This policy supersedes our current Data Protection Policy and Privacy information displayed on our websites. It demonstrates the company’s commitment to the protection of personal information and the requirements of the General Data Protection Regulations 2018.
Cognet Limited is registered with the Information Commissioner’s Office under reference number Z1999548.
Data We Receive from Our Clients
In the operation of our business we will collect and process data that is provided to us by our clients/customers. Personal information about your employees and learners may be included in this data and it is important that you have in place contractual agreements with these individuals on how you will use this information and with whom it could be potentially shared. We require all our customers to be compliant with the General Data Protection Regulations 2018.
By providing personal data by email, phone or other methods you are giving Cognet Limited consent to process this data and confirm you have obtained the appropriate consent from these individuals for their personal data to be processed by Cognet Limited.
Cognet Limited will retain this data for the legitimate purposes of delivering services for the duration that you remain a Cognet Limited customer.
We collect your personal data when you enrol on a course delivered by us. This also includes courses organised and provided by your employer and/or contracting local authority. Personal information is collected to undertake basic training, certification functions and attendance reporting. The personal data is usually limited to name, date of birth, work/contact address and email address. Additionally, depending on the awarding body your gender, contact telephone number and Unique Learner Number may also be requested.
All information collected on behalf of awarding bodies is subject to their own GDPR policy and compliance. Details of which can be provided upon request. Cognet Limited will ensure that all awarding bodies it contracts with are GDPR compliant.
In line with awarding body regulatory requirements and requirements to deliver future services such as certificate reprints and the confirmation of awards, this basic learner-level data will be held by Cognet indefinitely.
We keep digital copies of all information generated during a course including completed attendance registers, completed examination papers and course feedback forms. This will include any personal information provided by you. The physical copies of this information are sent to the awarding bodies when required and all remaining paperwork is securely destroyed. Digital copies of completed course information are securely stored on our internal database for one year and are then archived for a further 5 years before being deleted.
Learners may also contact Cognet Limited to request replacement certificates. In these circumstances a record of the learner’s name and contact address are taken so that the certificate can be requested and sent. A record of the certificate re-issue is made on our database and the contact information is destroyed.
Cognet will only process and hold staff data for the legitimate purpose of employment.
Personal data including name, address, contact details, NI number, date of birth, bank details, employment history, medical history, next of kin contact details is stored and processed on the Cognet network and External payroll system and will be held for the duration of the employment.
On leaving the company all data will be removed from systems and personnel files and be archived for a period of 3 years before being securely destroyed. PAYE information will be held by external payroll for 6 years after as required by HMRC.
CVs and interview notes will be held for 6 months after the recruitment of a role before being securely destroyed or deleted. Data for successful candidates will be stored with employment data.
Prospective CVs will be considered on receipt, shared with internal departments and destroyed should no suitable vacancies be available. Cognet does not store prospective CVs.
References will be requested from former employers as part of employment terms. Factual references for former staff will only be provided on request from future employers, Cognet Limited will only state dates of employment and final role. On receipt of financial reference requests, HR staff will seek consent before providing information.
Personal data will be shared with relevant agencies for the appropriate performance of pensions schemes, tax affairs, benefit schemes, insurances, fleet management, illness cover. Staff participation in such services will indicate consent to share required data for the performance of the service.
Freelance Trainers/Assessors, Suppliers and Banking
Cognet Limited engages the services of freelance trainers/assessors and suppliers for various purposes in the pursuit of its service provision. It is necessary to obtain and store personal data to fulfil contracts. Data including but not limited to: names, addresses, contact details, professional qualifications, identification documents, bank details – will be held on our secure network.
Contracts are reviewed regularly, and inactive partnerships deleted from system.
It is necessary to share bank details with our bankers to make payments for services. Cognet Limited will always make sure that the details are only processed using secure banking systems.
Cognet Limited will never share this information elsewhere, outside of the company unless required to do so by a regulatory or legal authority.
