POLICIES & PROCEDURES:
DATA PROTECTION

• Data Protection Policy

• Password Security Policy

• Protecting ICT within the PREVENT Framework

• Data Protection Privacy Policy

• Computer Acceptable Use Policy

• DATA PROTECTION POLICY

We regard the lawful and correct treatment of personal information by Crosby Training as very important to successful operations and for maintaining confidence between ourselves and those with whom we deal.  We therefore make every effort to ensure that personal information is treated lawfully and correctly.

Crosby Training needs to collect a range of personal information in order to operate. This includes information about current, past and prospective employees, clients, Jobcentre Plus and others with whom it communicates. The company requires this information to support the administration of contracts with Jobcentre Plus and external providers. In addition, it may occasionally be required by law to collect and use information of this kind, for example to comply with the requirements of government departments for business data. This personal information must be dealt with properly however it is collected, recorded and used – whether on paper, in a computer, or recorded on other material – and there are safeguards to ensure this in the Data Protection Act 1998.

We fully endorse and adhere to the Principles of data protection, as detailed in the Data Protection Act 1998. The Privacy Policy adheres to the requirements of the GDPR Regulations, May 2018.

Specifically, the Principles require that personal information:

• Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
• Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
• Shall be adequate, relevant and not excessive in relation to that purpose or purposes for which they are processed
• Shall be accurate and, where necessary, kept up to date
• Shall not be kept for longer than is necessary for that purpose or those purposes
• Shall be processed in accordance with the rights of data subjects under the Act

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Crosby Training will, through appropriate management and application of criteria and controls:

• Observe fully conditions regarding the fair collection and use of information
• Meet its legal obligations to specify the purposes for which information is used
• Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
• Ensure the quality of information used
• Apply strict checks to determine the length of time the information is held
• Ensure that the rights of people about whom information is held can be fully exercised under the Act. These include the right to be informed that processing is being undertaken and the right of access to one’s personal information
• Take appropriate technical and organisational security measures to safeguard personal information
• Ensure that personal information is not transferred abroad without suitable safeguards

Anybody wanting to make enquiries about handling personal information should contact Crosby Training in the first instance.

Crosby Training expects all employees with access to personal information to respect the need for confidentiality and to avoid improper use or transfer of such information. Any employee who fails to adhere to these principles may be subject to disciplinary action.

• PASSWORD SECURITY POLICY

PURPOSE

Passwords are the primary form of user authentication used to grant access to Crosby Training’s information systems. To ensure that passwords provide as much security as possible, they must be carefully created and used. Without strict usage guidelines, the potential exists that passwords will be created that are easy to break, thus allowing easier illicit access to Crosby Training’s information systems and thereby compromising the security of those systems.

SCOPE

This Password Policy applies to all information systems and information system components of Crosby Training. Specifically, it includes:

• Workstations, servers and other devices that provide centralised computing capabilities.
• Desktops, laptops and other devices that provide distributed computing capabilities.
• Routers, switches and other devices that provide network capabilities.
• Firewalls and other devices that provide dedicated security capabilities.

POLICY

• Passwords must be constructed according to set length and complexity requirements. As such, passwords must be 8 characters in length and must include letters (either upper or lower case), numbers, and special characters.
• Passwords will have both minimum and maximum lifespan. As such, passwords must be replaced at a maximum of 90 days and at a minimum of 30 days.
• Passwords may not be reused any more frequently than every 12 password refreshes. Reuse includes the use of the exact same password or the use of the same root password with appended or pre-pended sequential characters.
• Passwords are to be used and stored in a secure manner. As such, passwords are not to be written down or stored electronically. Passwords are to be obscured during entry into information system login screens and are to be transmitted in an encrypted format.
• Passwords are to be individually owned and kept confidential and are not to be shared under any circumstances.


Violation of any of the constraints of the ICT policies or procedures will result in disciplinary action.

• PROTECTING ICT WITHIN THE PREVENT FRAMEWORK

POLICY

We aim to adhere to the Prevent Strategy Guiding principles:

Prevent is part of our counter-terrorism strategy. Its aim is to stop people becoming terrorists or supporting terrorism.  Crosby Training is committed to Prevent and depends on a successful integration strategy.

Crosby Training works with local communities and local authorities in this strategy.

INTRODUCTION

The UK faces a range of terrorist threats. All the terrorist groups who pose a threat to us seek to radicalise and recruit people to their cause but the percentage of people who are prepared to support violent extremism in this country is very small. It is significantly greater amongst young people; these account for a high percentage of our learners.

There is evidence to indicate that support for terrorism is associated with rejection of a cohesive, integrated, multi-faith society and of parliamentary democracy. Work to deal with radicalisation will depend on developing a sense of belonging to this country and support for our core values.

THE INTERNET

The Internet has transformed the extent to which terrorist organisations and their sympathisers can radicalise people in this country and overseas. It enables a wider range of organisations and individuals to reach a much larger audience with a broader and more dynamic series of messages and narratives. It encourages interaction and facilitates recruitment.

The way people use the Internet also appears to be conducive to these processes. Despite the wealth of information available, people often talk to those whose views are similar to their own, encouraging group thinking and inhibiting external challenge.

Crosby Training has security measures in place to stop any learners visiting any sites that incite radicalisation and sees this as a vital part of the policy.

There are a number of internet-specific measures which Crosby Training takes to address the threat of radicalisation online. They include steps to:

  1. Limit access to harmful content online
  2. Ensure that action is taken to try to stop unlawful and harmful content from being allowed through the firewall.

Crosby Training has filtering software that has the ‘kitemark’. The kitemark covers commercial filtering software.

Online material can be referred to the CTIRU through the Directgov website, which also explains how material which is unlawful or offensive can be referred directly to the company which hosts the relevant site and whose contractual terms of use may be breached by it.

