Blackpool and The Fylde College (B&FC) and GDPR We are fully compliant with all the latest regulations regarding the acquisition, management and storage of data to ensure personal information is handled and kept securely. B&FC takes its data protection responsibilities very seriously and complies with the Information Commissioner’s Office (ICO) requirements under GDPR. This includes being registered with the Information Commissioner’s Office as a data controller (Registration No. Z4700416). Appropriate measures are taken to ensure that: personal data is only collected where appropriate personal data is only used by appropriate individuals personal data is only used for purposes which are lawful under GDPR personal data are processed in accordance with the GDPR data protection principles data subjects, whether students, employees or others can exercise the rights afforded to them by GDPR personal data we collect and use is protected appropriately from disclosure and misuse Under the new General Data Protection Regulation (GDPR), Blackpool and The Fylde College (B&FC) is a data controller for some types of data and a data processor for others. B&FC is a data controller for personal data we capture about students, employees and others in order to deliver education, manage and develop our business and provide services to students, employees, applicants and members of the public. B&FC is a data processor for personal data we are obliged to process on behalf of data controllers such as the Education & Skills Funding Agency (ESFA), the Office for Students, managing agents for apprenticeships/services and others. Where B&FC is a data processor on behalf of another organisation (data controller), the data controller dictates the basis for processing data and the purposes for which the data is used. The difference between a Data Controller and a Data Processor A data controller is a person or organisation who determines the purposes for which and the manner in which any personal data are (or will be) processed. A data processor is a person (other than an employee of the data controller) who processes personal data on behalf of the data controller. Processing means obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data. This includes: Organisation, adaptation or alteration of the information or data. Retrieval, consultation or use of the information or data. Disclosure of the information or data by transmission, dissemination or otherwise making available. Alignment, combination, blocking, erasure or destruction of the information or data. Contents For information about how we use your personal information, click below. I am a: Student, Potential Student or Past Student Employee, Potential Employee or Ex-Employee Member of the Public or Other Customer More information: How B&FC protects your data How long B&FC keeps your data Your rights If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer: Call: 01253 504064 Email: datarequest@blackpool.ac.uk If you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or call 0303 123 1113. Students, Potential Students & Past Students How do B&FC capture and use personal data? B&FC collect personal data from students at application, enrolment, induction, throughout their programme of study and sometimes after they leave us. We collect this information from students directly but also on paper, online (including from your computer usage when in college), through our electronic systems (including databases and registers) by surveys, through CCTV/camera and sometimes we collect information from other organisations such as the Department for Education (DfE) and local education authorities. The information we collect is used to help us provide learning services and to enable students to benefit from education and training, pastoral care, learning support, financial support and to evaluate and improve the quality of our services. We are also required to provide personal data to the Education and Skills Funding Agency (ESFA) who are responsible for funding, planning and encouraging education and training in England. We may collect information in other ways (e.g., video, audio recordings, artificial intelligence) for which we ask your consent. If we do, we will tell you what information we plan to collect and how we plan to use it. You can withdraw your consent at any time. What data do B&FC capture and use? B&FC collect a range of personal data for students including name, contact details, nationality, residency, previous qualifications, employment and educational history, assessment results, attendance information, destination information and information about employment or work placements which students undertake whilst studying with us. We also collect and use sensitive data such as ethnic group, socio-economic indicator, criminal convictions, disability, special educational needs, relevant medical information and other things that might indicate students would benefit from our support services or bursaries (e.g., whether a student is a carer or a care leaver). We may ask for more detailed information if we need to assess whether it is appropriate for an individual to study their chosen course. For example, if someone has a significant medical need that affects our ability to keep them or someone else safe. Why do we need to capture and use personal data? Students and Potential Students We process personal data of our students and we share it with the organisations listed below because we are legally obliged to do so or because we need to do so in order to deliver the education/training required by our students. Specifically: Because it is part of our funding agreement with OfS, the ESFA or other funding organisations So we can submit Individualised Learner Record to the ESFA So we can locate the correct records and register students for a Unique Learner Number (ULN) So we can identify and provide any financial or learning support students may be entitled to So we can fulfil our obligations under the Government’s immigration and counter-terrorism duties So we can maintain a “Travel Plan” which is required if we need to do work on college buildings To support students in securing employment or in