Blackpool and The Fylde College (B&FC) and GDPR We are fully compliant with all the latest regulations regarding the acquisition, management and storage of data to ensure personal information is handled and kept securely. B&FC takes its data protection responsibilities very seriously and complies with the Information Commissioner’s Office (ICO) requirements under GDPR.This includes being registered with the Information Commissioner’s Office as a data controller (Registration No. Z4700416).Appropriate measures are taken to ensure that:personal data is only collected where appropriatepersonal data is only used by appropriate individualspersonal data is only used for purposes which are lawful under GDPRpersonal data are processed in accordance with the GDPR data protection principlesdata subjects, whether students, employees or others can exercise the rights afforded to them by GDPRpersonal data we collect and use is protected appropriately from disclosure and misuse Under the new General Data Protection Regulation (GDPR), Blackpool and The Fylde College (B&FC) is a data controller for some types of data and a data processor for others.B&FC is a data controller for personal data we capture about students, employees and others in order to deliver education, manage and develop our business and provide services to students, employees, applicants and members of the public.B&FC is a data processor for personal data we are obliged to process on behalf of data controllers such as the Education & Skills Funding Agency (ESFA), the Office for Students, managing agents for apprenticeships/services and others.Where B&FC is a data processor on behalf of another organisation (data controller), the data controller dictates the basis for processing data and the purposes for which the data is used. The difference between a Data Controller and a Data Processor A data controller is a person or organisation who determines the purposes for which and the manner in which any personal data are (or will be) processed. A data processor is a person (other than an employee of the data controller) who processes personal data on behalf of the data controller. Processing means obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data. This includes: Organisation, adaptation or alteration of the information or data. Retrieval, consultation or use of the information or data. Disclosure of the information or data by transmission, dissemination or otherwise making available. Alignment, combination, blocking, erasure or destruction of the information or data. ContentsFor information about how we use your personal information, click below. I am a:Student, Potential Student or Past StudentEmployee, Potential Employee or Ex-EmployeeMember of the Public or Other Customer More information:How B&FC protects your dataHow long B&FC keeps your dataYour rights If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer:Call: 01253 504064Email: datarequest@blackpool.ac.ukIf you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or call 0303 123 1113. Students, Potential Students & Past StudentsHow do B&FC capture and use personal data?B&FC collect personal data from students at application, enrolment, induction, throughout their programme of study and sometimes after they leave us. We collect this information from students directly but also on paper, online (including from your computer usage when in college), through our electronic systems (including databases and registers) by surveys, through CCTV/camera and sometimes we collect information from other organisations such as the Department for Education (DfE) and local education authorities.The information we collect is used to help us provide learning services and to enable students to benefit from education and training, pastoral care, learning support, financial support and to evaluate and improve the quality of our services. We are also required to provide personal data to the Education and Skills Funding Agency (ESFA) who are responsible for funding, planning and encouraging education and training in England. We may collect information in other ways (e.g., video, audio recordings, artificial intelligence) for which we ask your consent. If we do, we will tell you what information we plan to collect and how we plan to use it. You can withdraw your consent at any time. What data do B&FC capture and use?B&FC collect a range of personal data for students including name, contact details, nationality, residency, previous qualifications, employment and educational history, assessment results, attendance information, destination information and information about employment or work placements which students undertake whilst studying with us.We also collect and use sensitive data such as ethnic group, socio-economic indicator, criminal convictions, disability, special educational needs, relevant medical information and other things that might indicate students would benefit from our support services or bursaries (e.g., whether a student is a carer or a care leaver).We may ask for more detailed information if we need to assess whether it is appropriate for an individual to study their chosen course. For example, if someone has a significant medical need that affects our ability to keep them or someone else safe. Why do we need to capture and use personal data?Students and Potential StudentsWe process personal data of our students and we share it with the organisations listed below because we are legally obliged to do so or because we need to do so in order to deliver the education/training required by our students. Specifically:Because it is part of our funding agreement with OfS, the ESFA or other funding organisationsSo we can submit Individualised Learner Record to the ESFASo we can locate the correct records and register students for a Unique Learner Number (ULN)So we can identify and provide any financial or learning support students may be entitled toSo we can fulfil our obligations under the Government’s immigration and counter-terrorism dutiesSo we can maintain a “Travel Plan” which is required if we need to do work on college buildingsTo support students in securing employment or in progression to a higher course or a better jobTo safeguard