There are some projects intended to educate Internet users so that they can protect themselves online. These projects have educated users in the techniques being used by online radicalisers and have reached schools, community groups, youth centres and mosques. Crosby Training staff have all attended CHANNEL training to gain a better understanding of PREVENT and what is best practice.

Internet filtering across our sites is essential. We want to ensure that learners are unable to access unlawful material.

YouTube has introduced a ‘promoting terrorism’ referral flag for any content of a terrorist nature, enabling YouTube users to report terrorist content which might be in breach of YouTube’s Community Guidelines. Crosby Training does not allow YouTube to be accessed at any of its sites.

CROSBY TRAINING’S RESPONSIBILITY

To have the following in place in all of its Centres:

• Oversight arrangements

• Appropriate accountability

• Monitoring 

• Evaluation

• DATA PROTECTION PRIVACY POLICY

To meet the requirements of the General Data Protection Regulation, which came into force on May 25th 2018, Crosby Training has amended its Privacy Policy.

1. YOUR RIGHTS

You have a number of rights in relation to your personal information and the opportunity to choose how it is used. You have:

• The right (in certain circumstances) to request that we delete personal data held on you where we no longer have any legal reason to retain it (i.e. the right of erasure or to be forgotten);
• The right to ask us to update and correct any out of date or incorrect personal data that we hold about you (i.e. the right of rectification);
• The right to opt out of any communications that we may send you and to object to us using or holding your personal data if we have no legitimate reasons to do so (i.e. the right to object);
• The right (in certain circumstances) to ask us to ‘restrict processing of data’; this means that we would need to secure and retain data for your benefit but not otherwise use it (i.e. the right to restrict processing).

The exercise of these rights is subject to exceptions set out in the General Data Protection Regulation and Data Protection Act (reg May 2018).

You may opt out of receiving further communications from us at the end of your contractual training period in any medium, at any time.

If you wish to exercise your rights in respect of your personal data or have any concerns about how your data is used, please email our Data Protection lead: Jane Black.

2. IF WE ASK YOU FOR PERSONAL INFORMATION, WE WILL:

• Make sure you know why we need it

• Only ask for what we need

• Make sure nobody has access to it who should not

• Keep it secure

• Tell you if we share it with other organisations (DWP for example)

• Ask you to agree to us sharing your information where you have a choice

• Only keep it for as long as we need to

• Not make it available for commercial use (such as marketing)

3. WHY WE NEED TO COLLECT AND USE YOUR PERSONAL DATA

The primary basis that we intend to use for the processing of your data is for the performance of providing training services for you. The information that we collect about you is essential for us to be able to effectively carry out the services that you require from us. Without collecting your personal data we would also be unable to fulfil our regulatory obligations.

Where sensitive data is required, we will obtain your explicit consent in order to collect and process this information.

4. INFORMATION WE COLLECT ABOUT YOU

We collect information about you when you engage us for training services.  The type of information we collect about you includes:

• Your name

• Your address

• Your email address

• Your phone number

• Your National Insurance number

• Your date of birth

• Information to ensure equal opportunities

5. HOW LONG WE KEEP HOLD OF YOUR INFORMATION

We are subject to regulatory requirements to retain data for specified minimum periods.  You have the right to request deletion of your personal data. See above.

We will comply with this request, subject to the restrictions of our regulatory obligations.

6. HOW WE PROTECT YOUR INFORMATION

The personal information which we hold will be held securely in accordance with our internal security policy and the law. We are committed to keeping your personal data safe and secure.

Our security measures include:

• Encryption of data;

• Daily testing of systems;

• Security controls which protect the entire infrastructure from external attack and unauthorised access;

• Internal policies setting out our data security approach and training for employees, detailed in the Crosby Training Security Policy

7. UPDATES

We keep our privacy policy under regular review and we will inform you of any changes when they occur. This Privacy Notice was last updated on 25/05/2018. 

• COMPUTER ACCEPTABLE USE POLICY

Services provided by us may only be used for lawful purposes. You agree to comply with all applicable laws, rules, and regulations in connection with your use of the services. Any material or conduct that in our judgment violates this policy in any manner may result in suspension or termination of the services or removal of the user’s account with or without notice.

PROHIBITED USE

You may not use the services to publish content or engage in activity that is illegal under applicable law, that is harmful to others, or that would subject us to liability, including, without limitation, in connection with any of the following, each of which is prohibited under this Acceptable Use Policy:

• Phishing or engaging in identity theft
• Distributing computer viruses, worms, Trojan horses or other malicious code
• Distributing pornography or adult related content or offering any escort services
• Promoting or facilitating violence or terrorist activities
• Infringing the intellectual property or other proprietary rights of others

ENFORCEMENT

Your services may be suspended or terminated with or without notice upon any violation of this policy. Any violations may result in the immediate suspension or termination of your account.

REPORTING VIOLATIONS

To report a violation of this policy, please contact us.

We reserve the right to change this policy at any given time, and you will be promptly updated of any change. If you want to make sure that you are up to date with the latest changes, we advise you to frequently visit this page.

This policy forms an important part of our Safeguarding Handbook and of our commitment to Safeguarding and PREVENT. Your compliance and support in adhering to this policy helps us ensure the safety of learners, staff and others.

This document forms part of The Crosby Training Safeguarding Handbook. We regard all Data Protection matters as being closely related to Safeguarding and PREVENT. The above policy, and our wider Information Security practice, are part of our emphasis on Safeguarding and PREVENT. We are committed to ensuring that data and other information relating to vulnerable individuals is not corrupted, lost or acquired by individuals or organisations that might use such information to target, mislead, harm or indoctrinate any of our learners, staff or stakeholders.

Policy Docs : V2022 MP Review date: January 2026