We are committed to protecting the privacy of anyone whose personal data we hold.
As an organisation we have to comply with data protection legislation. From Friday 25 May 2018, the Data Protection Act 1998 will be superseded by the EU General Data Protection Regulations (GDPR) and the UK Data Protection Act 2018 and other supporting data protection legislation (e.g. Privacy Electronic Communications Regulations (PECR)).
To help us demonstrate how we comply with data protection legislation, we have implemented an Information Governance Framework, which outlines our approach to data privacy.
As a publicly funded organisation we are required to have a Data Protection Officer (DPO). The Data Protection Officer will report directly to the Chair of the Corporation.
Bradford College and Bradford College Group Subsidiary Companies are registered with the Information Commissioner’s Office (ICO), the UK’s data protection authority, as follows:
- Bradford College - Registration No: Z8112946
- Training for Bradford, trading as City Training Services - Registration No: Z5254595
- Inprint and Design Limited - Registration No: ZA360610
How does data protection legislation protect personal data?
Data protection legislation places obligations on us to protect your personal information. We have to make sure we process personal data in line with data protection principles and ensure that your rights as Individuals (Data Subjects) are met. These are outlined our Data Protection (GDPR) policy.
Your rights under data protection legislation
We will follow current data protection and other legislative guidance when dealing with requests from Individuals (Data Subjects) to exercise their data rights.
The right to be informed
We will tell you what we are doing with your personal data, why we need to collect it, what we will do with it and who we will share it with. We will give you this information in our Privacy Notices (see below). Where we need to collect, process or share your personal information for any purpose not outlined on the Privacy Notices, we will provide separate information and obtain consent where necessary.
Read more about partner agencies and other organisations who we work with (including privacy notices for awarding/validating bodies, agencies and some other third parties).
We would like to ensure our partners, schools and agencies we work with that we take data protection seriously. Read more about this in our 'Data Protection Statement for Partners, Schools and Agencies'.
The right to access
This is known as a Data Subject Access Request. Full details are available in the Data Protection (GDPR) policy.
If you wish to request information we hold about you, we would prefer you to complete a Data Subject Access form and email it for the attention of the Data Protection Officer; however any request in writing or email from the Individual (Data Subject) will be considered as a valid request, as long as it contains the relevant information to enable us to deal with your request.
If you are not known to the relevant Department or Business area, we may ask to see proof of your identity. The following forms of identity will be accepted as proof of identity (please note, we will require sight of the original):
- A copy of your passport
- A copy of your driving licence
- A copy of your Bank, Building Society or credit card statement in the Data Subject's name for the last quarter
- A copy of your Council Tax bill
How do you request information on behalf of someone else?
If you are requesting information on behalf of someone else you must complete the Data Subject Access Request form (clicking downloads the form) and provide written evidence that you have the Data Subject’s authority to ask for the information on their behalf, e.g. signature on the Data Subject Access form, a letter written by them, evidence of Power of Attorney, etc.
If your Data Subject Access Request is approved, you will be provided with either a printout or a photocopy of paper records. Where information is requested to be provided by email, we will only agree to this if it can be sent via an approved secure method.
We will respond to your request within 30 days, where we are unable to approve your request for information or are unable to provide the information within 30 days, we will notify you. Verification of identity of the person/organisation making the request will be required.
How do you request information on behalf of an enforcing body?
Requests for disclosure of personal information in connection with investigation of crime or any other enforcing body investigation should be made on a Police and Enforcing Bodies disclosure request form (clicking downloads the form) and emailed for the attention of the Data Protection Officer. ID will be requested and verified.
Will a charge be made for providing the information?
Information will normally be provided free of charge. However, there may be certain circumstances when a charge can be made: for example, where the request is manifestly unfounded or excessive, we may charge a ‘reasonable fee’ for the administrative costs of complying with the request. We can also charge a reasonable fee if an Individual (Data Subject) requests further copies of their data following a request. We will follow guidance from the ICO to determine if a charge applies and advise you prior to collating the information.
The right to rectification
For amendments to your personal information such as updating details we have collected from you for normal business processing, e.g. contact details; change of address; emergency/next of kin; contact details; course details and medical details etc. please contact the relevant Department to tell them what is incorrect and ask for it to be corrected.
For anything that is not considered routine business processing, please contact the Data Protection Officer who will take steps to action your request.
We will aim to deal with requests for rectification as soon as possible. We will respond within one month; this will be extended by two months where the request for rectification is complex.
The right to erasure/deletion
Requests for the erasure (deletion) or removal of personal data where there is no lawful basis for its continued processing, should be made to the relevant Department. We have the right to refuse a request for erasure under certain circumstances – please refer to the Data Protection (GDPR) policy for further details.
We will aim to deal with right to erasure requests within one month. Where we are unable to complete the request within this timescale, we will inform the individual.
Right to restriction
Requests to restrict us from processing your personal data can be made, however there may be reasons why we may not be able to comply. If a request is determined to be valid, we will take steps to immediately restrict processing of personal data as set out in our Data Protection (GDPR) policy.
Right to data portability
Details on this are outlined in the Data Protection (GDPR) policy. Requests should be made to the relevant Department. We will aim to respond within one month or within one month advise the individual if we need to extend the timeframe by two months, where the request is complex, or a number of requests have been received.
Right to objection
You may object to processing under certain circumstances, please refer to the Data Protection (GDPR) policy. Requests should be made to the relevant Department. We will aim to deal with requests within one month and advise you if we cannot meet this timescale.
Rights in relation to profiling and automated decision-making
Profiling and automated decision-making are two different things, although automated decision-making can include profiling. We will specify any profiling or automated decision-making in our Privacy Notices or other communication as necessary. Further information is in our Data Protection (GDPR) policy.
Reporting a concern
If you are unhappy with the way we have processed your personal information, or feel that your request for information or to exercise your data rights have not been dealt with appropriately, please contact the Data Protection Officer in the first instance.
Email: [email protected]
If you are unhappy with the outcome of your complaint, you can escalate your complaint to the Information Commissioner’s Office (ICO).
ICO helpline, call: 0303 123 1113
See the ICO Concerns website for more information.