DATA PROTECTION AND WEBSITE POLICY
Data Protection
1. POLICY STATEMENT
Frontier Risks Group Ltd is committed to a policy of protecting the rights and privacy of individuals (includes learners, staff and others) in accordance with the Data Protection Act. The Training Company needs to process certain information about its staff, learners and other individuals it has dealings with for administrative purposes (eg to recruit and pay staff, to administer programmes of study, to record progress, to agree awards, to collect fees, and to comply with legal obligations to funding bodies and government). To comply with the law, information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.
The policy applies to all staff and learners of the Training Company. Any breach of the Data Protection Act 1998 or the Training Company Data Protection Policy is considered to be an offence and in that event, Frontier Risks Group Ltd disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with the Training Company, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that departments/sections who deal with external agencies will take responsibility for ensuring that such agencies sign a contract agreeing to abide by this policy.
2. BACKGROUND TO THE DATA PROTECTION ACT 1998
The Data Protection Act 1998 enhances and broadens the scope of the Data Protection Act 1984. Its purpose is to protect the rights and privacy of living individuals and to ensure that personal data is not processed without their knowledge, and, wherever possible, is processed with their consent.
3. DEFINITIONS
Personal Data - Data relating to a living individual who can be identified from that information or from that data and other information in possession of the data controller. Includes name, address, telephone number, and ID number. Also includes expression of opinion about the individual, and of the intentions of the data controller in respect of that individual.
Sensitive Data - Different from ordinary personal data (such as name, address, telephone) and relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Sensitive data are subject to much stricter conditions of processing.
Data Controller - Any person (or organisation) who makes decisions with regard to particular personal data, including decisions regarding the purposes for which personal data are processed and the way in which the personal data are processed.
Data Subject - Any living individual who is the subject of personal data held by an organisation.
Processing - Any operation related to organisation, retrieval, disclosure and deletion of data and includes: obtaining and recording data; accessing, altering, adding to, merging or deleting data.
Third Party - Any individual/organisation other than the data subject, the data controller (Training Company) or its agents.
Relevant Filing System - Any paper filing system or other manual filing system, which is structured so that information about an individual is readily accessible.
Please note that this is the definition of "Relevant Filing System" in the Act. Personal data as defined, and covered, by the Act can be held in any format, electronic (including websites and emails), paper-based, photographic etc. from which the individual's information can be readily extracted.
Responsibilities of the Data Protection Act
- The Training Company as a body corporate is the data controller under the new Act.
- Compliance with data protection legislation is the responsibility of all members of the Training Company who process personal information.
- Members of the Training Company are responsible for ensuring that any personal data supplied to the Training Company are accurate and up-to-date.
4. DATA PROTECTION PRINCIPLES
All processing of personal data must be done in accordance with the eight data protection principles.
- Personal data shall be processed fairly and lawfully. Those responsible for processing personal data must make reasonable efforts to ensure that data subjects are informed of the identity of the data controller, the purpose(s) of the processing, any disclosures to third parties that are envisaged and an indication of the period for which the data will be kept.
- Personal data shall be obtained for specific and lawful purposes and not processed in a manner incompatible with those purposes. Data obtained for specified purposes must not be used for a purpose that differs from those.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is held. Information which is not strictly necessary for the purpose for which it is obtained should not be collected. If data is given or obtained which is excessive for the purpose, it should be immediately deleted or destroyed.
- Personal data shall be accurate and, where necessary, kept up to date. Data kept for a long time must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate. It is the responsibility of individuals to ensure that data held by the Training Company is accurate and up-to-date. Completion of an appropriate registration or application form etc will be taken as an indication that the data contained therein is accurate. Individuals should notify the Training Company of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of the Training Company to ensure that any notification regarding change of circumstances is noted and acted upon.
- Personal data shall be kept only for as long as necessary. (See Section 12 on Retention and Disposal of Data)
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act. (See Section 7 on Data Subjects Rights)
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data. (See Section 9 on Security of Data)
- Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Data must not be transferred outside of the European Economic Area (EEA) - the EU Member States together with Iceland, Liechtenstein and Norway - without the explicit consent of the individual.
Members of the Training Company should be particularly aware of this when publishing information on the Internet, which can be accessed from anywhere in the globe. This is because transfer includes placing data on a web site that can be accessed from outside the EEA.
5. DATA SUBJECT RIGHTS
Data Subjects have the following rights regarding data processing, and the data that are recorded about them:
- To make subject access requests regarding the nature of information held and to whom it has been disclosed.
- To prevent processing likely to cause damage or distress.
