Data Protection Policy

1. Purpose Statement

This policy sets out how we comply with our data protection obligations and seek to protect personal information relating to our workforce. Its purpose is also to ensure that staff understand and comply with the rules governing the collection, use and deletion of personal information to which they may have access in the course of their work.

We regard the lawful and correct treatment of personal information as very important to our successful operations and to maintaining confidence between the Company and those with who it carries out business. We will ensure that we treat personal information lawfully and correctly.

Personal information will be handled and dealt with properly however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means.

As part of our commitment to data protection, we will review and update this policy regularly in accordance with our data protection obligations. We may amend, update or supplement it from time to time. We will circulate any new or modified policy to staff when it is adopted.

2. Terminology Definitions

Data breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information.

Data subject – means the individual to whom the personal information relates.

Personal information – (sometimes known as personal data) means information relating to an individual who can be identified (directly or indirectly) from that information.

Processing information – means obtaining, recording, organising, storing, amending, retrieving, disclosing and / or destroying information, or using or doing anything with it.

Sensitive information – (sometimes known as ‘special categories of personal data’ or ‘sensitive personal data’) means personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation.

3. Guidance

Information security

Datalaw will use appropriate technical and organisational measures to keep personal information secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

International transfers

Most of our processing takes place in the UK and the European Economic Area (EEA), with production systems hosted in European AWS regions. Where personal information is transferred outside the UK (for example to US-based service providers such as Microsoft, Zoom, and our email and payment providers), the Company relies on appropriate safeguards under Articles 44-46 UK GDPR: the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the UK-US Data Bridge where the recipient is certified. Details of recipients and safeguards are in our published Privacy Policy.

Storage and retention of personal information

Personal information (and sensitive personal information) should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal information was obtained. Staff should follow the Company’s records retention policy which set out the relevant retention period. Where there is any uncertainty, staff should consult the Commercial Director.

Disposing of Data

Data will be disposed of through either confidential shredding using an external contractor or purging from the company servers. Where computer equipment is disposed of, all data shall be removed and storage media such as hard disks, Tablets, iPads and USB memory sticks will be “electronically” shredded or a similar procedure to ensure that data can’t be “reclaimed”

Data breaches

Datalaw takes every care in protecting the personal information it holds and avoiding risks which could lead to a compromise of security and a potential data protection breach. Compromised security and/or data breaches can result in harm to the individual(s) involved, reputational damage to the Company, detrimental effect on service provision, legislative non-compliance, and/or financial costs.

Training

The Company will ensure that staff are adequately trained regarding their data protection responsibilities. Individuals whose roles require regular access to personal information, or who are responsible for implementing this policy or responding to subject access requests, will receive

additional training to help them understand their duties and how to comply with them.

4. Staff Data

Datalaw believes that the following list of records and their use are consistent with the employment relationship and principles of the UK GDPR. The information will be held for our management and administrative use only, but there may be occasions when we need to disclose some information we hold to a relevant third party especially where we are legally obliged to do so (for example HM Revenue & Customs (HMRC)). We may also transfer information to another organisation, but this would be connected with an employee’s career or due to the management of the employment relationship; for example, to our external provider of HR and payroll services so that staff may be paid.

Examples of information Datalaw is responsible for:

  • Information gathered about a member of staff and any references obtained during recruitment
  • Details of terms of employment
  • Payroll, tax and National Insurance information
  • Performance related information
  • Details of grade and job duties
  • Health records
  • Absence records, including holidays and self-certification forms
  • Details of disciplinary investigations and proceedings
  • Training records
  • Contact name and addresses
  • Any other information provided to Datalaw in connection with employment

Information relating to a member of staff’s health in relation to health and safety, reasonable adjustments under the Equality Act 2010 and personnel records and administration. Specialist agencies such as our HR providers will also keep data related to health and this will be kept in line with the principles of the UK General Data Protection Regulation and Access to Medical Reports Act 1988.