progression to a higher course or a better job To safeguard students and others So that we can register students with appropriate awarding organisations Who has access to the personal data we collect and process? Student data will be shared with B&FC employees to provide services to those students. Only staff who need access to student personal data will be able to use it. The personal information our students (or potential students) provide will also be shared with the following organisations: The 1Education & Skills Funding Agency (see below) The Office for Students (OfS, previously HEFCE) and the Higher Education Statistics Agency (HESA) (for students who study an HE course with us) The University & College Admissions Service (UCAS) (for students who apply for or study an HE course with us) The Departments for Education and Business, Energy and Industrial Strategy The Student Loans Company (for students who apply for or take a student loan) 2The Learner Records Service The UK Visa & Immigration Service The European Social Fund or organisations operating on its behalf (for students whose education is eligible to be part funded by them) The Local Education Authority and Connexions Auditors, Ofsted or other formal regulatory bodies for the education sector Awarding organisations/Exam boards 3Industry skills bodies for students whose training includes registration of certification with them Third parties who are contracted to provide IT services to us 4Sponsors or employers of students whose course is part funded by them (may include release from work to study) How the Education & Skills Funding Agency Uses Student Personal Information B&FC is a data processor on behalf of the ESFA which operates on behalf of the Secretary of State for the Department Education (DfE). Personal data we share with the ESFA is used to exercise the functions of these government departments, to meet statutory responsibilities (including those under the Apprenticeships, Skills, Children and Learning Act 2009) and to create and maintain a unique learner number (ULN) and a Personal Learning Record (PLR) for our students. Those organisations will securely destroy the student personal data we share with them when it is no longer needed for these purposes. The information our students provide may be shared with other organisations for education, training, employment and well-being related purposes, including research. This will only take place where the law allows it and the sharing complies with data protection legislation. The English European Social Fund (ESF) Managing Authority (or agents acting on its behalf) may contact our students to perform research and evaluation that informs the effectiveness of training. B&FC students may also be contacted after completion of their course by organisations acting on behalf of government education funding agencies to establish whether they (the students) have entered employment or gone onto further training. We are obliged to ask students for their consent for the ESFA to use their data to contact them about courses or surveys and research and about the ways in which the ESFA are permitted to contact them. We ask for this consent at enrolment. If students do not give consent to their personal data being used for these purposes, we advise the ESFA accordingly. For further information about how the ESFA use student personal data, who they allow to access that data, how long they retain that data and how students can withdraw any consent they have given here, read more on GOV.uk. B&FC may also share information about student progress with their employer or other sponsor if they are paying all or part of the student’s course costs. Students who do not want us to do that, must pay their own fees. Students should contact our Student Administration office to make these payments and have their preferences updated in our records. If students give us name and contact details for a “next of kin”, we may contact them in an emergency. We seek the student’s consent before we share any other information with them. B&FC (or our partners) are required to monitor Learner Outcomes (including student destinations and employment). We will use the contact details our students give us to do this and we may share those details with organisations contracted by government agencies to perform this important task. In all cases we may be compelled to share your data. These instances are most likely to relate to (but may not be confined to) The Police, the Health and Safety Executive, local authorities, Her Majesty's Revenue and Customs (HMRC), the Courts and any other central or local government bodies (acting as controllers or processors) where we are required to do so to comply with our legal obligations, or where they request it and we may lawfully disclose it, for example for the prevention and detection of crime or to report serious health and safety incidents. We also may share the information we collect with other third parties where we are legally obliged to do so; for example, to comply with a court order. How B&FC protects your data How long B&FC keeps your data Your rights If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer: Call: 01253 504064 Email: datarequest@blackpool.ac.uk If you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or on 0303 123 1113. Employees, Potential Employees and Ex-Employees How do B&FC capture and use personal data? B&FC collects information in connection with job applications in a variety of ways. For example, from application forms, CVs, passport and other identity documents; through interviews or other forms of assessment (e.g., selection tests, psychometric testing etc); from other employers, and from organisations who check criminal records. Additional personal data may be collected throughout the period of employment from professional development records, performance monitoring processes, surveys completed and by other means. This information may be collected electronically, on paper or through meetings. What data do B&FC capture and use? B&FC collects a range of information about job applicants and employees including: name, address, date of birth, gender, contact details, including email address