1.0 Purpose and Scope

1.1 The Seetec Group of companies is committed to conducting its business in accordance with all applicable Data Protection laws and regulations, in line with the highest standards of ethical conduct.

This policy, together with our Data Protection Framework, provides a system for ensuring that the Seetec group of companies meets its obligations under UK/EU General Data Protection Regulations and the Data Protection Act 2018 (DPA 18). It applies to all processing of personal data carried out by the Seetec group, including processing undertaken by partners, contractors, and processors.

For clarity, throughout this policy document any reference to Seetec includes all companies, entities and divisions within the Seetec group.

1.2 Seetec collects and processes personal and special category (sensitive) data from our customers, employees, and other stakeholders. When processing personal data, Seetec complies with data protection legislation, guided by the GDPR data protection principles, to ensure that data is:

  • Processed fairly, lawfully and in a transparent manner
  • Used only for limited, specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes.
  • Adequate, relevant, and limited to what is necessary
  • Accurate and, where necessary, up to date
  • Not kept for longer than necessary; and
  • Kept safe and secure.

1.3 Personal Data covered by Data Protection Legislation and this policy.

The EU/UK GDPR definition of ‘personal data’ includes any information which identifies, either directly or indirectly, an identifiable natural living person.

Pseudonymised personal data is also covered by this legislation and policy; however, anonymised data is not regulated by data protection laws, providing that the anonymisation is not reversible.

Special Category Data, due to its sensitive nature, must be provided with additional protection. This information relates to:

  • Race and ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic Data
  • Biometric ID data
  • Health data
  • Sexual life and/or sexual orientation
  • Criminal data (relating to convictions and offences); although not classified as special category data under GDPR, it requires the same level of protection

2.0 Policy Aims

2.1 To ensure that Seetec meets its statutory requirements under data protection laws, and that all personal and special category data is processed compliantly.

2.2 That staff are aware of their responsibilities regarding data protection and have access to the necessary policies, operational procedures, and guidance.

2.3 To provide assurance that Seetec has appropriate technical and organisational measures in place for compliance with data protection law.

This policy should be read in conjunction with the following:

  • Information Security Policy
  • Data Protection Framework
  • Individual User Agreement
  • Data-Document Retention and Archiving Policy
  • Classification Policy
  • Security Incident Management Policy
  • Privacy Notices
  • Internet Cookie Notice/Cookie Policy
  • Data Retention Schedules
  • Archiving Procedure
  • Data Subject Rights Procedure
  • Emailing of Sensitive Data Guidance
  • Security Incident Management Procedure
  • Event Reporting Procedure

3.0 Responsibilities

3.1 Management and Employee Responsibilities

Senior management must ensure that all employees are aware of and comply with their data protection responsibilities as outlined in this policy, and by extension the Data Protection Framework and supporting policies and procedures. It is the responsibility of managers to ensure their staff are fully aware of their responsibilities in managing personal data and its associated risks and have access to this policy and supporting documents. It is the responsibility of all employees to undertake data protection training annually and to adhere to this and related policy documents and guidance when processing personal data.

The Data Protection Officer (DPO) is primarily responsible for assessing and monitoring compliance with the UK/EU GDPR and other data protection laws and for making recommendations to improve compliance. This will include reviewing and updating data protection policies, awareness-raising, training and audits. The DPO is the contact point for Supervisory Authorities (ICO/DPC), including Article 36 Consultations (Data Protection Impact Assessment referrals).

4.0 Our Commitment

4.1 Compliance Monitoring

We undertake assurance activities, built into the groupwide Assurance plan, on a regular basis. These include:

  • External ISO27001 certification assessments
  • Internal ISO27001 audits
  • Internal assurance activities and control testing
  • Commissioner audits and inspections

4.2 Data Protection by Design and Default

We consider privacy at the design phase of any system, service, or processing and limit personal data processing to only what is necessary. We assess processing of personal data where it is perceived to be high risk and, where necessary, complete DPIAs (Data Privacy Impact Assessments) before implementation of new systems or processing.

4.3 Data Subject Rights

We have clear processes to handle data subject access requests and other data subject rights requests.

4.4 Privacy Notices

We publish privacy notices on our websites, which are regularly reviewed and updated. Employees are provided with their own privacy notice.

4.5 Records of Processing Activities – Information Asset Registers

We maintain records of all processing activities in respect of personal and special category data.

4.6 Staff Training

Mandatory Data Protection Training is completed on an annual basis, with role specific training provided as necessary.

4.7 Data Breaches and Information Security Incidents

We have clear processes for reporting and management.

4.8 Contracts

Our Information Security and Contract Departments oversee contracts for compliance with data protection laws.

4.9 Policies and Procedures

We produce policies and procedures to provide guidance on information security, information management, and compliance with data protection legislation.

