POLICIES & PROCEDURES:
DATA PROTECTION

Crosby Training is committed to protecting the personal data of learners, staff, contractors, partners, and other stakeholders. This Data Protection, ICT Security & Acceptable Use Policy establishes standards for lawful, fair, and secure data processing, ICT security, acceptable system use, breach management, data retention, and third-party processing, in line with UK GDPR, the Data Protection Act 2018, and relevant regulatory guidance.

This Policy applies to all staff, volunteers, governors, contractors, and third parties processing personal data on behalf of Crosby Training, across all media, systems, and work devices.

DATA PROTECTION PRINCIPLES

Personal data will be:

  • Processed lawfully, fairly, and transparently.
  • Collected for specified, legitimate purposes and limited to what is necessary.
  • Accurate, kept up to date, and retained only as required.
  • Secured using appropriate technical and organisational measures.
  • Managed to respect individuals’ rights including access, rectification, erasure, restriction, objection, and portability.

ROLES AND RESPONSIBILITIES

  • Governance & Leadership Team: Provide oversight, approve the policy, and ensure adequate resources are in place.
  • DPO / Data Protection Lead: Advise on compliance, DPIAs, breaches, and act as ICO contact.
  • Staff: Handle data safely, complete training, follow ICT procedures, and report breaches or concerns immediately.

ICT SECURITY & ACCEPTABLE USE

  • Staff must use systems lawfully, responsibly, and for work purposes.
  • Security measures include strong passwords, multi-factor authentication, encrypted devices, access controls, antivirus, and secure network practices.
  • Personal or confidential data must not be shared through AI tools unless approved and risk-assessed.
  • Devices must be locked when unattended, and any suspected breach or loss reported immediately.

DATA COLLECTION, SHARING & RETENTION

  • Only collect and share data necessary for legitimate purposes.
  • Maintain Records of Processing Activities and perform Data Protection Impact Assessments for high-risk activities.
  • Data retention schedules define retention and secure disposal periods (e.g., learner records 6 years, staff records 7 years, safeguarding records per legislation).

DATA BREACHES

  • All suspected or actual breaches must be reported immediately.
  • Breaches are assessed, contained, documented, and reported to the ICO where required.
  • Lessons learned are implemented to prevent recurrence.

TRAINING, MONITORING & REVIEW

  • Staff complete GDPR and ICT security training at induction and annually.
  • Compliance is monitored through audits, incident reviews, and spot checks.
  • The Policy is reviewed annually, or sooner if changes to legislation, guidance, or operations occur.

SAFEGUARDING

  • Staff must follow the Safeguarding & Welfare Policy when handling sensitive information.
  • Data protection does not prevent lawful disclosures for safeguarding or PREVENT concerns.