HSF Training Limited uses the following methodology to demonstrate its commitment to ensuring data security, personal and customer privacy and its alignment to the requirements of the General Data Protection Regulation 2018 (GDPR) in respect of handling and processing personal data.
Our Contact details are:
HSF Training Ltd can be contacted by:
Phone: +44 (0)191 5022515
Post: 5 Austin Boulevard, Quay West Riverside Business Village, Sunderland, SR5 2AL.
Data collection: HSF Training Ltd (HSF) is registered with the UK Information Commissioner’s Office as a Data Controller. Its registration number is Z8876123. We have conducted a risk assessment and determined our lawful basis for processing personal information as Legitimate Interests.
We will collect data provided to us from our individual and contract clients and suppliers. Personal data may be included in the data you provide about learners and client/supplier employees and contacts. It is important that contractual arrangements are made with those individuals and they are made aware that by adding individuals’ personal data to HSF Training Ltd’s systems or by sending personal data via email or by other methods to HSF Training Ltd, they give consent to us processing the data and they confirm that they have obtained the appropriate consent from the relevant individuals for the personal data to be processed using HSF Training Ltd’s Learner system.
HSF Training Ltd will retain and use this data to perform the contract between us whilst you remain a customer and may use it further where it is within our legitimate interests, for example where an Awarding Organisation suspects malpractice.
We do not sell personal information about any of our customers, to any party, for any reason.
Personal data (learner)
- May be collected following information requests from HSF Training Ltd to respond to correspondence, provide information on other products/services in accordance with communication preferences, improve customer service, to meet contractual commitments, to notify clients about any changes to the site or our services, such as improvements or changes that may affect either;
- Information may be provided to us with personal data about learners when learner details are added to courses. The personal data is usually limited to the details required for us to undertake the basic functions of an accredited training centre and the certification process.
- These details will usually include a learner’s name, date of birth, gender and qualification awarded. In line with our regulatory/awarding body requirements and requirements to deliver future services such as certificate re-prints and the confirmation of awards, this basic learner-level data will be held by HSF Training Ltd indefinitely.
- Learners may also contact us to request certificate replacements. In these circumstances, a record of a learner’s address is taken so that the replacement certificate can be sent. This is held on file for a maximum of 6 months before it is destroyed or deleted.
- Information processed as part of a learner’s qualification, such as physical exam papers, will be held for a maximum of five years in the form of scanned copies.
- Personal data captured as part of a quality visit (such as video evidence of training) will be used for the purpose and outcomes of the visit, and then destroyed or deleted.
Business/contract data contacts
Businesses may provide us with information about contacts who will administer the activities associated with HSF Training Ltd on behalf of the business. These details may include:
- employee numbers
- email addresses
- telephone numbers
- billing information
- information about other personnel and contacts for the business. For example:
  - organisational charts,
  - health and safety and other policies which may include personal data, e.g. the names of those with specific health and safety responsibilities.
It is important that our clients seek permission from the relevant personnel if any personal data is supplied to us. This information will only be retained for as long as we provide a service to a business client. If business contacts leave the organisation, it is the organisation’s responsibility to inform us, so that personal details and accounts can be disabled and removed.
Data storage, computers and electronic communications (excluding website)
- All e-mail enabled computers run up-to-date, proprietary branded antivirus software.
- Virus scans are conducted daily, prior to any electronic communications taking place.
- No emails with an attachment are sent unless specifically requested, or required as part of a work agreement, such as a progress report, attendance lists or learner scores/certificates.
- Details of our policies regarding data collection and storage are available from our website and are also available by contacting us either by email at email@example.com or in writing to: HSF Training Ltd, 5 Austin Boulevard, Quay West Riverside Business Village, Sunderland, SR5 2AL.
- All personal data that is stored in electronic format is stored in secure, password protected files, either in our bespoke learner management system or in password protected files stored in our dedicated and secure Dropbox for Business system.
- Passwords for protected data are changed regularly and sensitive data is only able to be accessed via these passwords by nominated HSF Training Ltd personnel who have received in-depth training regarding data information use and sharing.
Website data collection and security
- When the website is accessed by users, data traffic is encrypted using up-to-date Secure Sockets Layer (SSL) technology so that it can only be accessed by the end user.
- All sensitive information on the website, such as passwords used for ‘backend’ data input and for managing e-learning programmes, is encrypted by a proprietary encryption system.
