Data protection and usage policy

EdgeWorks™ holds and processes information about employees, learners, and other data subjects for academic, administrative, and operational purposes. This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

All staff, learners, and third parties who process or use personal information must comply with the following principles. Personal data must:

  • Be processed lawfully, fairly, and transparently.
  • Be collected for specified, explicit, and legitimate purposes.
  • Be adequate, relevant, and limited to what is necessary.
  • Be accurate and kept up to date.
  • Be kept only as long as necessary.
  • Be processed in a manner that ensures appropriate security.
  • Respect the rights of data subjects under UK GDPR.
  • Only be transferred outside the UK if appropriate safeguards are in place.

Definitions

  • “Data controller” further information about Organisation data controllers is available from the Data Protection Officer.
  • “Other data subjects” and “third parties” may include contractors, suppliers, contacts, referees, friends or family members.
  • “Processing” refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.

Notification of data held

EdgeWorks™ will inform individuals about the personal data it holds and processes about them, including why it is collected and how it is used. This information is maintained in the organisation’s data inventory and may be updated as needed.

Lawful basis for processing

EdgeWorks™ will only process personal data where there is a lawful basis under UK GDPR Article 6. These include:

  • Consent.
  • Contractual necessity.
  • Legal obligation.
  • Vital interests.
  • Public task.
  • Legitimate interests.

For learners, processing will normally be based on contractual necessity and legal obligation relating to qualification registration, assessment and certification. Special category data (such as health information for reasonable adjustments) will be processed in accordance with Article 9 UK GDPR and relevant statutory conditions.

Where learners are sponsored by an employer, relevant progress and activity data may be shared with that employer in accordance with contractual arrangements.

Staff responsibilities

All staff shall;

  • Ensure that all personal information which they provide to EdgeWorks™ in connection with their employment is accurate and up-to-date.
  • Inform EdgeWorks™ of any changes to information, for example, changes of address.
  • Check the information which EdgeWorks™ shall make available from time to time, in written or automated form, and inform EdgeWorks™ of any errors or, where appropriate, follow procedures for updating entries on computer forms. EdgeWorks™ shall not be held responsible for errors of which it has not been informed.

When staff hold or process information about learners, colleagues or other data subjects (for example, learners’ course work, pastoral files or personal details), they should comply with the Data Protection Guidelines.

Staff shall ensure:

  • That all personal information is kept securely.
  • That personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter and may be considered gross misconduct in some cases.

Learner responsibilities

All learners shall:

  • Ensure that all personal information which they provide to EdgeWorks™ is accurate and up-to-date.
  • Keep usernames/passwords and any resources shared in the undertaking of their qualification confidential.
  • Check the information which EdgeWorks™ shall make available from time to time, in written or automated form, and inform EdgeWorks™ of any errors or, where appropriate, follow procedures for updating entries on computer forms. EdgeWorks™ shall not be held responsible for errors of which it has not been informed.

Rights to access information

Staff, learners and other data subjects in EdgeWorks™ have the right to access any personal data that is being kept about them either on a computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the appropriate designated data controller.

EdgeWorks™ will not normally charge a fee for responding to a Subject Access Request. A reasonable fee may be charged where a request is manifestly unfounded or excessive, in accordance with UK GDPR.

EdgeWorks™ will respond to Subject Access Requests within one month of receipt. This period may be extended by up to two further months where requests are complex or numerous, in accordance with UK GDPR. In such cases, the reason for the delay will be explained in writing by the designated data controller to the data subject making the request.

The data controller and the designated data controllers

The Managing Director is ultimately responsible for implementation. Responsibility for day-to-day matters will be delegated to the Centre Manager as the designated data controller. Information and advice about the holding and processing of personal information is available from the Data Protection Officer.

Assessment marks certification

Learners shall be entitled to information about their marks for assessments; however, this may take longer than other information to provide. EdgeWorks™ may withhold enrolment, awards, certificates, accreditation or references in the event that monies are due.

AI (artificial intelligence)

AI tools may be used to support professional judgement within assessment and quality assurance processes. AI systems do not make autonomous assessment decisions.

Learner work must not be used to train external AI models or processed by systems that store or reuse data without explicit approval and appropriate safeguards.

All AI use must comply with UK GDPR and EdgeWorks™ data protection and information security requirements. Any suspected misuse must be reported immediately in line with incident reporting procedures.

Data breach response

All staff must report any data breach or suspected breach to the Data Protection Officer immediately. EdgeWorks™ will investigate and report notifiable breaches to the ICO within 72 hours.

International data transfers

Personal data will only be transferred outside the UK where appropriate safeguards are in place in accordance with UK data protection law.

Retention of data

Different types of data are retained for different periods based on legal and operational needs. Details are provided in EdgeWorks™ Records Retention Schedule.

Care Academy learner platform accounts are subject to defined inactivity rules. An account is considered inactive where there has been no login activity and no active qualification. The 10-year retention period is calculated from the later of last login, employment status change to “ex-employee”, or qualification completion, withdrawal or lapse. Further operational detail is set out in the Records Retention Schedule and internal Retention SOP.

Records must not be retained beyond the periods defined in the Records Retention Schedule unless a documented lawful basis for continued retention exists.

Compliance

Compliance with UK GDPR and the Data Protection Act 2018 is the responsibility of all learners and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Officer.

Any individual, who considers that the policy has not been followed in respect of personal data about him or herself, should raise the matter with the designated data controller initially. If the matter is not resolved it should be referred to the staff grievance or student complaints procedure.

Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
None