People, Opportunities, Change
General Data Protection Regulation (GDPR) Policy
Statement of Intent
CTS Training recognises that data protection under GDPR and information security is an integral part of our quality standards and contributes significantly to the experience of all customers within our programmes.
We are committed to meeting the standards set by relevant legislation, our Funding Bodies, and Stakeholders regarding data protection in the provision of services for our customers. We will promote best-practice approaches to data protection and will expect our sub-contractors and suppliers to do the same.
We will use contractual arrangements to ensure that sub-contractors and suppliers operate effective data protection management systems.
We will also promise that we will:
• Value the personal information entrusted to us and make sure we respect that trust.
• Consider and address the privacy risks first when we are planning to use or hold personal information in new ways, such as when introducing new systems.
• Be open with individuals about how we use their information and to whom we give it.
• Make it easy for individuals to access and correct their personal information.
• Keep personal information to the minimum necessary and delete it when we no longer need it.
• Have effective safeguards in place to make sure personal information is kept secure and does not fall into the wrong hands.
• Provide training to staff who handle personal information and treat it as a disciplinary matter if they misuse or do not look after personal information properly.
• Put appropriate financial and human resources into looking after personal information to make sure we can live up to our promises; and
• Regularly check that we are living up to our promises and report on how we are doing.
This GDPR Data Protection Policy will be reviewed at least annually and more frequently if necessary due to significant internal, external, or legislative changes.
Data Protection Policy
Each employee will be given such information, instructions, and training as necessary. This will ensure they are aware of their contractual responsibilities in relation to personal data and inform them that if any personal data is improperly disclosed, destroyed, or obtained, this constitutes an act of misconduct.
The Policy
CTS’s Senior Management team fully endorses GDPR and is committed to information security within the company.
CTS Training will:
• Recognise its legal obligations for the request, storage, use, and disclosure of information under GDPR. All due diligence will be exercised regarding how information is processed and shared regarding the safeguarding of vulnerable individuals. Any such information will be treated in the strictest of confidence, with the right to reserve sharing of the information with external agencies who have a personal stake in the welfare of that individual. Information may also be shared internally with those members of staff who have direct responsibility for a vulnerable individual.
• Hold employees’ DBS records for a maximum of six months (either in hardcopy or electronic form) before being securely destroyed. The above information should be read in conjunction with CTS’s Safeguarding Policy.
• Distribute and publicise this Policy throughout the company and elsewhere as is deemed appropriate.
• Ensure all requests for data are undertaken in line with the ‘Subject Access Request’ Guidance.
• Ensure appropriate policies/guidance/information is available to staff to safeguard personal information e.g., through the Staff Handbook and separate policies e.g., Acceptable ICT Use Policy.
• Investigate any breaches of information security and take the appropriate action.
• Ensure we maintain registration with the Information Commissioner’s Officer as a ‘data processor’ and of any significant changes to data collection, handling, storage, or use.
Responsibility
The Chief Executive Officer has overall responsibility for GDPR / Information Security. However, day-to-day coordination of data protection/issues falls upon the MI Manager and is, therefore, the nominated representative.
All CTS employees have specific responsibility for ensuring the confidentiality of all personal and business-sensitive information.