CCAS Ltd is committed to protecting the privacy and security of personal information.
This policy applies to current and former employees and all other third parties on whom CCAS keeps data, i.e. course students. This policy does not form part of any contract of employment or other contract to provide services. CCAS may update this policy at any time.
It is important that this policy is read, together with any other privacy notice CCAS might provide on specific occasions when collecting or processing personal information, so that the relevant persons are aware of how and why CCAS are using such information.
Personal Data: Personal data, or personal information, means any information about an individual (relevant person) from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Relevant Persons: Any person who has contact with CCAS as a client, customer or employee.
Course Delegate: Any person attending a course run by CCAS.
Data protection principles
CCAS will comply with data protection law, which states that the personal information held must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that have been clearly explained to the relevant persons and not used in any way that is incompatible with those purposes.
- Relevant to the purposes and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes as explained.
- Kept securely.
The kind of information CCAS holds
CCAS may collect, store, and use the following categories of personal information:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Date of birth.
- Marital status and dependants.
- Next of kin and emergency contact information.
- National Insurance number.
- Bank account details, payroll records and tax status information.
- Salary, annual leave, pension and benefits information.
- Start date.
- Location of employment or workplace.
- Copy of driving licence.
- Recruitment information (including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process).
- Employment records (including job titles, work history, working hours, training records and professional memberships).
- Compensation history.
- Performance information.
- Disciplinary and grievance information.
- Information about the use of CCAS information and communications systems.
There are “special categories” of more sensitive personal data which require a higher level of protection.
CCAS may also collect, store and use the following “special categories” of more sensitive personal information:
- Information about race or ethnicity, religious beliefs, sexual orientation and political opinions.
- Information about health, including any medical condition, health and sickness records.
- Genetic information and biometric data.
- Information about criminal convictions and offences.
How is personal data collected?
CCAS typically collect personal information about employees and other third parties through the application and recruitment process, either directly from candidates or sometimes from an employment agency or a course broker.
CCAS will only use personal information when the law allows. Most commonly, personal information will be used in the following circumstances:
- To perform the contract CCAS has entered into with the relevant person.
- To comply with a legal obligation.
- Where it is necessary for the legitimate interests of CCAS (or those of a third party) and the interests and fundamental rights of the relevant person do not override those interests.
CCAS may also use personal information in the following situations, which are likely to be rare:
- To protect the relevant person’s interests (or someone else’s interests).
- Where it is needed in the public interest (or for official purposes).
Situations where personal information will be used
CCAS will need some or all of the categories of information, depending on contract, in the list above (see The kind of information CCAS holds) primarily to perform the contract with the relevant person and to enable CCAS to comply with legal obligations.
In some cases, personal information may be used to pursue legitimate interests of CCAS or those of third parties, provided the interests of the relevant person and fundamental rights do not override those interests.
The situations in which CCAS will process personal information are listed below.
- Making a decision about recruitment or appointment.
- Determining the working terms and conditions.
- Checking legal entitlement to work in the UK.
- Remuneration if you are an employee, deducting tax and National Insurance contributions.
- Liaising with the pension provider.
- Administering the contract entered into with the relevant person.
- Business management and planning, including accounting and auditing.
- Conducting performance reviews, managing performance and determining performance requirements.
- Making decisions about salary reviews and compensation.
- Assessing qualifications for a particular job or task, including decisions about promotions.
- Gathering evidence for possible grievance or disciplinary hearings.
- Making decisions about continued employment or engagement.
- Making arrangements for the termination of a working relationship.
- Education, training and development requirements.
- Dealing with legal disputes involving employees, workers and contractors, including accidents at work.
- Ascertaining fitness to work.
- Managing sickness absence.
- Complying with health and safety obligations.
- To prevent fraud.
- To monitor use of information and communication systems to ensure compliance with IT policies.
- To ensure network and information security, including preventing unauthorised access to CCAS computer and electronic communications systems and preventing malicious software distribution.
