
Data Protection Policy

1.1 Policy Owner

The policy owner is the Cenit College UK Board of Directors.

1.2 Purpose

Cenit College UK is committed to safeguarding the rights and freedoms of individuals in connection with personal data, and in doing so complying with relevant data protection laws. The purpose of this policy is to set out the conditions that must be satisfied by Cenit College UK in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information. It applies to data collected and stored for all employees, learners, and other stakeholders. Furthermore, this policy ensures that the organisation complies with the requirements of the relevant UK legislation, namely the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).

1.3 Scope

This policy is applicable to processing activities in relation to personal and sensitive data carried out by Cenit College UK in the normal course of its business.

Specifically, this policy is applicable to:

  • Any individual who receives, handles, or processes personal data on behalf of Cenit College UK. This cohort includes direct employees (full and part time), tutors, etc.
  • Third party organisations that receive, handle or process personal data on behalf of Cenit College UK. This cohort is often referred to as a data processor or sub processor.

This Policy should be read in conjunction with:

  • Privacy Notice
  • DfE Privacy Notice

This policy is designed to inform employees about their obligation to protect the privacy of individuals and the security of their personal information and how Cenit College UK will handle personal data that it collects in the normal course of business.

1.4 Definitions

Data: information which is stored electronically, on a computer, or in a certain paper based filing system

Data subjects: living individuals about whom Cenit College UK holds data

Controllers: the organisations which determine the purposes for which and the manner in which personal data is collected and processed (DfE are the Data Controller for all Bootcamp programmes)

Processors: any person who processes personal data on behalf of a controller (Cenit College UK act as processors for the DfE on Bootcamp programmes)

Sensitive or Special category data: includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. This data can only be processed under strict conditions and will usually require the express consent of the person concerned.

1.5 Responsibilities

The Board of Directors are responsible for approving this policy and ensuring organisation wide compliance.

The Financial Controller is responsible for maintaining all financial records.

All employees (full, part time, contracted) are responsible for ensuring compliance in their respective roles and duties and, upon circulation of this policy, for reading and understanding its components.

The Data Protection Manager (we are not obligated to appoint a Data Protection Officer by law) has the following responsibilities in accordance with article 69 of the UK GDPR and 37 of the UK DPA:

  • To inform and advise Cenit College UK and the employees who carry out processing of their obligations pursuant to GDPR and to other data protection legislation.
  • To monitor compliance with the GDPR, with other data protection legislation and with the policies of Cenit College UK in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
  • To provide advice, where requested, as regards data protection impact assessment (DPIA) and to monitor their performance pursuant to Article 35 of the GDPR.
  • To cooperate with the Information Commissioner’s Office.
  • To act as a contact point for the Information Commissioner’s Office on issues relating to processing, including the prior consultation referred to in Article 35, and to consult, where appropriate, with regard to any other matter.
  • To act as a liaison with the Information Commissioner’s Office in connection with personal data breaches, when requested by Cenit College UK.
  • To have due regard, in the performance of his/her tasks, to the risk associated with processing operations, considering the nature, scope, context and purposes of processing.

1.6 Policy Statement

Cenit College UK processes and stores data in relation to the following.

  • Learners
  • Employees
  • Past employees
  • Applicants (employment and learners)
  • Service providers

This policy and associated procedures, controls and measures ensure that all Cenit College UK employees and contractors are fully aware of their Data Privacy commitments. Furthermore, it ensures that they carry out their duties in accordance with applicable legislation and that, should any issue arise, the Data Protection Manager is informed instantly so that any corrective action is taken immediately.

1.7 Data Protection Contact (Complaints and Enquiries)

All personal data enquiries should be made to the Cenit College UK Data Protection Manager at the following email address: dataprotection@cenitcollege.co.uk

If a data subject is not satisfied with the information provided by Cenit College UK, they are entitled to make a complaint to the Information Commissioner’s Office.

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

1.8 Rights of the Data Subject

Under current legislation, data subjects have increased rights and data controllers are required to notify data subjects of their rights. Individuals have the right to:

  1. Transparency of information. They should be informed about the collection and use of their personal data through privacy notices.
  2. Access their personal information, for example via a subject access request.
  3. Withdraw consent, where consent is the legal basis for data processing.
  4. Have a right to rectification, erasure and restriction of data processing and be notified when this has taken place.
  5. Request the restriction or suppression of their personal data, in certain circumstances.
  6. Data portability, allowing individuals to reuse their data across different services, where feasible
  7. Object to personal data processing, in certain circumstances

1.9 Consent for Data Processing

Where processing is based on consent, Cenit College UK will demonstrate that the data subject has consented to processing of his or her personal data, when asking permission to process their personal data. Where consent is given by the data subject (for example, the use of personal data for marketing purposes) Cenit College UK will maintain records evidencing this consent. Such consent must be clearly presented, understood, unambiguous, separate from any terms and conditions and freely given. This should be given in a positive form without pre-ticked boxes.

Such consent can be withdrawn at any time by the data subject. However, the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Cenit College UK will ensure that the following protocols are implemented regarding consent.

  • Consent will be recorded with the data, along with what the data subject was told at the time the consent was given, including time and date stamp.
  • Data Subjects are asked to ‘opt in’; no prefilled boxes should be displayed.
  • Clear and plain language should be used on all forms and information sources.
  • It shall be as easy to withdraw as to give consent.
  • The purpose for which the data is collected is explicit and lawful.
  • Consent should be periodically reviewed but cannot be relied upon over 6 months from when consent was last obtained.