- All personal data can only be accessed by the relevant end users by way of unique user names and passwords that must be entered when a user logs in to the systems.
- We may automatically collect the following information when you visit our website:
  - IP (Internet Protocol) address,
  - login information,
  - browser type,
  - time zone settings,
  - browsers and operating systems used;
  - information about your visit, such as the pages visited or documents downloaded.
- HSF Training Ltd’s online systems have security measures in place to help protect against the loss or misuse of any data under our control.
- Payment card information is never stored on HSF Training Ltd’s systems and is only used to authorise the specific transaction through HSF Training Ltd’s card payment authority (PayPal) and then removed. The secure credit/debit card processing service for this site has been provided by https://www.paypal.com/uk/. Details may be transferred to PayPal for the sole purpose of processing any transactions instigated by the customer.
- Under no circumstances will credit/debit card information be passed on, sold or loaned to any third party.
- Credit/debit card information is kept for the duration of the transaction in question only.
- If a customer is in any doubt, we are happy to take credit/debit card payments over the phone or accept payment by cheque or bank transfer.
- It is the customer’s responsibility to ensure that they have established a secure connection before supplying any credit/debit card information.
Where we store data
- All data in HSF Training Ltd’s systems is stored either on a secure set of servers hosted by our hosting provider (based in the USA) or in a secure, dedicated cloud-based system (Dropbox for Business).
- Data in the hosting provider’s system is frequently backed up and stored in the provider’s backup / disaster recovery facility. This is in a secure server hosting facility with the necessary environmental, physical and technical controls in place to ensure unapproved access is prevented.
- HSF Training Ltd’s email data is stored with Microsoft located in EU data-centres and follows Microsoft standard security and backup processes.
The nature of our business necessitates the use of some paper-based systems, such as booking forms, course registers, feedback forms and completed assessment records. Certain accounts records are also paper based. To ensure the security of the data contained within these, the following measures are in place:
- Data captured in paper format is kept to a minimum and is only what is necessary, as outlined above, e.g. student names are required on all courses, but dates of birth are only requested for some accredited courses.
- Only authorised employees have access to certain information captured – e.g. purchase order numbers on booking forms. Other employees and associate trainers are supplied only with the information needed to run a course and, where appropriate, fulfil regulatory/awarding body requirements. For example, a client may book a first aid revalidation course and supply a list of proposed attendees and current certificate expiry dates. These would be supplied to the trainer who must state these on the register to verify delegates are within the allowed renewal period.
- All trainers store completed paperwork securely prior to returning it to HSF Training Ltd for processing, e.g. in a locked storage area.
- Prior to processing, hard copies of course paperwork are held in a secure office to which only authorised HSF Training Ltd personnel have access.
- Data required is entered onto, and paperwork scans are stored using, our secure electronic systems (as outlined above). The retention of paperwork scans is a requirement of some awarding organisations and is necessary to verify queries post course, such as an employer checking that someone physically attended a course, which can be evidenced by showing a completed assessment form. This data is stored for a maximum of 5 years then permanently deleted.
- Once fully processed – usually once certificate receipt has been confirmed by the client – all paperwork is destroyed using a cross cut shredder.
- Accounting procedures and information provided by customers are stored securely for a period in line with current tax and VAT requirements. Following this, all paperwork is destroyed using a cross cut shredder.
We may use personal data collected for functions such as:
- Communicating activities between our clients, HSF Training Ltd and in some cases, relevant awarding bodies. For example:
- To inform the client of course or exam results and to send certificates
- Reporting statistical data, for example completed course feedback from learners, number of people trained, examination success rates
- Identifying relevant people with whom we should communicate to organise training course dates, times and venues
- Communicating regulatory changes and updates, and, if permitted, marketing/updating HSF Training Ltd products and/or services
- Purchasing and delivery of training and products
- The client’s contact details will be retained for as long as we provide a service to them, e.g. responding to future certificate date queries
- If contacts leave a client’s business, it is the client’s responsibility to inform HSF Training Ltd so that personal details and accounts can be disabled and removed.
- HSF Training Ltd maintains a marketing database that contains the basic details of individuals and businesses who have consented to HSF Training Ltd sending information about new products or services to them, usually via email. We may also contact existing (business) customers who have bought or discussed buying similar training or consultancy services from us in the past.
