Privacy

Our Data Protection and Privacy Policy

Data Protection Policy (GDPR)

 

OVERVIEW

 

RNA Training needs to collect, store and process personal data in order to carry out its functions and activities as a company. There are many reasons why we need to collect information e.g. Health and Safety, to register learners, to pay staff and organise training courses. However, all staff members within RNA Training are committed to protecting the confidentiality and integrity of the personal information it collects in line with GDPR legislation and the Data Protection Act 2018.

 

Under data protection law we have to provide details of how our organisation handles personal data about staff or customers, for the data protection register.

 

As an organisation that collects, uses and stores Personal Data about its employees, learners, suppliers, partners, and contractors, the company recognises that having controls around the collection, use, retention and destruction of Personal Data is important to comply with the company’s obligations under Data Protection Laws and in particular, its obligations under Article 5 of GDPR.

 

The Company has implemented this Data Protection Policy, to ensure all company staff are aware of what they must do to ensure the correct and lawful treatment of Personal Data.

 

All Company staff receive a copy of this Policy when they start and may receive periodic revisions of this Policy. This Policy does not form part of any member of the company’s contract of employment and we reserve the right to change this Policy at any time. All members of staff are obliged to comply with this Policy at all times.

 

If you have any queries concerning this Policy, please contact our Managing Director, who is responsible for ensuring the Company’s compliance with this Policy.

 

ABOUT THIS POLICY

 

This Policy (and the other policies and documents referred to in it) sets out the basis on which the company will collect and use Personal Data either where the company collects it from individuals itself, or where it is provided to the Company by third parties. It also sets out rules on how the Company handles uses, transfers and stores Personal Data.

 

It applies to all Personal Data stored electronically, in paper form, or otherwise.

 

DEFINITIONS


Company – RNA Training 20-22 Wenlock Road, London N1 5GU

 

Company Personnel – Any Company employee, worker or contractor who accesses any of the Company’s Personal Data and will include employees, consultants, contractors, subcontractors, agency staff or temporary staff hired to work on behalf of the Company.

   

Controller – Any entity (e.g. company, organisation or person) that makes its own decisions about how it is going to collect and use Personal Data. A Controller is responsible for compliance with Data Protection Laws. The Company acts as Controller in relation to areas such as the collection of employee details or enrolment information collected for its learners. It is the organisation itself which is the Controller not the staff.

 

Data Protection Laws – The General Data Protection Regulation (Regulation (EU) 2016/679) and all applicable laws relating to the collection and use of Personal Data and privacy and any applicable codes of practice issued by a regulator including in the UK, the Data Protection Act 2018.

 

Data Protection Officer – Our Managing Director – Robert Naylor is our Data Protection Officer and can be contacted on 07957 223843 or on email robert@rna-training.co.uk

 

EEA – Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.

 

ICO – the Information Commissioner’s Office, the UK’s data protection regulator.

 

Individuals – Living individuals who can be identified, directly or indirectly, from information that the Company has. For example, an individual could be identified directly by name, or indirectly by gender, job role and office location if you can use this information to work out who they are. Individuals include employees, students, contractors and potential students. Individuals also include our partners and employers.

 

Personal Data – Any information about an Individual (see definition above) which identifies them or allows them to be identified in conjunction with other information that is held. It includes information of this type, even if used in a business context.

 

Personal data is defined broadly and covers things such as name, address, email address (including in a business context, email addresses of Individuals in companies such as firstname.surname@organisation.com), IP address and also more sensitive types of data such as trade union membership, health data, genetic data and religious beliefs. These more sensitive types of data are called “Special Categories of Personal Data” and are defined below. Special Categories of Personal Data are given extra protection by Data Protection Laws.

 

Processor – Any entity (e.g. company, organisation or person) which accesses or uses Personal Data on the instruction of a Controller.

A Processor is a third party that processes Personal Data on behalf of a Controller. This is usually as a result of the outsourcing of a service by the Controller or the provision of services by the Processor which involve access to or use of Personal Data. Company examples include, software support we receive for our company student record system, which contains Personal Data, and outsourcing delivery of learning where we define the purpose and the processing requirements involved.