students and othersSo that we can register students with appropriate awarding organisations Who has access to the personal data we collect and process?Student data will be shared with B&FC employees to provide services to those students. Only staff who need access to student personal data will be able to use it. The personal information our students (or potential students) provide will also be shared with the following organisations:The 1Education & Skills Funding Agency (see below)The Office for Students (OfS, previously HEFCE) and the Higher Education Statistics Agency (HESA) (for students who study an HE course with us)The University & College Admissions Service (UCAS) (for students who apply for or study an HE course with us)The Departments for Education and Business, Energy and Industrial StrategyThe Student Loans Company (for students who apply for or take a student loan)2The Learner Records ServiceThe UK Visa & Immigration ServiceThe European Social Fund or organisations operating on its behalf (for students whose education is eligible to be part funded by them)The Local Education Authority and ConnexionsAuditors, Ofsted or other formal regulatory bodies for the education sectorAwarding organisations/Exam boards3Industry skills bodies for students whose training includes registration of certification with themThird parties who are contracted to provide IT services to us4Sponsors or employers of students whose course is part funded by them (may include release from work to study) How the Education & Skills Funding Agency Uses Student Personal InformationB&FC is a data processor on behalf of the ESFA which operates on behalf of the Secretary of State for the Department Education (DfE). Personal data we share with the ESFA is used to exercise the functions of these government departments, to meet statutory responsibilities (including those under the Apprenticeships, Skills, Children and Learning Act 2009) and to create and maintain a unique learner number (ULN) and a Personal Learning Record (PLR) for our students.Those organisations will securely destroy the student personal data we share with them when it is no longer needed for these purposes. The information our students provide may be shared with other organisations for education, training, employment and well-being related purposes, including research. This will only take place where the law allows it and the sharing complies with data protection legislation. The English European Social Fund (ESF) Managing Authority (or agents acting on its behalf) may contact our students to perform research and evaluation that informs the effectiveness of training.B&FC students may also be contacted after completion of their course by organisations acting on behalf of government education funding agencies to establish whether they (the students) have entered employment or gone onto further training.We are obliged to ask students for their consent for the ESFA to use their data to contact them about courses or surveys and research and about the ways in which the ESFA are permitted to contact them. We ask for this consent at enrolment. If students do not give consent to their personal data being used for these purposes, we advise the ESFA accordingly.For further information about how the ESFA use student personal data, who they allow to access that data, how long they retain that data and how students can withdraw any consent they have given here, read more on GOV.uk.B&FC may also share information about student progress with their employer or other sponsor if they are paying all or part of the student’s course costs. Students who do not want us to do that, must pay their own fees. Students should contact our Student Administration office to make these payments and have their preferences updated in our records.If students give us name and contact details for a “next of kin”, we may contact them in an emergency. We seek the student’s consent before we share any other information with them.B&FC (or our partners) are required to monitor Learner Outcomes (including student destinations and employment). We will use the contact details our students give us to do this and we may share those details with organisations contracted by government agencies to perform this important task.In all cases we may be compelled to share your data. These instances are most likely to relate to (but may not be confined to) The Police, the Health and Safety Executive, local authorities, Her Majesty's Revenue and Customs (HMRC), the Courts and any other central or local government bodies (acting as controllers or processors) where we are required to do so to comply with our legal obligations, or where they request it and we may lawfully disclose it, for example for the prevention and detection of crime or to report serious health and safety incidents. We also may share the information we collect with other third parties where we are legally obliged to do so; for example, to comply with a court order.How B&FC protects your dataHow long B&FC keeps your dataYour rights If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer:Call: 01253 504064Email: datarequest@blackpool.ac.ukIf you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or on 0303 123 1113. Employees, Potential Employees and Ex-EmployeesHow do B&FC capture and use personal data?B&FC collects information in connection with job applications in a variety of ways. For example, from application forms, CVs, passport and other identity documents; through interviews or other forms of assessment (e.g., selection tests, psychometric testing etc); from other employers, and from organisations who check criminal records.Additional personal data may be collected throughout the period of employment from professional development records, performance monitoring processes, surveys completed and by other means. This information may be collected electronically, on paper or through meetings. What data do B&FC capture and use?B&FC collects a range of information about job applicants and employees including:name, address, date of birth, gender, contact details, including email address and telephone numberdetails of applicant’s qualifications, skills, experience and employment historyinformation about applicants’ current level of remuneration, including benefit entitlementswhether or not applicants have a disability for which B&FC needs to make reasonable adjustments during the recruitment processinformation about the applicant’s entitlement to work in the UKidentification to be able to complete a DBS applicationequal opportunities monitoring information, including information about ethnic origin, sexual orientation, health and religion or beliefthe terms and conditions of employment for employeesemployee qualifications, skills, experience and employment historyinformation about remuneration, including entitlement to benefits such as pensions and sick payemployee bank account details and national insurance numberemployee marital status, next of kin, dependants and emergency contactsinformation about nationality and entitlement to work in the UKinformation about criminal record as detailed within Enhanced DBS checksdetails of schedule (days of work and working hours) and attendance at workdetails of periods of leave taken, including holiday, sickness absence, family leave and the reasons for themdetails of any disciplinary or grievance procedures in which employee is involved, including warnings issued and related correspondenceassessments of performance, including appraisals, performance reviews and ratings, training, performance improvement plans and related correspondenceinformation about medical or health conditions, including about any disabilities for which B&FC needs to make reasonable adjustmentsdetails of trade union membershipequal opportunities monitoring information, including information about key protected characteristics As part of the process of assessing applications and making job offers, B&FC also collects personal data about applicants from third parties. This includes references from former employers, information from occupational health provider, information from criminal records checks.Data is stored in a range of different places including on our Application Tracking System and other IT systems (including email). Why do we need to capture and use personal data?B&FC processes data to:manage the recruitment process and monitor applicationsassess the need for reasonable adjustments for candidates with disabilities and provide appropriate supportassess and confirm a candidate's suitability for employment (e.g., undertaking criminal records checking, checking references, experience etc)comply with legal obligations (e.g., to check a successful applicant's eligibility to work in the UK)to make decisions about offers of employmentensure fairness, transparency and appropriate management of applications, shortlisting and appointmententer into a contract with employees and meet its obligations under said contractenable employees to be paid in accordance with employment contract, to administer benefits and pension entitlements, to enable employees to take statutory periods of leaveenable tax to be deducted in accordance with the lawoperate progression and promotion processesmaintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency) and records of employee contractual and statutory rightsoperate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplaceoperate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposesoperate and keep a record of absence and allow effective workforce managementobtain occupational health advice, ensure compliance with duties in respect of individuals with disabilities, meet its obligations under health and safety lawoperate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave)ensure effective general HR and business administrationprovide references on request for current or former employeesmaintain and promote equality in the workplace.facilitate monitoring for equal opportunities purposes (e.g., special category data, such as ethnic origin, sexual orientation, health or religion or belief)meet its obligations in respect of safeguarding employees and studentsrespond to and defend against legal claims Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to employees with disabilities and for health and safety purposes). Information about trade union membership is processed to allow the organisation to operate deductions for union subscriptions.Where the organisation processes other special categories of personal data, such as information about the protected characteristics, this is done for the purposes of equal opportunities monitoring. Who has access to the personal data we collect and process?Personal data will be shared internally with members of the HR department, hiring managers and others involved in the recruitment process. Personal data may be shared with IT staff where it is necessary for the performance of their roles and with external staff who support our Applicant Tracking System, HireServe. Where personal data is received through a third party recruitment website (e.g., FE Jobs), data is protected by their privacy statement.B&FC will share personal data with third parties in order to perform necessary pre-employment checks (e.g., former employers to obtain references, occupational health provider to obtain medical clearance, Disclosure and Barring Service or Personnel Checks Ltd to undertake mandatory criminal records checks).Please note: Some employee roles may be partly funded from project funding, including European Social Fund (ESF) funding. This will usually be linked to specific projects and it may be necessary to share the employee's job description, salary details and timesheets with the Project Board in order to claim that funding. Where this is the case, the employee will be advised and any personal data will be shared securely.In all cases we may be compelled to share your data. These instances are most likely to relate to (but may not be confined to) The Police, the Health and Safety Executive, local authorities, Her Majesty's Revenue and Customs (HMRC), the Courts and any other central or local government bodies (acting as controllers or processors) where we are required to do so to comply with our legal obligations, or where they request it and we may lawfully disclose it, for example for the prevention and detection of crime or to report serious health and safety