- To prevent processing for purposes of direct marketing.
- To be informed about the mechanics of any automated decision-taking process that will significantly affect them.
- Not to have significant decisions that will affect them taken solely by automated process.
- To sue for compensation if they suffer damage by any contravention of the Act.
- To take action to rectify, block, erase or destroy inaccurate data.
- To request the Commissioner to assess whether any provision of the Act has been contravened.
6. CONSENT
Wherever possible, personal data or sensitive data should not be obtained, held, used or disclosed unless the individual has given consent. The Training Company understands "consent" to mean that the data subject has been fully informed of the intended processing and has signified their agreement, whilst being in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing. There must be some active communication between the parties such as signing a form and the individual must sign the form freely of their own accord. Consent cannot be inferred from non-response to a communication. For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists. In most instances consent to process personal and sensitive data is obtained routinely by the Training Company (eg when a student signs a registration form or when a new member of staff signs a contract of employment). Any Training Company forms (whether paper-based or web based) that gather data on an individual should contain a statement explaining what the information is to be used for and to whom it may be disclosed. It is particularly important to obtain specific consent if an individual's data are to be published on the Internet as such data can be accessed from all over the globe.
Therefore, not gaining consent could contravene the eighth data protection principle. If an individual does not consent to certain types of processing (eg direct marketing), appropriate action must be taken to ensure that the processing does not take place. If any member of the Training Company is in any doubt about these matters, they should consult the Training Company Data Protection Officer.
7. SECURITY OF DATA
All staff are responsible for ensuring that any personal data (on others), which they hold, are kept securely and that they are not disclosed to any unauthorised third party (see Section 11 on Disclosure of Data for more detail). All personal data should be accessible only to those who need to use it. You should form a judgement based upon the sensitivity and value of the information in question, but always consider keeping personal data:
- in a lockable room with controlled access, or
- in a locked drawer or filing cabinet, or
- if computerised, password protected, or
- kept on disks which are themselves kept securely.
Care should be taken to ensure that PCs and terminals are not visible except to authorised staff and that computer passwords are kept confidential. PC screens should not be left unattended without password-protected screen-savers, and manual records should not be left where they can be accessed by unauthorised personnel. Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data. Manual records should be shredded or disposed of as "confidential waste". Hard drives of redundant PCs should be wiped clean before disposal. This policy also applies to staff and learners who process personal data "off-site". Off-site processing presents a potentially greater risk of loss, theft or damage to personal data. Staff and learners should take particular care when processing personal data at home or in other locations outside the Training Centre.
8. RIGHTS OF ACCESS TO DATA
Members of the Training Company have the right to access any personal data, which are held by the Training Company in electronic format and manual records, which form part of a relevant filing system. This includes the right to inspect confidential personal references received by the Training Company about that person. Any individual who wishes to exercise this right should apply in writing to the Data Protection Officer. Any such request will normally be complied with within 40 days of receipt of the written request and, where appropriate, the fee. In order to respond efficiently to subject access requests the Training Company needs to have in place appropriate records management practices.
9. DISCLOSURE OF DATA
The Training Company must ensure that personal data are not disclosed to unauthorised third parties, which include family members, friends, government bodies, and in certain circumstances, the Police. All staff and learners should exercise caution when asked to disclose personal data held on another individual to a third party. For instance, it would usually be deemed appropriate to disclose a colleague's work contact details in response to an enquiry regarding a particular function for which they are responsible. However, it would not usually be appropriate to disclose a colleague's work details to someone who wished to contact them regarding a non-work related matter. The important thing to bear in mind is whether or not disclosure of the information is relevant to, and necessary for, the conduct of Training Company business. Best practice, however, would be to take the contact details of the person making the enquiry and pass them on to the member of the Training Company concerned. This policy determines that personal data may be legitimately disclosed where one of the following conditions applies:
- The individual has given their consent (eg a student/member of staff has consented to the Training Company corresponding with a named third party);
- Where the disclosure is in the legitimate interests of the institution (eg disclosure to staff - personal information can be disclosed to other Training Company employees if it is clear that those members of staff require the information to enable them to perform their jobs);
- Where the institution is legally obliged to disclose the data (eg HESA and HESES returns, ethnic minority and disability monitoring);
- Where disclosure of data is required for the performance of a contract (eg submitting a student's data to an external governing body for assessment, etc).
The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
- To safeguard national security*;
- Prevention or detection of crime including the apprehension or prosecution of offenders*;
- Assessment or collection of tax duty*;
- Discharge of regulatory functions (includes health, safety and welfare of persons at work)*;
- To prevent serious harm to a third party;
- To protect the vital interests of the individual, this refers to life and death situations.
