Highfield   |   Privacy policy

Privacy Policy

When we process your personal data we comply with all applicable data protection legislation, including the UK GDPR and the Data Protection Act 2018. 

Your personal data includes all the information we hold that identifies you or is about you. More information about the types of personal data we process about you is set out below.  

Everything we do with your personal data counts as processing it, including collecting, storing, amending, transferring and deleting it. 

This privacy policy provides information about the personal data we process about you, why we process it and how we process it. It applies to individual customers of Highfield Qualifications Limited as well as our business contacts at customer and supplier organisations. 

Our responsibilities 

Highfield Awarding Body for Compliance Limited t/a Highfield Qualifications (a company registered in England with registered company number 06478925 and registered address at Highfield Icon, First Point, Balby Carr Road, Doncaster, South Yorkshire DN4 5JQ) is the controller of the personal data you provide.  

 

What data do we process about you and why? 

 

  • Centre Contacts 

 

We will process the information you provide in the application you submit on behalf of your organisation for your organisation to become a Highfield Qualifications approved centre (a “Centre”). The Centre application will include personal information about you as our Centre contact. Even if you are not our Centre contact, we may process personal data about you if it is included in an application submitted by a Centre. Information we may process about you as a Centre contact or as someone referenced within a Centre application may include: 

 

  • your full name 
  • your email addresses and other contact information 
  • images, videos and information about you taken as part of a quality assurance visit recordings, either onsite or carried out virtually using video conferencing; and 
  • any other personal data about you provided by the Centre in a Centre application. 

 

We may use your personal data for the following purposes: 

 

  • to provide you with information about the Centre, learner registrations, enquiries and results and to send certificates to the Centre 
  • to manage and arrange Centre quality assurance visits 
  • to communicate regulatory changes and updates 
  • to send you marketing information where we are entitled to do so under data protection laws 

 

  • Tutors, assessors and internal quality assurance (IQA) staff 

 

We will process the information you provide in your application to become a tutor, assessor or IQA or the personal data about you in an application made by a Centre. This information is likely to include your name, email address, telephone number and other contact information, your teaching and training qualification certificates, proof of your professional qualifications, your employment history and training experience and references. If the application is successful, your personal data will be stored on our system for the period in which you are a Highfield Qualifications tutor, assessor or IQA. Please notify us, or ask the Centre to notify us, if you cease providing services as a tutor, assessor or IQA. 

 

If you submit an application to us and your application is incomplete, it will be deleted no later than 12 months after receipt if there has been no further activity on the application during that period. If your application is unsuccessful we will delete it promptly following our decision, except to the extent we are required to retain your personal data for regulatory purposes. We will also delete Centre applications (and any personal data held about you within those applications) no more than 12 months after receipt of an incomplete application or promptly following a decision not to appoint a Centre, subject to any regulatory requirement that we continue to hold personal data within the application.  

 

If you are an approved tutor, assessor or IQA but you are not active for a period of 3 years, we may choose to delete your personal data (with the exception of your name which will retain on our file indefinitely so that we have a record of the fact you were tutor for one or more courses) on or after the end of the 3 year period, in which case you would need to submit a new application if you wish to be an approved tutor, assessor or IQA.  

 

Where there is a legal or regulatory requirement for us to process your personal data, we rely on the fact that we are required by law to process it. Otherwise, we process your personal data on the grounds of our legitimate interests in considering your application. If your application is successful we will also process some of your data on the grounds of fulfilment of our contract with you. 

 

  • Learners 

 

If you are undertaking courses, work-based learning awards, exams or qualifications provided by us, we collect the information we need in order to provide those products and services to you including but not limited to your name, date of birth, gender, telephone number and qualification awarded. It may also include photos of you and copies of your signature.  

 

This information will be held by us for a period of 40 years from the date you complete your course, work-based learning award or exam so that we can comply with regulatory requirements and requirements to deliver future services such as certificate re-prints and confirmation of awards. 

 

Information that is processed as part of the qualification, such as your exam papers, will be held for no longer than 6 months from the date the information is collected.  

 

We may also capture personal data about you when we conduct a quality visit (such as video evidence of training). Once we have concluded our review, the personal data stored for this purpose will be deleted or destroyed. 

 

If you contact us to request a replacement certificate, we will retain a record of the address to which you wish the certificate to be sent for no longer than 6 months. 

 

  • Remote Invigilation 

 

We may provide remote invigilation services in respect of the qualification you are undertaking. Remote invigilation services are provided on our behalf by a company located in the EU. We retain the recording of your exam for a period of 30 days from the date of the exam unless an issue has arisen in respect of your exam in which case we will retain the recording until the issue has been resolved.  

 

  • Business customers and suppliers (including external consultants, EQCs, SMEs, end-point assessors and exam markers)  

 

If the organisation for which you work purchases services from our website or provide services to us the only personal data we are likely to process about you is your name and your business email address. The remainder of the information we collect will be company information and therefore not covered by data protection legislation. We process your personal data on the grounds of our legitimate interests in fulfilling the order placed by the company for which you work or receiving services from the company for which you work. We will retain your personal data for the duration of our contract with the organisation for which you work or, if earlier, until we are notified that you are no longer the relevant person to contact at the organisation. 

If you are a centre contact, your information may be provided to us by the centre for which you work. The information we hold about you is likely to include your name, email address and telephone number. We process your personal data in order to: 

 

  • communicate with the centre about, for example, courses, exam results and certificates; 
  • liaise with the centre to organise and undertake external quality visits; 
  • communicate regulatory changes and updates; 
  • market Highfield’s products and services; and 
  • purchase and provide products and services from and to you. 