and telephone number details of applicant’s qualifications, skills, experience and employment history information about applicants’ current level of remuneration, including benefit entitlements whether or not applicants have a disability for which B&FC needs to make reasonable adjustments during the recruitment process information about the applicant’s entitlement to work in the UK identification to be able to complete a DBS application equal opportunities monitoring information, including information about ethnic origin, sexual orientation, health and religion or belief the terms and conditions of employment for employees employee qualifications, skills, experience and employment history information about remuneration, including entitlement to benefits such as pensions and sick pay employee bank account details and national insurance number employee marital status, next of kin, dependants and emergency contacts information about nationality and entitlement to work in the UK information about criminal record as detailed within Enhanced DBS checks details of schedule (days of work and working hours) and attendance at work details of periods of leave taken, including holiday, sickness absence, family leave and the reasons for them details of any disciplinary or grievance procedures in which employee is involved, including warnings issued and related correspondence assessments of performance, including appraisals, performance reviews and ratings, training, performance improvement plans and related correspondence information about medical or health conditions, including about any disabilities for which B&FC needs to make reasonable adjustments details of trade union membership equal opportunities monitoring information, including information about key protected characteristics As part of the process of assessing applications and making job offers, B&FC also collects personal data about applicants from third parties. This includes references from former employers, information from occupational health provider, information from criminal records checks. Data is stored in a range of different places including on our Application Tracking System and other IT systems (including email). Why do we need to capture and use personal data? B&FC processes data to: manage the recruitment process and monitor applications assess the need for reasonable adjustments for candidates with disabilities and provide appropriate support assess and confirm a candidate's suitability for employment (e.g., undertaking criminal records checking, checking references, experience etc) comply with legal obligations (e.g., to check a successful applicant's eligibility to work in the UK) to make decisions about offers of employment ensure fairness, transparency and appropriate management of applications, shortlisting and appointment enter into a contract with employees and meet its obligations under said contract enable employees to be paid in accordance with employment contract, to administer benefits and pension entitlements, to enable employees to take statutory periods of leave enable tax to be deducted in accordance with the law operate progression and promotion processes maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency) and records of employee contractual and statutory rights operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes operate and keep a record of absence and allow effective workforce management obtain occupational health advice, ensure compliance with duties in respect of individuals with disabilities, meet its obligations under health and safety law operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave) ensure effective general HR and business administration provide references on request for current or former employees maintain and promote equality in the workplace. facilitate monitoring for equal opportunities purposes (e.g., special category data, such as ethnic origin, sexual orientation, health or religion or belief) meet its obligations in respect of safeguarding employees and students respond to and defend against legal claims Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). Information about trade union membership is processed to allow the organisation to operate deductions for union subscriptions. Where the organisation processes other special categories of personal data, such as information about the protected characteristics, this is done for the purposes of equal opportunities monitoring. Who has access to the personal data we collect and process? Personal data will be shared internally with members of the HR department, hiring managers and others involved in the recruitment process. Personal data may be shared with IT staff where it is necessary for the performance of their roles and with external staff who support our Applicant Tracking System, HireServe. Where personal data is received through a third party recruitment website (e.g., FE Jobs), data is protected by their privacy statement. B&FC will share personal data with third parties in order to perform necessary pre-employment checks (e.g., former employers to obtain references, occupational health provider to obtain medical clearance, Disclosure and Barring Service or Personnel Checks Ltd to undertake mandatory criminal records checks). Please note: Some employee roles may be partly funded from project funding, including European Social Fund (ESF) funding. This will usually be linked to specific projects and it may be necessary to share the employee's job description, salary details and timesheets with the Project Board in order to claim that funding. Where this is the case, the employee will be advised and any personal data will be shared securely. In all cases we may be compelled to share your data. These instances are most likely to relate to (but may not be confined to) The Police, the Health and Safety Executive, local authorities, Her Majesty's Revenue and Customs (HMRC), the Courts and any other central or local government bodies (acting as controllers or processors) where we are required to do so to comply with our legal obligations, or where they request it and we may lawfully disclose it, for example for the prevention and detection of