incidents.We also may share the information we collect with other third parties where we are legally obliged to do so; for example, to comply with a court order.How B&FC protects your dataHow long B&FC keeps your dataYour rights If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer:Call: 01253 504064Email: datarequest@blackpool.ac.ukIf you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or on 0303 123 1113. Members of the Public and OthersHow do B&FC capture and use personal data?B&FC captures and processes personal data from members of the public who attend open events or who make enquiries about the courses we offer, from customers of our restaurant, beauty salons and other retail outlets, from customers and members of our sports centres and from those visiting our theatre, art gallery and other campus facilities. We do this by telephone, online, on paper and sometimes on CCTV. We may also process data received by social media with the consent of the data subject. What data do B&FC capture and use?RestaurantsB&FC collect personal data for customers including name, address, contact information and payment details. This information is used to manage reservations and plan tabling. We also collect and use sensitive data such as dietary requirements and allergy information and data that helps us to give our customers appropriate access to and use of our facilities. Hair and Beauty SalonsB&FC collect a range of personal data from customers including name, address, date of birth, contact information, occupation, treatment history and payment details.We also collect and use sensitive data such as relevant medical history and conditions, allergies and sensitivities and ethnic group in order to help us provide safe, accessible treatments, to identify any beneficial adjustments we need to make or special advice we need to give to our customers. Fitness Suites and Sports CentresB&FC collect a range of personal data from customers including name, address, contact details, bank/payment details, date of birth, employment/occupation type. We also collect and use sensitive data such as relevant health and medical history and conditions, disability, biometric data (e.g. weight, height & BMI) to help us understand whether customers would benefit from additional adjustments and/or special advice and guidance, and/or to draw up a personal fitness plan.B&FC collect and process data relating to children which has been provided by the parent/guardian of the child in question. This may be to process or manage a booking for premises (e.g., for party use) or for Holiday Sports Camps.We also collect and use sensitive data relating to children such as relevant health, medical and behavioural conditions or disabilities which help us identify where a child might benefit from reasonable adjustments or special support. TheatreB&FC collect a range of personal data for customers including name, address, contact details, bank/payment details. We also collect and use sensitive data such as disability or medical conditions to help us understand where customers would benefit from additional support or reasonable adjustments. GeneralB&FC collects CCTV images on college premises in order to manage security, ensure the health, safety and wellbeing of students, employees and visitors. Why do we need to capture and use personal data?We process personal data of our customers to process and manage bookings, to schedule reservations and appointments and to fulfil any contractual obligations relating to customer requests.Sensitive data is collected and processed in order to for us to ensure we comply with our legal obligations in respect of health and safety, safeguarding, equality and diversity. Personal data is only shared with employees, students in training and volunteers where it is necessary to enable them to safely provide the service(s) our customers’ request. Who has access to the personal data we collect and process?Customers of Restaurants, Salons, Sports Centres, Theatres and other B&FC retail outlets – personal data will be shared with employees, students in training and volunteers to enable them to safely provide service(s) to our customers.This data will also be shared with appropriate internal departments (such as Finance, for example, in relation to the processing of payments), and external third parties (such as insurers or legal representatives for example) in the event of complaints or claims made against us. Information used to process bookings in our restaurants may be passed to a third party booking system to help us manage reservations and operate the restaurant efficiently.In all cases we may be compelled to share your data. These instances are most likely to relate to (but may not be confined to) The Police, the Health and Safety Executive, local authorities, Her Majesty's Revenue and Customs (HMRC), the Courts and any other central or local government bodies (acting as controllers or processors) where we are required to do so to comply with our legal obligations, or where they request it and we may lawfully disclose it, for example for the prevention and detection of crime or to report serious health and safety incidents.We also may share the information we collect with other third parties where we are legally obliged to do so; for example, to comply with a court order.How B&FC protects your dataHow long B&FC keeps your dataYour rights If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer:Call: 01253 504064Email: datarequest@blackpool.ac.ukIf you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or on 0303 123 1113. How B&FC protects personal dataB&FC have a range of technical and operational measures in place to protect personal data from accidental destruction, misuse or disclosure.Data stored electronically is governed by role-based access control, based on the minimum required by for an employee to carry out their duties. Data is encrypted in transit, and all systems require secure passwords for access. All personal data is secured behind firewalls to prevent unauthorised access, with implicit deny rulesets in place. Comprehensive anti-virus, web filtering and email filtering tools are in place, along with strict patching cycles to minimise