Statement related to data processing (GDPR)

Statement related to data processing (GDPR)

The Data Protection Act 2018 (DPA) (incorporating the European General Data Protection Regulation GDPR from 25th May 2018) protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with information about people. A key element to this is the principle to process individuals’ data lawfully and fairly. In order to meet the fairness part of this we need to provide information on how we process personal data.

TAA takes its obligations under the Data Protection Act very seriously and will always ensure personal data is collected, handled, stored and shared in a secure manner.  Our Full Data Protection Policy can be accessed here...

The following statement will outline what personal data we collect, how we use it and who we share it with. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office, the regulator for data protection in the UK.

The College’s official contact details are:

College Information Officer

The Acupuncture Academy

54 High Street

Leamington Spa

Email: jacqui@taa-uk.net

How and why does the College use personal data?

The largest volume of personal data the College processes is in relation to students, at both undergraduate and postgraduate level. The primary purposes we process information about these individuals include:

  • to enable us to administer student-related functions from original applications through to graduation and to provide alumni services;
  • to plan and account for the use of the services provided;
  • to produce information including statistics for relevant external agencies such as the Office for Students, the British Acupuncture Council, and the British Acupuncture Accreditation Board;
  • to enable College staff to communicate with students;
  • to monitor academic progress over the period of enrolment towards completion of a qualification;
  • to carry out assessment, authorise award of qualifications and verification of awarded qualifications post-study;
  • to inform professional accrediting bodies of recent graduates;
  • to monitor, complaints, disciplinary cases and academic appeals;
  • to provide student support services, including financial, pastoral and IT/learning resources;
  • to monitor, develop and update College systems to ensure they continue to operate effectively and securely; and
  • to monitor equality and diversity objectives within the College.

The College also processes personal data in relation to staff, both academic and non-teaching. This is undertaken to facilitate recruitment activity and to administer the requirements the College must meet as an employer in line with UK law. In addition, it is used to facilitate operational activity within the relevant professional service.

Personal data is also collected for practitioners attending CPD seminars, to allow for communications relating to the administration of the seminar and for marketing purposes.

Finally, the College processes personal data as part of research activity and for the purposes of healthcare, in relation to patients and clients.

What personal data does the College collect?

The College collects personal data from individuals interested in studying here and registered students at various stages. The volume and nature of the personal data collected is outlined below:

  • Initial email/telephone enquiry:
    • name and address
    • contact details (telephone number, email address)
    • subject / area of interest
  • Details from application forms:
    • Photograph for identification badge and for the College websites
    • name and address
    • contact details (telephone number, email address)
    • age / date of birth
    • gender
    • nationality and country of residence
    • educational records to date
    • academic references (including personal statement and predictive grades)
    • disability declaration
    • Entry and other qualifications
    • Demographic information
    • Ethnic origin
    • Self-declararion of criminal record
    • Assessment resultsFurther data collected at enrolment or updated during a student’s time at the College:
      • Funding and fee related information
      • Information needed to provide services in relation to disability, wellbeing or any other type of pastoral support
      • Course and stage details
      • Attendance, progress and current status
      • Emergency contact details
  • Data collected for statutory monitoring and reporting purposes:
    • Religious belief
    • Sexual orientation
    • Sexual identifier
    • data to evidence attendance on course of study

Additional personal data may be collected by the College where relevant in relation to professional body requirements, extenuating circumstances applications, appeals/complaints/disciplinary cases and any further optional student services.

The College collects the following information from academic and non-teaching staff which is outlined below:

  • initial application:
    • name and address
    • contact details (telephone number, email address)
    • self-declaration of permission to work in the UK
    • self-declaration of criminal record
    • relevant qualifications or indication of highest qualification held
    • professional development / training and membership of any professional body
    • employment history
    • supporting statement
    • Referee details
  • Once a candidate has been made an offer of self-employed contract or employment:
    • Bank details
    • Emergency contact details
    • Data captured for equal opportunities monitoring (as above)
    • Health information

Additional personal data is collected for employees to comply with statutory requirements:

  • Data captured for equal opportunities monitoring (gender, date of birth, nationality, marital status, sexual orientation, religious belief, ethnicity)
  • Declaration about any disability as defined under the Equality Act 2010
  • Passport/visa copy

Personal data collected for CPD seminar participants captured from initial sign-up:

  • name and address
  • contact details (telephone number, email address)
  • payment details

Personal data is held for patients and clients, consisting of:

  • Data collected from the initial booking:
    • name and address
    • contact details (telephone number, email address)
  • Data collected from consultations:
    • Health details
    • Name and contact details of GP

Sharing of personal data

The College is required to share personal data with certain other organisations in order to meet statutory requirements or to provide services to students. Sharing will always be undertaken in line with the requirements of data protection law, either through the consent of the individual, or another relevant legal gateway. The personal data that is actually shared will always be limited precisely to what the other organisation needs to meet its requirements or deliver its services.