 

Special Categories of Personal Data – Personal Data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data (i.e. information about their inherited or acquired genetic characteristics), biometric data (i.e. information about their physical, physiological or behavioural characteristics such as facial images and fingerprints), physical or mental health (including learning difficulties or disabilities), sexual life or sexual orientation and criminal convictions. Special Categories of Personal Data are subject to additional controls in comparison to ordinary Personal Data.

 

COMPANY PERSONNEL’S GENERAL OBLIGATIONS

 

All Company Personnel must comply with this policy.

 

Company Personnel must ensure that they keep confidential all Personal Data that they collect, store, use and come into contact with during the performance of their duties.

 

Company Personnel must not release or disclose any Personal Data:

  • outside the Company; or
  • inside the company to Company Personnel not authorised to access the Personal Data,


without specific authorisation from their manager or the Managing Director; this includes by phone calls or in emails.

 

Company Personnel must take all steps to ensure there is no unauthorised access to Personal Data whether by other Company Personnel who are not authorised to see such Personal Data or by people outside the Company.

 

DATA PROTECTION PRINCIPLES

When using Personal Data, Data Protection Laws require that the Company complies with the following principles. These principles require Personal Data to be:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary for the purposes for which it is being processed;
  • accurate and kept up to date, meaning that every reasonable step must be taken to ensure that Personal Data that is inaccurate is erased or rectified as soon as possible;
  • kept for no longer than is necessary for the purposes for which it is being processed; and
  • processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 

These principles are considered in more detail in the remainder of this Policy.

 

The company will continue to review and develop its compliance under GDPR and will complete in-year audits to monitor internal processes.

 

LAWFUL USE OF PERSONAL DATA

 

The company lawfully processes Personal Data under the legal basis set out in Article 6 of the GDPR.

 

The majority of processing by the company is done because it is necessary for the performance of the contract we have entered into with the data subject or it is pursuit of a legitimate business interest. We limit the information we collect to ensure we only collect what is needed to perform this duty effectively and without penalty. The Company also seeks to obtain the consent from individuals for the purpose of company activities, either where explicit consent is required (where it is specific, freely given and informed) or where we consider it important that the individual is made aware of the processing even if consent is not required. Our Privacy notices form part of our learner enrolment process and the new employee induction process and is designed to ensure all staff and learners are fully informed of how their data will be used.

 

Every information asset containing Ordinary personal data held by the company has been detailed in our What, Why and Who document. This details the lawful basis for the collection and processing of all the information we hold.

 

The company also reserves the right to use other legal basis in its operational day to day activities where processing is necessary for compliance with legal obligations or in order to protect the vital interests of individuals.

 

If the Company changes how it uses Personal Data, the Company needs to update this record and may also need to notify Individuals about the change. If Company Personnel therefore intend to change how they use Personal Data at any point they must notify the Managing Director who will decide whether their intended use requires amendments to be made and any other controls which need to apply.

 

TRANSPARENT PROCESSING – PRIVACY NOTICES


The Company endeavours to be as transparent about the processing of individual data as it can be, and demonstrates this with ae Privacy Notice available to staff at their induction and to students at their enrolment on the Academy.

Our Privacy Notices provide individuals with a summary of:

  • the purpose for collecting the information
  • the safeguards we put in place to protect your data and the company environment
  • your rights in relation to the data we collect
  • how long we retain your data for, and
  • any third parties we share the information with.

   

RNA Training Privacy Notice


Here at RNA Training, we take your privacy seriously and will only use your personal information to provide the products and services you have requested from us. This may include providing your personal information to an academic institution or professional body when you have successfully achieved a qualification. We will not supply your personal details to any other organisation.

 

Your rights under GDPR and the Data Protection Act with regards to the personal data we keep are:

 

Right to access personal information

Any individual has a right to ask for a copy of the personal information held about them. This means that you can ask for the information that RNA Training holds about you. This is known as the right of ‘subject access’. Please contact Robert Naylor, our Managing Director -robert@rna-training.co.uk

 

Right to restrict processing of personal information

In some situations, you have the right to require us to restrict the processing of your personal information. We may restrict your personal information by temporarily moving the information to another processing system, making the information unavailable to users, or temporarily removing published information from a website. We may also use technical methods to ensure the personal information is not subject to further processing and cannot be changed. When we have restricted processing of personal information, this will be clearly indicated on our systems.


