Data Retention

DATA RETENTION POLICY

Introduction to the policy

The London Hairdressing Apprenticeship Data retention policy sets out what information The London Hairdressing Apprenticeship Academy Limited (LHAA) and The London Beauty training Academy Limited (LBTA) hold, how long we hold it for and when it will be deleted.

The LHAA needs to keep certain information about its employees, learners and other users to allow it to monitor performance, achievements, and health and safety, for example.  It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with.  To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.  To do this, the LHAA must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act) and revisions.  In summary these state that personal data shall:

  • be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met
  • be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
  • be adequate, relevant and not excessive for those purposes
  • be accurate and kept up to date
  • not be kept for longer than is necessary for that purpose
  • be processed in accordance with the data subject’s rights
  • be kept safe from unauthorised access, accidental loss or destruction
  • not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data

The LHAA and all staff or others who process or use any personal information must ensure that they follow these principles at all times.  In order to ensure that this happens, the LHAA has developed the Data Protection Policy.

STATUS OF THE POLICY

This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the LHAA from time to time.  Any failures to follow the policy can therefore result in disciplinary proceedings.

Any member of staff, who considers that the policy has not been followed in respect of personal data about themselves, should raise the matter with the LHAA Managing Directors.  If the matter is not resolved it should be raised as a formal grievance.

The policy covers the procedure to follow regarding data requests.

  • Information held by us
  • How long is personal data held for?
  • Where is personal data held?
  • How personal data is deleted
  • Access to personal information, correction and deletion

NOTIFICATION OF DATA HELD AND PROCESSED

All staff, learners and other users are entitled to:

  • know what information the LHAA holds and processes about them and why
  • know how to gain access to it
  • know how to keep it up to date
  • know what the LHAA is doing to comply with its obligations under the 1998 Act and its revisions

The LHAA will therefore provide all staff and learners and other relevant users with a standard form of notification.  This will state all the types of data the LHAA holds and processes about them, and the reasons for which it is processed.  

RESPONSIBILITIES OF STAFF

 All staff are responsible for:

  • checking that any information that they provide to the LHAA in connection with their employment is accurate and up to date
  • informing the LHAA of any changes to information, which they have provided i.e. changes of address
  • checking the information that the LHAA will send out from time to time, giving details of information kept and processed about staff
  • informing the LHAA of any errors or changes.  The LHAA cannot be held responsible for any errors unless the staff member has informed the LHAA of them

If and when, as part of their responsibilities, staff collect information about other people, (i.e. about learners’ course work, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with the guidelines for staff, which are at Appendix 1.

All staff will complete training in GDPR as a component of their induction to employment at the LHAA.

LEARNER OBLIGATIONS 

Learners must ensure that all personal data provided to the LHAA is accurate and up to date.  They must ensure that changes of address, etc. are notified to the learner registration office/other person as appropriate.

DATA SECURITY

All staff are responsible for ensuring that any personal data which they hold is kept securely, and that personal information is not disclosed, either orally or in writing, accidentally or otherwise, to any unauthorised third party.

  • Personal data about clients, financial transactions and employees is held on our secure servers, which are backed up every day and which can be accessed only by the Managing Director
  • Personal information must be kept in a locked filing cabinet or in a locked drawer; if it is computerised, it must be password protected; and when kept or in transit on portable media, the files themselves must be password protected
  • Personal data should never be stored at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites
  • Personal data should not be processed at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites. In cases where such off-site processing is felt to be necessary or appropriate, the agreement of the relevant Data Controller must be obtained, and all the security guidelines given in this document must still be followed
  • Data stored on portable electronic devices or removable media is the responsibility of the individual member of staff who operates the equipment. It is the responsibility of this individual to ensure that:
      • Suitable backups of the data exist
      • Sensitive data is appropriately encrypted
      • Sensitive data is not copied onto portable storage devices without first consulting a Data Controller in regard to appropriate encryption and protection measures
      • Electronic devices such as laptops, mobile devices and computer media that contain sensitive data are not left unattended when offsite

PROCESSING SENSITIVE INFORMATION

Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender and family details.  This may be to ensure the LHAA is a safe place for everyone, or to operate other LHAA policies, such as the sick pay policy or equal opportunities policy.  Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and learners will be asked to give express consent for the LHAA to do this.

THE DATA CONTROLLER 

The LHAA as a body corporate is the data controller under the Act, and the board is therefore ultimately responsible for implementation. However, there are designated data controllers who deal with day to day matters. 