Marketing: the clearest way Cenit College UK obtains consent is via ticking an opt-in box confirming the data subject is happy to receive marketing emails. Communications will inform data subjects that they can withdraw their consent. Clear records on what a person has consented to shall be maintained.

1.10 Data Protection Principles

In the course of its business activities, any Cenit College UK employee or contractor processing personal data must comply with the seven data protection principles. The initial six provide that data must be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject. Cenit College UK will always safeguard the rights and freedoms of the data subjects. The processing of data will be achieved in the following manner.
    1. The data collected must be justified i.e., legal obligation, contractual necessity etc., and collected as part of the Cenit College UK lawful activities.
    2. Or through informed and unambiguous consent from the data subject.
    3. Where video or CCTV is used this information is used in a transparent manner.
    4. Data will not be disclosed to a third party other than to those who are contracting to Cenit College UK and operating on its behalf.
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Cenit College UK will fulfil this obligation by:
    1. Only obtaining data for purposes which are specific, lawful, and clearly stated.
    2. Being able to clearly state the purpose for the data being processed.
    3. Allowing the Data Subject the right to question the purpose(s) for which Cenit College UK holds their data.
  3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Cenit College UK will fulfil this obligation by ensuring their usage of the data will be compatible with the purposes for which the data was acquired.
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. Cenit College UK will fulfil this obligation by:
    1. Ensuring that regular assessment of data accuracy and access is conducted through defined mechanisms such as audits, administrative and IT validation processes.
    2. Conducting periodic reviews and audits to ensure that relevant data is kept accurate and up to date.
    3. Ensuring that the data subjects have the means to verify the accuracy, currency and completeness of their personal data and are afforded the opportunity for corrective action if required.
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Cenit College UK will fulfil this obligation by:
    1. Developing a data management records retention policy that clearly outlines personal data retention periods. This retention period will be based on the data collection purpose and its legal basis. This will be published by Cenit College UK and strictly implemented.
    2. Conducting regular audits to ensure full compliance with the records retention policy.
    3. Training staff in their responsibilities and obligations regarding retention of personal data.
    4. Developing and implementing a policy that addresses the measures for the secure destruction, deletion or archiving of personal data at the end of the retention period.
  6. Processed to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. Cenit College UK will fulfil this obligation by:
    1. Employing appropriate standards of security to protect any personal data they hold. This includes measures to protect against unauthorised access, alteration, or destruction of such data.
    2. Ensuring that staff are trained to know their obligations and responsibilities regarding personal data.
    3. Ensuring that personal data can only be accessed and managed by permitted staff members with the given authorisation and password access that is reviewed and changed periodically.
  7. The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Where Cenit College UK are acting as controllers, they will fulfil this obligation by:
    1. Devising internal policies, code of conduct and a reporting mechanism on breaches of data and implementing privacy policies.
    2. Carrying out periodic reviews of its accountability measures.
    3. Complying with other principles (which will assist accountability) such as implementing appropriate technical and organisational measures, having concise accessible transparency information, and having clear record retention policies.

1.11 Data Subjects Access Requests

The right of access gives individuals the right to obtain a copy of their data. It helps data subjects understand what data is being collected about them, and whether it is lawful. An individual can make a data subject access request in writing or verbally, including on social media. A request is valid if it is clear that an individual is asking for their own personal data; they do not need to refer to legislation or use specific wording.

Any member of staff who receives a request must forward it to the Data Protection Manager immediately. This is because Cenit College UK must comply with the request without undue delay and in most cases within one month of receiving the request. There is provision to extend for further subject to certain conditions. Other factors to take into account include:

  • Whether Cenit College UK is the Controller and can provide such information (where another party is the controller, the request should be passed on).
  • The supply of appropriate evidence of their identity when Cenit College UK is the Controller (Cenit College UK will usually require a notarised photocopy of the relevant person’s passport plus an original copy of a utility bill showing the requestor’s current address).

Cenit College UK may also withhold personal information that is requested to the extent that it is permitted to do so by legislation.

1.12 Breach Notification

It is the responsibility of all employees to ensure that personal data is collected, used, processed, stored, transferred and shared only in accordance with this Policy. If you become aware of any actual or suspected personal data breach or compromise, any breach of this policy or complaint by a client of an actual breach, regardless of severity, the Data Protection Manager must be informed immediately. All actual and potential data breaches must be raised, investigated and handled in an urgent and confidential manner.

1.13 Training

All staff must attend data protection training at least annually.

1.14 Security

  • Ensure the correct email address has been used before you click send
  • Use blind copy when sending emails to large groups (Safeguard Send used within Cenit College UK)
  • Be careful using group email addresses
  • Never send offensive emails about other people, their private lives or anything else that could bring Cenit College UK into disrepute
  • Check the caller’s identity before handing out information
  • Limit information provided over the phone
  • Shred all confidential waste
  • Update personal information promptly
  • Computers must be locked when away from your desk

1.15 Monitoring and Review

The QA Manager will monitor this policy as part of their annual QA audit to ensure the effectiveness of this policy.

The Data Protection Manager (DPM), in conjunction with the Board of Directors, will monitor and approve this policy on an ongoing basis using the following mechanisms.

  • Review of data protection enquiries, complaints, requests, breaches, withdrawals of consent.
  • Integration with other policies such as Privacy Statement, Subject Access Request Policy, Records Retention schedule.