The General Data Protection Regulation (GDPR)

As you know, the European GDPR comes into force on 25th May 2018. This page tells you what EduCare Learning Ltd has put in place to ensure we are fully compliant by the due date.

Of course, your data has always been protected, but the new GDPR gives individuals new rights and freedoms not afforded by the current Data Protection Act.

  • ‘Personal data’ means any information that may (either on its own or in combination with other information) be capable of identifying a living person.
  • ‘Processing’ includes anything from using, collecting, storing, accessing, deleting, extracting or transferring.

Questions

Comments

Name of Supplier

EduCare Learning Limited

Is EduCare a Data Controller?

Yes

Is EduCare a Data Processor?

Yes

Does EduCare have a Data Protection Officer?

No. Due to the nature of EduCare’s service and data management, there is no requirement for this post.

Who is the senior person responsible for information security and data protection at EduCare?

Jane Brunsden

Information security and data protection is a standing agenda item for EduCare Board Meetings.

Who is the senior person with overall responsibility for security at EduCare?

Bernadette Sixsmith

What service is EduCare providing?

EduCare provides customers with licensed access to its Online Learning Service – www.myeducare.co.uk – whereby learners can gain essential knowledge on a wide variety of duty of care and safeguarding topics. Learners complete training modules and answer corresponding questionnaires with access to additional learning resources to support the learning. Downloadable personalised certificates evidence course completion and confirm the CPD credits achieved. The robust reporting suite provides organisations with learner status reports on training progress and completions.

In providing this service, is EduCare processing personal data belonging to its customers?

Yes. The organisation data (organisation name, address, URL, key business and contact information) is stored securely on EduCare’s Customer Relationship Management (CRM) system for the purpose of managing the relationship and service, ensuring satisfaction and awareness of products and developments.

The organisation’s individual learner data (first/last name and email) is stored on EduCare’s Learner Management System (LMS) to enable learners to access the LMS, complete courses, questionnaires, access resources, record learning progress and download personalised certificates. 

Does EduCare process sensitive special category data?

No.

What security standards does EduCare have in place to keep personal data secure?

We take customers’ privacy and security very seriously.
EduCare has achieved the following external certifications:

  • Cyber Essentials for IT Systems
  • IASME Governance Standard for IT Processes
  • EU GDPR for Personal Data

EduCare’s robust quality processes meet the ISO 9001:2015 British Standards Institute.

To achieve the above standards, EduCare has:

  • analysed all the data that comes into our organisation (data mapping) and how we protect it.
  • updated our internal systems and processes as necessary and ensured that third-party suppliers are GDPR compliant or are working towards it.
  • updated all our internal policies regarding the information we hold to ensure it is fully protected and compliant.

What policies and procedures are in place and how does EduCare ensure they are followed?

We maintain a Quality standard and all staff are trained to follow the processes within the scope of the standard ISO 9001:2015.

Our policies

  1. Information Security Policy
  2. Technical Standards Policy
  3. Credit Card Processing policy
  4. Information Classification and Handling Policy


We maintain a Data Breach register (as required by the GDPR/DPA) which is maintained by the Quality Manager and reported on at leadership level. The ‘IASME Governance Standard for IT Processes’ provides quality assurance that our staff follow procedure.

How often are EduCare policies and procedures reviewed?

Annually.

Does EduCare appoint other companies or organisations to process personal data?

Yes. EduCare works with external third-party service providers to support and host the LMS, the IT infrastructure and website, plus professional services such as accountants, auditors and marketing agencies who assist us in carrying out business activities.

EduCare carries out due diligence on third-party suppliers related to their position on GDPR. All our systems are located within the UK or EEA.

Access to organisation data and individual learner data is only allowed when required by law. We do not, and will never, sell or share your personal information with third parties for marketing purposes.

Does EduCare ever transfer personal data outside the UK? If so, please specify where.

We may process some data outside of the EU. Our LMS stores data with Amazon Web Services (AWS) and they meet the EU-US Privacy Shield framework adopted by the European Commission. This complies with data protection requirements and GDPR legislation when transferring data outside of the EU. For more information, please see here.

Who has access to the data regarding customer data subjects?

Our customer services team have access to the data for the purpose of service set-up, training and to support learners with day-to-day needs. Our LMS stores data with Amazon Web Services (AWS) and they meet the EU-US Privacy Shield framework adopted by the European Commission. We have suppliers who support and develop our systems, but they do not process any data. All EduCare third-party suppliers are GDPR compliant or are working towards it.

Does EduCare have signed contracts and statements of works between the data controller, data processor and third parties?

Yes. Contracts are reviewed annually, or when renegotiating continuity of service.

Does EduCare, as the data processor, have a written contract?

Yes. The agreement and Service Level Agreement (SLA) form part of EduCare’s quotation process, which customers agree when finalising the sale.

Please also view EduCare’s general terms and conditions here.

These would have been signposted to you and agreed at the point of quotation and service delivery.

How is this data gathered?

Learner data is currently uploaded via CSV file with our customer services team. The purpose of the CSV file is to enable our staff to upload your learners to the LMS so they can start their training.

Once this upload is completed, the CSV is securely stored on our Customer Relationship Management system for record keeping and future amendments. CSV files can be encrypted on customer request.

From August 2018, we will be introducing a secure online form whereby customer administrators and EduCare staff will directly upload and edit learners on the Learning Management System (LMS).

How does EduCare ensure consent for the data’s use has been obtained by the Data Controller?

When the customer confirms their agreement to purchase the service from EduCare, consent is agreed between the parties at this stage, as mentioned in the T&Cs.

How will data be provided in response to any EU Citizen Subject Access Requests for data?

A subject access request will follow our internal process and be responded to within the period required by law. Please view our privacy statement here.

What happens to personal data when the service contract ends?

EduCare invites customers to renew their service before the service expiry date. If the organisation chooses not to renew the service, access to the courses and training service will no longer be available. Three months after the contract expiry date has passed, if no service renewal has been agreed, EduCare will:

  1. Permanently delete the organisation, learner data and training history from the LMS.
  2. Retain the organisation financial transactional details, in line with HMRC’s legal retention requirements.
  3. Retain the organisation data and key contact details on the CRM system.
  4. Continue to keep the organisation updated about essential safeguarding and duty of care matters and products, whereby organisations will be given the opportunity to ‘opt out’ if they wish.