The LHAA has designated data controllers, the first of which is the primary authorisation for receipt and supply of data requests. They are:

  • Managing Directors
  • Director of Quality
  • Director of MIS and Funding
  • Director of Finance

INFORMATION HELD BY US

We hold personal information about:

  • Learners
  • Clients / Models
  • Former Learners and prospective Learners
  • Former clients/Models and prospective clients/Models
  • Employees and past Employees
  • Employer Co-Investment / Levy contributions
  • Job applicants

We also hold information about financial transactions relating to the above where necessary or where we are legally required to do so, e.g. services or treatments provided, products, payroll information, learner enrolment and achievement and certification data.  We will hold medical information pertaining only to client/learner use, and only for the periods shown below or as required by law or by The Skills Funding Agency.

HOW LONG IS PERSONAL DATA HELD FOR?

We aim not to hold personal data longer than necessary.  Unless requested by an individual, the following types of data will be held for the periods shown below, after which it will be securely deleted or destroyed:

| TYPE OF INFORMATION | RETENTION PERIOD |
|---|---|
| Client general records | 12 months |
| Client health records | 4 years |
| Financial transactions, invoices and supplier details | 6 years |
| Employee records, contracts of employment, changes to terms and conditions, annual leave, training records | While employment continues and up to 6 years after employment ends |
| Payroll and wage records including PAYE, income tax, national insurance, sick pay, redundancy payments | 6 years from the financial year-end in which payments were made |
| Maternity records | 3 years after the end of the tax year in which the maternity pay period ends |
| Learner Information | 7 years |
| Employer Financial transactions | 7 years |
| Job applications (unsuccessful) | 6 months after notifying unsuccessful candidates |
| Emails | One year from the end of the month in which they were received or sent unless a longer period is relevant as above.  Emails to and from ex-employees or contractors will be deleted within 6 weeks of them leaving unless these form part of the employment record – see above. |


HOW IS PERSONAL DATA DELETED?

Personal data is permanently deleted in accordance with the retention periods listed above from:

  • Electronic files
  • Emails
  • Paper records, which are securely shredded.  

ACCESS TO PERSONAL INFORMATION, CORRECTION AND DELETION

A copy of our Privacy notice can be found online at  or www.lhaa.co.uk or www.lbta.co.uk and is attached to this consent form.

All requests for access to personal information will be handled by the Managing Director. 

Responses to requests will be made within 30 days.

 All information relating to the individual will be compiled into a report and collected from:

  • Financial transactions where relevant
  • Emails
  • Other electronic records
  • Paper records (where applicable)


Appendix 1 

STAFF GUIDELINES FOR DATA PROTECTION.

All staff will process data about learners on a regular basis, marking registers, writing reports or academic references, or as part of pastoral or academic supervision. The LHAA will ensure that through registration procedures all learners give their consent to this sort of processing and are notified of the categories of processing as required by the 1998 Act.

The information that staff deal with on a day to day basis will be “standard” and will cover categories such as:

  • General personal details such as name and address,
  • Details of attendance, course work marks and grades and associated comments.
  • Notes of personal supervision, including matters about behaviour and discipline.

Information about a learner’s physical or mental health, sexual life, political or religious views, trade union membership, or ethnicity or race is sensitive and can only be collected and processed with the learner’s consent. If staff need to record this information, they should use a standard LHAA form, e.g. recording information about dietary needs, for religious or health reasons, prior to taking learners on a field trip; or recording information that a learner is pregnant, as part of pastoral duties.

All staff have a duty to make sure they comply with the data protection principles, which are set out in the Data Protection Policy. In particular staff must ensure that records are:

  • Accurate;
  • Up to date;
  • Fair;
  • Kept and disposed of safely and in accordance with the policy.

The LHAA will designate selected staff as “authorised staff”. These staff are the only staff authorised to hold or process data that is:

  • Non-standard data; or
  • Sensitive data. 

The only exception to this will be if a non-authorised staff member is satisfied that the processing of the data is urgent and necessary in all the circumstances. For example:

  • a learner is injured and unconscious but in need of medical attention and a staff member tells the hospital that the learner is pregnant.

Authorised staff will be responsible for ensuring that all data is kept securely. 

Staff must not disclose personal data to any learner, unless for normal academic or pastoral purposes, without authorisation or agreement from the data controller, or in line with the data protection policy.

Staff shall not disclose personal data to any other staff member except with the authorisation or agreement of the designated data controller, or in line with the policy.

Before processing any personal data, all staff should consider the following checklist:

  • Do you really need to record the information? Is the information “standard” or is it “sensitive”?  If it is sensitive, do you have the data subject’s express consent?
  • Has the learner been told this type of data will be processed?
  • Are you authorised to collect/store/process the data?
  • If yes have you checked with the data subject that the data is accurate?
  • Are you sure that the data is secure?
  • If you do not have the subject’s consent to process, are you satisfied that it is in the best interests of the learner or the staff member to collect and retain the data?
  • Have you reported the fact of data collection to the authorised person within the required time? 