VeloVirtual needs to keep certain information pertaining to clients and in doing so, aims to fulfil its obligations under the Data Protection Act 2018 to the fullest extent.

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

Principles
This policy covers VeloVirtual management, quality assurers, tutors and assessors. In line with the Data Protection Act 2018 principles, VeloVirtual will ensure that personal data will:

• Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
• Be obtained for a specific and lawful purpose
• Be adequate, relevant but not excessive
• Be accurate and kept up to date
• Not be held longer than necessary
• Be processed in accordance with the rights of data subjects
• Be subject to appropriate security measures
• Not be transferred outside the European Economic Area (EEA) unless that country or territory also ensures an adequate level of protection.

Processing Information
The definition of ‘processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. VeloVirtual will seek to abide by this code in relation to all the personal data it processes, i.e.

• Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
• Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
• Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles.
• Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
• Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
• Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

Fair Processing Information
All personal data obtained and processed by VeloVirtual will be utilised for the purposes of maintaining clients’ details during the course of their engagement with VeloVirtual and for a period of 2 years following completion of the training programme for the purposes of regulation and quality assurance as required by PD:Approval, Awarding Organisations and other relevant industry regulators for statutory external quality assurance requirements.

At all times, this data will be processed only by authorised company personnel and will be stored and treated with the utmost security and confidentiality.

The information relates to all information held about an identifiable person, even if that information falls outside the scope of The Data Protection Act 2018.  The information includes:

• Names
• Postal addresses
• Email addresses
• Telephone numbers
• Health screening data (if relevant)
• Attendance data
• Evaluation data

Procedure
Access to Individuals Personal Data: The Data Protection Act 2018 provides an individual with the right to have access at reasonable intervals to personal data held within computerised and manual records.

Data Storage
Information and records relating to service users will be stored securely and will only be accessible to authorised individuals.

Information will be stored for only as long as it is needed or required statute and will be disposed of appropriately.

It is VeloVirtual’s responsibility to ensure all personal data is non-recoverable from any computer system previously used within the company, which has been passed on/sold to a third party.

Data Access and Accuracy
All Individuals have the right to access the information VeloVirtual holds about them. VeloVirtual will take reasonable steps to ensure that this information is kept up to date by asking data subjects whether there have been any changes.

In addition, VeloVirtual will ensure that:

• It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection
• Everyone processing personal information understands that they are contractually responsible for following good data protection practice
• Everyone processing personal information is appropriately trained to do so
• Everyone processing personal information is appropriately supervised
• Anybody wanting to make enquiries about handling personal information knows what to do
• It deals promptly and courteously with any enquiries about handling personal information
• It describes clearly how it handles personal information
• It will regularly review and audit the ways it holds, manages and use personal information
• It regularly assesses and evaluates its methods and performance in relation to handling personal information
• All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 2018.