4.10 Data Retention and Disposal

Seetec adheres to the data minimisation and storage limitation principles of the GDPR. In conjunction with our contractual obligations, we follow the policies of our commissioners relating to document retention. We will obtain authorisation from the appropriate body prior to the destruction of any documents. (Please refer to Appendices A, B and C)

For further information on how we process personal data, please refer to our Privacy Statement: https://seetec.co.uk/legal/privacy-notice/

5.0 Associated Documents

As listed at 2.3 of the Policy.

Appendix A – Interventions Alliance: ESF

Interventions Alliance is part of the Seetec Group, delivering European Social Fund (ESF) funded contracts within the criminal justice system and social care sector as listed below.

This applies to all CFO Activity Hub contracts terminating on or before July 2023.

The Seetec Group of companies will follow ESF policy on document retention, including that ‘Prior to the destruction of any documents relating to CFO Projects, confirmation will be sought from the Managing Authority’, as stated in the ESF Document Retention Guidance for the 2014-2020 ESF Programme (publishing.service.gov.uk).

ESF Funded Contract | Region | Location
HMPPS CFO Activity Hub | North West | Liverpool
HMPPS CFO Activity Hub | North West | Manchester
HMPPS CFO Activity Hub | North West | Warrington
HMPPS CFO Activity Hub | South West | Bristol
HMPPS CFO Activity Hub | South East | Medway

Appendix B – Seetec Pluss Ltd and Pluss Organisation CIC: ESF

Seetec Pluss and Pluss Organisation CIC are part of the Seetec Group, delivering European Social Fund (ESF) funded contracts as listed below.

The Seetec Group of companies will follow ESF policy on document retention, including that ‘Prior to the destruction of any documents relating to ESF funded Projects, confirmation will be sought from the Managing Authority’, as stated in the ESF Document Retention Guidance for the 2014-2020 ESF Programme (publishing.service.gov.uk).

Storage of electronic data for ESF 2014-2020 projects should be in accordance with Seetec Group policies and GOV.UK guidance.

Current and previous ESF2014-2020 funded projects include:

  • DWP – Work and Health Programme* (CPA4: Cornwall, Devon, Somerset – inc. N Somerset and Bath & NE Somerset – Bristol, Dorset, Wiltshire, Hampshire, Portsmouth, Isle of Wight, Surrey, West Sussex, Brighton, Gloucestershire, Oxfordshire and Buckinghamshire)
  • DWP – ESF14-20 Right Steps to Work (Calderdale, Kirklees & Wakefield)
  • National Lottery Community Fund and ESF – BBO: Positive People (Cornwall C2C)
  • National Lottery Community Fund – BBO: Positive People (Cornwall S&E)
  • National Lottery Community Fund – BBO: Positive People (Devon)
  • National Lottery Community Fund – BBO: Positive People (Somerset)
  • National Lottery Community Fund – BBO: Hopeful Families (Calderdale, Kirklees & Wakefield)
  • Health Works for Cornwall (Cornwall Council)

Seetec Pluss also works as a partner for the following ESF funded Programmes:

  • DWP – Work and Health Programme* (CPA3: Northwest) – Ingeus
  • DWP – Work and Health Programme* (Greater Manchester Combined Authority) – Ingeus
  • DWP – Work Routes ESF1420 (Greater Cambridgeshire) – Reed
  • DWP – Work Routes ESF1420 (Greater Peterborough & Hertfordshire) – Reed
  • DWP – Work Routes ESF1420 (Cornwall) – Reed
  • Devolved GMCA Adult Education Budget (AEB), now Adult Skills Fund (ASF)


*Please note:
The Work and Health Programme is co-financed by the European Social Fund for participants who were referred before 1st November 2022 and ended before 23rd July 2023.

In accordance with ESF guidelines on GOV.UK, the ESF2014-2020 retention period is advised by the Commissioner for each project and is subject to change.

  • ESF14-20 data retention period is currently up to 21 July 2032.
  • Work and Health Programme data retention date is currently up to 21 July 2032.
  • BBO data retention date is currently up to 31 March 2034.
  • Health Works for Cornwall data retention date is currently up to 31 December 2035.

It is important that the relevant DWP/Commissioner guidance is consulted, and authorisation obtained, before information is deleted/destroyed.

Appendix C – Seetec Training: ESF

Seetec Training is part of the Seetec Group, delivering ESF funded contracts as listed below.

Current ESF14-20 funded projects include:

  • Apprenticeships Levy
  • Apprenticeships Non-Levy

Former ESF 14-20 funded projects include:

  • Adult Skills Fund (ASF) – (formerly AEB) Non-Devolved
  • Traineeships 16-18
  • Traineeships 19-24

The Seetec Group of companies will follow ESF policy on document retention, including that ‘Prior to the destruction of any documents relating to ESF Projects, confirmation will be sought from the Managing Authority’, as stated in the ESF Document Retention Guidance for the 2014-2020 ESF Programme (publishing.service.gov.uk).

Published: August 2024