* Requests must be supported by appropriate paperwork.
When members of staff receive enquiries as to whether a named individual is a member of the Training Company, the enquirer should be asked why the information is required. If consent for disclosure has not been given and the reason is not one detailed above (i.e. consent not required), the member of staff should decline to comment. Even confirming whether or not an individual is a member of the Training Company may constitute an unauthorised disclosure. Unless consent has been obtained from the data subject, information should not be disclosed over the telephone.
Instead, the enquirer should be asked to provide documentary evidence to support their request. Ideally a statement from the data subject consenting to disclosure to the third party should accompany the request. As an alternative to disclosing personal data, the Training Company may offer to do one of the following:
- Pass a message to the data subject asking them to contact the enquirer;
- Accept a sealed envelope/incoming email message and attempt to forward it to the data subject.
Please remember to inform the enquirer that such action will be taken conditionally: i.e. "if the person is a member of the Training Company" to avoid confirming their membership of, their presence in or their absence from the institution.
10. RETENTION AND DISPOSAL OF DATA
The Training Company discourages the retention of personal data for longer than they are required. Considerable amounts of data are collected on current staff and learners. However, once a member of staff or student has left the institution, it will not be necessary to retain all the information held on them. Some data will be kept for longer periods than others.
Learners
In general, electronic student records containing information about individual learners are kept indefinitely and information would typically include name and address on entry and completion, programmes taken, examination results, awards obtained. Departments should regularly review the personal files of individual learners in accordance with the Training Company's Records Retention Schedule.
Staff
In general, electronic staff records containing information about individual members of staff are kept indefinitely and information would typically include name and address, positions held, leaving salary. Other information relating to individual members of staff will be kept by the Personnel Department for 6 years from the end of employment. Information relating to Income Tax, Statutory Maternity Pay etc will be retained for the statutory time period (between 3 and 6 years). Departments should regularly review the personal files of individual staff members in accordance with the Training Company's Records Retention Schedule (Appendix VII).
Information relating to unsuccessful applicants in connection with recruitment to a post must be kept for 12 months from the interview date. Personnel may keep a record of names of individuals that have applied for, been short-listed, or interviewed, for posts indefinitely. This is to aid management of the recruitment process.
Disposal of Records
Personal data must be disposed of in a way that protects the rights and privacy of data subjects (eg, shredding, disposal as confidential waste, secure electronic deletion).
11. PUBLICATION OF TRAINING COMPANY INFORMATION
It is recognised that there might be occasions when a member of staff, a student, or a lay member of the Training Company, requests that their personal details in some of these categories remain confidential or are restricted to internal access. All individuals should be offered an opportunity to opt-out of the publication of the above (and other) data. In such instances, the Training Company should comply with the request and ensure that appropriate action is taken.
12. DIRECT MARKETING
Any department or section that uses personal data for direct marketing purposes must inform data subjects of this at the time of collection of the data. Individuals must be provided with the opportunity to object to the use of their data for direct marketing purposes (eg an opt-out box on a form).
WEBSITE POLICY
1. INTRODUCTION
This Privacy Policy explains what information Frontier Risks Group Ltd and its related entities (“Frontier Risks”) collect about you and why, what we do with that information, how we share it, and how we handle the content you place in our products and services. It also explains the choices available to you regarding our use of your personal information and how you can access and update this information.
Frontier Risks (FRG) (“We”, “us”, or “our”) are strongly committed to issues of privacy and this policy sets out our approach to the collection, storage, usage and transfer or disclosure of collected information. To ensure that we are deserving of your continuing trust, we provide this Privacy Policy and promise not to collect, use, share, or retain your personal data in a manner inconsistent with these terms.
Please review this Privacy Policy carefully as you, the user or visitor, must agree to it in its entirety in order to continue to access our Services, which include our websites, www.frontierrisks.com and distancelearning.frontierrisks.com.
2. SERVICES
This policy applies to any visitors to our websites or users of our Services provided via this web address. This web site is also one of our Services.
3. THE INFORMATION THAT WE COLLECT
- Personal Data. When you visit our web site, we obtain your explicit consent to our use of cookies and other tracking technologies, through your interaction with the notification that is displayed when you visit our web site. Such technologies record information about visitors, such as IP address, referring URL, unique browser characteristics, and cookie information. While the information collected by trackers is not linked by us to your name or identity, all visitors and users should be aware that the information may be sufficient to allow third party marketing networks to provide advertising that would be more relevant to you. We also collect certain personal data, which you voluntarily provide when you use the web site to communicate with us or register for a user account to access our Services. This data can be used to identify you, such as your name, e-mail address, mailing address, and telephone number.
- Special Categories of Sensitive Personal Data. Our Services do not collect data considered to be sensitive personal data, especially as defined by European Law. Accordingly, our Services do not knowingly collect any information about your race, national origin, sexual preference or practices, disabilities, political affiliations, philosophical beliefs, trade-union memberships, or health.
- We Do Not Collect Information from Children or Market to them. You must be 18 or older to access our Services. We do not intentionally market to, solicit, provide services to, or store the information of minors.
4. HOW WE USE YOUR INFORMATION
We may use your information to:
- Enhance or improve user experience of our Services;
- In accordance with the performance of any agreement with you;
- Learn information about our audience, such as the rough geographic location of our visitors, what devices they are using to access our services, the times of visits, and whether they are repeat visitors;
- Process transactions with you;
- Send e-mails and updates to you about our Services;
- Perform any other function that we believe in good faith is necessary to protect the security or proper functioning of our Services.
Before retaining your information for any period longer than necessary to fulfil the stated uses, or before changing the stated uses of your personal information, we will obtain the explicit consent of all users. Visitors who are not users will be notified of changes to this policy through the publication of the date of this policy’s drafting, and prior versions shall be available for viewing on this website.
5. ACCESSING, EDITING, AND REMOVING YOUR INFORMATION
If you create an account with us, you are able to review, edit, delete, and export the personal data that you have provided to us by logging into your account for Services and utilizing options in your user profile. Although most changes may occur immediately, information may still be stored in a web browser’s cache. We take no responsibility for stored information in your cache, or in other devices that may store information, and disclaim all liability of such. In addition, we may, from time to time, retain residual information about you in our backups where it may be impractical or impossible for us to access this information, or we may retain information regarding our past transactions with you for our own records.
6. HOW AND WHY WE USE COOKIES
We use cookies to create a session and remember a type of user as they access this web site. We obtain explicit consent from you through your interaction with the notification that is displayed when you visit our web site. Cookies provide additional security and convenience beyond simply identifying users based on their IP address, such as individual settings about your preferences, or information necessary to deliver the user experience. For this reason, it is necessary that you enable cookies in your browser, and you hereby acknowledge that we have informed you of our use of cookies and that you consent to our use of cookies in relation to your computer system. You may disable cookies, but we cannot guarantee that the web site or Services will function properly.
Because browsers and devices are constantly changing, we cannot provide detailed instructions on how to disable cookies on every device; however, you may find this article useful: http://www.wikihow.com/Disable-Cookies. You may also wish to use an internet search engine, and enter a text search for “How to disable cookies”. Please be advised that disabling cookies, using a “private browsing” feature, or even using specialized browsers and virtual private network connections will not provide complete anonymity on the Internet.
7. WE DO NOT CONTROL THIRD-PARTY WEBSITES
We may post links to third party websites within our Services. Such posting is in no way an endorsement of the privacy terms or policies that relate to these websites. We bear no responsibility for the data collected or used by any advertiser or third-party website at these URLs. We do not screen these third-party websites or web services, and you release us from any liability for the conduct of these third-party websites. Please be aware that this Privacy Policy and the rest of the Agreement do not create any rights enforceable by third parties. Please review the privacy policy and terms of service for each site you visit through third party links.
8. LIMITED THIRD PARTIES WILL HAVE ACCESS TO YOUR DATA
Although you are entering into an agreement with us to disclose your information to us, we do occasionally use third party individuals and organizations to assist us with web hosting, e-newsletters and Google Analytics.
Throughout the course of our provision of our Services to you, we may delegate our authority to collect, access, use, and disseminate your information. For example, our web host stores the information that you provide us, and we may hire outside contractors to perform maintenance or assist users in securing our Services. To the extent that we use third parties to process your data, we utilise safeguarding measures and mechanisms to ensure that your personal data is always safe and secure.
It is, therefore, necessary that you grant the third parties we may use in the course of our business the same rights that you afford us under this Privacy Policy. For this reason, you hereby agree that for every authorization which you grant to us in this Privacy Policy, you also grant to any third party that we may hire, contract, or otherwise retain the services of for the purpose of operating, maintaining, repairing, or otherwise improving or preserving our website or its underlying files or systems. You agree not to hold us liable for the actions of any of these third parties, even if we would normally be held vicariously liable for their actions, and you agree that you must take legal action against them directly should they commit any wrong against you.
