Privacy Statement – Counselling Training the Midlands Community Interest Company (CTTM)
CTTM Data Controller: Jonno Ward – info.cttm@yahoo.co.uk
Joint Data Controller: Jonno Ward and Counselling and Psychotherapy Central Awarding Body (CPCAB)
- Brief Overview
CTTM complies with, and is licensed in accordance with the legal requirements of the General Data Protection Regulation (GDPR) 2018. This means that we follow strict procedures specified by this legislation when collecting and handling information about individuals. We will be registered with the Information Commissioner as Counselling Training the Midlands Community Interest Company (this is our ‘Data Controller Name’).
As a training agency the majority of the data that CTTM collects and process pertains to individuals (henceforth known as “candidates”) who wish to train with us, and the bulk of candidate information is collected and processed due to our relationship with Counselling and Psychotherapy Central Awarding Body (CPCAB), the organisation that accredits our training.
http://www.cpcab.co.uk/public_docs/data-protection-policy
Once CTTM has arranged an interview for a course with a candidate we ask the candidate to bring along an application form, supplied by email. This application form will contain sensitive and / or personal information about you.
If you are successful at interview and are offered a place on one of our courses then you will fill out a handwritten enrolment form that contains sensitive and / or personal information. Some of what you write in these forms will be shared at registration electronically with Counselling and Psychotherapy Central Awarding Body (CPCAB) our awarding body (see Section Two).
We will also share information if there is a lawful legitimate reason to do so such as if this is in the public interest or in the case of serious crime to protect you or others from harm.
If you enrol on our course then the personal and / or sensitive handwritten information about you will be stored in handwritten form in a locked filing storage.
Applications we receive that do not result in a place being offered or accepted by an applicant will be shredded and destroyed within a 3 months. Once you are registered both with us and with CPCAB then all records will be maintained as above. Records are then kept in line with legitimate requirements for a period of 2 years following completion of your course. After this time, all records are shredded, unless we are requested to do so in the interests of public safety, or in the event of a complaint or grievance against us.
We also process data we keep on you that is primarily related to the recording of the assessment of your course work. This is also stored securely, following the procedures and lifespan described above.
The individuals who have access to all of the data above (registration and assessment) are known as data processors, natural and legal persons who process information on behalf of the Controller. Data processors at CTTM are tutors registered with CPCAB, External Verifiers sent by CPCAB (see Section 2) and exam invigilators.
We do not pass on or sell your details to other agencies or third parties, other than CPCAB for the purpose of registration, or when requested to do so in the interests of public safety, such as by a court of law. We also do not store personal information about you online. (See Section Six)
We are, however, sometimes contacted by other organisations, namely employers or training agencies for a reference. While we assume that these approaches are made with the consent of candidates, we will always explicitly confirm this with the candidate.
- CTTM’s Relationship with CPCAB
CPCAB is the awarding body that certificates our training, and as a CPCAB Recognised Centre we run training on their behalf.
As such, we have a contractual obligation to provide necessary data to CPCAB electronically when a new course begins; this data is taken from the handwritten application form and registration forms that candidates fill out.
One of the implications of this is that for data that CTTM passes on to CPCAB, we are Joint Data Controllers.
The data that CPCAB requests and we provide includes a candidate’s:
a) Name
b) Date of Birth
c) Gender
d) Ethnicity
e) Reasonable adjustments (described as difficulty / disability)
f) Address
g) Email address
The centre processes this data with a password protected system (“CPCAB Portal”) directly with CPCAB – there are no third parties involved and we use a computer that is both password protected and encrypted.
Furthermore, we will liaise with CPCAB about registered candidates over the duration of a course in the following way:
- Professional support and concerns, including, but not limited to both Internal and External Assessment issues.
- External Verifier visits – CTTM will have twice-yearly inspections by a CPCAB representative, and part of this visit will be to appraise candidates’ coursework as well as to discuss tutors’ concerns about candidates, where relevant
- Amendments to data held by CPCAB on candidates (see Section Six, Point Three)
- Your Rights as an Individual
Here we have summarised the rights that you have under Data Protection Law. We strongly suggest you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/In summary, your principal rights under data protection law are:
a) the right to access;
b) the right to rectification;
c) the right to erasure;
d) the right to restrict processing;
e) the right to object to processing;
f) the right to data portability;
g) the right to complain to a supervisory authority; and
h) the right to withdraw consent.
https://gdpr-info.eu/art-6-gdpr/
- Privacy Notice
In line with GDPR, all personal and / or sensitive information held by CTTM must be:
a) fairly and lawfully processed, for relevant purposes only
b) secure, accurate and up to date
c) not kept longer than necessary
d) processed in accordance with the individual’s rights
e) not transferred to countries outside the European Economic area, unless there is adequate protection
We do not pass on or sell your details to other agencies or third parties, other than CPCAB for the purpose of registration, or when requested to do so in the interests of public safety, such as by a court of law.
