Respecting your data 

Summary of use:

Here at the WEA we take your data very seriously. The WEA will use the personal data we collect from you for the purposes of: providing you with relevant support, providing information advice and guidance, carrying out our enrolment processes, recording your attendance, delivering your learning, recording your exam results and certification (if applicable), contacting you if you are a member or volunteer, letting you know about upcoming courses or events or other areas of the WEA that may be relevant and of interest to you. We will also use your personal data for meeting our legal and funding duties and responsibilities; this includes reporting to WEA funders as a condition of us receiving their funding to run your course and supporting your learning.
 
Our General Data Protection Regulation (GDPR) policies [drafted documents] 

Due to the new General Data Protection Regulation being introduced from 25 May 2018, we are currently reviewing our policies even further to make sure that they represent you and comply fully with the new regulation. For full transparency, we are providing you with all of these drafts as current reference points ahead of our full update, along with summaries points about what each document contains. If you are still not fully satisfied with the details provided in these documents, please seek further information from us. We are here to help. You can contact us with your enquiry at dpo@wea.org.uk or call 0300 303 3464.

Request to see the data we hold about you. We will use all reasonable efforts to answer any questions or resolve any concerns regarding your privacy promptly.

Below is a list of all of our GDPR polices.

Acceptable use policy

•    Deals with confidentiality, integrity, availability, traceability  and compliance of information
•    Covers clear desk policy and clear screen policy, email and internet acceptable usage, email communication and file sharing
•    Social media use

Read this policy

CCTV

•    Maintain security of individuals and property in a vulnerable area
•    Protect and maintain the wellbeing of the students, staff and visitors
•    Prevent and detect crime

Read this policy

Connections between WEA and 3rd parties

•    Non-disclosure agreement should be in place produced in conjunction with legal services around data sharing
•    How 3rd party organisations manage and control information.
•    How 3rd parties will secure ICT and networks

Read this policy

Consent

•    Obtaining consent- freely given, specific, informed and unambiguous
•    Opt-in and opt-out options
•    Consent should be documented, maintained and deleted
•    Consent around children’s data, medical data and criminal data

Read this policy

Data access control

•    Access to systems based on business requirements and authorisation for employees and none employees
•    Password protection as a means to manage access based on user criteria
•    Ongoing review of access rights

Read this policy

Data handling and classification

•    All employees are responsible for ensuring that they comply with handling guidelines.
•    Access Restriction, including the granting & revoking of permissions and restrictions.
•    Transmission, including e-mail, fax, other electronic file transfer, post (internal and external mail), reading in public, verbal disclosure and copying & printing.
•    Storage, including paper files in work areas and cabinets as well as electronic storage in systems including network shares and portable devices.
•    Disposal, including recycling, shredding, general waste, disposal of electronic devices.

Read this policy

Data Protection Impact Assessment (DPIA)

•    Ensuring DPIA are performed as required per GDPR legislation
•    Provides guidance around when required and how to complete 
•    Must be completed by the DPO for WEA
•    This must include technical and organisational measures to mitigate any risks

Read this policy

Data protection policy

Read this policy

Data retention

•    Captures the retention periods for different classifications of data according to either legal requirements or legitimate basis
•    Provides classification of all personal data
•    Disposal of data where retention can no longer be justified. This can be anonymised or pseudonymised. 

► Draft policy coming soon – please contact us at this time for further details

Email and social media

•    Access to the internet must be through WEA approved devices and network connections and have a suitable firewall connection configured
•    Only acceptable material use of material can be used in the workplace e.g. photographs, video etc.
•    Email and internet activities will be monitored and reviewed
•    Inspection of files stored on any server or workstation which it owns

Read this policy

Equipment reassignment and disposal policy

•    Disposal of removable media
•    Reuse and resale of IT equipment
•    Disposal of equipment with regard to GDPR compliance

Read this policy

Payment processing policy

•    Electronic credit cards numbers should not be stored on a personal computer or email account  
•    An electronic list of credit card information should not be stored
•    Only essential information should be stored

Read this policy

Privacy notice

•    Legal basis of processing personal data
•    Information we collect
•    Retention policy information
•    Sharing of personal data
•    Cookies

Read this policy

Subject access requests

•    Gives a user the right to access their personal data held by the WEA
•    Can request rights to erasure, portability, accuracy, forgotten, object, automated decision making
•    Provides a guidance on the process the DPO has to follow to provide this information

If you would like to exercise your Data Subject Rights including your right to access; rectification; erasure; restriction; or objection to processing, please fill in this form.

Read this policy

Use of 3rd party services and outsourcing

•    Security requirements in place to secure our information
•    Contracts should be in place for services provided by 3rd parties
•    Service Definition Agreements (SDA) and Service Level Agreements (SLA) should be in place

Read this policy

Thank you for reviewing our policies -  as a reminder: all the personal details you have provided to the WEA will be retained and protected by the WEA in accordance with the General Data Protection Regulations. 

If you have any complaints about the way the WEA collects and stores your data, you have the right to lodge a complaint with the UK’s Information Commissioners Office www.ico.org.uk.

If you have any questions for us, please email dpo@wea.org.uk or call 0300 303 3464.