cyber-attacks and potential security exploits.All B&FC employees attend GDPR awareness training as part of induction before they are permitted to access any personal data. Employees are only given access to personal data if they need to use it as part of their role and access to our databases is strictly controlled. Only staff with the relevant training have access and access is removed when staff leave B&FC.We have a Clean Desk Clear Screen policy to ensure no personal data is accessible in offices or public spaces and a Code of Practice for Information Sharing which provides guidance for sharing information appropriately with others (such as the police or employers seeking references). Emails sent externally are encrypted and, where personal data is shared by email, we provide it in password-protected attachments and send the passwords separately (usually by telephone).We have a suite of policies, procedures and codes of practice to enable us to appropriately manage our obligations under the GDPR. They are as follows:Clean Desk Clear Screen PolicyClean Desk Clear Screen ProcedureConsent Withdrawal FormData Protection PolicyData Protection Code of PracticeData Breach Reporting/Management ProcedurePrivacy Impact Assessment ProcedureRights of Individual Code of PracticeSharing Information Code of PracticeSubject Access Request Procedure If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer:Call: 01253 504064Email: datarequest@blackpool.ac.ukIf you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or on 0303 123 1113. How long do we keep personal data?We keep different types of data for different lengths of time depending on need and our obligations. These are explained in section 5.2 of our Data Protection Code of Practice. Where we ask for consent to collect or use personal data, the data subject can withdraw that consent at any time.Students, employees, applicants and others can ask us to delete some or all of those data items or stop us from using it for certain purposes. This is done by completing a withdrawal of consent form and sending it to the datarequest@blackpool.ac.uk data protection office or by calling us on 01253 504064. Your RightsUnder GDPR, all individuals have rights over their personal data. B&FC customers, suppliers, partners and any individuals about whom B&FC processes personal data have the following rights: The right to be informed means you can:Identify what data we are collecting from you including: the purpose and use of your personal data, how long we will keep your information for and who it will be shared with.Be kept up to date where the purpose of processing your information changes.Identify any personal information that the College has obtained about you from other sources.Identify the lawful basis for processing your information.Identify where we may transfer your personal information to any countries or organisations outside the EU.Receive information as to how to lodge a complaint with the supervisory authority. The right of access means you can:Ask us to confirm the Personal Data we hold about you - you are entitled to know what categories of data B&FC holds, why we hold it, who we have shared (or will share) it with and how long we will keep it. If we collected the data from a third party, you are entitled to know who and how.Ask us to correct any inaccuracies in the data, update it, restrict how we use it or delete it (the last 2 are not absolute rights and it depends why we need the data as to whether we can do these things).Request a copy of the Personal Data we hold about you (this is known as a Subject Access Request or SAR) and we will provide itComplain to the ICO if you are unhappy about how B&FC deals with any such request or about the way B&FC handles your Personal Data The right to rectification means you can:Ask us to correct any inaccurate personal data we hold about you and we will do so within one month (or two months if your request is complex). If we have shared the information with other organisations, we will tell them about the correction as well.Ask us to update any data we hold about you that is incomplete The right to erasure (right to be forgotten) means you can:Ask us to delete the data we have about you (this right is limited in scope and does not apply to every individual or case). The right to be forgotten applies when:the data is no longer necessary for the purpose we collected ityou withdraw consent and we have no other legal basis to use that datayou object to us processing and there is no overriding legitimate interest to continue processing that datathe personal data was unlawfully processed orthe personal data has to be erased to comply with a legal obligationIf we have disclosed the deleted personal data to any third parties we must tell you who they are and we must inform them to delete the data if we can. The right to restrict processing means you can:"Block” or “suppress” the processing of your personal data under some circumstances. If the right applies and we have shared the data with other organisations, we will tell you who they are and we will inform them about the restriction if we can. The right to data portability means you can:Obtain a copy of your personal data in a structured, commonly-used and machine-readable format (such as CSV files) to help you. This only applies under certain circumstances. The right to object means you can:Object to us processing your personal data under certain circumstances Your rights in relation to automated decision-making mean you can:(Under some circumstances) prevent us from making decisions based solely on automated processing, including profiling. Automated decision-making is where an organisation makes a decision about you solely by automated means without any human involvement.Profiling happens where an organisation automatically uses personal data to evaluate certain things about you.If you have any questions or concerns about the collection, use or sharing of your personal data, please contact the college Data Protection Officer:Call: 01253 504064Email: datarequest@blackpool.ac.ukIf you are unhappy with the response, you can escalate your complaint by contacting the Information Commissioner at ico.org.uk or on 0303 123 1113.