We are, however, sometimes contacted by other organisations, namely employers or training agencies for a reference. While we assume that these approaches are made with the consent of candidates, we will always explicitly confirm this with the candidate.
- Fair processing of data
CTTM collects and processes data from our service users and on behalf of CPCAB, in line with GDPR law (“lawful bases”) for the following reasons:
Compliance with legal obligations (including the GDPR [2018])
Performance of a contract with the data subject (i.e. a candidate wishing to study with us). The individuals at CTTM who have access to such data (registration and assessment) are known as data processors, natural and legal persons who process information on behalf of the Controller. Data processors at CTTM are tutors registered with CPCAB, External Verifiers sent by CPCAB (see Section 2) and exam invigilators.
Security
- Security
6.1 Security of data:
Once CTTM has arranged an interview for the course you have applied for we ask you to bring along an application form, supplied by email. This application form will contain sensitive and / or personal information about you.
If you enrol on our course then you will also complete handwritten registration forms, also containing personal and / or sensitive handwritten information about you. We do this for our own “lawful base” and on behalf of CPCAB.
All data will be stored in paper handwritten form in a locked filing storage. The data processors are the only individuals to have access to this storage (see Section 5). We do not store personal information about you online or in electronic form.
Applications we receive that do not result in a place being offered or accepted by an applicant will be shredded and destroyed within a 3 months. Once you are registered both with us and with CPCAB then all records will be maintained as above. Records are then kept in line with legitimate requirements for a period of 1 to 2 years following completion of your course. After this time, all records are shredded, unless we are requested to do so in the interests of public safety, or in the event of a complaint or grievance against us.
We also process data we keep on you that is primarily related to the recording of the assessment of your course work. This is also stored securely, following the procedures and lifespan described above.
6.2 Deletion of data
You are able to request that the data CTTM holds on your behalf is deleted (please see our summary, and Point One, above) for our standard periods of data retention). A request to delete data may be refused if it is required in order to provide data to regulatory authorities or as part of a direction from a court of law.
6.3 Amendment of data
Candidate data is collected by CTTM and requests to make amendments may be accepted up to the point of the award of a certificate by CPCAB. Any amendments will be dealt with by the Data Controller and passed on to CPCAB.
6.4 Data Portability
Under the new GDPR legislation you are able to apply for your own data to be provided to you in a format that will allow you to share it with another organisation, such as a different training centre.
6.5 General security
CTTM takes data processing seriously:
-
- There is one computer that is used for registration data processing, that is, the data that we give to CPCAB (see Section 2). This is both encrypted and password protected. The Data Controller (Jonno Ward) is the only individual who has access to such data, and is the only individual who processes such data
- Coursework related data (assessment proformas and so forth) are stored electronically by data controllers on password-protected computers. In paper form, these are stored securely by the centre in line with our general storage principles (see Point 6.1 above)
6.6 Data breaches
CTTM takes its responsibilities in respect of the retention of data seriously and undertakes to handle any data breach promptly, thoroughly and transparently. In the event of a data breach CTTM will:
a) Identify the scale of the breach; and
b) Identify the sensitivity of the data.
Depending on the outcome, CTTM will, if appropriate:
a) Notify the Information Commissioner’s Office;
b) Notify the data subject(s);
c) Notify CPCAB in accordance with our obligation to them
d) Formally record any lessons learned;
e) Initiate an appropriate action plan, such as extra security measures or staff training
6.7 Data storage equipment
All data will be stored in paper handwritten form in a locked filing storage. The data processors are the only individuals to have access to this storage. We do not store personal information about you online or in electronic form.
- Cookies
This website uses cookies – small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser, although we do offer an active “opt out” at the bottom of the page.
We suggest also consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers: http://www.aboutcookies.org/
- Information access requests
You can apply for copies of your personal data under the Subject Access Request (SAR) scheme. Please contact Jonno Ward at info.cttm@yahoo.co.uk.
SAR requests must be received in writing and copies of the data will be provided electronically; if you are unable to access an electronic response please ask for advice.
- Your Right To Complain
You are able to complain about the data held by CTTM on your behalf if it is, or you feel it is:
a) Inaccurate.
b) Inappropriate.
c) Insecure.
- Amendments
We may update this policy from time to time by publishing a new version on our website.
In all cases, please contact the CTTM data controller, Jonno Ward, at info.cttm@yahoo.co.uk
or in writing at:
67 Derby Road
Sandiacre
Nottingham
NG10 5HX