You can require us to restrict processing in the following circumstances:

  • We are processing your personal data unlawfully and you do not want us to delete the information but restrict it instead
  • You are concerned that the information we hold about you is inaccurate. You can ask us to restrict the information until we are able to determine whether the information is accurate or inaccurate
  • We no longer need the information for the purposes for which we collected it, but they are needed by you for the establishment, exercise or defence of legal claims
  • You have objected to the processing (see below) and we need to decide whether the legitimate interests we have to process the information override your fundamental rights.
  • Processing you think is unlawful


If you tell us that you think we are processing your personal information unlawfully, but you do not want the information to be erased, you have the right to require us to restrict the processing of that information. We will ask you for an explanation about why you think the processing is unlawful and may also ask that you provide evidence to support this view.

 

Processing of personal information you think is inaccurate

You can tell us if you think the personal information, we are processing about you, is factually inaccurate. You can require us to restrict how we use your personal information until we can verify the accuracy of the information. We will ask you for an explanation about why you think the information is inaccurate and may also ask that you provide some supporting evidence of the alleged inaccuracy. If we find that the personal information, we are processing about you, is inaccurate we will take appropriate steps to correct the information.

 

Personal information no longer needed by RNA Training, but needed by you in connection with a legal claim

In most circumstances, we will securely delete or dispose of personal information when we no longer need it for our legitimate business purposes. Our approach to retention is outlined below. However, if personal information we no longer need, would assist you in establishing, exercising or defending a legal claim, you can require us to keep the information for as long as necessary. We may ask you to provide an explanation and any available supporting evidence that a legal claim is on-going or contemplated.

  

Right to object to processing

You have the right to object to RNA Training processing your personal data in the following circumstances:

Personal information used for direct marketing. If we are using your personal information to send you direct marketing, you have the right to object at any time. If you exercise this right, we will stop processing your personal information for direct marketing purposes. However, unless invited by you to provide information, RNA Training does not use direct marketing.


Automated decision making and profiling.

‘Profiling’ is automated use of personal data held on computer to analyse or predict things which have a legal effect, or other similarly significant effect, on the individual. Examples would include economic situation, health, personal preferences or interests and location. You have the right not to be subject to a solely automated decision (that is, a decision made electronically, with no human intervention), and this may include profiling (although there is no general right to object to profiling). If you are concerned, RNA training has made a solely automated decision about you, you can object. We do not however, use automatic decision making in our systems.


Right to erasure of personal data (“the right to be forgotten”)

In the following circumstances, you have the right to require that RNA Training securely deletes or destroys your personal information:

  • If the personal information we hold about you is no longer necessary for the purposes for which we originally collected it
  • The processing is based on consent - if you have previously given your consent to RNA Training collecting and processing your personal information, and you notify us that you withdraw your consent. Please note: withdrawing your consent does not mean the processing of your personal data which occurred before the withdrawal was unlawful
  • We are processing your personal information for direct marketing purposes, and you want us to stop
  • If you think RNA Training has processed your personal information unlawfully
  • If you think any of the above situations apply, we may ask you for an explanation and further information to verify this.


Right to data portability

If you have provided your information to RNA Training, you have the right to request and receive a copy of that information in a structured, commonly-used and machine-readable format. You also have the right to ask us to send the information we hold about you to another organisation. Please contact Robert Naylor, our Managing Director -robert@rna-training.co.uk

 

Your right to complain to a national data protection regulator (data protection supervisory authority)

If you think we have processed your personal information unfairly or unlawfully, or we have not complied with your rights under GDPR, you have the right to complain to a national data protection regulator. Complaints about how we process your personal information can be considered by the UK data protection regulator, the Information Commissioner’s Office (ICO). The ICO can be contacted using the following details:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Website: www.ico.org.uk 

Email: casework@ico.org.u

Share by: