1. Introduction

Data controller: The Access Academy, Chalvey Community Centre, Ladbrooke Rd, Chalvey, Slough SL1 2SR


The Access Academy is registered in accordance with the legal requirements of the General Data Protection Regulation (GDPR) 2018. This means that we follow strict procedures specified by this legislation when collecting and handling information about individuals. We are registered with the Information Commissioner as The Access Academy (this is our ‘Data Controller Name’).


Our ICO registration number (also known as our notification number) is

 

  1. Privacy Notice

All personal information data held by The Access Academy must be:

  • fairly and lawfully processed, for relevant purposes only;
  • secure, accurate and up to date;
  • not kept longer than necessary;
  • processed in accordance with the individuals rights;
  • not transferred to countries outside the European Economic area, unless
    there is adequate protection.

The Access Academy will only share your personal data with other organisations where there is a clear requirement to do so; we will never pass on your details to other companies for marketing purposes. These organisations, who are themselves subject to data protection legislation, may include:

  • CPCAB Ltd – the CPCAB Awarding Body;
  • The Learning Records Service;
  • A court of law under direction.

Some of the information you supply will be used by:

  • CPCAB (the awarding organisation associated with your course) in carrying out its functions when verifying your Unique Learner Number and uploading your achievement data (if any) to your Personal Learning Record.

  1. Fair Processing Data

We process personal information to enable us to provide education and training to our customers and clients; to promote our services, to maintain our own accounts, records and to support and manage our employees and self-employed contracted tutors.

The Access Academy collect and process data on behalf of candidates, The Access Academy centre staff and The Access Academy course tutors.


The purposes for gathering this data are known under GDPR law as “lawful bases” and include:

  • Performance of a contract with the data subject;
  • Compliance with legal obligations;
  • Occasionally other lawful bases may also be relevant.

An internal document known as an “information audit” lists individual pieces of data with the rationale for processing them, a retention period, a description of its format and how consent was obtained.

We process information relevant to the above reasons/purposes. This may include:

  • personal details
  • family details
  • business activities of the person whose personal information we are
    processing
  • lifestyle and social circumstances
  • financial details
  • training details
  • education and employment details
  • goods and services

We also process sensitive classes of information that may include:

  • physical or mental health details
  • racial or ethnic origin
  • religious or other beliefs
  • trade union membership – in particular the National Union of Students – NUS

We process personal information about:

  • customers
  • clients
  • students
  • trainers
  • employees and self-employed contracted tutors
  • suppliers
  • professional advisers and consultants
  • complainants, enquirers

We sometimes need to share the personal information we process with the
individual themself and also with other organisations. Where this is necessary, we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons

Where necessary or required we share information with:

  • business associates and other professional advisers
  • educators and examining bodies such as CPCAB
  • current, past or prospective employers
  • family, associates and representatives of the person whose personal data we are processing
  • employment and recruitment agencies
  • financial organisations
  • credit reference agencies
  • debt collection and tracing agencies
  • suppliers and service providers;
  • persons making an enquiry or complaint
  • other companies in the same group
  • central government

  1. Security of Data

  2. Rectification of your data

Candidate data is gathered by the centre, The Access Academy and requests to CPCAB to make alterations may be accepted up to the point of certification 1.

Please note that after this time certificates can only be re-printed in a different name where the candidate is initiating a new identity, for example as part of gender reassignment; this policy is designed to ensure the integrity of the qualification and to prevent fraud.

Tutor data is gathered by the centre, The Access Academy and relevant data is forwarded to CPCAB via the online tutor CV template. Tutors are requested to check periodically that the data held by The Access Academy and CPCAB remains accurate.

Staff data may be amended at any point on request; supporting information may be required as appropriate.

A replacement certificate can only be issued in the new name where there is clear evidence to support the case, such as a formal confirmation that the centre, The Access Academy was provided with change of name via an enrolled deed poll during the course. The usual replacement certificate fee (see CPCAB website) will apply in such cases. Contact The Access Academy for more information.

Marketing information (email addresses) may be amended on request.

  1. Deletion of your data

You are able to request that the dataThe Access Academy holds on your behalf is deleted. In the absence of such a request, candidate data is retained over time in order to monitor standards, prevent fraud and provide replacement certificates for example. Candidates are reminded that if you request to have your data deleted it may not be possible to issue a replacement certificate in the future or to verify their achievement. A request to delete data may be refused if it is required in order to provide data to regulatory authorities or as part of a direction from a court of law. The Access Academy Archiving Policy (available on request) explains the retention periods for assessment material and the rationale behind the decisions.

  1. Data breaches

The Access Academy takes its responsibilities in respect of the retention of data seriously and undertakes to handle any data breach promptly, thoroughly and transparently. In the event of a data breach The Access Academy will:

  • identify the scale of the breach; and
  • identify the sensitivity of the data.

Depending on the outcome, The Access Academy will, if appropriate:

  • Notify the Information Commissioner’s Office;
  • Notify the data subject(s);
  • Formally record any lessons learned; and
  • Initiate an appropriate action plan, such as extra security measures or
    staff training.

  1. Data portability

Under the new GDPR legislation you are able to apply for your own data to be provided to you in a format that will allow you to share it with another organisation, such as a different training centre or awarding organisation. In practice the data we hold on you is limited and we recognise that it’s unlikely that this service will be helpful to you but do please get in touch if you’d like to explore this option.

It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the data protection act.

  1. General Security

The Access Academy operates a range of processes to ensure that the data it processes is retained securely. They include, amongst others:

  • Staff computers are password protected at log-in;
  • Sensitive documents are further password protected, for example
    external assessment papers, staff annual reviews, financial documents
    etc.
  • SAR requests and replacement certificates require a range of ID to be
    submitted in support of each request;

There is a separate internal policy that relates to the procedures that apply when a member of staff leaves The Access Academy employment.

  1. Data storage e equipment

Redundant equipment does not leave The Access Academy premises until all of the files stored – whether they contain personal data or not – have been permanently erased beyond any possibility of retrieval. In the case of hard disks, for example, this means securely re-formatting each disk. Redundant data storage devices are rendered physically useless before disposal. Any redundant hard copy which contains personal data is also destroyed securely.

  1. Subject Access Requests

We acknowledge your right to be informed by us whether your personal data is being processed by The Access Academy and, if so, to be given by us a description of the personal data involved and the purposes for which it is being (or is to be) processed.

You can apply for copies of your personal data under the Subject Access Request (SAR) scheme. SAR requests must be received in writing and copies of the data will be provided electronically; if you are unable to access an electronic response please ask for advice.

Please note that under the 2018 GDPR and the 1998 Data Protection Act awarding organisations and, CPCAB, are not required to disclose marked scripts (external assessment papers) to applicants. In other words, candidates have no right of access to marked scripts (EA papers); information recorded by candidates during an academic, professional or other examination is exempt from the scheme and it is both CPCAB and The Access Academy policy not to disclose candidate scripts (exam papers) or recorded sessions to candidates.

The Access Academy will remove any references that might allow another individual to be identified, unless that person has consented (in writing) to such a disclosure. If it is not possible to provide copies of any other information, for example because to do so would identify another person and compromise their rights to confidentiality, you will be given an explanation of the decision.

The SAR request form at the end of this policy gives more information, including how you can provide proof of your identity. We undertake to respond to such requests within one month. Please be aware that The Access Academy reserves the right to refuse any requests that may be considered excessive or manifestly unfounded.

  1. The Access Academy is a CPCAB Recognised Centre and Acts as Joint Data Controller

The Access Academy is one of the Centres approved to offer CPCAB qualifications and as such are responsible for gathering data on candidates and tutors, some of which is shared with CPCAB; in this way The Access Academy and CPCAB operate as joint data controllers and have an equal obligation to be compliant with General Data Protection Regulations.

The Access Academy takes special care where any recordings are made of counselling skills or practices, because they may contain sensitive material revealed by the candidate, although candidates should bear in mind that their work is designed to be used as assessment material and may be viewed by others, such as CPCAB External Verifiers.In a legal challenge, although rare, it may be necessary to share sensitive data with a court of law, which has the power to over-rule GDPR.

  1. Your Right to Complain

You are able to complain about the data held by The Access Academy on your behalf if it is:

  • Inaccurate. Please note that it is the responsibility of The Access Academy staff to upload personal data to the CPCAB Portal on behalf of learners and inaccurate information may lead to incorrectly printed certificates and/or failure to upload Learner Achievement Data. See also footnote, page 1.
  • Inappropriate. If you feel that it is not appropriate for The Access Academy to hold any of your personal information, please liaise withThe Access Academy for advice.
  • Insecure. Data held byThe Access Academy is securely stored (see section 4, above) but candidates should be aware that their work both within The Access Academy course and centre and in external assessment is regarded as assessable material and may be seen by others.

For further information from The Access Academy please contact: The Access Academy, Data Controller Email: info@theaccessacademy.co.uk

For further information (or queries) about the Act:
Office of the Data Protection Commissioner
Wycliff House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 01625 545700 E-mail: mail@dataprotection.gov.uk
www.informationcommissioner.gov.uk