ASQ DATA (PRIVACY) PROTECTION (GDPR) POLICY AND PROCEDURE

Introduction, aims and purposes

ASQ (“ASQ Group”, “ASQ Construction Services”, “ASQ Training and Assessments”, “ASQ Recruitments,” “we,” “us,” or “our”) needs to keep certain information on its members and employees to carry out its day-to-day operations which is mostly the delivery of NVQ qualification and training and consultancy service purposes, to meet its objectives and to comply with legal obligations.

The organisation is committed to ensuring any personal data will be dealt with in line with GDPR. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

The aim of this policy is to ensure that everyone handling personal data within the organisation is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

The Data (Privacy) Protection (GDPR) procedure addresses the following principles;

1. Management:

ASQ will, through appropriate management and strict application of criteria and controls:

• Observe fully conditions regarding the collection and use of information.
• Meet our legal obligations to specify the purposes for which information is used.
• Collect and process appropriate information, and only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirements.
• Ensure that everyone managing and handling personal information is trained to do so.
• Anyone wanting to make enquiries about handling personal information, whether a member of staff or service user, knows what to do;
• Any disclosure of personal data will be in line with our procedures.
• Queries about handling personal information will be dealt with swiftly and politely.

To meet our responsibilities, we will:

• Ensure any personal data is collected in a fair and lawful way;
• Explain why it is needed at the start;
• Ensure that only the minimum amount of information needed is collected and used;
• Ensure the information used is up to date and accurate;
• Review the length of time information is held;
• Ensure it is kept safely;
• Ensure the rights people have in relation to their personal data can be exercised

Training and awareness about the General Data Protection Regulations (GDPR) and how it is followed in this organisation will be in the form of a general training/awareness raising once a year.

2. Notice:

ASQ provides notice about the policies and procedures in all contract agreements, candidate forms; the policies and procedures are also available on the website, www.asqltd.co.uk. Depending on the purpose for data collection, ASQ may collect the following personal details:

• Name;
• Date of Birth
• Ethnicity
• CSCS/CPCS No.
• ULN
• Gender
• NI Number

Personal information is kept in the following forms:

• Scanned copies of Registration Forms on local PCs and shared drive on the cloud
• On Excel Spreadsheet Database on the shared drive

How do we process your personal data?
ASQ complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

We use your personal data for the following purposes:

• To enable us register our candidate for various NVQ qualifications or trainings as required for the candidate with our current awarding bodies and others that will might join in future.
• To help us verify candidate learning record from the government database or register an account for them if they don’t already have one.
• To verify their record with CSCS/CPCS and other governing bodies
• To administer candidate records.
• To process request for information, quotes, proposal from our clients or intending client.
• To manage our employees and assessors.
• To maintain our own accounts and records.
• To plan your assessment, request for necessary qualification document evidence or give you update on your qualification process and progress.


3. Legal basis for processing your personal data:
1. Explicit consent: By registering for any of our services including NVQs and trainings, you give your explicit consent with respect to the obtaining, using, holding, amending, disclosing, destroying and deleting of data as described in this notice. Explicit consent here means you were clearly presented with an option to agree or disagree with the collection, use, or disclosure of personal information.
2. Legitimate Interest: As a regulated training and assessment centre, we are obligated to keep the training records of all of our candidate for a period of 3years at least which is statutory. After the completion of intended training and assessments, no processing will be done on the date except for audit purposes if required by our awarding body. At the end of the stated period, we would delete all vital information about the candidate but keep the name, qualification title and date of birth for the centre records.


4. Legal basis for processing your personal data:

We shall obtain and process personal data fairly and in accordance with statutory and other legal obligations. Information could be obtained from signed registration forms, contact via our website, telephone call to the centre, request for information, quotes or proposal and from referrals.

5. Use, retention, and disposal:

In line with GDPR principles, ASQ Training and Assessments will ensure that personal data will:

• Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
• Be obtained for a specific and lawful purpose
• Be adequate, relevant but not excessive
• Be accurate and kept up to date
• Not be held longer than necessary
• Be processed in accordance with the rights of data subjects
• Be subject to appropriate security measures
• Not to be transferred outside the European Economic Area (EEA)


6. Access: - Your rights to your personal data:

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

• The right to request a copy of your personal data which we hold about you.
• The right to request that we correct any personal data if it is found to be inaccurate or out of date.
• The right to request your personal data is erased where it is no longer necessary for us to retain such data
• The right to withdraw your consent to the processing at any time.
• The right to request that the data controller provide the data subject with his/her personal data and where possible, to transmit that data directly to another data controller, (known as the right to data portability) where applicable – only applies where the processing is based on consent or is necessary for the performance of a contract with the data subject and in either case the data controller processes the data by automated means.
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
• The right to object to the processing of personal data where applicable – only applies where processing is based on legitimate interests; direct marketing and processing for the purposes of scientific/historical research and statistics
• The right to lodge a complaint with the Information Commissioners Office.


