Table of Contents

Data Protection Policy

1. Introduction

2. Purpose of this Policy

3. Scope of this policy
4. Further advice regarding this Policy

5. Data Protection Principles

6. Lawfulness, fairness and transparency

7. Purpose limitation

8. Data minimisation

9. Accuracy

10. Storage limitation

11. Security, integrity and confidentiality

12. Sharing personal data

13. Transfers outside of the European Economic Area (EEA)

14. Data subject rights and requests

15. Research exemption

16. Accountability and record-keeping

17. Data Protection Impact Assessments

18. Direct marketing

19. Changes to this policy

Schedule 1 – Glossary

1. Introduction

The protection of individuals via the lawful, legitimate and responsible processing and use of their personal data is a fundamental human right. Individuals may have a varying degree of understanding or concern for the protection of their personal data, but CyberNexus Training must respect their right to have control over their personal data and ensure it acts in full compliance with legislative and regulatory requirements at all times. If individuals feel they can trust CyberNexus Training as a custodian of their personal data, this will also help CyberNexus Training fulfil its wider objectives. The General Data Protection Regulation (GDPR), as supplemented by the Data Protection Act 2018 (DPA 2018), is the main legislation governing how CyberNexus Training collects and processes personal data. Failure to comply with this legislation may have severe consequences for CyberNexus Training, including potential fines of up to €20 million or 4% of CyberNexus Training’s total annual turnover, whichever is higher.

2. Purpose of this Policy

This Policy sets out how CyberNexus Training will process the personal data of its staff, learners, research participants, suppliers and other third parties. This Policy applies to all personal data that CyberNexus Training processes regardless of the format or media on which the data are stored or who it relates to. A glossary of the terms used throughout the Policy can be found in Schedule 1.

3. Scope of this policy

This Policy applies to all members of staff employed by CyberNexus Training, including honorary staff/associates, contractors, hourly paid teachers and any learners or interns who are carrying out work on behalf of CyberNexus Training (referred to herein as you/your) involving the handling of personal data. You have a crucial role to play in ensuring that CyberNexus Training maintains the trust and confidence of the individuals about whom CyberNexus Training processes personal data (including its own staff), complying with CyberNexus Training’s legal obligations and protecting CyberNexus Training’s reputation. This Policy therefore sets out what CyberNexus Training expects from you in this regard.

Compliance with this Policy and the related policies and procedures set out in Schedule 2 is mandatory. Any breach of this Policy and any related policies and procedures may result in disciplinary action.

All members of staff, across all schools, faculties, professional services divisions, and all other areas of CyberNexus Training must read, understand and comply with this Policy when processing personal data in the course of performing their tasks and must observe and comply with all controls, practices, protocols and training to ensure such compliance. The Information Governance Manager and Data Protection Officer is responsible for overseeing the implementation and review of this Policy (and the related policies and procedures). They can be contacted as follows: contact@arods.co.uk. If you do not feel confident in your knowledge or understanding of this Policy, or you have concerns regarding the implementation of this Policy, it is important that you raise this issue with your line manager as soon as possible or use the contact details above to seek advice.

4. Further advice regarding this Policy

The Information Governance Manager and Data Protection Officer, or other relevant local contacts, can be contacted for general advice and if you:

5. Data Protection Principles

The GDPR is based on a set of core principles that CyberNexus Training must observe and comply with at all times from the moment that personal data are collected until the moment that personal data are archived, deleted or destroyed. CyberNexus Training must ensure that all personal data are:

  1. Processed lawfully, fairly and in a transparent manner (Lawfulness, fairness and transparency)
  2. Collected only for specified, explicit and legitimate purposes (Purpose limitation)
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is to be processed (Data minimisation)
  4. Accurate and where necessary kept up to date (Accuracy)
  5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed (Storage limitation)
  6. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, integrity and confidentiality)

Additionally, CyberNexus Training must ensure that:

  1. Personal data are not transferred outside of the EEA (which includes the use of any website or application that is hosted on servers located outside of EEA) to another country without appropriate safeguards being in place (see Transfers of personal data outside of the EEA)
  2. CyberNexus Training allows data subjects to exercise their rights in relation to their personal data (see Data subject rights and requests)

CyberNexus Training is responsible for, and must be able to demonstrate compliance with, all of the above principles (see Accountability and record-keeping).

