When dealing with personal data at your centre you should consider the six principles of data protection law in all aspects of your operation:
1. Lawfully, fairly and transparently
Lawful: You must have a lawful basis to collect the data, as defined by the GDPR. Further information can be found on the website of the Information Commissioner’s Office (ICO). For most student-training centre relationships the appropriate basis will most likely be ‘Contract’ or ‘Legitimate interest’, although ‘Consent’ may be applicable in some circumstances, such as opt-in marketing.
Fair: You must only do what you tell the student you will do with their data. You cannot collect data for one purpose and use it for another.
Transparency: You must tell the student what you will do with their data. You should do this at the time you collect the data.
2. Purpose limitations
You can only use data for the purpose for which it was collected, and for no other reason.
3. Data minimisation
Data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. In other words, only collect the data you actually need.
4. Accuracy
Data must be ‘accurate and, where necessary, kept up to date’. You should have systems to update and correct data.
5. Storage limitations
Only keep data for as long as you need it.
6. Integrity and confidentiality
Data must be kept appropriately to ensure security.
In addition:
- If you have to share data with another organisation you must make it clear who that is and why and how it is shared.
- Data must be kept accurate and up to date, and only held for as long as necessary for fulfilment of the purpose for which it was collected.
- Your students have the right to request removal of their data from your records.
- Some personal data such as financial or medical information have additional requirements and any breaches are treated more seriously than more general personal data.
- A Privacy Policy or Notice should be used to explain how data is handled at your training centre. It should be referred to wherever personal data is collected so students can reference what will happen to the information they provide.
Further advice on the General Data Protection Regulations is available on the ICO website.
Data shared between the RYA and RTCs
Recognised Training Centres (RTCs) are required to share certain data with the RYA and the RYA to share certain data with the RTC. In the case of such shared data, both the RTC and the RYA will be Data Controllers.
Data should only be shared in line with the requirements in these RGNs. Particular attention is drawn to the items in Related Pages (on the Training Support Site). The data will be retained by the RYA in line with the RYA’s Privacy Notice.
Data shared by the RYA with RTCs will only be used for the stated purpose, for example lists of instructors available for work should not be retained for longer than is needed to engage an instructor for that job.
Both the RYA and RTC will individually be data controllers for the data they hold on students of an RTC and will be independently responsible for:
- The robustness of their data systems;
- Their own data breaches and informing the other party about data breaches;
- Respecting the rights of the data subject.