We will retain personal data relating to Centre contacts for the duration of our contract with the Centre or, if earlier, until the Centre informs us that you are no longer the relevant person to contact at the Centre. 

  • Webinar attendees 

We will process personal data about you if you choose to attend one of our webinars. We use a third party to provide webinar tools and services to us. When you register to use/access our webinars we will ask for your full name, email address, job title and the name of the company for which you work. We and the third-party provider may have access to those systems from the date you input them to the date 6 months after the webinar takes place. Personal data may be accessed by the third party from outside the UK and the EEA, including in the US. Any such transfers of data take place on the basis of standard contractual clauses. 

  • Recruitment Candidates 

We will process personal data about you if you apply for a role with us. That personal data is likely to include: 

 

identity data such as your first name, middle names, last name, marital status, title, date of birth and gender; 

contact data such as your postal address, email address and telephone numbers; 

background data such as your education, career background and work experience; 

personal information such as your skills and qualities; 

any other information that you include on any CV, application or covering letter you send to us. If this information includes special categories of data we will process that information on the grounds of consent because you have chosen to provide it to us. 

 

We process your personal data on the grounds of our legitimate interests in determining whether or not we have a suitable vacancy for you. 

 

If you are successful we will retain your personal data in line with our employee privacy policy, a copy of which will be provided to you if you accept a role with us. 

 

If you are unsuccessful, we will retain your personal data for 6 months from the date of your application. 

 

Our collection of your personal data 

We use different methods to collect data from and about you including through: 

  • Direct interactions 

 

You may give us your personal data by filling in forms on our website or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you: place an order for our services or provide products or services to us; submit a query about our products whether on our website or by email or phone; request for marketing to be sent to you; or otherwise correspond with us. 

  • Automated technologies or interactions 

 

As you interact with our website, we may automatically collect personal data about you. You can find out more information in our cookie policy available [here].  

  • Information received from our clients and the Centres to which we provide services 

 

We may receive information about you from your employer so that we can liaise with you in respect of the qualification you wish to undertake.  

If you are a tutor, assessor, IQA or Centre contact we may receive information about you from the Centres with which we work.  

  • Information received from Highfield e-Learning Limited 

If you have purchased an e-learning product or service from Highfield e-Learning Limited and it includes a qualification, your personal data will be passed to us so that we can engage with you in respect of the qualification and retain a record of your qualification. In that scenario, the sections in this privacy policy that are applicable to learners will apply to you. 

Who will receive or have access to your personal data? 

Your personal data is only transferred to the extent that this is necessary. Recipients of your personal data may include: 

 

  • our third-party remote invigilation partner that provides remote invigilation services in respect of your exam. Data transferred to our remote invigilation partner includes your full name and email address so that instructions relevant to the remote invigilation may be sent to you; 

 

  • our third-party provider of webinar tools and services, referred to above in the section entitled “Webinar Attendees”; 

 

  • our third-party marketing partners that send marketing and service communications to you on our behalf where you have consented to us doing so or where we have other grounds for sending you marketing in accordance with data protection legislation. Your personal data may be transferred to those providers located outside of the UK and EEA, including in the US, in which case the transfer takes place on the basis of standard contractual clauses; 

 

  • third-party providers through which our emails to you are routed in order to assist with tracking and delivery of emails. Your personal data may be transferred to those providers located outside of the UK and EEA, including in the US, in which case the transfer takes place on the basis of standard contractual clauses;   

 

  • legal advisers to the extent they need to see your personal data to provide us with legal advice;  

 

  • our external hosted data centre; 

 

  • Microsoft Azure which provides our disaster recovery solution; 

 

  • third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy. 

If you are a learner, we may also share your data with: 

  • awarding organisations and regulators to the extent necessary to provide you with the products and services requested for you; 

 

  • the Security Industry Authority to the extent necessary to comply with regulatory requirements (the information shared is likely to include your photo ID and signature); 

 

  • the national Learning Record Service; 

 

  • other regulatory bodies to the extent we are required to do so in relation to, for example, investigations. 

We require all third parties to respect the security of your personal data and to treat it in accordance with the law.  

Unless otherwise expressly stated in this privacy policy, we do not transfer your personal data outside of the EEA. 

What are your rights? 

You benefit from a number of rights in respect of the personal data we hold about you. We have summarised your rights below, and more information is available from the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/). These rights apply for the period in which we process your data. 

  1. Access to your data 

You have the right to ask us to confirm that we process your personal data, as well as access to and copies of your personal data. You can also ask us to provide a range of information, although most of that information corresponds to the information set out in this fair processing notice.  

  1. Rectification of your data 

If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it unless we do not feel it is appropriate in which case we will let you know why. We will also let you know if we need more time to comply with your request. 

  1. Right to be forgotten 

In some circumstances, you have the right to ask us to delete personal data we hold about you.  

There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we will let you know. 

  1. Right to restrict processing  

In some circumstances, you are entitled to ask us to suppress the processing of your personal data. This means we will stop actively processing your personal data but we do not have to delete it.  

  1. Data portability 

You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the personal data to another data controller. 

  1. Right to object 

In some circumstances, you are entitled to object to us processing your personal data.  

Automated decision making 

Automated decision making means making a decision solely by automated means without any human involvement.  

We do not carry out any automated decision making using your personal data. 

Your right to complain about our processing 

If you think we have processed your personal data unlawfully or that we have not complied with GDPR, you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website - https://ico.org.uk/concerns/

Any questions? 

If you have any questions or would like more information about the ways in which we process your data, please contact dataprotection@highfield.co.uk.