DATA PROTECTION POLICY
RHN Training is committed to working in accordance with the General Data Protection Regulation and with the highest standards of ethical conduct.
This policy outlines the behaviours and standards required of the organisation, all employees, workers and third parties in relation to the collection, retention, transfer, disclosure, use and destruction of any personal data.
Data Protection Principles
We are committed to adhering to the Data Protection Principles which state:
- Data must be processed lawfully, fairly and in a transparent manner.
- Data must be obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data processed must be adequate, relevant and limited to what is necessary.
- Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data that are inaccurate are erased or rectified without delay.
- Data must not be kept for longer than is necessary for the purposes for which the data are processed.
- Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
Information is kept and processed about individuals for legal purposes (such as for payroll), for administration purposes and for the purposes of day-to-day people-management. The Company is aware that in order to process personal data, or sensitive personal data, the Company must rely on the data being:
- necessary for the performance of a contract, or;
- in preparation for a contract, or;
- to comply with our legal obligations, or;
- for our legitimate business interests, or;
- to perform a task carried out in the public interest or in the exercise of an official authority.
If the organisation wishes to hold and process data which does not fall within the conditions listed above, then it will seek to obtain the consent of the individual.
Personal Data
The Organisation collects and processes the following personal data:
- Name
- Address
- Bank details
- NI number
- Contact information
- Emergency contact information
The purposes for which your personal data is processed include:
- Recruitment
- Promotion
- Redeployment
- Personal or career development including appraisals
- Running payroll
- Calculation of certain benefits including pensions
- Disciplinary or grievance issues
- Performance management purposes and performance reviews
- Recording of communications with employees and their representatives
- In case of an emergency
- Compliance with legislation
- Provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist future potential employers, and
- Staffing levels and career planning
Sensitive personal data
Includes:
- Racial or ethnic origin
- Religious or similar beliefs
- Trade union membership
- Physical or mental health conditions
- The commission or alleged commission of any offence by you.
Sensitive personal data will be processed where it is necessary to enable the company to meet its legal obligations and in particular to ensure adherence to health and safety and vulnerable groups protection legislation or for equal opportunities monitoring purposes.
Right of Access
Individuals have the right to access information stored about them. Employees can ask for access to their own personal details held electronically or held manually. Employees who wish to see their records should give notice electronically, in writing, using the Subject Access Request Form which can be requested from Robert Carter. RHN Training has up to 1 month to provide the information following the subject access request, which it will usually do in electronic format.
In complex cases, or where there are numerous related requests, we will liaise with the individual to inform them of progress, and if it is not possible to complete the request within 1 month, inform the individual of the delay, the reasons for the delay and reserve the right to extend the timescale for completion by up to a further 2 months.
In the event that data is retained with third parties, we will ensure that the request is communicated and actioned by the third party in line with the timescales outlined above, unless this is impossible or would require disproportionate effort.
We reserve the right to charge a fee or refuse to respond to a request if it is manifestly unfounded or excessive. Similarly, we reserve the right to withhold personal data if disclosing it would adversely affect the rights and freedoms of others.
Rectification of Data
We are committed to keeping data that is accurate and up to date. Data will be checked for accuracy where possible, and any data that is inaccurate, out of date or unnecessary will be corrected or erased as appropriate.
Where an individual identifies that their personal data is incorrect, or incomplete or where they are aware that their personal data has changed, they must inform the organisation as soon as possible. We will then take steps to rectify any inaccuracies as soon as possible, and at the latest within 1 month.
In complex cases, or where there are numerous cases, we will liaise with the individual to inform them of progress, and if it is not possible to complete the request within 1 month, inform the individual of the delay and the reasons for the delay and reserve the right to extend the timescale for completion by up to a further 2 months.
In the event that data has been disclosed to third parties, we will ensure that the request for rectification is communicated and actioned by the third party in line with the timescales outlined above, unless this is impossible or would involve disproportionate effort.
The Right to be Forgotten
Also known as ‘the right to erasure’, the right to be forgotten doesn’t provide an absolute right to be forgotten, but data subjects have a right to have personal data erased and to prevent processing in some circumstances i.e.
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- When the individual withdraws consent;
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
- The personal data was unlawfully processed;
- The personal data has to be erased in order to comply with a legal obligation;
- The personal data is processed in relation to the offer of information society services to a child.
If you wish to ask for your own personal data to be partially/fully erased and no longer processed, please write to Robert Carter with full details of your request. RHN Training has up to 1 month to respond to you and either delete the data or explain why it is unable to comply with your request. Circumstances where we may be unable to comply include where it is required to retain the information by law, or if the data is needed in connection with legal proceedings.
In complex cases, or where there are numerous related requests, we will liaise with you to inform you of progress, and if it is not possible to respond to your request within 1 month, inform you of the delay, the reasons for the delay and reserve the right to extend the timescale for completion by up to a further 2 months, if necessary.
In the event that data is retained with third parties, we will ensure that the request is communicated and if appropriate actioned by the third party in line with the timescales outlined above.
Security of Data
We are committed to taking steps to ensure that personal data is protected, and to prevent any unauthorised access, accidental loss, destruction, unlawful processing, equipment failure or human error, and will do this through the continual monitoring of our security systems and by regular training and awareness raising.
Any data breaches or near misses will be managed according to our procedure on managing breaches.
Data Retention
The Company is committed to ensuring that subject data is kept for no longer than necessary and only kept as long as it’s relevant and necessary for legitimate purposes. As soon as data is no longer necessary for the purposes for which it was originally collected, it will be securely deleted, unless it is necessary to keep the data.
We do not intentionally keep data longer than necessary and when data is no longer required, we are committed to securely deleting it as soon as possible.
For more information and our retention guidelines, please speak with Robert Carter.
Data Breaches
All staff are responsible for data protection and should be alert to any actual, suspected, threatened or potential data protection breaches. As soon as a data protection breach has been discovered, where possible, the member of staff should complete a Data Protection Breach Reporting Form (to the fullest extent possible at that time), which provides full details concerning the breach. This form should then be passed to Robert Carter, Managing Director as soon as possible and within 24 hours of the discovery of the breach. If you need help completing the form, or are unable to complete the form, then any delay should be avoided and instead the matter should be reported immediately, either verbally or using electronic means, such as email. Failure to comply with this may result in disciplinary action up to and including dismissal without notice.
For more information regarding managing data protection breaches please speak with Robert Carter, Managing Director.
Transferring Personal Data to a Country Outside the EEA
RHN Training uses Outlook, an online application, for emails. This means that emails may transfer outside of the EEA. We have security in place to protect emails in line with GDPR.
Data Protection Officer
Robert Carter, Managing Director is the Data Protection Officer, who will support the organisation to manage Data Protection. Any queries or concerns can be addressed directly to Robert Carter.
Monitoring
We are committed to monitoring this policy and will update it as appropriate.
Any queries or concerns can be addressed directly to the Data Protection Officer.