6. Lawfulness, fairness and transparency

Lawfulness and fairness

In order to collect and process personal data for any specific purpose, CyberNexus Training must always have a lawful basis for doing so. Without a lawful basis for processing, such processing will be unlawful and unfair and may also have an adverse impact on the affected data subjects. No data subject should be surprised to learn that their personal data has been collected, consulted, used or otherwise processed by CyberNexus Training. Processing personal data will only be lawful where at least one of the following lawful bases applies:

  1. The data subject has given their consent for one or more specific purposes
  2. The processing is necessary for the performance of a contract to which the data subject is a party (for instance a contract of employment or registration with CyberNexus Training)
  3. To comply with CyberNexus Training’s legal obligations
  4. To protect the vital interests of the data subject or another person (this will equate to a situation where the processing is necessary to protect the individual’s life)
  5. To perform tasks carried out in the public interest or the exercise of official authority (generally teaching and research in CyberNexus Training’s case)
  6. To pursue CyberNexus Training’s legitimate interests where those interests are not outweighed by the interests and rights of data subjects (only available to CyberNexus Training in some circumstances)

CyberNexus Training must identify and document the lawful basis relied upon by it in relation to the processing of personal data for each specific purpose or group of related purposes.

Consent as a lawful basis for processing

There is no hierarchy between the lawful bases for processing above, of which a data subject’s consent is only one. Consent may not be the most appropriate lawful basis depending on the circumstances. In order for a data subject’s consent to be valid and provide a lawful basis for processing, it must be:

A data subject must be able to withdraw their consent as easily as they gave it. Once consent has been given, it will need to be updated where CyberNexus Training wishes to process the personal data for a new purpose that is not compatible with the original purpose for which they were collected. Unless CyberNexus Training is able to rely on another lawful basis for processing, a higher standard of explicit consent (where there can be no doubt that consent has been obtained, for example a signed document or a Yes/No option accompanied by clear consent wording) will usually be required to process special categories of personal data (see glossary for definition), for automated decision-making and for transferring personal data outside of the EEA. Where CyberNexus Training needs to process special categories of personal data, it will generally rely on another lawful basis that does not require explicit consent; however, CyberNexus Training must provide the data subject with a fair processing notice explaining such processing. If CyberNexus Training is unable to demonstrate that it has obtained consent in accordance with the above requirements, it will not be able to rely upon such consent.

Transparency

The concept of transparency runs throughout the GDPR and requires CyberNexus Training to ensure that any information provided by CyberNexus Training to data subjects about how their personal data will be processed is concise, easily accessible, easy to understand and written in plain language. Where CyberNexus Training has not been transparent about how it processes personal data, this will call the lawfulness and fairness of the processing into question. CyberNexus Training can demonstrate transparency through providing data subjects with appropriate privacy notices or fair processing notices before it collects and processes their personal data and at appropriate times throughout the processing of their personal data. The GDPR sets out a detailed list of information that must be contained in all privacy notices and fair processing notices, including the types of personal data collected; the purposes for which they will be processed; the lawful basis relied upon for such processing (in the case of legitimate interests, CyberNexus Training must explain what those interests are); the period for which they will be retained; who CyberNexus Training may share the personal data with; and, if CyberNexus Training intends to transfer personal data outside of the EEA, the mechanism relied upon for such transfer (see Transfers of personal data outside of the EEA). Where CyberNexus Training obtains any personal data about a data subject from a third party (for example, CVs from recruitment agents for potential employees or DBS checks in relation to CyberNexus Training’s Fitness to Practise Procedures) it must check that it was collected by the third party in accordance with the GDPR’s requirements and on a lawful basis where the sharing of the personal data with CyberNexus Training was clearly explained to the data subject.
All privacy notices and fair processing notices should be reviewed by the Information Governance Manager and Data Protection Officer (contact@arods.co.uk).

7. Purpose limitation

CyberNexus Training must only collect and process personal data for specified, explicit and legitimate purposes that have been communicated to data subjects before the personal data have been collected. CyberNexus Training must ensure that it does not process any personal data obtained for one or more specific purposes for a new purpose that is not compatible with the original purpose. Where CyberNexus Training intends to do so, it must inform the data subjects before using their personal data for the new purpose and, where the lawful basis relied upon for the original purpose was consent, obtain such consent again.

8. Data minimisation

The personal data that CyberNexus Training collects and processes must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is to be processed. You must only process personal data when necessary for the performance of your duties and tasks and not for any other purposes. Accessing personal data that you are not authorised to access, or that you have no reason to access, may result in disciplinary action and in certain circumstances, may constitute a criminal offence. You may only collect personal data as required for the performance of your duties and tasks and should not ask a data subject to provide more personal data than is strictly necessary for the intended purposes. You must ensure that when personal data are no longer needed for the specific purposes for which they were collected, such personal data are deleted, destroyed or anonymised. You must observe and comply with CyberNexus Training’s Records Management and Retention Policy and Records Retention Schedule.

9. Accuracy

The personal data that CyberNexus Training collects and processes must be accurate and, where necessary, kept up-to-date and must be corrected or deleted without delay when CyberNexus Training discovers, or is notified, that the data are inaccurate. You must ensure that you update all relevant records if you become aware that any personal data are inaccurate. Where appropriate, any inaccurate or out-of-date records should be deleted or destroyed.