- To conduct data analytics studies to review and better understand employee retention and attrition rates.
- Equal opportunities monitoring.
Some of the above grounds for processing will overlap and there may be several grounds which justify the use of personal information.
Failure to provide personal information
On failure to provide certain information when requested, CCAS may not be able to perform the contract entered into with the relevant person (such as remuneration or providing a benefit), or CCAS may be prevented from complying with its legal obligations (such as to ensure the health and safety of workers).
Change of purpose
CCAS will only use personal information for the purposes for which it was collected, unless CCAS reasonably considers that it is needed for another reason and that reason is compatible with the original purpose. If personal information is required for an unrelated purpose, CCAS will notify the relevant person and will explain the legal basis which allows this information to be used.
Please note that CCAS may process personal information without the relevant person’s knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Particularly sensitive personal information
“Special categories” of particularly sensitive personal information require higher levels of protection. CCAS must have further justification for collecting, storing and using this type of personal information. Special categories of personal information may be processed in the following circumstances:
- In limited circumstances, with the relevant person’s explicit written consent.
- Where CCAS need to carry out legal obligations.
- Where it is needed in the public interest, such as for equal opportunities monitoring or in relation to the CCAS occupational pension scheme.
- Where it is needed to assess working capacity on health grounds, subject to appropriate confidentiality safeguards.
Less commonly, CCAS may process this type of information where it is needed in relation to legal claims or where it is needed to protect the interests of the relevant person (or someone else’s interests) and the relevant person is not capable of giving consent, or where the information has already been made public.
Obligations as an employer
CCAS will use particularly sensitive personal information in the following ways:
- Information relating to leaves of absence, which may include sickness absence or family related leaves, to comply with employment and other laws.
- Information about physical or mental health, or disability status, to ensure health and safety in the workplace and to assess fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
- Information about race or national or ethnic origin, religious, philosophical or moral beliefs, or sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
Is consent required?
CCAS does not need consent if special categories of personal information are used in accordance with the written policy to carry out legal obligations or exercise specific rights in the field of employment law. In limited circumstances, CCAS may approach the relevant person for written consent to allow certain particularly sensitive data to be processed. In this instance CCAS will provide the relevant person with full details of the information required and the reasons, so that it can be carefully considered before consent is given. It is not a condition of any contract with CCAS that any request for consent must be agreed.
Information about criminal convictions
CCAS may only use information relating to criminal convictions where the law allows. This will usually be where such processing is necessary to carry out obligations and provided it is done in line with this policy.
Less commonly, information relating to criminal convictions may be used where it is necessary in relation to legal claims, where it is necessary to protect the interests of the relevant person (or someone else’s interests) and if the relevant person is not capable of giving consent, or where the information has already been made public.
CCAS will hold information about criminal convictions. It will only collect information about criminal convictions if it is appropriate given the nature of the role and where it is legal to do so.
Information about criminal convictions and offences may be used in the following ways:
- Driving at work.
- Working with children or vulnerable adults.
CCAS may need to share personal data with third parties, including third-party service providers. CCAS expect and require third parties to respect the security of personal data and to treat it in accordance with the law.
CCAS may transfer personal information outside the EU (i.e. Malaysia). If so, a similar degree of protection in respect of personal information can be expected.
Why will personal information be shared with third parties?
CCAS may share personal information with third parties where required by law, where it is necessary to administer the working relationship with the relevant person or where there is another legitimate interest in doing so.
Which third-party service providers process personal information?
“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within the company.
The following activities are carried out by third-party service providers:
- Pension administration.
The following third-party service providers process personal information for the following purposes:
- NEBOSH – Required for assessment and administration.
- IOSH – Required for assessment and administration.
- CITB – Required for assessment and administration.
- NUCO – Required for assessment and administration.
Security of information shared with third-party service providers and other entities in the company
All third-party service providers and other entities in the company are required to take appropriate security measures to protect personal information in line with the policies. Third-party service providers are not allowed to use shared personal data for their own purposes; they can only process shared personal data for specified purposes and in accordance with CCAS instructions.
When might CCAS share personal information with other entities in the company?
CCAS will share personal information with other entities in the company as part of regular reporting activities on company performance, in the context of a business reorganisation or company restructuring exercise, for system maintenance support and hosting of data.
What about other third parties?
CCAS will only share personal information with a regulator or to otherwise comply with the law.
CCAS have put in place measures to protect the security of personal information.
Appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.
All Company computers have a log-in system and are password protected, which allows only authorised staff to access personal data. Passwords on all computers are changed frequently.
Person identifiable information is not removed from the premises, is kept in a locked safe, cabinet or office and is shredded once no longer required according to the retention schedule.
CCAS has put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, CCAS limit access to personal information to those employees and other third parties who have a business need to know. Personal information will only be processed on CCAS instructions; third parties are subject to a duty of confidentiality. Details of these measures may be obtained from the Managing Director of CCAS Ltd.
CCAS has procedures to deal with any suspected data security breach or cyber attack. These are implemented and monitored by a third-party organisation (Strident), which will notify all relevant persons affected by the breach and any applicable regulator of a suspected breach where it is a legal requirement.
CCAS will retain personal information for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data the following will be considered:
- the amount, nature, and sensitivity of the personal data.
- the potential risk of harm from unauthorised use or disclosure of personal data.
- the purposes for which it was processed and whether it can achieve those purposes through other means.
- the applicable legal requirement.
In some circumstances CCAS may anonymise personal information so that it can no longer be associated with the relevant person. Such information may then be used without further notice.
CCAS will retain and securely destroy personal information in accordance with applicable laws and regulations for all persons no longer employed or no longer studying with CCAS.
Rights of access, correction, erasure and restriction
Duty to inform CCAS of changes
It is important that the personal information CCAS holds is accurate and current. It is the responsibility of the relevant person to inform CCAS if personal information changes during the working relationship.
Relevant person rights in connection with personal information
Under certain circumstances, by law relevant persons have the right to:
- Request access to their personal information (commonly known as a “data subject access request”). A copy of the personal information held will be made available in order to check that it is being lawfully processed.
- Request correction of the personal information held to ensure accuracy.
- Request erasure or removal of personal information where there is no good reason for CCAS continuing to process it. Deletion or removal of personal information may also be requested where the right to object to processing has been exercised (see below).
- Object to processing of personal information where CCAS is relying on a legitimate interest (or those of a third party) and there is something about the situation which leads the relevant person to object to processing on this ground. The relevant person also has the right to object where personal information is being processed for direct marketing purposes.
- Request the restriction of processing of personal information, in order to suspend the processing of personal information, for example to establish its accuracy or the reason for processing it.
- Request the transferral of personal information to another party.
Requests to review, verify, correct or request erasure of personal information, objection to the processing of personal data, or requesting that a copy of personal information is transferred to another party, must be submitted to the Managing Director of CCAS Ltd in writing.
No fee usually required
A fee to access personal information is not usually payable. However, a reasonable charge may be made if the request for access is clearly unfounded or excessive. Alternatively, CCAS may refuse to comply with the request in such circumstances.
What information CCAS may need for a request
CCAS may need specific information from the requester to help confirm identity and ensure the right to access the information. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where consent has been provided to the collection, processing and transfer of personal information for a specific purpose, there is a right to withdraw consent for that specific processing at any time. To withdraw consent, the Managing Director of CCAS Ltd must be contacted.
Once notification has been received that consent has been withdrawn, CCAS will no longer process information for the purpose or purposes originally agreed to, unless there is another legitimate basis for doing so in law.
Data Protection Officer
Monitoring and Review
CCAS will undertake a periodic review of this Policy in relation to the company’s activities, client base, sectors of operation, and any changes to the Act.