, in unstructured manual records. GRA is committed to using personal data responsibly, protecting it and keeping it secure from loss or destruction.

This policy outlines the responsibilities of all staff (including third parties under contract and/or the self-employed) with regard to the Data Protection Act (1998) and the General Data Protection Regulation. Staff are required to handle and process data in any of GRA's records or systems in accordance with this policy.

Implementation
GRA will:
– Ensure any new or planned projects that involve Personal Data are preceded with a Data Privacy Impact Assessment.
– Ensure training is provided relating to responsibilities and awareness of GDPR, including mandatory induction training and ongoing risk assessments and checking.
– Ensure that access controls are limited to role relevance.
– Ensure any personal data is collected in a fair and lawful way.
– Gain explicit consent where required.
– Explain at the outset why information is being collected, what it will be used for and with whom it will be shared.
– Ensure that only the minimum amount of information needed is collected and used.
– Ensure the information used is up to date and accurate.
– Ensure data held about individuals will be adequate, relevant and not excessive in relation to the purpose for which the data is being held. Data held about individuals will not be kept for longer than necessary for the purposes registered. It is the duty of the nominated Data Protection Officer to ensure that obsolete data is properly erased.
– Ensure information is kept safely.
– Ensure that if information is given verbally, the person collecting the data will explain the issues before obtaining the information.
– Ensure the rights people have in relation to their personal data can be exercised.
– Dispose of data appropriately and without unnecessary delay.
– Ensure that anyone managing and handling personal information is trained to do so.
– Ensure that anyone wanting to make enquiries about handling personal information, whether a member of staff or service user, knows what to do.
– Ensure any disclosure of personal data is in line with relevant legislation and internal policies and procedures.
– Ensure any sharing of data with third parties is covered by a data sharing agreement.
– Ensure data held is as accurate and up to date as is reasonably possible. If a data subject informs GRA of a change of circumstances, their record will be updated as soon as is practical.

Legislative connections with other policies
The following Policies are relevant to personal information:
– Learner Admissions policy;
– Learner Disciplinary policy;
– EDI / British Values statement;
– Safeguarding policy.
GRA will adhere to its obligations under the Regulation relevant to the use and monitoring of electronic communications, which are predominantly:
– the Regulation of Investigatory Powers Act 2000;
– the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000;
– the Communications Act 2003;
– the Data Protection Act 1998 and the General Data Protection Regulation;
– the Human Rights Act 1998;
– the Defamation Act 1996;
– the Equality Act 2010;
– the Safeguarding Vulnerable Groups Act 2006.

Subject access
The Data Protection Acts extend to all data subjects a right of access to their own personal data. In order to ensure people only receive information about themselves, it is essential that a formal system of requests is in place.
Requests for access must be made in writing. In order to ensure GRA has met the security requirements of the GDPR, the following information will be required before access is granted:
– relevant identifying details including full name, date of birth and National Insurance number.
GRA may also require acceptable proof of identity. Subject Access Requests will be dealt with in line with the GDPR recommended timescales. GRA will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within one month of receiving the written request, as required by the Regulation. GRA will provide the information in a clear format that is easily understood and suitable for the requester's needs. GRA may request further details to clarify the exact requirements prior to the start of the one month.
If an individual considers the details provided in response to a subject access request are incorrect or out of date, they should contact GRA in writing immediately.

Authorised disclosures
GRA will, in general, only disclose data about individuals with their consent. However, there are circumstances where GRA may need to disclose data without explicit consent. Such circumstances include:
– Learner data disclosed to authorised recipients, including funders and awarding bodies.
– Staff data disclosed to relevant authorities, e.g. in respect of payroll and administrative matters.
– Unavoidable disclosures, e.g. to a computer maintenance engineer.
– Only management are permitted to make external disclosures of personal data.
– Police or other law enforcement or investigatory institutions.
– Internal and/or external audit.

Data and computer security
GRA undertakes to ensure security of personal data by the following methods:
– Physical security: appropriate building security measures are in place, such as alarms, deadlocks and computer hardware cable locks. Only authorised persons are allowed in the computer rooms. Disks, sticks and printouts are locked away securely when not in use.
– Logical security: security software is installed on all computers containing personal data. Only authorised users are allowed access to the computer files and password changes are regularly undertaken. Computer files are backed up regularly.
– Procedural security: all staff (including third parties under contract and/or the self-employed) are trained in their Data Protection and GDPR obligations and their knowledge updated as necessary. Computer printouts as well as source documents are shredded before disposal. Individual members of staff can be personally liable under law under the terms of the Data Protection Acts. They may also be subject to claims for damages from persons who believe they have been harmed as a result of inaccuracy, unauthorised use or disclosure of their data. A deliberate breach of this Data Protection & GDPR Policy, including unauthorised disclosure of personal data to a third party by any staff member (including third parties under contract and/or the self-employed), will be treated as a disciplinary matter and may also involve personal criminal liability/legal action.

Data Security Breaches
GRA takes the risk of a loss of security very seriously and adheres to the legal framework set down by the Information Commissioner's Office and industry standards. In the event of a data breach or suspected data breach, GRA management will respond to and manage any such breach in line with GDPR recommendations. Actions may include:
– Containment and recovery – GRA will respond to the incident immediately, which includes a recovery plan and, where necessary, implementing procedures for damage limitation.
– Assessing the risks – GRA will assess any risks associated with a breach, as these could affect any procedures after the breach has been contained. In particular, GRA will assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to recur.
– Notification of breaches – if appropriate, GRA will inform the data subject, the ICO, other regulatory bodies, other third parties such as the police and the banks, or the media about an information security breach, as appropriate in the specific circumstances.
– Evaluation and response – GRA will investigate the cause of the breach and also evaluate the effectiveness of any response made. If necessary, GRA will update its policies and procedures accordingly.

Complaints
Complaints about the above should be made in accordance with GRA’s complaints procedure.

Further advice and information is available from the Information Commissioner's Office: www.ico.gov.uk

Monitoring and review of policy and procedures
This policy and related procedures are maintained by the Quality Team and will be updated where necessary to reflect updated legislation, feedback, improvements of operation and changes to the regulatory environment. If you have any comments and/or queries regarding the contents or the use of this policy, please contact the Quality Team directly at: quality@gragb.com