GDPR Policy for Cambridge Professional Academy (trading as Professional Academy within the UK)
The following outlines the General Data Protection Regulation Policy for Cambridge Professional Academy (CPA).
The overarching principle is that
- All data collected and/or stored by CPA is done so for the sole purposes of CPA business and an individual’s relationship with CPA. This will include; communications with students from CPA directly, communications between students and their respective support tutors, and communications with individuals and businesses who have expressed genuine and legitimate interest in CPA products or services. Individual’s personal data will not be shared with a third party without prior written consent.
- No member of staff both at CPA head office or within the support tutor network will share any personal data with a third party without the prior consent of the individual. This includes, but is not limited to Name, address, email address and phone details.
- All CPA Staff consent to their business email address, phone number and associated business contact details to be circulated for the sole purposes of CPA business.
Communications with interested parties
- By submitting their contact details as part of a query to CPA, via website, phone call, webchat, SMS, social media platforms, face-to-face, or email, interested parties have expressed legitimate interest in CPA’s products and services.
- Parties completing online webforms will be asked to opt-in to receive further information, if the interested party does not opt-in they will be removed from all bulk marketing, but CPA may contact them on an individual basis to investigate and confirm their legitimate interest.
- Individuals who have submitted legitimate interest in a specific product or service will only receive information regarding that specific product or service.
- An interested party has the right to rescind their legitimate interest at any time, removing them from all communications both individual or on mass.
- Data for individuals who have expressed legitimate interest will not be stored for more than 3 years and will be removed from all systems once this period has elapsed.
- CPA will not retain any paper files of personal data, including financial transactional data.
- CPA are responsible for the maintenance of all online cloud data storage and will continue to review the security of each system which holds personal data in a timely manner, this includes Customer Relationship Management (CRM), Learning Management System (LMS), backup reporting, file storage systems, accounting software and eCommerce platforms.
- Financial information for online payments are not held by CPA and are all managed by Sagepay, CPA hold none of this payment information.
- When processing financial information by telephone staff taking the call must not write down or record any of the information given to them except in the designated boxes in the Sagepay payment terminal. They must not repeat back any card details and if they require clarification they will ask the caller to repeat the details. The transaction should not be processed on speaker phone or via email.
- No PC or workstation shall be left unmanned without a suitable password protected screen saver. All PCs and workstations should be closed, and password protected overnight.
- All Staff should use only their own login to access PCs and membership databases and not share their login details with others.
- To show compliance to the General Data Protection Regulations all staff will complete a training program and sign to agree that they understand the implications (log available on request) they will also sign this policy to show they have read and understand their responsibility to personal data.
- From May 2018 the Managing Director, Operational Director, and Sales & Marketing Director will be responsible for quarterly GDPR audits to ensure full compliance.
- All staff have signed as part of their contract of employment a confidentiality clause.
Learners with Cambridge Professional Academy
- On registering to study with CPA individuals must be told that the CPA will not under any circumstances use their data for any other purpose than communication with CPA support services, their direct support tutor, and post-completion marketing information. The data will not be circulated to third parties unless learners give their prior written consent. This is made clear at the beginning of the registration process.
- From time to time CPA may be approached to circulate relevant matters on behalf of third parties, such as studying institutes. Only information relevant to your studies or membership with the institute will be communicated. Data Rights.
- The data held by CPA can only be as accurate as the information supplied to CPA. It is the responsibility of the individual to ensure their data is accurate.
- Once an individual has commenced their studies with CPA their personal data, including a record of their studies, will be retained electronically for 7 years or 5 years from completion, whichever longer, before deletion.
- An individual may at any time request the removal of their personal data by contacting email@example.com for learners and associated parties both past and present and firstname.lastname@example.org for those who have previously expressed interest. It should be noted that the removal of all personal data (including email contact details) will result in CPA no longer being able to carry out the processing of the learner support and would negate the 100% pass guarantee.