7. Data Backup:
• Full backups of all candidates’ data are performed bi-weekly. Full backups are retained for at least 3 years according to the Awarding Body regulation.
• Backups are stored in the cloud (Dropbox). A limited number of authorised personnel have access to the backup application and media copies.
• Requests for backup data from 3rd parties must be approved by any of the Directors.

Anyone whose personal information we process has the right to know what information we hold and process on them, how to gain access to this information, how to keep it up to date and what we are doing to comply with GDPR. They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Individuals have a right under GDPR to access certain personal data being kept about them on computer and certain files. Any person wishing to exercise this right should apply in writing to ASQ office at following details:

ASQ Construction Services Limited
Attn: Mr. Ebenezer Daramola
Suite 6, City View House,
1 Dorset Place, Stratford
London E15 1BZ

We may also require proof of identity before access is granted. Groups of people within the organisation who will process personal information are: Directors, Data Protection Officer, Assessors, Office Administrator and any employee delegated to do so.

Queries about handling personal information will be dealt with swiftly and politely.



8. Disclosure to third parties:

The organisation will take steps to ensure that personal data is kept secure at all times against unauthorized or unlawful loss or disclosure. Any disclosure of personal data will be in line with our procedures. Any unauthorized disclosure of personal data to a third party apart from our awarding body by any data processor will be seriously frowned at.

9. Security for privacy:

The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

• Using lockable cupboards (restricted access to keys)
• Computers and relevant files will be passworded
• Candidate spreadsheet are passworded to prevent unauthorized access.
• Access to building is strictly through security pass and only staff are allowed access. Visitors into the building are accompanied at all time.


10. Quality:

We maintain accurate, complete, and relevant personal information as reasonably possible and only for the purposes identified in this notice. We retrieve your personal data from emails you shared with us, candidate registration form or website contact form. Please note that we have shared responsibility with regard to the accuracy of your personal information. If the collected personal data is incorrect or outdated, please contact us immediately.

11. Monitoring and enforcement:

We monitor compliance with our privacy policies and procedures and have procedures to address privacy related complaints and disputes.

If you believe that your personal information is not handled in accordance with the applicable law or our privacy policies, you may submit a complaint to our Data Protection Officer who will investigate the complaint

Contact Details
To exercise all relevant rights, queries of complaints please, in the first instance, contact our office at ASQ Construction Services, Delta House, 175 – 177 Borough High Street, London SE1 1HR

You can contact the Information Commissioners Office on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.

Definitions of Terms

Privacy: The rights and obligations of individuals and organisations with respect to the collection, use, retention, disclosure, and disposal of personal information.

Personal Information: (sometimes referred to as personally identifiable information or PII) information that is about, or can be related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual.

Individuals, for this purpose, include prospective, current, and former customers, employees, and others with whom the entity has a relationship. Most information collected by an organisation about an individual is likely to be considered personal information if it can be attributed to an identified individual. Some examples of personal information are as follows:

• Name
• Home or email address
• DAte of birth
• Identification number (for example, a Social Security or Social Insurance Number)
• Physical characteristics
• Consumers purchase history

Sensitive Information: Some personal information is considered sensitive. Some laws and regulations define the following to be sensitive personal information:

• Information on medical or health conditions
• Financial Information
• Racial and ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Sexual preferences
• Information related to offenses or criminal convictions

Non-personal Information: information about or related to people that cannot be associated with specific individuals. This includes statistical or summarized personal information for which the identity of the individual is unknown or linkage to the individual has been removed. In such cases, the individual’s identity cannot be determined from the information that remains because the information is de-identified or anonymized. Non-personal information ordinarily is not subject to privacy protection because it cannot be linked to an individual. However, some organisations may still have obligations over non-personal information due to other regulations and agreements.

Processing: Is the obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.

Data Controller: Is responsible for understanding and communicating obligations under the Act, identifying potential problem areas or risks, producing clear and effective procedures, notifying and annually renewing notification to the Information Commissioner and notifying of any relevant interim changes

Explicit Consent: Is the freely given, specific and informed agreement by a customer in the processing of personal information about her/him. Explicit consent is needed for processing sensitive data of our customers.