​​
Introduction

Under the General Data Protection Regulation (GDPR) both Abbey First Aid Solutions Ltd and our registered Trainer/Assessors have a responsibility to ensure compliancy in respect of the learner data that is collected and processed during the administration, delivery and award of training. These guidelines states how both Abbey First Aid Solutions and our approved Trainer/Assessors to collect, store and process learner data. The guidelines have been split into sections to allow easy access to important information and procedures:

Section 1 – Roles and definitions under the GDPR
Section 2 – Collecting learner’s data
Section 3 – Processing learner’s data
Section 4 – Storing learner’s data
Section 5 – Securely transferring data
Section 6 – Retention periods for learner’s data Section 7 – Securely disposing of data
Section 8 – Data breaches and notification

Section 1 – Roles and definitions under the GDPR

What data is covered under this contract?

All learner data collected through the booking and completion of official course paperwork/documentation is included within this policy and includes the following processes:

The collection of learner’s personal data through any official correspondence or documentation such as the Learner Workbook or Learner Registration Form. This includes name, email address and date of birth. Gender and a postcode is only collected if a learner requests entry of their achievement onto their Personal Learning Record
The collection of learner’s special category data when a reasonable adjustment is granted. This is only collected and stored when a reasonable adjustment is granted and only includes any disability, medical condition or learning need
The storage of course paperwork/documentation
Upload and maintenance of electronic records of a learner’s achievement on to Abbey First Aid Solutions database
The transfer of course paperwork/documentation

What data is not covered under these guidelines?

The requirements stated within this policy are purely in relation to the booking, administration and certification of Abbey First Aid Solutions courses and First Aid Awards qualifications and data that is collected during course delivery and on official course paperwork/documentation. All data outside of this scope is not covered with this policy.






Personal Data and Special Category Data

The GDPR state that there are two types of data that Abbey First Aid Solutions and approved Trainer/Assessors collect, store and process:

Personal Data

Includes name, email address and date of birth; gender and postcode may be collected if required for entry onto a learner’s Personal Learning Record.

Special Category Data

Special category data is only collected when the learner is applying for a reasonable adjustment and is data relating to the learner’s health including any disabilities, medical conditions or learning needs they may have.
Please note that within these guidelines the word ‘data’ refers to both personal data and special category data.

Section 2 - Collecting learner’s data

How do we collect a learner’s data?

A learner’s data must only be collected on official correspondence and course paperwork/documentation.

Course paperwork/documentation has been designed to only request the minimum required data to allow Abbey First Aid Solutions and Trainer/Assessors to administrate and award a learner’s achievement.

Special category data must only be recorded during the application for a reasonable adjustment and is required for no other purpose.

Section 3 - Processing learner’s data

Trainer/Assessors are required to process learner data as part of the administration of the qualification/course that learner has chosen to undertake.

Abbey First Aid Solutions will only process learner data for the purpose of entering it onto First Aid Awards portal for certification and record keeping purposes.

Abbey First Aid Solutions will electronically store a record of learner’s achievements on our own database but only data that is collected from official course paperwork/documentation and only for the purpose of record keeping.

Section 4 - Storing learner’s data

What data do we need to keep?

All data is generated through the correspondence and the completion of official course paperwork/documentation. Full course paperwork packs must be retained for three years and six months from the final date of the course to provide evidence of a learner’s achievement.

How do we securely hold course paperwork/documentation?

Course paperwork/documentation can be stored in either hard copy ‘paper’ format or in an electronic document such as Word or PDF.

Hard copy ‘paper’ format

When data is stored in hard copy format Abbey First Aid Solutions will ensure that this is kept securely and take appropriate action to prevent unauthorised access.

All of Abbey First Aid Solutions staff/Trainer/Assessors must ensure that paperwork/documentation is:

Securely transported from the course venue to their premises by an authorised person, such as the Trainer/Assessor, or through a secure carrier, such as Royal Mail Special Delivery service
Not left unattended
Securely protected
Promptly transferred to a secure storage area with access only by authorised persons
Securely disposed of, as stated below, should it be electronically scanned

Electronic format

When data is stored in electronic format, appropriate security measures must be taken to protect learner’s data.

