Data Use and Management Policy

Introduction

Each of the services and products provided by the Federation for Industry Sector Skills and Standards (the Federation) collects, holds and manages data about individuals and organisations. We do this to provide a service to each person and organisation. We recognise our fundamental need to ensure that this information is accurate and secure, and we go beyond what legislation requires. The secure management of data is central to the way that we work and ingrained into the DNA of the Charity.

None of the information provided is used for marketing purposes outside the Federation.

This policy sets out how we collect, store and manage data and who is responsible for this. It also sets out how you can request your data and, if it is incorrect, how you can ensure we put it right. It also explains how we protect your data.

Why we have this policy

This policy ensures the Federation and its partners:

  • Comply with all data protection legislation (GDPR and DPA 1998) and follow the good practice set out by the Information Commissioner
  • Protect the rights of customers, partners and staff
  • Are open about how they collect, store, manage, process and protect individuals’ and organisations’ data
  • Protect themselves from the risks of a data

What services does this policy cover?

This policy covers all the Federation’s products and services:

  • ACE (Apprenticeship Certificates England)
  • ACW (Apprenticeship Certificates Wales)
  • MAO (Modern Apprenticeship Online)
  • ACE360
  • HR Flow
  • The Assessors Guild (AG)

Data protection law

The Data Protection Act 1998 (DPA) implemented the EU Data Protection Directive in the UK. It introduced an extensive data protection regime by imposing broad obligations on those who collect personal data, as well as conferring broad rights on individuals about whom data is collected. It covers both paper-based and electronic information.

The DPA sets out eight data protection principles, which require that:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
    • at least one of the conditions in Schedule 2 is met (e.g. consent, where necessary to carry out a contract with the individual, or for your “legitimate interests”) and
    • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met (more stringent, e.g. explicit consent).
  2. Personal data shall be obtained only for one, or more, specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are
  4. Personal data shall be accurate and, where necessary, kept up to
  5. Personal data processed for any purpose, or purposes, shall not be kept for longer than is necessary for that purpose or those
  6. Personal data shall be processed in accordance with the rights of data subjects under this
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal

The Data Protection Act 1998 will be built on by the General Data Protection Regulation (GDPR) of the European Union in May 2018. The GDPR will become part of UK law and replace the DPA 1998. Our policy takes account of these changes. It provides additional protections to individuals and organisations. These include:

  • A clearer definition of:
    • Data Controller (this is the Federation). Responsible for all the data you provide (regardless of whether the Federation collects it).
    • Data Processor (those who collect and/or process the data you provide). This applies to the:
      • Certification Bodies and Training Providers for ACE/ACW/MAO
      • End Point Assessment Organisations, External Quality Assurance Organisations, Training Providers and Employers for ACE360
      • Employers (licence holders) and their employees for HR Flow, and
      • Members of the Assessors Guild (Assessors and End Point Assessment Organisations), Assessors, End Point Assessment Organisations and service providers to the Assessors Guild
  • An extension of the data covered. This is extended to cover all paper and online data, including electronic identifiers such as IP
  • Enhanced requirements to notify individuals and organisations affected by a data
  • Increased sanctions against those organisations shown not to meet the requirements of the GDPR.
  • The introduction of an “Accountability Principle”. It requires Data Controllers and Data Processors to be explicitly clear about how they comply with the data protection principles (e.g. by documenting decisions taken in respect of processing activities) and what their lawful basis for collecting and processing personal data is. Organisations will be expected to put in place proportionate, but comprehensive, governance measures. This includes how long information will be held. There are 6 legal bases for collecting and processing data:
    • 6(1)(a) – Consent of the data subject (ACE/ACW)
    • 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract (MAO/ACE360/AG/HR Flow)
    • 6(1)(c) – Processing is necessary for compliance with a legal obligation (ACE/ACW)
    • 6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
    • 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (ACE/ACW)
    • 6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
  • The need for the individual or organisation to give consent by some form of clear affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent. It must also be verifiable. This means that some form of record must be kept of how, and when, consent was given. Individuals and organisations have a right to withdraw consent at any
  • Any data held on individuals aged under 16 needs to demonstrate that consent was provided by not just the individual, but also their parent or
  • Some new rights and strengthened existing rights:
    • the right to be informed
    • the right of access
    • the right to rectification
    • the right to erasure
    • the right to restrict processing
    • the right to data portability
    • the right to object
    • rights in relation to automated decision making and

Our policy meets, and goes beyond, these legal requirements.

Scope of the Federation’s Data Use & Data Management policy

This policy applies to:

  • All Federation
  • All contractors to the Federation, using any data provided to them by the
  • Data processors, as defined in the section

Its scope applies to all:

  • Personal and contact data (including name, address (postal and email), telephone numbers, date of birth, gender, ethnicity, language/form of communication, marital status).
  • Employer details and contact
  • Training Provider details and
  • Qualifications taken and
  • Leave and sickness information for employees on HR
  • Skills and competences and ratings based on past performance (including information about Special Educational Needs).
  • Documents relating to an individual.
  • Any other data required for the individual service

Purposes for which data can be used

The data that the Federation holds, as Data Controller, can only be used for the following purposes:

  • Ensuring the correct issuing of Apprenticeship Framework certificates in England, Scotland and Wales.
  • Investigation into fraudulent claims of public funds for Apprenticeship Frameworks in England and
  • Managing the secure exchange of information, to improve the efficiency of the Apprenticeship Standards system in England.
  • Managing the storage of information relating to Technical and Apprenticeship assessment and the views of Employers and Apprentices, regarding that
  • Managing the storage and analysis of employee records for individual businesses and the provision of benchmarking data for the users of HR
  • Providing information to users of Federation services about ACE360, the Assessors Guild and HR Flow.
  • Research into the demand and supply of skills, competences, qualifications and Apprenticeship certificates

The data that the Federation holds as Data Controller cannot be used for the following purposes:

  • Marketing to individuals and organisations by third

Data protection risks

This policy helps to protect the Federation, as the Data Controller, and its partners, as Data Processors, from some very real security risks, including:

  • Breaches of confidentiality. For instance, information being given out
  • Failing to offer choice. For instance, all individuals and organisations should be free to choose how the Federation uses data relating to
  • Reputational damage. For instance, the Federation, and as a consequence, individuals and organisations could suffer if hackers successfully gained access to sensitive

Responsibilities at the Federation

Every member of the Federation team is aware of their data responsibilities, but some have additional responsibilities and accountabilities:

  • The Board of Directors and Trustees is ultimately responsible for ensuring that the Federation meets its legal
  • The Finance, Audit and Risk (FAR) Committee of the Federation manages the Data Use and Data Management policy on behalf of the Board of Directors and
    • Hearing any appeals against decisions made by the Managing Director regarding requests from individuals and organisations about data held by the Federation relating to
  • The Managing Director is also the Data Protection Officer (and reports to the FAR Committee) and is responsible for:
    • Developing this policy with the Finance, Audit and Risk Committee and reviewing the data protection risks with the Board at every meeting (as part of its Risk Register).
    • Managing the implementation of this policy (via the Director of Operations).
    • Hearing any appeals against decisions made by the Director of Operations regarding requests from individuals and organisations about data held by the Federation relating to
    • Reviewing and approving/signing any contracts or agreements with third parties that involve the sharing of the Federation’s
    • Dealing with any data use and data management queries from the
    • Reviewing the reason/s for, and rectifying, any issues that might lead to a data
  • The Director of Operations is responsible for the day-to-day implementation of this policy. Specifically, this includes:
    • Reviewing annually all data use and data management procedures to ensure they meet the objectives of this policy and, at least, meet the Federation’s legal
    • Arranging data protection training and advice for Federation staff and providing guidance documents to the users of the Federation’s
    • Handling data use and data management questions from staff and the users of the Federation’s
    • Dealing with requests from individuals to see the data the Federation holds about
  • The ICT Manager is responsible for:
    • Ensuring all systems, services and equipment used for storing and processing data meet acceptable security
    • Performing regular checks and scans to ensure security hardware and software is up to date and functioning
    • Evaluating any third-party services the Federation is considering using to store or process
  • The Sales Manager and the Customer Services Manager are responsible for:
    • Drafting any data use and data management statements attached to communications from the Federation (this includes emails and letters).
    • Working with all relevant staff to ensure that any public materials and marketing adhere to the Federation’s Data Use and Data Management policy.
    • Data used for Federation marketing purposes must first be checked against industry suppression files, and the facility for system users to “unsubscribe” must be
  • Staff using, or advising on the use of, data are responsible for ensuring that:
    • The only people able to access data covered by this policy are those who need it for their
    • No data should be shared outside the Federation without the permission of the individual or the organisation, unless they have consented that others can provide and/or use it on their
    • The Federation provides training to all employees so that they understand their responsibilities when handling
    • All employees keep all data secure and follow the password guidelines (passwords must contain at least 12 alphanumeric characters, both upper and lower case letters, at least one number (0-9) and at least one special character from !$%^&*()_+|~-=\`{}[]:";'<>?,/).
    • Data is never to be disclosed to unauthorised people, inside or outside the
    • When working with data, all employees should ensure the screens of their computers and laptops are locked whenever they are not
    • Data should not be shared outside of the Federation and should never be sent by email without the permission of the Data Protection
    • Data must be encrypted before being transferred electronically. The Federation’s ICT Manager can advise on how to do this internally or
    • No data should be saved to the local disk drive of an employee’s computer or laptop. All data should be stored and accessed via the Federation’s secure

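The password guideline in the staff responsibilities above is concrete enough to check mechanically. The following is an added example, not the Federation's own code, that implements the rule as the policy states it: a minimum of 12 characters, both upper and lower case letters, at least one digit 0-9, and at least one character from the listed special-character set. Two readings are assumed: "12 alphanumeric characters" is taken as a minimum total length of 12, and the "\`" in the published list is taken as two characters, a backslash and a backtick. The sample passwords are constructed for the demonstration.

```python
# Added example: checker for the password rule stated in the policy above.
# Assumptions (not stated by the Federation): "12 alphanumeric characters" is
# read as a minimum total length of 12, and the "\`" in the published list is
# read as two characters, backslash and backtick.

# Special characters exactly as listed in the policy text.
SPECIAL_CHARS = frozenset("!$%^&*()_+|~-=\\`{}[]:\";'<>?,/")
MIN_LENGTH = 12
# The policy says 0-9, so only ASCII digits count (str.isdigit would also
# accept other Unicode digits).
DIGITS = frozenset("0123456789")


def check_password(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it complies.

    All failures are reported at once so a user can fix them in a single attempt
    instead of discovering them one by one.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c in DIGITS for c in password):
        failures.append("no digit (0-9)")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character from the policy list")
    return failures


def is_compliant(password: str) -> bool:
    """True when the password meets every rule in the policy."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("Apprentice-2018!", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        problems = check_password(sample)
        verdict = "compliant" if not problems else ", ".join(problems)
        print(f"{sample!r}: {verdict}")
```

The check is deliberately limited to what the policy states; it does not judge the overall strength of a password, only whether it satisfies the listed composition rules.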
 

Data storage

If in doubt about data storage, any questions should be addressed to the ICT Manager or, in his/her absence, to the Data Protection Officer.

When data is stored on paper and is being processed, it should not be left unattended on a printer or desk where it could be viewed by unauthorised people. When it is not being used, data should be held in a locked cabinet or secure facility that is not accessible to unauthorised people. All printed data that is no longer required must be shredded in the office or via a secure third-party contractor.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. To meet these requirements:

  • All our data is held in secure UK based
  • Data should be protected by strong passwords that are changed regularly and are not
  • No data should be stored on removable media, without the written permission of the Data Protection Officer, the Director of Operations or the ICT
  • Data should only be stored on live or development systems and on designated drives and servers.
  • Servers containing the data of the Federation are held at a secure location behind multiple firewalls and away from the office location (excepting the need to retain back up data at the office location).
  • All servers and secure storage devices containing data should be protected by approved and tested software and
  • We will retain your data for a maximum of 7 years after the closure of your account or the provision of our final service. During this time the data might be archived from the live
  • Data should be backed up daily. The ability to rebuild the system and reload data should be tested twice a
  • No data should be saved onto laptops, tablets, mobile phones, CDs or memory

Data accuracy

Both for our own operations and to meet the requirements of the GDPR and DPA, the Federation, its staff, the Certification Bodies and system users must take reasonable steps to ensure that data is accurate and up to date:

  • Data will only be held in the systems the Federation operates in order to maintain data
  • Data can only be accessed by those with relevant permissions and access will require a password.
  • Both the staff of the Federation and all system users should take every opportunity to ensure that data is kept up to
  • Data entered onto ACE via the ADTF (Automated Data Transfer Facility) needs to be
  • System users of HR Flow and the Assessors Guild will be reminded to review and update core data each time they access the
  • All data that is no longer valid will be removed. For example, if a telephone number can no longer be accessed then it should be removed from a

Data requests by individuals or organisations

All individuals or organisations are entitled to ask about data held about them by the Federation. They can:

  • Ask what information the Federation holds about them and
  • Ask how to gain access to
  • Be informed how to keep it up to
  • Be informed on how the Federation is meeting its data protection

Such a request for information is called a “subject access request”. All such requests must be forwarded to the Director of Operations and their receipt logged.

Applications for subject access data can be made by email to info@fisss.org or by post. The title of the email should state that it is a “subject access request”. The Federation will aim to provide the relevant data within 10 working days.

The Federation will always verify the identity of a person making a subject access request before providing any information.

In certain circumstances the GDPR and the DPA allow data to be disclosed to law enforcement agencies (and, in the case of ACE/ACW/MAO, to the relevant funding bodies) without the consent of the data subject. The Federation will only disclose data if the request is found to be legitimate, and will seek advice from the Board and/or from the charity’s legal advisers where necessary.

Privacy Policy

When you use the Federation’s services, you trust us with your information. This Privacy Policy is meant to help you understand what data we collect, why we collect it and what we do with it. This is important; we hope you will take time to read it carefully.

 

As you use our services, we want you to be clear how we’re using information and the ways in which you can protect your privacy. Our Privacy Policy explains:

  • What information we collect and why we collect
  • How we use that
  • The choices we offer, including how to access and update

If you have any questions contact info@fisss.org.

Information that we collect

We collect information to provide better services to all of our users. We collect information in the following ways:

  • Information you give us. Some of our services require you to sign up for a service and a licence (HR Flow and the Assessors Guild) to use that service. When you do, we’ll ask for personal and contact information, like your name and contact details (address, email address, mobile and telephone numbers) and other details to store with your account. When you make a payment we will not collect or keep your payment details. These will be managed by an FCA regulated organisation, on our behalf. For the Assessors Guild you can take full advantage of the sharing features we offer by creating a publicly visible Assessors profile, which may include your name and photo, skills, competencies, areas of specialism, geographical availability and contact details. What you choose to include is up to
  • Information you give others. Some of our services mean that you will authorise a third party (normally a training provider) to provide information into our systems. To do this you need to have signed a consent form (on paper or electronically) and that will enable them to provide information for ACE, ACW, and ACE360, on your behalf.
  • Information we collect from your usage. As you use our services there will be a number of other ways we collect information that tell us about how you use our services. These will only be used to improve the service that you use. These include:
    • Log information. When you use our services or view content provided by the Federation, we automatically collect and store certain information in server logs. This includes:
      • Details of how you used our service, such as your data input history and search queries.
      • Telephony and email log information, such as your phone number, email address, time and date of calls/emails, duration of calls and nature of the
      • IP address.
      • Device event information, such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.
      • Cookies that may uniquely identify your browser or your user
    • Unique learner, user or member number. Certain services include a unique reference number. This number and information about your usage/account means we can keep a record of your usage history and will enable us to improve our services to you.
    • Cookies and similar technologies. We use various technologies to collect and store information when you visit our services, and this may include using cookies or similar technologies to identify your browser or device.

When information is associated with your account, we treat it as personal information and it is covered by the GDPR and the DPA. More information about how you can access, manage or delete information that is associated with your account has been provided previously in the Federation’s Data Use & Data Management Policy.

How we use information that we collect

We use the information we collect from all of the services we provide to maintain, protect and improve them and to inform the development of new ones.

 

The specifics of why we collect data and how we process it are set out below, service by service.

Service: ACE
  • Legal basis for collecting data: 6(1)(a) – Consent of the data subject; 6(1)(c) – Processing is necessary for compliance with a legal obligation; 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Reason for collecting data: To verify that Apprenticeship regulations in England are adhered to and relevant qualifications are achieved, in order to issue an Apprenticeship completion certificate.
  • Data processing activity: Collection and verification of both electronic and paper qualification data against Apprenticeship Framework qualification requirements. Collection and verification of the Apprentice consent form. Review of Apprentice/Employer/Training Provider data against approved Government regulations and Registers. Research into Apprenticeship certificate completion patterns and trends.

Service: ACW
  • Legal basis for collecting data: 6(1)(a) – Consent of the data subject; 6(1)(c) – Processing is necessary for compliance with a legal obligation; 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Reason for collecting data: To verify that Apprenticeship regulations in Wales are adhered to and relevant qualifications are achieved, in order to issue an Apprenticeship completion certificate.
  • Data processing activity: Collection and verification of both electronic and paper qualification data against Apprenticeship Framework qualification requirements. Review of Apprentice/Employer/Training Provider data against approved Government regulations and Registers. Research into Apprenticeship certificate completion patterns and trends.

Service: MAO
  • Legal basis for collecting data: 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Reason for collecting data: To verify that Modern Apprenticeship regulations in Scotland are adhered to and relevant qualifications are achieved, in order to issue a Modern Apprenticeship completion certificate.
  • Data processing activity: Collection and verification of both electronic and paper qualification data against Modern Apprenticeship Framework qualification requirements. Review of Apprentice/Employer/Training Provider data against approved Government regulations and Registers. Research into Apprenticeship certificate completion patterns and trends.

Service: ACE360
  • Legal basis for collecting data: 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Reason for collecting data: To provide the organisations involved in managing the delivery and assessment of English Apprenticeship standards with a secure data warehouse.
  • Data processing activity: Electronic and manual data entry for verification against pre-set English Apprenticeship standard and End-Point Assessment Organisation pre-set criteria. Sampling and statistical analysis of data by External Quality Assurance Organisations to deliver their contractual requirements (as defined by the Institute for Apprenticeships). Research into Apprenticeship training and assessment patterns and trends.

Service: AG
  • Legal basis for collecting data: 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Reason for collecting data: To support the purpose and objects of the Assessors Guild for both individual and Corporate Members and enable the delivery of Membership services.
  • Data processing activity: Collect and validate individual and corporate member records. Present individual member profiles to gain new assignments and job roles. Present freelance and job opportunities to individual members. Present CPD activities to members.

Service: HR Flow
  • Legal basis for collecting data: 6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Reason for collecting data: To support the purpose and objects of HR Flow Ltd. by enabling the delivery of an Employee record system.
  • Data processing activity: Collect and provide statistical analysis of employee records in individual businesses. Benchmark individual businesses against other groups of businesses.

When you contact the Federation, we keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our services, such as letting you know about upcoming changes or improvements.

We use information collected from cookies and other technologies to improve the quality of our services.

Transparency and choice

People have different privacy concerns. Our goal is to be clear about what information we collect, so that you can make meaningful choices about how it is used. For example, you can review and control the information in your account and either change it or let us know it is incorrect so we can change it.

 

You may also set your browser to block all cookies, including cookies associated with our services, or to indicate when a cookie is being set by us. However, it’s important to remember that many of our services may not work properly if your cookies are disabled.

Accessing and updating your personal information

Whenever you use our services, we aim to provide you with an opportunity to update your information. If information is wrong, we strive to give you ways to update it quickly or to delete it – unless we have to keep that information for legitimate business or legal purposes. When updating your information, we may ask you to verify your identity before we can act on your request.

 

Where we can provide information access and correction, we will do so free of charge, except where it would require a disproportionate effort. We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems. For ACE and ACW we are required to retain records for 7 years before deleting them.

Information that we share

We do not share personal information with companies, organisations and individuals outside of the Federation, unless one of the following circumstances applies:

  • With your consent. We will share information with organisations or individuals outside the Federation when we have your consent to do so. We require “opt-in consent” for the sharing of any information.
  • For research. We provide information to some research organisations who use it to develop the skills policies of the four UK nations. You can ask for your data not to be shared. Any data that is shared will only be shared with trusted organisations who fulfil our data security and confidentiality requirements.
  • For legal reasons. We will share personal information with the Governments of the UK and agencies thereof, and with organisations or individuals outside the Federation, if we have a belief in good faith that access, use, preservation or disclosure of the information is reasonably necessary to:
    • meet any applicable law, regulation and legal process or Governmental
    • enforce applicable Terms of Service, including investigation of potential
    • detect, prevent or otherwise address fraud, security or technical
    • protect against harm to the rights, property or safety of the Federation, our users or the public, as required or permitted by

We may share anonymised information publicly and with our partners, like the Government, to support the development of skills policies for the benefit of the nation concerned.

Information security

We work hard to protect the Federation and our users from unauthorised access to or unauthorised alteration, disclosure or destruction of information that we hold. In particular:

  • We encrypt many of our services using SSL (Secure Sockets Layer), the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and cannot be altered in transit.
  • We may offer you two-step verification when you access your account.
  • We regularly review our information collection, storage and processing practices, including physical security measures, to guard against unauthorised access to systems. This is carried out at least
  • We restrict access to personal information to the Federation’s employees, and to those you have given consent to view the information, who need to know that information in order to process it for us and who are subject to strict contractual confidentiality obligations. They may be disciplined, or their contract terminated, if they fail to meet these

When this Privacy Policy applies

Our Privacy Policy applies to all of the services offered by the Federation.

Compliance and cooperation with regulatory authorities

We regularly review our compliance with our Privacy Policy. We also ensure that we meet the GDPR and DPA. When we receive formal, written complaints, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that we cannot directly resolve with our users.

Changes

Our Privacy Policy may change from time to time. We will not reduce your rights under this Privacy Policy without your explicit consent. We will post any Privacy Policy changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Policy changes). We will also keep prior versions of this Privacy Policy in an archive for your reference.

We keep your personal information private and safe — and put you in control.