Data Protection and GDPR
As an organisation we have to comply with data protection legislation. From Friday 25 May 2018, the Data Protection Act 1998 will be superseded by the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 and other supporting data protection legislation (e.g. the Privacy and Electronic Communications Regulations (PECR)).
As we process a large quantity of personal data we are required to have a Data Protection Officer (DPO). The Data Protection Officer will report directly to the Managing Director. Positive Futures and the Positive Futures Group are registered with the Information Commissioner’s Office (ICO), the UK’s data protection authority, as follows:
Positive Futures (N.E.) Limited - Registration No: ZA216639
Enhance Training Academy Limited - Registration No: ZA213907
Data protection legislation places obligations on us to protect your personal information. We have to make sure we process personal data in line with data protection principles and ensure that your rights as Individuals (Data Subjects) are met. These are outlined in our Data Protection (GDPR) Policy.
We will follow current data protection and other legislative guidance when dealing with requests from Individuals (Data Subjects) to exercise their data rights.
The right to be informed
We will tell you what we are doing with your personal data, why we need to collect it, what we will do with it and who we will share it with. We will give you this information in our Privacy Notices (see below). Where we need to collect, process or share your personal information for any purpose not outlined on the Privacy Notices, we will provide separate information and obtain consent where necessary.
- Privacy Notice - Learners (Coming soon)
- Privacy Notice - Staff (Coming soon)
The right to access
This is known as a Data Subject Access Request. Full details are available in our Data Protection (GDPR) Policy.
If you wish to request information we hold about you, we would prefer you to complete a Data Subject Access Form and email it for the attention of the Data Protection Officer; however, any request in writing or by email from the Individual (Data Subject) will be considered a valid request, as long as it contains the relevant information to enable us to deal with your request.
If you are not known to the relevant Departmental Head, we may ask to see proof of your identity. The following forms of identity will be accepted:
- A copy of your passport
- A copy of your driving licence
- A copy of your Bank, Building Society or credit card statement in the Data Subject's name dated in the last 3 months
- A copy of your Council Tax bill
If you are requesting information on behalf of someone else you must complete the Data Subject Access Request Form and provide written evidence that you have the Data Subject’s authority to ask for the information on their behalf, e.g. signature on the Data Subject Access Form, a letter written by them, evidence of Power of Attorney, etc.
If your Data Subject Access Request is approved, you will be provided with either a printout or a photocopy of paper records. Where information is requested to be provided by email, we will only agree to this if it can be sent via an approved secure method.
We will respond to your request within 30 days. Where we are unable to approve your request for information or are unable to provide the information within 30 days, we will notify you. Verification of identity of the person/organisation making the request will be required.
Requests for disclosure of personal information in connection with investigation of crime or any other enforcing body investigation should be made on a Police and Enforcing Bodies Disclosure Request Form and emailed for the attention of the Data Protection Officer. ID will be requested and verified.
Information will normally be provided free of charge. However, there may be certain circumstances when a charge can be made: for example, where the request is manifestly unfounded or excessive, we may charge a ‘reasonable fee’ for the administrative costs of complying with the request. We can also charge a reasonable fee if an Individual (Data Subject) requests further copies of their data following a request. We will follow guidance from the ICO to determine if a charge applies and advise you prior to collating the information.
The right to rectification
For amendments to your personal information, such as updating details we have collected from you for normal business processing (e.g. contact details; change of address; emergency/next of kin contact details; course details and medical details etc.), please contact the relevant Department to tell them what is incorrect and ask for it to be corrected.
For anything that is not considered routine business processing, please contact the Data Protection Officer who will take steps to action your request.
We will aim to deal with requests for rectification as soon as possible. We will respond within one month; this will be extended by two months where the request for rectification is complex.
The right to erasure/deletion
Requests for the erasure (deletion) or removal of personal data where there is no lawful basis for its continued processing should be made to the relevant Department. We have the right to refuse a request for erasure under certain circumstances – please refer to the Data Protection (GDPR) Policy for further details.
We will aim to deal with right to erasure requests within one month. Where we are unable to complete the request within this timescale, we will inform the individual.
The right to restriction
Requests to restrict us from processing your personal data can be made; however, there may be reasons why we may not be able to comply. If a request is determined to be valid, we will take steps to immediately restrict processing of personal data as set out in our Data Protection (GDPR) Policy.
The right to data portability
Details on this are outlined in the Data Protection (GDPR) Policy. Requests should be made to the relevant Department. We will aim to respond within one month or, within that month, advise the individual if we need to extend the timeframe by two months where the request is complex or a number of requests have been received.
The right to objection
You may object to processing under certain circumstances; please refer to the Data Protection (GDPR) Policy. Requests should be made to the relevant Department. We will aim to deal with requests within one month and advise you if we cannot meet this timescale.
The rights in relation to profiling and automated decision-making
Profiling and automated decision-making are two different things, although automated decision-making can include profiling. We will specify any profiling or automated decision-making in our Privacy Notices or other communication as necessary. Further information is in our Data Protection (GDPR) Policy.
Reporting a concern
If you are unhappy with the way we have processed your personal information, or feel that your request for information or to exercise your data rights has not been dealt with appropriately, please contact the Data Protection Officer in the first instance. If you are unhappy with the outcome of your complaint, you can escalate your complaint to the Information Commissioner's Office (ICO).
The contact details for the Data Protection Officer and ICO are:
- DPO, Positive Futures, Novus Business Centre, Judson Road, Peterlee, Co Durham, SR8 2WJ
- Office tel: 0191 5878156
- ICO helpline: 0303 123 1113
- See the ICO Concerns website for more information