10. Storage limitation

The personal data that CyberNexus Training collects and processes must not be kept in a form that identifies a data subject for longer than is necessary in relation to the purposes for which it was collected (except in order to comply with any legal, accounting or reporting requirements). Storing personal data for longer than necessary may increase the severity of a data breach and may also lead to increased costs associated with such storage. CyberNexus Training will maintain policies and procedures to ensure that personal data are deleted, destroyed or anonymised after a reasonable period of time following expiry of the purposes for which they were collected. You must regularly review any personal data processed by you in the performance of your duties and tasks to assess whether the purposes for which the data were collected have expired. Where appropriate, you must take all reasonable steps to delete or destroy any personal data that CyberNexus Training no longer requires in accordance with CyberNexus Training’s Records Management Policies. All privacy notices and fair processing notices must inform data subjects of the period for which their personal data will be stored or how such period will be determined. You must observe and comply with CyberNexus Training’s Records Management and Retention Policy and Records Retention Schedule.

11. Security, integrity and confidentiality

Security of personal data

The personal data that CyberNexus Training collects and processes must be secured by appropriate technical and organisational measures against accidental loss, destruction or damage, and against unauthorised or unlawful processing. CyberNexus Training will develop, implement and maintain appropriate technical and organisational measures for the processing of personal data taking into account the:

CyberNexus Training will regularly evaluate and test the effectiveness of such measures to ensure that they are adequate and effective. You are responsible for ensuring the security of the personal data processed by you in the performance of your duties and tasks. You must ensure that you follow all procedures that CyberNexus Training has put in place to maintain the security of personal data from collection to destruction. You must ensure that the confidentiality, integrity and availability of personal data are maintained at all times:

You must ensure that you observe and comply with our Information Security Policy. You must not attempt to circumvent any administrative, physical or technical measures CyberNexus Training has implemented as doing so may result in disciplinary action and in certain circumstances, may constitute a criminal offence.

Reporting personal data breaches

In certain circumstances, the GDPR will require CyberNexus Training to notify the ICO, and potentially data subjects, of any personal data breach. CyberNexus Training has put in place appropriate procedures to deal with any personal data breach and will notify the ICO and/or data subjects where CyberNexus Training is legally required to do so. If you know or suspect that a personal data breach has occurred, you must contact the Information Governance Manager and Data Protection Officer, and IT Services if relevant, immediately to report it and obtain advice, and take all appropriate steps to preserve evidence relating to the breach. You must ensure that you observe and comply with CyberNexus Training’s personal data breach procedure.

12. Sharing personal data

You are not permitted to share personal data with third parties unless CyberNexus Training has agreed to this in advance, this has been communicated to the data subject in a privacy notice or fair processing notice beforehand and, where such third party is processing the personal data on our behalf, CyberNexus Training has undertaken appropriate due diligence of such processor and entered into an agreement with the processor that complies with the GDPR’s requirements for such agreements. The transfer of any personal data to an unauthorised third party would constitute a breach of the Lawfulness, fairness and transparency principle and, where caused by a security breach, would constitute a personal data breach. Do not share any personal data with third parties, including the use of freely available online and cloud services for work-related purposes, unless you are certain that the conditions outlined above apply. Seek advice from the Information Governance Manager and Data Protection Officer, or IT Services, if you are unsure.

13. Transfers outside of the European Economic Area (EEA)

The GDPR prohibits the transfer of personal data outside of the EEA in most circumstances in order to ensure that personal data are not transferred to a country that does not provide the same level of protection for the rights of data subjects. In this context, a “transfer” of personal data includes transmitting, sending, viewing or accessing personal data in or to a different country. CyberNexus Training may only transfer personal data outside of the EEA if one of the following conditions applies:

You must ensure that you do not transfer any personal data outside of the EEA except in the circumstances set out above and provided that CyberNexus Training has agreed to this in advance.

14. Data subject rights and requests

The GDPR provides data subjects with a number of rights in relation to their personal data. These include:

subject has withdrawn their consent (where relevant); the data subject has objected to the processing; the processing was unlawful; the personal data have to be deleted to comply with a legal obligation; the personal data were collected from a data subject under the age of 13, and they have reached the age of 13

You must be able to identify when a request has been made and must verify the identity of the individual making a request before complying with it. You should be wary of third parties deceiving you into providing personal data relating to a data subject without their authorisation. You must immediately forward any request made by a data subject (even if you are uncertain whether it represents a request as set out above) to the Information Governance Manager and Data Protection Officer. CyberNexus Training will only have 30 days to respond in most circumstances.

