Skills Academy Wales Privacy Notice - Version 3 - Protection and Use of Employer Data
Updated June 2022
Data Protection Act 2018 and the UK General Data Protection Regulation
1 The Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (GDPR) regulate the processing of personal data in any format, including both digital and hard copy personal data and all other formats, by sub-contractors who are contracted to deliver training programmes on behalf of Neath Port Talbot College (known as NPTC Group of Colleges) under the branding name of Skills Academy Wales (‘the Partnership’).
‘Personal data’ is any information relating to a living individual, and 'processing' is any activity carried out involving personal data, including holding and storing it. This statement applies under both the DPA and GDPR or any successor legislation to the GDPR or the DPA.
2 This notice is provided for employers, work placement providers and any other businesses (referred to in this notice as ‘Customers’) engaging with the Partnership for the purpose of training programmes delivered under the Neath Port Talbot College work-based learning contract.
3 This statement establishes the Partnership procedures governing the collection and release of Customer data and is provided to Customers at the application and registration stages. It includes information about how Customer data is used, and where it is supplied by the Partnership to the Welsh Government and other external parties.
4 Sub-contractors are contracted to deliver training programmes under the Neath Port Talbot College work-based learning contract. These sub-contractors act as data controllers for all personal data that the individual organisation holds and processes. Neath Port Talbot College is considered as a separate data controller, having sole responsibility for all personal data that it holds and processes, except where it is done in the capacity of a data processor on behalf of another data controller.
5 For further information about the data which the Partnership holds and its use, or if you wish to exercise your rights under GDPR, please contact:
Skills Academy Wales Manager
Skills Academy Wales
NPTC Group of Colleges
Dwr Y Felin Road
Phone: 0330 818 8108
6 During the contract period the Partnership may obtain, hold and process personal data relating to potential or actual Customers, their staff, and other parties including personal details, business contact details, financial details, health and safety records, insurance records and employment and training records. Where necessary, it may obtain, hold and process the sensitive personal data (the term used by the DPA) and special category data (the term used by GDPR) of Customers including racial or ethnic origin, religious or philosophical beliefs, biometric data, and physical or mental health.
7 Personal data and sensitive personal data/special category data held by the Partnership relating to Customers is obtained directly from an employee of the Customer, or in some cases from a third party involved in the services provided by the Partnership that has obtained the information in the first instance, for example a learner, Business Wales, the National Training Federation for Wales, Careers Wales and the Welsh Government.
8 The Partnership holds the personal data and sensitive personal data/special category data of its Customers in order to implement and manage all services and processes relating to Customers, including but not limited to health and safety vetting and monitoring, incident and accident reporting and other services such as advertising vacancies, sifting job applications and managing funding incentive applications. Only information required for these purposes is obtained and processed, and without it the Partnership may not be able to provide its services. Information is passed between various sections of the Partnership for operational reasons as is necessary and proportionate for intended purposes.
9 Customer personal data is collected and processed by the Partnership as it is necessary for the performance of the contract under which the Partnership provides services to Customers. Some processing activities may also be carried out under a legal obligation (for example, disclosing personal data to external parties under statutory powers), where it is necessary to protect the vital interests of the Customer or another party (for example, disclosures to external parties to ensure the safety and wellbeing of individuals), where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (for example, collecting or disclosing information in order to meet regulatory or statutory requirements), or where it is necessary for legitimate interests pursued by the Partnership or a third party (the legitimate interests will relate to the efficient, lawful and proportionate delivery of services and will not be to the detriment of the interests or rights of individuals). Where any of these legal bases do not apply, the consent of an individual to process their personal data will be sought.
10 Where Customers’ sensitive personal data/special category data is collected and processed by the Partnership this will be on the legal basis of explicit consent of the Customer, employment or social security/protection requirements, protecting the vital interests of the Customer or another party, the exercise or defence of a legal claim, reasons of substantial public interest, purposes of medical or health care, or where the information has been made public by the Customer. Any processing will be proportionate and relate to the provision of services by the Partnership. When this data is used for monitoring and reporting purposes it will be anonymised or pseudonymised if possible.
11 The Partnership may disclose Customers’ personal data and sensitive personal data/special category data to external agencies to which it has obligations; for example the Welsh Government and to other arms of central or local government, to the Health and Safety Executive, Sector Skills Councils and potentially other such organisations for defined purposes. It may also disclose information to examining bodies, legal representatives, Police or security agencies, suppliers or service providers, survey and research organisations engaged by the Partnership, and regulatory authorities.
