Data Protection Policy
Who we are
Our website address is: http://www.mp-qc.org/
In order to provide education, training, assessment, qualifications and health and safety measures to its customers and clients, the Mineral Products Qualifications Council (MPQC) needs to gather, process, store and use certain information about individuals. To this end MPQC is registered as a Data Controller (No. Z8206631) with the Information Commissioner’s Office (ICO).
This policy describes how personal data is collected, handled, and stored to meet the company’s data protection standards and comply with the General Data Protection Regulation 2018 (since 1st January 2021, the DPA 2018/UK GDPR).
Scope of Policy
This policy covers data protection for all living individuals/data subjects, which could include:
• Employees (past and current)
• Prospective Clients
• Contracting Companies and their employees/subcontractors
• Individual Contractors
• Company Members
• All other stakeholders in relation to MPQC
Purpose of the Policy
This policy describes how personal data is collected, handled, and stored to meet MPQC’s data protection standards and comply with the DPA 2018/UK GDPR. For example, it may not be possible to identify living individuals from a spreadsheet of candidate numbers; however, it may be possible when combined with other information in MPQC’s possession. As such, all data shall be processed equally.
There are 6 principles regarding data processing listed in Article 5 of the GDPR with which all Data Controllers must be able to demonstrate compliance. These are that data must be:
1. Processed lawfully, fairly, and transparently
2. Specified, explicit and for legitimate purpose
3. Adequate, relevant, and limited to that necessary
4. Accurate and kept up-to-date
5. Kept in a form that permits identification for no longer than necessary
6. Appropriately secured
Additionally, this Policy ensures that MPQC:
• Complies with data protection law and follows best practice
• Protects the rights of staff, customers, and partners
• Is open and honest about how it stores and processes individuals’ data
• Protects itself and others from the risks of a data breach
An important aspect of the GDPR is the right of an individual to know what information is held on them, and it provides a framework to ensure personal information is processed securely by those responsible. More information on data processing can be found in Appendix A.
Failure to comply with the GDPR is a criminal offence and individuals who feel they are being denied proper access to their personal information, or feel this information is not being handled according to the six principles above, must raise their concerns with MPQC in the first instance (see Appendix B). The ICO expects MPQC to respond to and deal with any concerns raised by individuals within one month (assuming a straightforward inquiry). If the matter is not resolved, individuals can contact the ICO for help (see Appendix B). Complaints are usually dealt with informally, but if this is not possible, enforcement action can be taken.
By entering into any form of contract with MPQC, data subjects consent to the collection and processing of their personal information under Article 6(1)(b)/(f) of the GDPR because it is necessary for the performance of MPQC’s legitimate business interests. Where information is requested that is not directly necessary for MPQC or any of its subsidiaries to discharge their responsibilities, it will be clearly highlighted and the reasons explained. Active consent of the data subject shall be sought, which they are free to deny.
The majority of the data MPQC deals with is classed as ‘standard’ personal data covering categories such as:
General personal details, for example:
- Names and addresses
- Telephone numbers and email addresses
- National Insurance Numbers
- Driving licence details
- Bank account details and credit card numbers
- Photographs, CCTV footage and voice recordings
- Details about relevant scheme completion
- Performance appraisals; including behaviours and discipline
There are specific conditions for ‘sensitive’ personal data (referred to as ‘Special Categories of Personal Data’) such as: racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, sex life, and offences or alleged offences. This type of data shall only be used where there is an essential need and under strict conditions, which include:
• Explicit consent from the individual
• Legal requirements i.e. employment purposes
• To protect the interests of the data subject or another individual
• Administration of justice or legal proceedings
Additionally, the data subject must be clearly informed who will see ‘sensitive’ data and why it is to be processed.
