For reasons of Safeguarding within the workshop, it may be necessary on occasion for information to be passed from ReSkilled to a participant’s referral agency, e.g. in the unlikely event of an incident in the workshop prior to returning. It may also be necessary at times for information to be passed from the referral agency onto ReSkilled, e.g. if a participant is particularly suffering from anxiety that morning yet still willing to attend. For this reason Information Sharing Agreements have been set up between ReSkilled and referral agencies.
Information relating to past offences will only be shared with ReSkilled staff or volunteers as deemed appropriate by the Programme Manager (and after a volunteer’s probationary period).
Recruitment equality monitoring
Where equality monitoring forms are used in the application process, they will be unnamed, separated from the application form upon receipt and kept securely until the data has been gathered, at which point the forms will be destroyed. Monitoring of equality in recruitment is not a legal obligation and therefore it is reasonably assumed that an individual is giving their consent by completing an equality monitoring form.
Trustees’ personal information is required for the operating of ReSkilled (i.e. performance of a contract) and will not be used otherwise without consent. When an individual chooses to cease being a trustee, their contact details alone will be retained by the Chair of Trustees in case of a need to communicate on matters related to ReSkilled in the future.
Rectifying and amending data
If your personal information changes or you become aware that our records are inaccurate, please contact us at firstname.lastname@example.org or write to:
Data Protection Officer, ReSkilled, 37 Hazel Avenue, Guildford GU1 1NP
We will correct any inaccuracies in no longer than one month from being notified.
Requesting restriction on, or objecting to our using your data
Where there are not compelling, legitimate reasons for our needing to use your data, or the information is not required as part of a contract, we will restrict its use according to your request. Most of the personal information is given by consent and you have the right to withdraw consent. Please contact us as above.
Erasing and disposing of data
ReSkilled will hold your information as set out in the Privacy Notice under Data retention periods. If you no longer wish us to hold your information, please contact us and we will arrange for the information to be deleted (electronic) or securely destroyed (paper-based) within one month of being notified, subject to concluding any contract that is ongoing at the time.
Storage of data
Information gathered will either be on paper or in an electronic format, depending on how it was given to us. It will be handled and stored appropriately according to the level of risk that a breach would carry.
– All information gathered on paper will be stored in a locked filing cabinet to which only the ReSkilled Programme
Manager will have a key
– Electronic data will be stored in encrypted files and laptops will be kept locked away when not in use
All Criminal Record Risk Assessments and Disclosure Statements will be kept securely in a locked cabinet separate from the individuals’ Application Forms and Initial Interview notes.
At the end of the courses, the participant’s Application Form and Initial Interview notes will be forwarded onto Voluntary Action South West Surrey or Volunteer Woking. This will ease the transition from ReSkilled on towards voluntary opportunities.
In following the GDPR, Voluntary Action South West Surrey and Volunteer Woking will also provide clear information on how individuals’ information will be used. When transferring these documents, ReSkilled will use a “Signed for” service.
Subject Access Requests
– We will not charge for complying with a request
– We will have a month to comply
– We can refuse or charge for requests that are manifestly unfounded or excessive
– If we refuse a request, we will tell you why and remind you that you have the right to complain to the ICO and to a judicial remedy. We will do this without undue delay and at the latest, within one month
Reporting a data breach
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
– Where a breach is likely to result in a risk to the rights and freedoms of individuals, we have to notify the ICO.
– Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we have to also notify those concerned directly and without undue delay.
In all cases we will maintain records of personal data breaches, whether or not they were notifiable to the ICO. Notifiable breaches have to be reported to the ICO within 72 hours of our becoming aware of it. Where it is not possible to investigate the breach fully within that time frame, we will provide additional information in phases, as permitted by the GDPR. We have an Internal Breach Reporting Procedure in place in order to facilitate an effective and efficient response to any perceived data breaches and help to avoid any similar recurrence.
Reviewing data needs
Effective September 2019