crime or to report serious health and safety incidents. We also may share the information we collect with other third parties where we are legally obliged to do so; for example, to comply with a court order. How B&FC protects your data How long B&FC keeps your data Your rights If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer: Call: 01253 504064 Email: datarequest@blackpool.ac.uk If you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or on 0303 123 1113. Members of the Public and Others How do B&FC capture and use personal data? B&FC captures and processes personal data from members of the public who attend open events or who make enquiries about the courses we offer, from customers of our restaurant, beauty salons and other retail outlets, from customers and members of our sports centres and from those visiting our theatre, art gallery and other campus facilities. We do this by telephone, online, on paper and sometimes on CCTV. We may also process data received by social media with the consent of the data subject. What data do B&FC capture and use? Restaurants B&FC collect personal data for customers including name, address, contact information and payment details. This information is used to manage reservations and plan tabling. We also collect and use sensitive data such as dietary requirements and allergy information and data that helps us to give our customers appropriate access to and use of our facilities. Hair and Beauty Salons B&FC collect a range of personal data from customers including name, address, date of birth, contact information, occupation, treatment history and payment details. We also collect and use sensitive data such as relevant medical history and conditions, allergies and sensitivities and ethnic group in order to help us provide safe, accessible treatments, to identify any beneficial adjustments we need to make or special advice we need to give to our customers. Fitness Suites and Sports Centres B&FC collect a range of personal data from customers including name, address, contact details, bank/payment details, date of birth, employment/occupation type. We also collect and use sensitive data such as relevant health and medical history and conditions, disability, biometric data (e.g. weight, height & BMI) to help us understand whether customers would benefit from additional adjustments and/or special advice and guidance, and/or to draw up a personal fitness plan. B&FC collect and process data relating to children which has been provided by the parent/guardian of the child in question. This may be to process or manage a booking for premises (e.g., for party use) or for Holiday Sports Camps. We also collect and use sensitive data relating to children such as relevant health, medical and behavioural conditions or disabilities which help us identify where a child might benefit from reasonable adjustments or special support. Theatre B&FC collect a range of personal data for customers including name, address, contact details, bank/payment details. We also collect and use sensitive data such as disability or medical conditions to help us understand where customers would benefit from additional support or reasonable adjustments. General B&FC collects CCTV images on college premises in order to manage security, ensure the health, safety and wellbeing of students, employees and visitors. Why do we need to capture and use personal data? We process personal data of our customers to process and manage bookings, to schedule reservations and appointments and to fulfil any contractual obligations relating to customer requests. Sensitive data is collected and processed in order to for us to ensure we comply with our legal obligations in respect of health and safety, safeguarding, equality and diversity. Personal data is only shared with employees, students in training and volunteers where it is necessary to enable them to safely provide the service(s) our customers’ request. Who has access to the personal data we collect and process? Customers of Restaurants, Salons, Sports Centres, Theatres and other B&FC retail outlets – personal data will be shared with employees, students in training and volunteers to enable them to safely provide service(s) to our customers. This data will also be shared with appropriate internal departments (such as Finance, for example, in relation to the processing of payments), and external third parties (such as insurers or legal representatives for example) in the event of complaints or claims made against us. Information used to process bookings in our restaurants may be passed to a third party booking system to help us manage reservations and operate the restaurant efficiently. In all cases we may be compelled to share your data. These instances are most likely to relate to (but may not be confined to) The Police, the Health and Safety Executive, local authorities, Her Majesty's Revenue and Customs (HMRC), the Courts and any other central or local government bodies (acting as controllers or processors) where we are required to do so to comply with our legal obligations, or where they request it and we may lawfully disclose it, for example for the prevention and detection of crime or to report serious health and safety incidents. We also may share the information we collect with other third parties where we are legally obliged to do so; for example, to comply with a court order. How B&FC protects your data How long B&FC keeps your data Your rights If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer: Call: 01253 504064 Email: datarequest@blackpool.ac.uk If you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or on 0303 123 1113. How B&FC protects personal data B&FC have a range of technical and operational measures in place to protect personal data from accidental destruction, misuse or disclosure. Data stored electronically is governed by role-based access control, based on the minimum required by for an employee to carry out their duties. Data is encrypted in transit, and all systems require secure passwords for access. All personal data is secured behind firewalls to prevent unauthorised access, with implicit deny rulesets in place. Comprehensive anti-virus, web filtering