Cognet Limited will never distribute or share personal data collected by us and stored on our internal system with any third party other than:
- Employers – for attendance reporting purposes only
- Awarding bodies – for the purposes of completing the assessment and certification processes
- Regulatory or legal authorities – only when required to do so
Cognet Limited is PCI DSS (Payment Card Information Data Security Standard) compliant. Credit card information is never recorded. It is never stored on Cognet’s systems and is only used to authorise the specific transaction through Cognet’s card payment authority (Elavon) and then removed. Under no circumstances will your credit card information be passed to any other third party.
Where we store data
All data collected by Cognet Limited is stored on our secure internal network at our offices in Worcester, UK. All client information is stored on a password-protected, bespoke database and relevant paperwork is digitised and stored on designated internal server. All data is backed up daily and stored on a secure external cloud server.
Cognet Limited’s email data is stored with Microsoft located in EU data centres and follows Microsoft’s standard security and backup processes.
Destruction of physical data
The destruction of all personal information is under the direct control of the Office Manager. All hard-copy paperwork containing personal data is securely shredded by our designated contactor.
Data breach incidents
In line with our regulatory requirements, Cognet has procedures in place to deal with incident management and disaster recover which includes data breaches. In the event of a data breach these procedures include the required notifications to be sent to the Information Commissioners Office and to customers. This is reviewed annually and may be subject to change.
Cookies/ Log files/IP addresses
When you visit our web site, we automatically log your IP address (the unique address which identifies your computer on the internet) which is automatically recognised by our web server. We use IP addresses to help us administer our web site and to collect broad demographic information for aggregate use. We do not link IP addresses to personally identifiable information.
Cookies are pieces of information that a Web Site transfers to your hard drive to store and sometimes track information about you. Most web browsers automatically accept cookies, but if you prefer, you can change your browser to prevent that. However, you may not be able to take full advantage of a Web Site if you do so. Cookies are specific to the server that created them and cannot be accessed by other servers, which means they cannot be used to track your movements around the web. Although they do identify a user’s computer, cookies do not personally identify customers or passwords. Credit card information is not stored in cookies.
- To identify who you are and to access your account information;
- To estimate our audience size and patterns;
- To ensure that you are not asked to register twice.
We may automatically collect non-personal information about you such as the type of internet browsers you use or the site from which you linked to our Web Sites. You cannot be identified from this information and it is only used to assist us in providing an effective service on our Web Site. We may from time to time supply the owners or operators of third party sites from which it is possible to link to our Web Site with information relating to the number of users linking to our Web Site from their sites. You cannot be identified from this information.
Your Rights under the GDPR
Individuals have certain rights when it comes to the control of personal data:
The right to be informed – Each individual has the right to be inform about what information is collected, how it is used and why it is needed. This policy is designed to show how we handle your data. The policy will be available on our website and learners will be specifically informed prior to the commencement of the course by the trainer.
The right of access – Each individual has the right to access the personal information we hold about them. This is commonly known as a Subject Access Request which can be made verbally or in writing. A copy of an individual’s information will be provided within one month of a Subject Access Request being made.
The right to rectification – Each individual has the right to request any inaccurate information held by Cognet is corrected or completed. A request can be made verbally or in writing and will be carried out within one month.
Right to erasure (to be forgotten) – Each individual has the right to have their personal data deleted. A request can be made verbally or in writing and will be carried out within one month. However, this right is not absolute and there are some circumstances where this right does not apply, for instance where deletion will make it impossible to provide replacement certification or notification of certificate expiry in the case of First Aid at Work training.
Right to restrict processing – Each individual has the right to restrict what we do with your personal information, however, Cognet would still have the right to hold that information but not use it. This is not an absolute right and only applies in certain circumstances.
Right to data portability – Each individual has the right to obtain and reuse for their own purposes the personal data we hold on them.
To make a subject access request or exercise your rights under the GDPR please email firstname.lastname@example.org
St Mary Street
Tel: 01905 28326