The General Data Protection Regulation (GDPR) / Data Protection Act 2018
The GDPR came into force on 25th May 2018 and the Data Protection Act 2018 is the UK’s implementation of it. This page is to tell you what Universal Training Ltd has in place to ensure we remain fully compliant.
| Questions | Comments |
| Name of Supplier | Universal Training Limited |
| Is Universal Training a Data Controller? | Yes |
| Is Universal Training a Data Processor? | Yes |
| Does Universal Training have a Data Protection Officer? | No. Due to the nature of Universal Training’s service and data management, there is no requirement for this post. |
| Who is the senior person responsible for information security and data protection at Universal Training? |
Marc Edwards. Information security and data protection is a standing agenda item for Universal Training Board Meetings. |
| Who is the senior person with overall responsibility for security at Universal Training? | Marc Edwards |
| What service is Universal Training
providing? |
Universal Training provides customers with licensed access to its Online Service – www.Universal-Training.com – whereby learners can gain essential knowledge on a wide variety of duty of care and safeguarding topics. Learners complete training modules and answer corresponding questionnaires with access to additional resources to support the . Downloadable personalised certificates evidence course completion and confirm any credits achieved. The robust reporting suite provides organisations with learner status reports on training progress and completions. |
| In providing this service, is Universal Training processing personal data belonging to its customers? | Yes. The organisation data (organisation name, address, URL, key business and contact information) is stored securely on Universal Training’s Customer Relationship Management (CRM) system for the purpose of managing the relationship and service, ensuring satisfaction and awareness of products and developments. The organisation’s individual learner data (first/last name and email) is stored on Universal Training’s Learner Management System (LMS) to enable learners to access the LMS, complete courses, questionnaires, access resources, record progress and download personalised certificates. |
| Does Universal Training process sensitive special category data? | No. |
| What security standards does Universal Training have in place to keep personal data secure? | We take customers’ privacy and security very seriously.
Universal Training has achieved the following external certifications: • Cyber Essentials for IT Systems • IASME Governance Standard for IT Processes • EU GDPR for Personal Data Universal Training’s robust quality processes meet the ISO 9001:2015 British Standards Institute. To achieve the above standards, Universal Training has: • analysed all the data that comes into our organisation (data mapping) and how we protect it. • updated our internal systems and processes as necessary and have ensured that third-party suppliers are GDPR compliant or are working towards it. • updated all our internal policies regarding the information we hold to ensure it is fully protected and compliant. |
| What policies and procedures are in place and how does Universal Training ensure they are followed? | We maintain a Quality standard and all staff are trained to follow the processes within the scope of the standard ISO 9001:2015.
Our policies 1. Information Security Policy 2. Technical Standards Policy 3. Credit Card Processing policy 4. Information Classification and Handling Policy
We maintain a Data Breach register (as required by the GDPR/DPA) which is maintained by the Quality Manager and reported on at leadership level. The ‘IASME Governance Standard |
| for IT Processes’ provides quality assurance that our staff follow procedure. | |
| How often are Universal Training policies and procedures reviewed? | Annually. |
| Does Universal Training appoint other companies or organisations to process personal data? | Yes. Universal Training works with external third-party service providers to support and host the LMS, the IT infrastructure and website, plus professional services such as accountants, auditors and marketing agencies who assist us in carrying out business activities.
Universal Training carries out due diligence on third-party suppliers related to their position on GDPR. All our systems are located within the UK or EEA. Access to organisation data and individual learner data is only allowed when required by law. We do not, and will never, sell or share your personal information with third parties for marketing purposes. |
| Does Universal Training ever transfer personal data outside the UK? If so, please specify where. | We may process some data outside of the EU. Our LMS stores data with Amazon Web Services (AWS) and they meet the EU-US Privacy Shield framework adopted by the European Commission. This complies with data protection requirements and GDPR legislation when transferring data outside of the EU. For more information, please see here. |
| Who has access to the data regarding customer data subjects? | Our customer services team have access to the data for the purpose of service set-up, training and to support learners with day-to-day needs. Our LMS stores data with Amazon Web Services (AWS) and they meet the EU-US Privacy Shield framework adopted by the European Commission. We have suppliers who support and develop our systems, but they do not process any data. All Universal Training third-party suppliers are GDPR compliant or are working towards it. |
| Does Universal Training have signed contracts and statements of works between the data controller, data processor and third parties? | Yes. Contracts are reviewed annually, or when renegotiating continuity of service. |
| Does Universal Training, as the data processor, have a written contract? | Yes. The agreement and Service Level Agreement (SLA) form part of Universal Training’s quotation process, which customers agree when finalising the sale.
Please also view Universal Training’s general terms and conditions here. These would have been signposted to you and agreed at the point of quotation and service delivery. |
| How is this data gathered? | Learner data is currently uploaded via CSV file with our customer services team. The purpose of the CSV file is to enable our staff to upload your learners to the LMS so they can start their training.
Once this upload is completed, the CSV is securely stored on our Customer Relationship Management system for record keeping and future amendments. CSV files can be encrypted on customer request. From August 2018, we will be introducing a secure online form whereby customer administrators and Universal Training staff will directly upload and edit learners on the Management System (LMS). |
| How does Universal Training ensure consent for the data’s use has been obtained by the Data Controller? | When the customer confirms their agreement to purchase the service from Universal Training, consent is agreed between the parties at this stage, as mentioned in the T&Cs. |
| How will data be provided in response to any EU Citizen Subject Access
Requests for data? |
A subject access request will follow our internal process and be responded to within the period required by law.
|
| What happens to personal data when the service contract ends? | Universal Training invite customers to renew their service before the service expiry date. If the organisation chooses not to renew the service, access to the courses and training service will no longer be available. Three months after the contract expiry date has passed, if no service renewal has been agreed – Universal Training will:
1. Permanently delete the organisation, learner data and training history from the LMS. 2. Retain the organisation financial transactional details, in line with HMRC’s legal retention requirements. 3. Retain the organisation data and key contact details on the CRM system. 4. Continue to keep the organisation updated about essential safeguarding and duty of care matters and products, whereby organisations will be given the opportunity to ‘opt out’ if they wish. |