The information below outlines the key partners with whom the College shares personal data with on a periodic basis:

  • Professional and Funding Bodies:
    • Validation of registrations and awards; and
    • Approval of funding applications.
  • Other individuals / organisations:
    • External examiners for examination, assessment and moderation purposes;
    • The Office Of The Independent Adjudicator to review student complaints;

How long does the College keep personal data?

The College takes its obligations under the DPA very seriously in terms of not holding onto personal data for any longer than is necessary. The College has a retention schedule in place for the different categories of data it holds.

In some cases, there are good reasons as to why the College needs to retain data about students and other individuals for a significant period of time. The most important reasons are outlined below:

  • in order that student awards can be verified in the long-term;
  • to produce transcripts and references;
  • for alumni services and ongoing relations with the College;
  • to deal with complaints, appeals and disciplinary cases including if they are taken to the Office of the Independent Adjudicator (OIA);
  • for statutory reporting purposes and in order to complete statutory surveys such as the Graduate Outcomes from Higher Education Surveys;
  • to produce references on request from previous employees and staff members; and
  • in order to meet pension obligations.

Data Retention periods

Reason for retaining data Data retained Period
in order that student awards can be verified in the long-term;
to produce transcripts and references
Student name, date of birth, College student ID, contact details, award and module marks, course period, Photo, copies of any reference written Indefinitely
for alumni services and ongoing relations with the College Student name, Contact details, Photo Indefinitely or until individual asks to be removed
to deal with complaints, appeals and disciplinary cases including if they are taken to the Office of the Independent Adjudicator (OIA) Documentation relating to complaint or appeal 18 months after complaint or appeal raised
for statutory reporting purposes and in order to complete statutory surveys such as the Graduate Outcomes from Higher Education Surveys Student name, course, contact details Period set by OfS Designated Data Body, plus additional period for audit by DDB
Marketing Student testimonial, video clip, student name and photo, accommodation providers contact details Indefinitely or until individual asks to be removed
References for past employees and staff members Student testimonial, video clip, student name and photo, accommodation providers contact details Indefinitely or until individual asks to be removed
In order to meet pension obligations Name, contact details, pension details Indefinitely
Statutory purposes Employee sick and maternity pay 3 years following the tax year of payment
Patient or client health record Patient name and contact details, clinical notes 7 years or until a child reaches 25 (or 26 if attendance in clinic ends when they are 17)

 

  • All other information, including any information about health, race or disciplinary matters will be destroyed within 7 years of the course ending and/or the student leaving the College (whichever event comes sooner).
  • In general, other information about staff will be kept for 5 years after a member of staff leaves the College.

 

Your rights

An individual has the right to ask the College what personal data we hold about them, and to ask for a copy of that information. This is called making a Data Protection Subject Access Request.

A Subject Access Request should be submitted in writing via email to the college Administrator or in hard copy to the postal address provided above. The College reserves the right to ask you to provide proof of identification and for you to clarify your request if it is unclear in the first instance. You will receive a reply no longer than one calendar month from the date you make the request in writing.

If you are unhappy with the initial response you can ask the College to undertake a further search if there is specific information you have good reason to believe exists but that hasn’t been provided.

You also have the right to complain to the UK Regulator the Information Commissioner’s Office (ICO) if you believe you request has not been dealt with properly or you have a complaint to raise against the College for any other data protection related issue. A complaint can be raised via the ICO’s website or write to the following address:

The Office of the Information Commissioner

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

You also have the right to withdraw consent from the processing of your personal data by the College at any time, if your consent was sought initially to use your personal data.

Right to rectify

If you believe the College holds information about you that is factually incorrect please email TAA’s Administrator (jacqui@taa-uk.net) and one of the Principals (jen@taa-uk.net or julie@taa-uk.net) providing the correct information, and we will update it within one month.

Your responsibilities

All students, staff and any other relevant individual who handles personal information which the College holds is responsible for following the requirements of the Data Protection Policy.