15. Research exemption

Some of the rules outlined above do not apply when personal data is being used for research purposes due to an exemption contained in the GDPR and DPA 2018. This exemption applies if the following conditions are met:

If these conditions apply then the following rules can be applied:

16. Accountability and record-keeping

CyberNexus Training is responsible for and must be able to demonstrate compliance with the data protection principles and CyberNexus Training’s other obligations under the GDPR. This is known as the ‘accountability principle’. CyberNexus Training must ensure that it has adequate resources, systems and processes in place to demonstrate compliance with CyberNexus Training’s obligations including:

CyberNexus Training must keep full and accurate records of all its processing activities in accordance with the GDPR’s requirements. You must ensure that you have undertaken the necessary training provided by CyberNexus Training and, where you are responsible for other members of staff, that they have done so. You must further review all the systems and processes under your control to ensure that they are adequate and effective for the purposes of facilitating compliance with CyberNexus Training’s obligations under this policy. You must ensure that you observe and comply with all policies and guidance which form CyberNexus Training’s Information Governance Framework.

17. Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment, is a process to help identify and minimise the data protection risks involved in projects, processes and activities involving the processing of personal data. DPIAs are required for processing likely to result in high risk to the individuals and their personal data, and where new technologies are involved. In practice, CyberNexus Training requires a DPIA for any projects involving the use of personal data, including new systems, solutions and some research studies. A DPIA must:

DPIAs need to be assessed and signed off by the Data Protection Officer and, where relevant, IT Services. CyberNexus Training’s Data Protection Impact Assessment Policy provides full details and a template for conducting a DPIA.

18. Direct marketing

In addition to CyberNexus Training’s obligations under the GDPR, it is also subject to more specific rules in relation to direct marketing by email, fax, SMS or telephone. CyberNexus Training must ensure that it has appropriate consent from individuals to send them direct marketing communications, and that when a data subject exercises their right to object to direct marketing it has honoured such requests promptly. You must ensure that you understand or consult with [Name/Job Title/the DPO] on CyberNexus Training’s legal obligations in relation to direct marketing before embarking upon any direct marketing campaign.

19. Changes to this policy

CyberNexus Training may make amendments to this policy at any time without notice, so please ensure you view the latest version.

Schedule 1 – Glossary

automated processing – any form of processing (including profiling) that is undertaken by automated means to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning their performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

consent – any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the processing of personal data about them

controller – the person or organisation that determines the purposes and means of processing personal data

criminal convictions and offences – personal data relating to criminal convictions, the commission or alleged commission of an offence, proceedings for the commission or alleged commission of an offence and sentencing

Data Protection Impact Assessment (DPIA) – a tool used to identify and reduce the risks of a processing activity that must be undertaken in certain circumstances specified in the GDPR, also known as ‘Privacy Impact Assessments’ (see CyberNexus Training’s Data Protection Impact Assessment policy)

data subject – an individual to whom personal data relates and who can be identified or is identifiable from personal data

Data Protection Officer (DPO) – a person required to be appointed in specific circumstances under the GDPR and who must have expert knowledge of data protection law and practice, being the organisation’s main representative on data protection matters

DPA 2018 – the UK Data Protection Act 2018

EEA – the 28 countries in the European Union and Iceland, Liechtenstein and Norway

explicit consent – a higher standard of consent that requires a very clear and specific statement rather than an action which is suggestive of consent

fair processing notices – a notice setting out information that must be provided to data subjects before collecting personal data from them, including notices aimed at a specific group of individuals or notices that are presented to a data subject on a ‘just-in-time’ basis (also known as ‘privacy notice’ or ‘data protection notice’)

GDPR – the General Data Protection Regulation (Regulation (EU) 2016/679)

personal data – any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes criminal convictions and offences data, special categories of personal data and pseudonymised personal data but excludes anonymous data or data that has had an individual’s identity permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour

personal data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and which compromises the confidentiality, integrity, availability and/or security of the personal data

privacy notices – see fair processing notices above

process, processes, processing – any activity or set of activities which involves personal data including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, erasure or destruction

pseudonymised, pseudonymisation – replacing information that directly or indirectly identifies an individual with one or more artificial identifiers (for example, a numerical identifier or other code) or pseudonyms so that the data subject cannot be identified without combining the identifier or pseudonym with other information which has been kept separately and securely. Personal data that have been pseudonymised are still treated as personal data (unlike personal data which have been anonymised)

[Related policies and procedures] – the related policies and procedures listed in Schedule 1 – Glossary

special categories of personal data – previously known as “sensitive personal data” under the Data Protection Act 1998, this means information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and, for the purposes of this policy, personal data relating to criminal offences and convictions

staff – CyberNexus Training’s agents, consultants, contractors, employees, representatives, trustees and other representatives, including hourly paid staff and learners holding a position of employment