and email filtering tools are in place, along with strict patching cycles to minimise cyber-attacks and potential security exploits. All B&FC employees attend GDPR awareness training as part of induction before they are permitted to access any personal data. Employees are only given access to personal data if they need to use it as part of their role and access to our databases is strictly controlled. Only staff with the relevant training have access and access is removed when staff leave B&FC. We have a Clean Desk Clear Screen policy to ensure no personal data is accessible in offices or public spaces and a Code of Practice for Information Sharing which provides guidance for sharing information appropriately with others (such as the police or employers seeking references). Emails sent externally are encrypted and, where personal data is shared by email, we provide it in password-protected attachments and send the passwords separately (usually by telephone). We have a suite of policies, procedures and codes of practice to enable us to appropriately manage our obligations under the GDPR. They are as follows: Clean Desk Clear Screen Policy Clean Desk Clear Screen Procedure Consent Withdrawal Form Data Protection Policy Data Protection Code of Practice Data Breach Reporting/Management Procedure Privacy Impact Assessment Procedure Rights of Individual Code of Practice Sharing Information Code of Practice Subject Access Request Procedure If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer: Call: 01253 504064 Email: datarequest@blackpool.ac.uk If you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or on 0303 123 1113. How long do we keep personal data? We keep different types of data for different lengths of time depending on need and our obligations. These are explained in section 5.2 of our Data Protection Code of Practice. Where we ask for consent to collect or use personal data, the data subject can withdraw that consent at any time. Students, employees, applicants and others can ask us to delete some or all of those data items or stop us from using it for certain purposes. This is done by completing a withdrawal of consent form and sending it to the datarequest@blackpool.ac.uk data protection office or by calling us on 01253 504064. Your Rights Under GDPR, all individuals have rights over their personal data. B&FC customers, suppliers, partners and any individuals about whom B&FC processes personal data have the following rights: The right to be informed means you can: Identify what data we are collecting from you including: the purpose and use of your personal data, how long we will keep your information for and who it will be shared with. Be kept up to date where the purpose of processing your information changes. Identify any personal information that the College has obtained about you from other sources. Identify the lawful basis for processing your information. Identify where we may transfer your personal information to any countries or organisations outside the EU. Receive information as to how to lodge a complaint with the supervisory authority. The right of access means you can: Ask us to confirm the Personal Data we hold about you - you are entitled to know what categories of data B&FC holds, why we hold it, who we have shared (or will share) it with and how long we will keep it. If we collected the data from a third party, you are entitled to know who and how. Ask us to correct any inaccuracies in the data, update it, restrict how we use it or delete it (the last 2 are not absolute rights and it depends why we need the data as to whether we can do these things). Request a copy of the Personal Data we hold about you (this is known as a Subject Access Request or SAR) and we will provide it Complain to the ICO if you are unhappy about how B&FC deals with any such request or about the way B&FC handles your Personal Data The right to rectification means you can: Ask us to correct any inaccurate personal data we hold about you and we will do so within one month (or two months if your request is complex). If we have shared the information with other organisations, we will tell them about the correction as well. Ask us to update any data we hold about you that is incomplete The right to erasure (right to be forgotten) means you can: Ask us to delete the data we have about you (this right is limited in scope and does not apply to every individual or case). The right to be forgotten applies when: the data is no longer necessary for the purpose we collected it you withdraw consent and we have no other legal basis to use that data you object to us processing and there is no overriding legitimate interest to continue processing that data the personal data was unlawfully processed or the personal data has to be erased to comply with a legal obligation If we have disclosed the deleted personal data to any third parties we must tell you who they are and we must inform them to delete the data if we can. The right to restrict processing means you can: "Block” or “suppress” the processing of your personal data under some circumstances. If the right applies and we have shared the data with other organisations, we will tell you who they are and we will inform them about the restriction if we can. The right to data portability means you can: Obtain a copy of your personal data in a structured, commonly-used and machine-readable format (such as CSV files) to help you. This only applies under certain circumstances. The right to object means you can: Object to us processing your personal data under certain circumstances Your rights in relation to automated decision-making mean you can: (Under some circumstances) prevent us from making decisions based solely on automated processing, including profiling. Automated decision-making is where an organisation makes a decision about you solely by automated means without any human involvement. Profiling happens where an organisation automatically uses personal data to evaluate certain things about you. If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer: Call: 01253 504064 Email: datarequest@blackpool.ac.uk If you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or on 0303 123 1113.