12 The Partnership may also use Customer’s personal data as follows:
a) To contact Customers who have identified an apprentice as having a disability or learning difficulty in order to confidentially discuss available support.
b) To provide progress and attendance reports relating to the appropriate learner/s who are employed/placed with the Customer.
c) Disclosing information about Customers for the purpose of promoting the Partnership but only with the consent of the Customer if they are personally identified.
d) For the purpose of entering Customers for external awards and competitions, usually with the consent of the Customer.
e) Publication of the names of Customers in the award ceremony programme.
f) Supply personal and financial details to providers of financial services engaged by the Partnership, for example for the payment of funding incentives, refunds and similar services.
g) Disclosing information to external parties for safeguarding and duty of care purposes, for example to medical practitioners and law enforcement agencies.
h) Registration with the appropriate Sector Skills Council in order to apply for the apprenticeship completion certificate on the learners behalf.
i) Subject to review on a case-by-case basis, providing contact details to third party companies and organisations formally engaged by the Partnership to provide enhanced levels of service to support core activities.
j) To contact external companies that the Customer is contracted to work for to investigate and obtain evidence of any health and safety incidents/accidents that occur on the external companies’ site.
13 The Partnership requires all Customers to participate in its health and safety monitoring system. It is a contractual requirement that the Partnership monitors the health and safety standards of the Customer who employs an apprentice or takes a learner on a work placement. It also aids the Partnership in its duty of care and support provisions.
14 In some instances the Partnership may transfer the Customers’ personal data to third parties located in other countries, including some outside of the European Economic Area. Any such transfers will be strictly in relation to the delivery of the Partnership’s core services. IT services used by the Partnership may involve the transfer or hosting of Customer personal data overseas. All instances of overseas transfers of personal data are subject to appropriate technical safeguards and contractual provisions incorporating appropriate assurances to ensure the security of the data and full compliance with legislative and regulatory requirements.
15 Some sections of the Partnership undertake processes involving Customer personal data that include elements of profiling or automated decision-making. An example would include a Business Development Team who have processes in place to determine the nature of communications sent to Customers in order to offer curriculum and commercial courses. These processes will only be used if Customers give consent to receive direct marketing material.
16 A basic Customer record will be kept permanently by the Partnership, with more detailed records kept for defined retention periods. Details of the retention periods attributed to different elements of Customer records can be obtained upon request.
17 If you have any queries about the use of Customer personal data outlined above then please contact the Skills Academy Wales Manager; email@example.com or 0330 818 8108.
18 Individuals whose personal data and sensitive personal data/special category data is held by the Partnership have the following rights regarding their data:
a) The right to request access to their personal data held by the Partnership.
b) The right to have inaccurate or incomplete personal data rectified.
c) The right to erasure of personal data – this will only apply where there is no legitimate reason for the Partnership to continue to process the personal data. There will usually be a requirement for the Partnership to keep a basic Customer record indefinitely.
d) The right to restrict the processing of personal data – individuals have the right to block the processing of their personal data by the Partnership in specific situations.
e) The right to data portability – Customers have the right to request provision of some elements of their information in digital form in order to provide it to other organisations.
f) The right to object – Customers can object to the processing of their personal data by the Partnership in certain circumstances, including the sending and receipt of direct marketing material.
g) The right to object to automated decision making and profiling – individuals have the right to object to decisions taken by automatic means without human intervention in some circumstances.
All requests to exercise any of these rights should be made to the Skills Academy Wales Manager.
19 Where the processing of personal data or sensitive personal data/special category data is based on the consent of the Customer, they have the right to withdraw their consent at any time by contacting the sub-contractor who obtained that consent or the Skills Academy Wales Manager.
20 If a Customer is unhappy with the Partnership’s handling of their personal data, or believes that the requirements of the DPA or GDPR may not be fully complied with, they should contact the Skills Academy Wales Manager in the first instance. The Partnership’s formal complaint procedure can be invoked if appropriate, and Customers also have the right to submit a complaint to the Information Commissioner’s Office; further details can be found at www.ico.org.uk .
Submission Of Your Data to The Welsh Government
21 It is a statutory requirement for the Partnership to send some of the information we hold about the Customer to the Welsh Government (WG). WG collects, and is responsible for, the database in which the Customers’ information is stored. WG uses this information itself for its own purposes. WG also shares the information with third parties for specified and lawful purposes. It may charge other organisations to whom it provides services and data. All uses of WG information must comply with the Data Protection Act 2018 and the General Data Protection Regulation.
22 You may from time to time be asked to complete surveys either for the Partnership or on behalf of other organisations, for example the Welsh Government. These organisations and their contractors will use your details only for that purpose, and will then delete them.
23 There is no requirement for you to take part in any of these surveys but participation assists the Partnership, as well as government and regulatory bodies, in performing their statutory, official and public duties.
Reviewed July 2023