Without limiting the parties that we may use, you specifically authorise us to collect, store, share, and otherwise use your information in conjunction with Google Analytics. For further information follow this link: https://www.google.com/policies/privacy/
9. SOCIAL MEDIA PLATFORMS
Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are subject to the terms and conditions as well as the privacy policies held with each social media platform respectively. Users are advised to use social media platforms wisely and communicate/engage upon them with due care and caution in regard to their own privacy and personal details. Neither this website nor its owners will ever ask for personal or sensitive information through social media platforms, and they encourage users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email. This website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised before using such social sharing buttons that they do so at their own discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.
Shortened Links in Social Media
This website and its owners through their social media platform accounts may share web links to relevant web pages. By default some social media platforms shorten lengthy URLs [web addresses]. This is an example: http://bit.ly/zyVUBo. Users are advised to take caution and good judgment before clicking any shortened URLs published on social media platforms by this website and its owners. Despite the best efforts to ensure only genuine URLs are published, many social media platforms are prone to spam and hacking and therefore this website and its owners cannot be held liable for any damages or implications caused by visiting any shortened links.
Resources and Further Information
- Data Protection Act 1998
- Privacy and Electronic Communications Regulations 2015
- Twitter Privacy Policy
- Facebook Privacy Policy
- Google Privacy Policy
- LinkedIn Privacy Policy
10. WE MAY HAVE TO RELEASE YOUR INFORMATION FOR LEGAL PURPOSES
At times, it may become necessary to release your information in response to a request from a government agency or a private litigant with valid authority. You agree that we may disclose your information to a third party where we believe, in good faith, that we must do so for purposes of a civil action, criminal investigation, or other legal matter pursuant to a request by a competent authority. In the event that we receive a subpoena affecting your privacy, we may notify you to give you an opportunity to legally intervene, or we may attempt to block the subpoena ourselves, but we are not obligated to do either. We may also proactively report you, and release your information to, third parties where we believe that it is prudent to do so for legal reasons, such as our belief that you have engaged in illegal or fraudulent activities. You release us from any damages that may arise from or relate to the release of your information in response to a request from law enforcement agencies or private litigants.
11. YOU AGREE TO RECEIVE MESSAGES FROM US UNLESS YOU TELL US OTHERWISE
Providing your email address or physical address to us establishes a relationship with us through which we may contact you. Providing this information also demonstrates your consent that we may use this information for purposes disclosed in this Privacy Policy. You may unsubscribe from certain communications by notifying us that you no longer wish to receive solicitations or information and we will endeavour to prevent you from receiving further such communication.
12. WE ARE SECURE, AND WE RECOMMEND YOU ALSO TAKE PRECAUTIONS
We have in place all generally accepted standards of technology and operational security in order to protect the personal information submitted to the Site from loss, misuse, alteration or destruction and to ensure compliance with the requirements of all applicable data protection and privacy legislation. However, we make no representations as to the security or privacy of your information and all users of the Site submit personal information to the Site at the user’s own risk. It is in our interest to keep our Services secure, but we strongly recommend that you use anti-virus software, firewalls, unique passwords, and other precautions to protect yourself from security threats.
13. DATA CONTROLLER
Frontier Risks Group Ltd (registered in England under registration no. 07669974 and with a registered address at 4 and 6 Market Place, Chapel-en-le-Frith, SK23 0EN) is the data controller of any personal data collected through the Site and will process such information in accordance with the provisions of the Data Protection Act, the General Data Protection Regulation 2018 and the applicable data protection law. Any enquiries relating to data protection issues should be sent to our legal team at [email protected]
14. YOUR INFORMATION MAY BE TRANSFERRED INTERNATIONALLY
Your information may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the European Union and provide information to us, you acknowledge that we transfer personal information to the European Union and process it there. Your use of our website constitutes consent to this Privacy Policy and represents your agreement to that transfer.
15. UPDATES TO THIS PRIVACY POLICY
We may amend this Privacy Policy from time to time. When we amend this Privacy Policy, a brief description of any material modification and the date it went into effect will be placed in the “Historical Modifications” section at the end of the Privacy Policy, as appropriate. You must read that section each time you use our Services and your continued use of our Services shall constitute your acceptance of any such amendments. Under no circumstances shall you have the right or ability to amend, modify, supplement, or alter this Privacy Policy in any way.
16. TERMS OF USE
Note also that your use of the FRG Site is subject to our Terms of Use, which contain disclaimers and limitations of liability. We recommend that you also review the Terms of Use before accessing our Sites.
For any enquiries relating to this policy, please contact: Frontier Risks Group, 7 Market Street, Whaley Bridge, High Peak, SK23 7AA