We may also, following a suitable assessment and balancing test (for example through ensuring suitable legitimate market targeting) directly market products to businesses where there is minimal privacy impact and where people in the business would not be surprised or likely to object to the marketing we are conducting. Any e-marketing conducted will comply with legal and ethical standards. Any business contacted will be able to unsubscribe from future marketing at any point as identified below.
- HSF Training Ltd use a secure, data-compliant proprietary marketing and mailshot facility, ‘Mailchimp’, for marketing purposes and to distribute blogs and newsletters to businesses who have opted to receive these services:
  - All Mailchimp forms, regardless of opt-in method, collect the email address, IP address, and timestamp associated with everyone who submits the form.
  - All HSF Training Ltd marketing emails that are sent provide the receiver with the ability to unsubscribe from receiving future emails.
  - Alternatively, subscribers can opt out by sending a request to firstname.lastname@example.org.
No personal data regarding any clients, client employees, students, HSF Training Ltd employees or associate trainers is sold to any party for any reason.
- Other than as set out in this policy, we will never distribute or share personal data that is held on our system with any third parties other than HSF Training Ltd’s employees, consultants and associates.
Customer personal data
We may share personal data with regulatory bodies in respect of:
- Awarding Organisations (where accredited qualifications are delivered): there are some legal requirements regarding certain personal information, such as dates of birth, being required to ensure the authenticity of learners taking accredited examinations.
- One of the awarding organisations we use provides a certificate verification service that allows members of the public to check that a certificate presented to them is valid and has been produced by this awarding organisation. The website address for this service is https://checkcert.highfieldqualifications.com. The personal data provided to individuals using this service is a learner’s forename and surname, the qualification they attained, and the date of award.
HSF Training Ltd employees and associate trainers
Employees and associate tutors provide HSF Training Ltd with information about their experience and qualifications that confirm their ability to teach the qualifications and suitably complete other associated work activities, including awarding body associations. Additionally, employment law and payroll requirements necessitate the holding of certain information. As such, HSF Training Ltd hold a substantial set of personal details about employees and associate trainers. These may include:
- email addresses
- telephone numbers and other contact information;
- teaching and training qualification certificates;
- proof of professional qualifications;
- employment history and training experience
- This data may be required for either/both legal and regulatory purposes to ensure that we meet the necessary conditions of an approved awarding organisation training centre.
- We have sought permission from each staff and associate member before holding this information and sharing any of their personal data with Client and Awarding Organisations.
- This data remains on HSF Training Ltd’s systems for as long as the individuals continue to work for HSF and for as long as is necessary to verify their competency to train for us, e.g. a client may request evidence of our trainer’s competency to teach a certain subject some time after the course took place.
If any of the above require their personal data to be removed from HSF Training Ltd’s systems because they are no longer fulfilling the role, they are required to inform HSF Training Ltd so that relevant data can be removed from our systems.
Providing information and responding to requests
- HSF Training Ltd support people’s requests to have personal data corrected or completed, transferred to another organisation, prohibited for certain uses, or removed completely in a timely manner (within 7 working days of requests being received).
- Where requested by an individual or business, HSF Training Ltd commit to informing the relevant parties how their personal data is being stored and what it is used for. If asked, and following suitable checks regarding the authenticity of the person or business requesting the information, we will share the personal data we hold on an individual or business, or offer them a way to access it.
Data breach incident management
- In line with our regulatory requirements as an accredited training centre, HSF Training Ltd has a set of processes for issue and incident management, including data breaches.
- These processes include the required notifications to be sent to awarding organisations and to customers.
- This will be reviewed as part of the changes for the forthcoming General Data Protection Regulation 2018
HSF Training Ltd is in the process of adapting its policies and procedures to ensure it is compliant with the GDPR by 25 May 2018. In the meantime, we will comply with the Data Protection Act 1998. This document has been produced to represent our current status and will be reviewed and updated as processes are developed.
Employees & Associates
- All employees and associates are responsible for ensuring that any personal data they are required to process as part of their job role is handled in accordance with the principles of legislation
- The contravention of any of these principles by any member of staff will be viewed as serious misconduct, and as such the member of staff will be subject to disciplinary action
- If any employee or associate becomes aware of the misuse of personal data by anyone, within HSF Training Ltd or otherwise, this must be reported without delay to one of the directors.
- Hutchinson & K. Hutchinson
Directors, HSF Training Ltd
21 May 2018 (Version 10)