Abbey First Aid Solutions must ensure that electronic records and documents are stored on a computer/server/cloud system that is protected by suitable security software and that physical computers are in secure locations with access only available to authorised persons.

It is crucial that the security software is maintained and that important security updates are quickly installed.

Appropriate measures must be in place to cover staff working from home or accessing systems, containing learner data, from remote locations.

All systems must be protected and only accessed through a secure log in system with users having unique user name and passwords.

Loss of data

Abbey First Aid Solutions will take all possible actions to prevent the accidental or deliberate loss of data.

Course paperwork/documentation in electronic format must be appropriately backed up either internally or remotely through the internet.

Course paperwork/documentation in hard copy format must be securely stored and a backup copy generated if being sent through a secure courier.
 
Section 5 - Securely transferring data?

Course paperwork/documentation may need to be transferred in either hard copy or electronic format. Audit requests from Abbey First Aid Solutions may require the Trainer/Assessor to transfer copies of paperwork/documentation which can be done electronically or in hard copy.
Hard copy ‘paper’ format

Trainer/Assessors must ensure that hard copies of data are secure when being transferred and that measures are taken to prevent loss of data. Secure mail services such as Royal Mail’s Special Delivery service should be used. Trainer/Assessors must ensure a backup copy of any paperwork/documentation is taken before the hard copies are sent to prevent data being lost in transit.

Electronic format

When transferring course paperwork/documentation and data through electronic formats, Trainer/Assessors have the following options available:

Transfer through email

Paperwork/documentation and other documents must not be sent via email without being encrypted. ‘Zipped’ folders and documents must be encrypted, and a suitable alphanumeric password created, before being sent and this can be achieved using software such as ‘WinZip’.
The password must be sent via a different medium than the documents, such as telephone.

Transfer through a file hosting service, for example ‘Drop Box’

Paperwork/documentation and other documents can be shared using file hosting services such as Drop Box, Microsoft 365, etc.

The Trainer/Assessor can create an account with the file hosting service and upload documents to the service which can then be shared with Abbey First Aid Solutions

When using such services, the Trainer/Assessor must add a password and expiry time to documents and communicate the link and password in separate mediums, for example the link can be emailed, and the password communicated by telephone.

Section 6 - Retention periods for learner’s data

Course paperwork/documentation including assessment papers, must be kept by Abbey First Aid Solutions for three years and six months from the final date of the course.

Records are maintained to allow any complaints/appeals/confirmation of achievement requests to be dealt with, as well as for auditing purposes.

Abbey First Aid Solutions will securely dispose of course paperwork/documentation once this date has been reached.

Section 7 - Securely disposing of data

Data, whether in paper or electronic format, must be disposed of in an appropriate manner.
 
 
Paper based data

All paperwork/documentation that contains learner data must be disposed of in a secure way.

Paperwork/documentation must be either:

Shredded onsite by a nominated person and the waste securely disposed of OR
Collected and disposed of by a specialist business providing Abbey First Aid Solutions with a certificate of destruction

Electronically based data

Electronic based records within a database, or any IT document such as Word or PDF, must be deleted in full and removed from all systems in their entirety including any ‘recycle bins’ that the data may be unknowingly backed up into.

Trainer/Assessors must ensure all archived or backed up versions are also deleted in their entirety. There must be no way that the data is able to be retrieved.
 
Section 8 - Data breaches and notification

Under the GDPR Abbey First Aid Solutions has a legal duty to notify the ICO should a data breach occur.

What is a data breach?

A data breach is described in the GDPR as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

The following example situations would be considered a data breach:

Access to personal data by an unauthorised person or organisation
Deliberate or accidental deletion of data
Sending data to the wrong person
Computers, phones or any electronic equipment on which data is stored, being lost or stolen
Paper files, on which data is written, being lost or stolen
Changing a person’s data without their permission
Loss of availability of data