General Data Protection Regulation (GDPR)

Ubique Risk Management Privacy Policy 

Introduction 

Ubique Risk Management has created this document to demonstrate its commitment to data privacy and its alignment to the requirements of the Data Protection Act 1998 and, in substitution from 25 May 2018, the General Data Protection Regulation 2018 (“GDPR”) in respect of handling and processing personal data. 


We have been recognised for our high quality standards, having passed the "GDPR ready" assessment as well as Cyber Essentials and IASME Governance. This is evidence that we have a suitable governance system for the management and protection of personal data, meeting the new EU GDPR compliance standards in addition to our existing UK Data Protection Act standards and Information Commissioner's Office (ICO) registration.


Data received from Clients


We will collect and process data that is provided to us from our clients.  Personal data may be included in the data they provide about learners.  It is important that contractual arrangements with those individuals clearly set out how our clients will use their data and with whom it could potentially be shared. We require all our clients to comply with the GDPR.


By adding individuals’ personal data to our systems, or by sending personal data via email or by other methods to Ubique Risk Management, the clients give consent to us processing the data and they confirm that they have obtained the appropriate consent from the relevant individuals for the personal data to be processed by Ubique Risk Management.


Ubique Risk Management will retain and use this data to perform the contract between us and our clients whilst they remain in contract and will further use it where it is in Ubique Risk Management’s legitimate interest, for example fraud prevention.


Learners’ Data


You may provide us with personal data when you book onto our courses.  We will collect this as a Data Controller and Data Processor in our role as an Approved Training Centre.  The personal data is usually limited to the details required for us to undertake the basic functions of an Approved Training Centre and processed as a 'third party' to related Awarding Bodies for the applicable certification process.  These details will include a learner’s name, date of birth, gender and contact details.  For certain qualifications, such as those within the security industry, data held will include photo images and signatures in line with the Security Industry Authority’s (“SIA”) requirements.


In line with the Awarding Bodies' regulatory requirements and requirements to deliver future services such as certificate re-prints and the confirmation of awards, this basic learner-level data will be held by the Awarding Bodies indefinitely.  Ubique Risk Management will hold this data securely on our systems for no longer than 3 years from the date of completion of the course attended and then it will be destroyed or deleted.


Learners may also contact Ubique Risk Management to request certificate replacements in the first 3-year period.  In these circumstances, a record of a learner’s address is taken if different to the one held on file so that the certificate can be sent.  This is held on file for a maximum of 6 months before it is destroyed or deleted if this period of time exceeds the original 3-year end period.

End-Point Assessment


Ubique Risk Management will process personal data for the performance of End-Point Assessment.  We collect this personal data in the capacity of a Data Controller and also as a Data Processor in our 'third party' role to related Awarding Bodies.


Employers will provide Ubique Risk Management with data for the processing of assessments for learners; it is the responsibility of the Employer to ensure that learners are aware of, and have consented to, their data being shared with Ubique Risk Management.  Ubique Risk Management may share this data with Associate End Point Assessors, Awarding Organisations and Regulators.  We have carried out a comprehensive review of their activities in relation to GDPR and agreements are in place which will be reviewed annually.


Data sharing


Other than as set out in the next paragraph and even where we collect personal data in the capacity of a Data Controller, we will never distribute or share personal data that is held on our system with any third parties other than Ubique Risk Management’s employees, consultants and sub-contractors, and then only if required for operational delivery.  We may also share personal data with Awarding Bodies in respect of:


* Security qualifications: learner details, including photo ID and signatures, will be provided to the SIA;
* All qualifications or endorsed training: including names, dates of birth, addresses, signatures and contact details;
* The Learning Record Service (LRS) – where unique learner numbers (ULNs) have been provided, learner and qualification data is shared with the LRS; and
* Investigations carried out by Awarding Bodies and/or Regulatory Bodies.


External Consultants and Suppliers

Ubique Risk Management engage the services of external freelance consultants and suppliers for various purposes within the company.  It is necessary to obtain and retain personal data for the fulfilment of contracts.  We collect this personal data in the capacity of a Data Controller.  Data, including but not limited to names, addresses, contact details, professional qualifications, identification documents and bank details, will be held on our systems.


We collect tutor and assessor personal data and use it for the purpose of maintaining centre approval to use them for formal qualifications through the awarding bodies of which we are members.  


Contracts are reviewed annually, and inactive partnerships are deleted from systems.  It is necessary to share bank details with our bankers to make payments for services; Ubique Risk Management will always make sure that the details are only processed using secure banking systems.


Ubique Risk Management will never share this information elsewhere outside of the company unless required to do so by a regulatory or legal authority.


Website use – tracking and monitoring


Our website uses cookies to distinguish you from other users of our website.  We may automatically collect the following information when you visit our website: your IP (Internet Protocol) address, your login information, your browser type, time zone settings, browsers and operating systems used; and information about your visit, such as the pages visited or documents downloaded.


Security


Ubique Risk Management’s online systems have security measures in place to help protect against the loss or misuse of any data under our control.


When the website is accessed by users, data traffic is encrypted using up-to-date secure socket layer (SSL) technology so that it can only be accessed by the end user.  All sensitive information on the website, such as passwords, is encrypted by a proprietary encryption system.  All personal data can only be accessed by the relevant end users by way of unique user names and passwords that must be entered when a user logs in.


Where we store data


All data in Ubique Risk Management’s systems is stored on a secure server hosted by our hosting provider.  The server resides in the United Kingdom.  Data is frequently backed up and stored on the secure backup/disaster recovery external hard drive.


The secure server hosting facility and external hard drive have the necessary environmental, physical and technical controls in place to ensure unapproved access is prevented.


Data breach incidents


In line with our regulatory requirements, Ubique Risk Management has a set of processes for issue and incident management, including data breaches. These processes include the required notifications to be sent to the Information Commissioner's Office and to our clients, contractors and learners.  This is reviewed annually and may be subject to change.


The General Data Protection Regulation 2018


Ubique Risk Management has adapted its policies and procedures to ensure it is compliant with the GDPR.  This document has been produced to represent our current status and will be reviewed annually and updated as processes are developed.


Under GDPR, individuals have certain rights when it comes to the control of personal data:


* The right to be informed - Each individual has the right to be given information about how their data is being processed and why. Ubique Risk Management have provided this policy to show how we handle your data.
* The right of access - Ubique Risk Management have a duty to comply with the requirements of Subject Access Requests (SAR).
* The right to rectification - The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
* The right to be forgotten - You have the right to ask Ubique Risk Management to remove your data.
* The right to restrict processing - You may restrict processing for a legitimate reason; we would still have the right to hold that information.
* The right to data portability - You may be able to obtain the information we hold about you and use it for your own purposes. Conditions apply.

Should you wish to exercise any of your rights above, please email info@ubiqueriskmanagement.co.uk stating the following information:

* Name
* Contact details
* Relationship to Subject
* Full details of information relating to your request
* Reason for request and the right being exercised.

You will be asked to verify your identity if you are the subject; alternatively, you will be asked to provide consent from the subject if you are a representative.


Should we require further information we will contact you.


Your request will be dealt with within one month of receipt.