General Data Protection Regulation (GDPR) Policy
Named Data Protection Officer: Barry Syder, Director, Syder and Young Ltd.
Data Protection Principles
Data must be collected for a specific reason (see Section 1)
All data must be processed fairly (see Section 1)
Its usage should be limited to relevant processes only (see Section 1)
All data should be up to date and accurate (see Section 1)
It must not be retained for longer than is necessary (see Section 1)
It must be protected by sufficient security measures (see Section 5)
Data Protection Rights
the right to be informed (see Section 1)
the right of access (see Section 3)
the right to rectification (see Section 3)
the right to erasure (see Section 6)
the right to restrict processing (see Section 3)
the right to data portability (see Section 3)
the right to object (see Section 3)
the right not to be subject to automated decision-making including profiling (see Section 7)
Section 1
Short Courses:
The only data we hold relates to your name, place of work, work email address and mobile number which you provide to us when you make a booking, or when a booking is made on your behalf. This information is recorded on spreadsheets on a secure password-protected computer which is backed up to a secure cloud-based server. Your information is used only for administration of the event by employees and associate trainers of Syder and Young Ltd. Your email address is not shared with any other party. We gather post-event feedback electronically via Survey Planet. The feedback is summarised and shared with the commissioner of the course. The feedback is anonymised so scores, comments and training needs cannot be associated with a particular delegate.
Qualification and Development Programmes:
The data we collect via the enrolment form is that which we need to carry out your registration with the awarding body of the qualification. This includes name, date of birth, address details and disability/ethnic origin (this latter information is used by the awarding body for monitoring purposes). We also collect data relating to your contact details (e.g. your mobile number so we can contact you in the event of a workshop being cancelled). The data you provide is used only by staff and associate trainers of Syder and Young Ltd and (excepting the awarding body) is not shared with any other party. Your data and results of assessments are held for three years after certification in line with the requirements of the awarding body.
Recruitment:
The data we hold is restricted to that provided in the application form/covering letter/CV that you provide to us. That information is used only for shortlisting and the interview process and is not shared with any other party except for the client for whom we are handling the recruitment. The shortlisting is carried out manually - we do not use any form of automated processing. The data may be held in both electronic and printed formats. The records relating to a vacancy are retained for 12 months after an appointment has been made and then all data is destroyed (see Section 6).
Consultancy:
We often hold potentially sensitive data relating to our consultancy work (e.g. reports regarding the performance of an organisation). However, this is usually in electronic format subject to the security restrictions in Section 5 and the information is never shared with third parties except with the expressed permission of the client organisation.
Section 2: The lawful basis on which we hold and use your data: The lawful basis on which we hold and use your data is your consent.
Section 3: How we handle access requests: We do not usually charge for complying with an access request. We will comply within one month of receiving the request. We will however refuse or charge for requests that are manifestly unfounded or excessive. If we do refuse a request, we will tell you why and that you have the right to complain to the supervisory authority and to a judicial remedy. We will do this without undue delay and at the latest, within one month. Your data will be provided in the form of a pdf document. We will rectify any errors immediately on being informed. However, we will respect your right to restrict processing of the data until this has been carried out.
Section 4: Data breaches: It is the responsibility of the Data Protection Officer to detect, report and investigate any personal data breach. The Data Protection Officer will notify the ICO (Information Commissioner’s Office) of any breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Section 5: Security: Syder and Young Ltd operates from two private offices in the homes of the Directors. Public access is therefore rare. All electronic data is held on password protected IT equipment with appropriate anti-virus software. All files are saved to a secure cloud-based storage system.
Section 6: Disposal: We use a registered waste carrier to shred confidential waste including CD/DVD discs (registration number: CB/CN5177QD) and can produce Waste Transfer Notes.
Section 7: Other information: We do not use automated decision-making including profiling.