Data Management & Processing Policy

Activity Overview

To support the enrolment, delivery, and assessment of learners through our apprenticeship programmes – the Coaching Professional and the Learning & Skills Mentor – we as the provider have a requirement to import, process and store personal data.

Systems Overview – security, storage and pen testing

We use two different SaaS platforms:

  1. Aptem - https://www.aptem.co.uk/
  2. The Learning Pathway, from People Alchemy - https://peoplealchemy.com/platform/

Aptem is a dedicated apprenticeship platform that provides the following services:

  • Learner recruitment & enrolment
  • ILR & IA eligibility checking and compliance
  • Functional skills assessment
  • Funding management
  • Data reporting and analytics

All data is hosted on Microsoft Azure servers based in London and Cardiff. No backups are made outside the UK. Any access to live data is done in alignment with GDPR guidelines and contractual agreements. Aptem holds up-to-date ISO 27001, ISO 9001 and Cyber Essentials certification. We also have copies of their recent penetration testing certificate. In addition, we have included the “Data Protection” section of our recently signed Master Services Agreement as Appendix A to this document.

The Learning Pathway workflow system is a SaaS multitenant application that we use for:

  • Learning delivery and management
  • E-learning
  • Learner portal and progress tracking
  • Apprenticeship management

The servers and data are held at a Dediserve Tier 4 data centre in Maidenhead in the UK (https://www.dediserve.com/). The primary database server is not directly accessible from the internet. All data at rest and in transit is encrypted. All data is backed up every two hours onsite and every 24 hours off-site. User accounts are accessed with a username and password; the password is salted and hashed in the database. MFA can be activated if required. Regular penetration tests are carried out by an external party.

These two systems are linked via an encrypted and secure API link.

Duration of the processing, retention & deletion

To comply with our legal obligations to the ESFA and Ofsted, we will continue to store the personal details of individual learners for the duration of their studies (typically 18 months) and for a period of 3 years post-completion of their end-point assessment. Once the retention period is over, only name and qualification achievement details are archived, with all other personal data being permanently deleted from our records.


During this period, we will:


Types of Personal Data

We will collect and process the following types of personal data:

  • Names
  • Email addresses
  • Home address
  • Education & training details (including academic and professional achievement).
  • Employment details (including contract length)
  • Personal data relating to Safeguarding, Health & Wellbeing (including any registered disabilities related to training needs e.g. dyslexia)

Transfers to sub-processors

No transfers of data will take place to sub-processors unless we are required to do so for ESFA auditing or Ofsted inspection purposes. If required, these will be managed via encrypted and secure platforms, e.g. Galaxkey.

However, to enable end-point assessment to take place, our designated End Point Assessment Organisation will be given access to individual user accounts. User accounts are accessed with a username and password; the password is salted and hashed in the database. MFA can be activated if required.

Keeping data safe, security/data incidents

The OCM Group takes information security risks very seriously and takes all reasonable technical and organisational precautions to prevent the loss, misuse and/or alteration of personal information.


We work closely with our IT provider, Wavenet, who provide a range of monitoring services to all our systems. Each user has Carbon Black next-gen antivirus, endpoint detection and response, and advanced threat hunting. We have also recently installed Microsoft Defender and 24/7 monitoring for all users on our Microsoft 365 accounts.

We have an SLA in place with Wavenet that, should a security incident occur, the threat will be dealt with and normal service resumed within a 2-hour window. We will notify the affected parties as soon as we are able (typically within 24 hours) with the details of the breach and the remedial action taken to address it.

We also hold up-to-date Cyber Security Plus Certification.


Access to personal information and correction of data 

All users have the right to request a copy of the information that we hold about them. If they would like to access the data we hold on them, they should email or write to us at the address located at the end of this document. We will reply in full within 2 weeks of receiving their request, unless the information is particularly complex. If we need more time, we will let them know.

We want to make sure that their personal information is accurate and up to date. They may ask us to correct or remove information they think is inaccurate. We will delete or update their information within 48 hours.


Withdrawing consent and objections to processing 

Individuals have the right to withdraw consent for us to hold their data and the right to object to it being processed in any particular way. If they wish to do this, they should email or phone us using the contact details given below. Please note that, in accordance with data protection law, we aim to anonymise data as soon as possible. If we have already anonymised their responses, it may not be possible for us to give them a copy of the data they have submitted, or to correct, remove or withdraw it.


Right to lodge a complaint

If an individual would like to complain about how their data has been treated by us, they should contact our Data Protection Officer, Deborah Raffell, at the address below. To escalate the complaint further, contact our Chief Executive, Ed Parsloe. Under GDPR, they also have a right to lodge a complaint with the supervisory authority in their state of residence, place of work or where the alleged breach of GDPR occurred. In the UK, this is the ICO. The OCM is registered with the ICO, registration reference Z2387178.


Data Protection Officer

Executive Responsibility

Review

We review our data security and processing responsibilities on an annual basis. The next review will take place in September 2024.