• Any data in connection with the requirement to undertake a criminal records/disclosure and barring service check to enables Datalaw to assess an employee’s suitability for employment

Members of Staff are responsible for:

  • Ensuring that any information that they provide to Datalaw in connection with their employment is accurate and up to date
  • Informing Datalaw of any changes to information, which they provide, for example, change of address
  • If as part of their job, members of staff collect information about other living people, they must comply with this Data Protection Policy and Guidelines
  • Ensuring that personal data is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party

5. Learner Data

Datalaw believes that the following list of records and their use are consistent with the learner relationship and principles of the UK GDPR. The information will be held for our management, administrative and marketing use, together with disclosure of some of the information we hold to relevant third parties where we are obliged to do so (for example, the DWP Department for Work and Pensions). When using learner data for marketing purposes, prior consent is sought.

Data will also be transferred to other organisations where necessary (for example internal and external auditors).

Examples:

  • Basic personal information gathered about a learner (name, address, gender, DOB)
  • Sensitive information gathered about a learner (Ethnicity, Disability, Learning Difficulties)
  • Details of a learner’s programme of learning
  • Examination details relating to a learner (entries and results)
  • Attendance details for a learner
  • Information relating to school/career history and future destinations of learners on completion of their Apprenticeship
  • Case studies highlighting successful learners

Learners are responsible for:

  • Ensuring that information they provide to Datalaw in connection with their apprenticeship is accurate and up to date and informing Datalaw of any changes to information which they provide, for example, change of address, change of name etc.

6.Confidentiality

Datalaw requires all members of staff to comply with the UK General data Protection Regulation in relation to the information it holds. Failure to maintain confidentiality e.g. unauthorised, inappropriate or excessive disclosure of or obtaining information about individuals, will be regarded as serious misconduct and will be dealt with in accordance with Datalaw’s disciplinary policy and procedure. Where a member of staff has specific responsibility for the management of personal sensitive data, they will be given additional guidance on their obligations. However, members of staff must ask if they are unsure. Datalaw operates a whistle blowing policy which gives effect to our wish that no member of staff should feel reluctant for fear of management’s response, to give information about any wrongdoings within the organisation.

7.Staff and Learner Rights

Members of staff and learners (Data Subject) have rights under the UK GDPR. In particular, they have the right of access to personal data held about them by Datalaw and the right to have inaccurate personal data corrected.

Data Subjects have other rights which include:

  • The right to erasure of their data
  • The right of access
  • The right to restrict processing
  • The right of data portability
  • The right to object to data processing
  • The right not to be subject to a decision based solely on automated processing which produces legal or similarly significant effects (Article 22 UK GDPR)
  • The right (under section 164A of the Data Protection Act 2018, in force since 19 June 2026) to complain directly to Datalaw about the handling of their personal data, via the data protection complaints form on our website or dpo@datalaw.org, in addition to the right to complain to the Information Commissioner’s Office at any time

8. Data Protection Officer Contact Details

To obtain a copy of information held about you, to which the UK GDPR applies, a ‘Data Subject Access Request’ must be sent to the Data Protection Officer (dpo@datalaw.org). Datalaw will comply with the request within one calendar month of receipt. Where a request is complex or numerous, this period may be extended by up to a further two months in line with Article 12(3) UK GDPR, and the person making the request will be informed of the extension and the reasons for it within the first month. In line with the Data (Use and Access) Act 2025, Datalaw will carry out a reasonable and proportionate search for the requested information, and the response period pauses while identity is verified or clarification of the request is awaited.

Staff Name Title Area of responsibility Phone number Email
Henry Dean Data Protection Officer Data protection compliance (staff and learner data) 0151 236 2024 dpo@datalaw.org
Reviewed Date 25th March 2026 Next Review Due Date 25th March 2027
Reviewed by S Parsons

Quality Assurance Manager

Signature S E Parsons
Updated Date 7th July 2026 Next Review Due Date 25th March 2027
Updated by Henry Dean
Data Protection Officer
Signature H Dean

Version note: updated 7 July 2026 by Henry Dean, Data Protection Officer. Corrections: DPO contact details; international transfers statement; statutory references (Equality Act 2010, Access to Medical Reports Act 1988, HMRC); subject access timescales aligned to Article 12(3) UK GDPR and the Data (Use and Access) Act 2025; Article 22 and section 164A rights added. This version supersedes the version reviewed 25 March 2026.