MPQC shall ensure that:
• All personal data is held securely:
- Physical copies are stored in a locked drawer or filing cabinet
- Digital copies are password protected
- External digital and magnetic media is password protected and, where appropriate, encrypted
- The utmost attention is given to the physical security of any portable media or laptop computers carrying personal data
- No personal data shall be disclosed in any form to unauthorised third parties
- Access to information internally shall be limited to those with a legitimate purpose
In the event of a data breach which is likely to risk the rights and freedoms of an individual, MPQC has a legal requirement to inform both the data subject and the ICO within 72 hours. MPQC will carry out an appropriate risk assessment and take any necessary corrective action in accordance with current guidance from the ICO.
The nature of MPQC’s responsibilities requires that most information is held indefinitely: although physical copies are destroyed as soon as they are no longer required, digital data is retained.
Any physical material containing personal data will be placed in secure confidential waste bins/bags, shredded wherever possible, and disposed of as confidential waste. This includes anything relating to candidate records, registration/certification/card matters or client staffing matters. Particular care will be taken to delete information from computer hard drives if a machine is to be disposed of or passed on to another individual.
In order to conduct its business, MPQC must share information with several other organisations and/or individuals. These include:
• Internal administrators
• Training centres
• Government Agencies
Data Subjects’ Rights
All individuals have seven rights in relation to their personal data:
1. The right to be informed
Upon data collection MPQC shall inform individuals of:
• The identity and address of the data controller
• The purpose and legal basis for the processing
• Any recipients of the data
• The period the data shall be stored for
• The right of access, erasure, and portability
• Where applicable, the right to withdraw consent at any time
• The right to lodge a complaint with the ICO
Where the data has not been collected directly, individuals may enquire as to its source.
2. The right of access
Individuals retain the right to know if their personal data is being processed, and if so, access to that data, in addition to:
• The purpose of processing
• The categories of data concerned
• Any recipients, or categories of recipients of the data
• The period the data will be stored or the criteria used to determine the period
This assumes that the cost of researching and providing this information is not prohibitive, although a confirmation (positive or negative) remains mandatory.
3. The right to rectification
Data subjects have the right, without undue delay, to obtain rectification of inaccurate personal data or to complete partial data.
4. The right to erasure
Individuals have the right to the erasure of any of their personal data held by MPQC or its subsidiaries, without undue delay, so long as:
• The data is no longer necessary to the purpose for which it was collected
• Where applicable, they actively withdraw consent
• There are no legitimate grounds for the processing
• The data has been processed unlawfully
• It is required to comply with a legal obligation
Equally, individuals’ data cannot be erased if processing is necessary for:
• Exercising the right of freedom of information
• Compliance with a legal obligation
• Reasons of public interest/health
• Archiving in the public interest; scientific, historical, or statistical purposes (following data minimisation and ensuring the data subject cannot be identified)
• The establishment, exercise, or defence of legal claims
5. The right to restrict processing
Individuals can obtain restriction of processing, provided:
• The accuracy of the data is contested (restriction is only for a period enabling verification)
• The processing is unlawful but the data subject opposes erasure
• The data is no longer needed but is required by the subject for the establishment, exercise, or defence of legal claims
• The subject has objected under their right to object, pending verification of MPQC’s legitimate grounds to process the information (see below)
6. The right to data portability
Data subjects have the right to receive any of their personal data MPQC holds in a structured, commonly used machine-readable format and transmit it to another data controller without hindrance provided:
• The processing is purely based on an individual’s consent
• The processing is carried out by automated means
7. The right to object
Individuals have the right to object to their data being processed for the purposes of:
• Direct marketing
• Scientific, historical, or statistical purposes, unless the processing is necessary for reasons of public interest
Data subjects are permitted to challenge and request a review of the processing if they believe the above rules aren’t being followed.
Where it is able, MPQC will provide any requested information in a concise, transparent, intelligible, and easily accessible form. Unless specifically requested this shall be via electronic communication. This will be done within one month of receipt of the request unless it is complex or numerous (whereby an additional two months are permitted), and initial copies will remain free of charge. MPQC reserves the right to charge a commensurate administration fee for any subsequent copies or to refuse the request if it is manifestly unfounded or excessive.
Related Privacy Policies
There are separate privacy policies to meet specific requirements in the following areas: