Data Protection Policy
A) INTRODUCTION
Updated on January 2021
We may have to collect and use information about people with whom we work. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means. We regard the lawful and correct treatment of personal information as very important to our successful operation and to maintaining confidence between us and those with whom we carry out business. We will ensure that we treat personal information lawfully and correctly. To this end we fully endorse and adhere to the principles of the General Data Protection Regulation (GDPR). This policy applies to the processing of personal data in manual and electronic records kept by us in connection with our human resources function as described below. It also covers our response to any data breach and other rights under the GDPR. This policy applies to the personal data of job applicants, existing and former employees, apprentices, volunteers, placement students, workers and self-employed contractors. These are referred to in this policy as relevant individuals.
B) DEFINITIONS
“Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. “Special categories of personal data” is data which relates to an individual’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes). “Criminal offence data” is data which relates to an individual’s criminal convictions and offences. “Data processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
C) DATA PROTECTION PRINCIPLES
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
a) processing will be fair, lawful and transparent
b) data will be collected for specific, explicit, and legitimate purposes
c) data collected will be adequate, relevant and limited to what is necessary for the purposes of processing
d) data will be kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
e) data is not kept for longer than is necessary for its given purpose
f) data will be processed in a manner that ensures appropriate security of personal data including protection against unauthorized or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organizational measures
g) we will comply with the relevant GDPR procedures for the international transfer of personal data
D) TYPES OF DATA HELD
We keep several categories of personal data on our employees and learners in order to carry out effective and efficient processes. Specifically, for our staff we hold the following types of data:
a) personal details such as name, address, phone numbers, email address, date of birth, ethnicity, religion, next of kin, criminal convictions, identification etc.
b) information gathered via the recruitment process such as that entered into a CV/application form or included in a CV cover letter, references from former employers, details on your education and employment history etc.
c) details relating to pay administration such as National Insurance numbers, bank account details and tax codes
d) medical or health information
e) information relating to your employment with us, including:
i) job title and job descriptions
ii) your salary
iii) your wider terms and conditions of employment
iv) details of formal and informal proceedings involving you such as disciplinary and grievance proceedings, your annual leave, records, appraisal and performance information
v) internal and external training modules undertaken
The categories of learner information that we collect, hold and share include:
1. Personal information (such as name, unique learner number and address)
2. Characteristics (such as ethnicity, language, nationality, country of birth and free meal eligibility)
3. Course information
4. Attendance information (such as sessions attended, number of absences and absence reasons)
5. Any relevant medical information that might be needed to assist with the administration of medicines
6. Special Educational Needs information
7. Previous qualifications, in the case of international students
All of the above information is required for our processing activities.
E) EMPLOYEE & LEARNER RIGHTS
You have the following rights in relation to the personal data we hold on you:
a) the right to be informed about the data we hold on you and what we do with it;
b) the right of access to the data we hold on you;
c) the right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
d) the right to have data deleted in certain circumstances. This is also known as ‘erasure’;
e) the right to restrict the processing of the data;
f) the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
g) the right to object to the inclusion of any information;
h) the right to regulate any automated decision-making and profiling of personal data.
F) RESPONSIBILITIES
In order to protect the personal data of relevant individuals, those within our business who must process data as part of their role have been made aware of our policies on data protection. We have also appointed employees with responsibility for reviewing and auditing our data protection systems.
G) LAWFUL BASES OF PROCESSING
We acknowledge that processing may only be carried out where a lawful basis for that processing exists and we have assigned a lawful basis against each processing activity. Where no other lawful basis applies, we may seek to rely on the employee’s consent in order to process data. Employees will be given clear instructions on the desired processing activity, informed of the consequences of their consent and of their clear right to withdraw consent at any time.
H) DATA DISCLOSURES
The Company may be required to disclose certain data/information to any person. The circumstances leading to such disclosures include:
a) any employee benefits operated by third parties;
b) disabled individuals – whether any reasonable adjustments are required to assist them at work;
c) individuals’ health data – to comply with health and safety or occupational health obligations towards the employee;
d) for Statutory Sick Pay purposes;
e) HR management and administration – to consider how an individual’s health affects his or her ability to do their job;
f) the smooth operation of any employee insurance policies or pension plans;
g) to assist law enforcement or a relevant authority to prevent or detect crime or prosecute offenders or to assess or collect any tax or duty.
These kinds of disclosures will only be made when strictly necessary for the purpose.
I) DATA SECURITY
All our employees are aware that hard copy personal information should be kept in a locked filing cabinet, drawer, or safe. Employees are aware of their roles and responsibilities when their role involves the processing of data. All employees are instructed to store files or written information of a confidential nature in a secure manner so that they are only accessed by people who have a need and a right to access them and to ensure that screen locks are implemented on all PCs, laptops etc. when unattended. No files or written information of a confidential nature are to be left where unauthorized people can read them. Where data is computerized, it should be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe. Employees must always use passwords provided to access the computer system and not abuse them by passing them on to people who should not have them. Personal data relating to employees should not be kept or transported on laptops, USB sticks, or similar devices, unless prior authorization has been received. Where personal data is recorded on any such device it should be protected by:
a) ensuring that data is recorded on such devices only where absolutely necessary.
b) using an encrypted system — a folder should be created to store the files that need extra protection and all files created or moved to this folder should be automatically encrypted.
c) ensuring that laptops or USB drives are not left where they can be stolen.
Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.
J) THIRD PARTY PROCESSING
Where we engage third parties to process data on our behalf, we will ensure, via a data processing agreement with the third party, that the third party takes such measures in order to maintain the Company’s commitment to protecting data.
K) REQUIREMENT TO NOTIFY BREACHES
All data breaches will be recorded on our Data Breach Register. Where legally required, we will report a breach to the Information Commissioner within 72 hours of discovery. In addition, where legally required, we will inform the individual whose data was subject to breach. More information on breach notification is available in our Breach Notification policy.
L) TRAINING
New employees must read and understand the policies on data protection as part of their induction. All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential data breach. The nominated data controller/auditors/protection officers for the Company are trained appropriately in their roles under the GDPR. All employees who need to use the computer system are trained to protect individuals’ private data, to ensure data security, and to understand the consequences to them as individuals and the Company of any potential lapses and breaches of the Company’s policies and procedures.
M) RECORDS
The Company keeps records of its processing activities including the purpose for the processing and retention periods in its HR Data Record. These records will be kept up to date so that they reflect current processing activities.
O) DATA PROTECTION COMPLIANCE
Our appointed compliance officers in respect of our data protection activities are: George Mathew, Tanvir Ahmed.
Health & Safety Policy
Policy Statement
Updated on January 2021
Midlandstar is committed to achieving high standards of health and safety. We expect staff, learners, visitors, and the other employers we work with to share this commitment and to understand that they have legal and moral obligations to enforce and adhere to this policy.
Duties of all staff
The duties of all Midlandstar staff are to:-
• Ensure that this Health & Safety Policy is implemented on a day-to-day basis and that sufficient resources are made available to achieve this
• Report promptly any accidents, incidents, unsafe conditions or practices and potential risks to their line manager
• Personally demonstrate good standards of health & safety practice
• Take particular care in all practical teaching areas
• Promote good practice through the quality of learning and understanding of health & safety
Duties of all learners and course delegates
Learners and course delegates have a duty to look after their own wellbeing. They are held to be equally responsible for the health & safety of others or those who may be affected directly or indirectly by their behaviour on Midlandstar premises. They will:-
• Familiarise themselves with all health and safety information provided by Midlandstar and their employer
• Follow and act upon any instructions that are given either verbally or in writing by a Midlandstar member of staff in connection with health and safety.
• Bring to the attention of a member of Midlandstar staff any difficulty in understanding health and safety information or instructions.
• Co-operate fully at all times with Midlandstar to ensure that statutory obligations are met.
• Report immediately to a member of Midlandstar staff any hazard, potential hazard, breakdowns in practice or procedures, unsafe conditions or defects to equipment which may affect health and safety in the workplace or training centre.
• Report any accidents or incidents they are involved in.
• Ensure that where necessary/required the relevant PPE is used in the interests of health and safety.
• Advise their trainer/assessor of any personal difficulties associated with the use of any equipment provided.
• Provide Midlandstar and their employer (where relevant) with any medical information which may affect personal health and safety or welfare.
Portable electrical equipment is in use by Midlandstar. It is subjected to periodic inspection to ensure its continued safety in use. If any person identifies a worn cable, defective plug or any issue with electrical equipment which does not work correctly, it is their duty to report the hazard to their line manager, immediate supervisor or Centre Manager/Director/Owner.
Fire alarms will be tested weekly by a member of Midlandstar staff. If a fire is discovered on Midlandstar premises:-
• Sound the alarm
• Leave the building by the nearest exit and do not delay by collecting your belongings.
• Go to the fire assembly point
• Ring the Fire Service (dial 9 and then 999 from a company phone)
• Do not re-enter the building until the ‘all clear’ is given
• Trained staff who feel competent may wish to tackle a fire using the equipment provided but do not attempt to fight any fire in isolation.
In the event of a person being injured and requiring first aid, a qualified first aider should be contacted. Smoking is only permitted in designated areas outside the premises.
Personal Protective Equipment (PPE) is issued for protection where it is not possible to remove all the risks from a process or operation by other means. PPE does not remove all the risks and caution must still be exercised when carrying out an activity.
In general, it is a requirement to:
• wear or use PPE when it is required by legislation or code of practice
• ensure that PPE is worn in accordance with any training or instruction that has been given
• take reasonable care of PPE to ensure it remains in good condition
• report any defects to your immediate supervisor as soon as they are noticed
• ensure that others who may be affected by activities are either isolated from contact or are issued with temporary PPE
Midlandstar will undertake risk assessments to identify significant hazards that may arise in the workplace.
Trainers and assessors working on behalf of Midlandstar are responsible for conducting risk assessments on curriculum activities to ensure safety of the learners.
Young people (under the age of 18) may be at greater risk due to factors such as a lack of maturity and experience. Therefore, it is particularly important to undertake a risk assessment on activities to be undertaken by a young person. In addition, a young person must not be asked to undertake activities beyond their physical or mental ability or where lack of experience and training would mean they are unlikely to recognise the risks.