Privacy Policy

Mercury Training Services Ltd are committed to ensuring that your privacy is protected.

This privacy notice has been prepared in accordance with the General Data Protection
Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act 2018. Our ICO number is Z1744194.

The organisation undertakes to ensure that data is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate
• Not kept longer than necessary
• Processed in accordance with the data subject’s rights
• Secure
• Not transferred to third parties without the express permission of the subject and adequate protection

Access to all data retained on staff will only be available to the Senior Management team.

Access to all data retained on clients will only be available to employees of Mercury unless agreed with the individual in advance.

Clients on whom data is held have the right of access, transparency, rectification, portability, restriction, objection and the right to be forgotten.

Data will not be retained for longer than the contract requires, or 5 years if not contractual.

Paul Lawton-Jones
Managing Director
January 2020

Introduction and General Principles
This privacy notice has been prepared in accordance with the General Data Protection
Regulation (EU) 2016/679 (“GDPR”) and the Data Protection Act 2018. Our ICO number is Z1744194.

Data Controller
For the purpose of the UK Data Protection Act 1998 (the Act), and EU General Data Protection Regulation (GDPR), the data controller is Mercury Training Services Ltd of Suite 526, One Victoria Square, Birmingham, West Midlands, B1 1BD, registration number 5442257.

Mercury Training Services Ltd (Mercury) has a responsibility under data protection legislation to provide individuals with information about how we process their personal data.

When collecting personal data, Mercury will notify staff, students and other relevant parties of the nature of data that we hold and process about them, the reasons for which it is processed and how this can be changed. Notification will take the form of Privacy Notices, Contracts, Learning Agreements and other relevant modes of communication. It provides details on what type of personal information we collect, how we use it and how we keep it secure.

Mercury values the rights of individuals when it comes to data protection and is committed to:

Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. This means that consent is insufficient: the individual must be informed of exactly what their data is being used for. Furthermore, organisations must inform the individual of their right to withdraw consent at any time.
Accuracy: Personal data shall be accurate and, where necessary, kept up to date. This means that the organisation should not rely on individuals to update their information, but they should be proactive to ensure personal data is current.
Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary, for the purposes for which the personal data are processed.

Data security
· All staff are responsible for ensuring that personal data that they hold on behalf of Mercury is (a) secure, and (b) is not disclosed to an unauthorised third party.
· Unauthorised disclosure will be a disciplinary matter and may be considered gross misconduct.
· Personal information must be physically secure and, if it is computerised, it must be coded, encrypted or password protected or kept only on a medium that is stored securely.
· All personal data leaving our secure network must be encrypted and password protected. The password must be shared with the recipient via an alternative means of communication.
· Mercury does not store data outside of the European Economic Area.

Data sharing
We sometimes need to share the personal information we process with other organisations. Where this is necessary we are required to comply with all aspects of the GDPR. What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.
Where necessary or required we share information with:
· family, associates and representatives of the person whose personal data we are processing
· current, past or prospective employers
· awarding organisations
· trade, employer and professional organisations
· security industry authority
· voluntary and charitable organisations
· healthcare, social and welfare organisations
· funding organisations
· survey and research organisations
· persons making an enquiry or complaint
· press and the media
· local and central government
· security organisations, police forces, prison and probation services, courts and tribunals
· suppliers and service providers
When personal information is shared with any third party, this will be done only following the legal basis for processing detailed above and is documented in Mercury’s Data Register.

Information collected via our website or associated services

Google Analytics
When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone.

Site search
Search terms used on our website are collected and processed anonymously to help improve our website and search functionality. No user-specific data is collected by Mercury.

Site Cookies
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. Their purpose is to track visitor use of the website and to compile statistical reports on website activity.
Like many websites, we also obtain certain types of information when your web browser accesses our website, or advertisements and other content served by or on behalf of Mercury on other websites. This information is used to provide measurement services and target advertisements.

Categories of personal information processed
Mercury collects information relating to learners such as:
· Name, unique learner number, date of birth, address, telephone numbers, ethnicity, nationality, eligibility for public funding
· Attendance Information (such as classes attended, number of absences, absence reasons).
· Performance Information (such as grades, examination marks, reports and references).
· Destination Information (employment, training & apprenticeships).
· Service Usage (such as internet history)
· Health & Wellbeing / Medical Information (such as medical conditions, first aid records, accident reports, and related potential civil claims).
· Safeguarding (DBS)
· Educational Needs (such as disabilities and learning difficulties, support needed, examination arrangements).
· Behavioural Information (such as concerns, warnings, suspensions and exclusions).
· Likeness/Biometric Information (such as identifiable CCTV images).

Why we collect and use information
· To comply with statutory legislation.
· To provide learning opportunities to applicants, existing learners and previous learners.
· To support teaching and learning.
· To monitor and report on progress.
· To provide appropriate pastoral care.
· To provide appropriate learner support services.
· To ensure safeguarding of staff and learners.
· To assess the quality of our services.
· To engage with businesses in order to provide opportunities for our learners.
· To comply with funding regulations.

Legal basis for processing data
Processing of personal data is legal when one or more of the following conditions is met:
· It is necessary to fulfil a contract between the data subject and controller.
· It is a legal requirement.
· It is necessary to protect the vital interests of the data subject or other natural person.
· It is necessary for legitimate interests pursued by the controller except where the rights of the data subject override.
· The data subject has consented.
· Any reuse is compatible with the original purpose of collection, effects archiving or statistical processing.

Mercury records the legal basis for processing different types of personal data on our Data Register.

A number of legislative and regulatory requirements mandate our data collection. We collect and use information under the provisions of:
· The Disability Discrimination Act 1995.
· The Equality Act 2010.
· The Reporting of Injuries, Diseases, and Dangerous Occurrences Regulations (2013).
· The Children and Families Act 2014.
· The Safeguarding Vulnerable Groups Act 2006
· The Children and Social Work Act 2017
Whilst the majority of learner information provided to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with the General Data Protection Regulation, we will inform learners and other interested parties whether they are required to provide certain information or whether there is a choice.
In addition, Mercury processes Sensitive/Special Categories of Information where:
· Consent has been given.
· Tasks are performed for reasons of public interest.

Your rights
Under certain circumstances, by law you have the right to:
· Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
· Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
· Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
· Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
· Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
· Request the transfer of your personal information to another party. If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party

Making a complaint
Staff, learners or other parties who believe that the Policy has not been followed in respect of
their own personal data should first raise the matter in writing with Mercury’s designated Data Protection Officer.
By email: [email protected]
By post: Data Protection Officer (FAO: Paul Lawton-Jones)
Mercury Training Services Ltd
Suite 526, One Victoria Square, Birmingham, West Midlands, B1 1BD

If you are not satisfied with the way in which we process your personal data, we ask that you let
us know so that we can try and put things right. If we are not able to resolve issues to your
satisfaction, you can refer the matter to the Information Commissioner’s Office (ICO). The ICO
can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113

Changes to our privacy policy
We keep our privacy notice under regular review to comply with legislative developments and the
need for good practice and we will place any updates to this policy on our website.