1.0 Purpose and Scope
1.1 The Seetec Group of companies is committed to conducting its business in accordance with all applicable Data Protection laws and regulations, in line with the highest standards of ethical conduct.
This policy, together with our Data Protection Framework, provides a system for ensuring that the Seetec group of companies meets its obligations under UK/EU General Data Protection Regulations and the Data Protection Act 2018 (DPA 18). It applies to all processing of personal data carried out by the Seetec group, including processing undertaken by partners, contractors, and processors.
For clarity, throughout this policy document, any reference to Seetec includes all companies/entities/divisions within the Seetec group.
1.2 Seetec collects and processes personal and special category (sensitive) data from our customers, employees, and other stakeholders. When processing personal data Seetec complies with data protection legislation guided by the GDPR data protection principles to ensure that data is:
- Processed fairly, lawfully and in a transparent manner
- Used only for limited, specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary
- Accurate and, where necessary, up to date
- Not kept for longer than necessary; and
- Kept safe and secure.
1.3 Personal Data covered by Data Protection Legislation and this policy.
The EU/UK GDPR definition of ‘personal data’ includes any information which identifies, either directly or indirectly, an identifiable natural living person.
Pseudonymised personal data is also covered by this legislation and policy; however, anonymised data is not regulated by data protection laws, providing that the anonymisation is not reversible.
Special Category Data, due to its sensitive nature, must be provided with additional protection. This information relates to:
- Race and ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic Data
- Biometric ID data
- Health data
- Sexual life and/or sexual orientation
- Criminal data (relating to convictions and offences); although not classified as special category data under GDPR, it requires the same level of protection
2.0 Policy Aims
2.1 To ensure that Seetec meets its statutory requirements under data protection laws, and that all personal and special category data is processed compliantly.
2.2 That staff are aware of their responsibilities regarding data protection and have access to the necessary policies, operational procedures, and guidance.
2.3 To provide assurance that Seetec has appropriate technical and organisational measures in place for compliance with data protection law.
This policy should be read in conjunction with the following:
- Information Security Policy
- Data Protection Framework
- Individual User Agreement
- Data-Document Retention and Archiving Policy
- Classification Policy
- Security Incident Management Policy
- Privacy Notices
- Internet Cookie Notice/Cookie Policy
- Data Retention Schedules
- Archiving Procedure
- Data Subject Rights Procedure
- Emailing of Sensitive Data Guidance
- Security Incident Management Procedure
- Event Reporting Procedure
3.0 Responsibilities
3.1 Management and Employee Responsibilities
Senior management must ensure that all employees are aware of and comply with their data protection responsibilities as outlined in this policy, and by extension the Data Protection Framework and supporting policies and procedures. It is the responsibility of managers to ensure their staff are fully aware of their responsibilities in managing personal data and its associated risks and have access to this policy and supporting documents. It is the responsibility of all employees to undertake data protection training annually and to adhere to this and related policy documents and guidance when processing personal data.
The Data Protection Officer (DPO) is primarily responsible for assessing and monitoring compliance with the UK/EU GDPR and other data protection laws and for making recommendations to improve compliance. This will include reviewing and updating data protection policies, awareness-raising, training and audits. The DPO is the contact point for Supervisory Authorities (ICO/DPC), including Article 36 Consultations - Data Protection Impact Assessment referrals.
4.0 Our Commitment
4.1 Compliance Monitoring
We undertake assurance activities, built into the groupwide Assurance plan, on a regular basis. These include:
- External ISO27001 certification assessments
- Internal ISO27001 audits
- Internal assurance activities and control testing
- Commissioner audits and inspections
4.2 Data Protection by Design and Default
We consider privacy at the design phase of any system, service, or processing and limit personal data processing to only what is necessary. We assess processing of personal data where perceived to be high risk and where necessary complete DPIAs (Data Privacy Impact Assessments) before implementation of new systems or processing.
4.3 Data Subject Rights
We have clear processes to handle data subject access requests and other data subject rights requests.
4.4 Privacy Notices
We publish privacy notices on our websites, which are regularly reviewed and updated. Employees are provided with their own privacy notice.
4.5 Records of Processing Activities - Information Asset Registers
We maintain records of all processing activities in respect of personal and special category data.
4.6 Staff Training
Mandatory Data Protection Training is completed on an annual basis, with role specific training provided as necessary.
4.7 Data Breaches and Information Security Incidents
We have clear processes for reporting and management.
4.8 Contracts
Our Information Security and Contract Departments oversee contracts for compliance with data protection laws.
4.9 Policies and Procedures
We produce policies and procedures to provide guidance on information security, information management, and compliance with data protection legislation.
4.10 Data Retention and Disposal
Seetec adheres to the data minimisation and storage limitation principles of the GDPR. In conjunction with our contractual obligations, we follow the policies of our commissioners relating to document retention. We will obtain authorisation from the appropriate body prior to the destruction of any documents. (Please refer to Appendices A, B and C)
For further information on how we process personal data please refer to our Privacy Statement: https://seetec.co.uk/legal/privacy-notice/
5.0 Associated Documents
As listed at 2.3 of the Policy.
Appendix A – Interventions Alliance: ESF
Interventions Alliance is part of the Seetec Group, delivering European Social Fund (ESF) funded contracts within the criminal justice system and social care sector as listed below.
This applies to all CFO Activity Hub contracts terminating on or before July 2023.
The Seetec Group of companies will follow ESF Policy around Document retention and that ‘Prior to the destruction of any documents relating to CFO Projects, confirmation will be sought from the Managing Authority’ as stated in ESF Document Retention Guidance for the 2014-2020 ESF Programme (publishing.service.gov.uk)
| ESF Funded Contract | Region | Location |
| --- | --- | --- |
| HMPPS CFO Activity Hub | North West | Liverpool |
| HMPPS CFO Activity Hub | North West | Manchester |
| HMPPS CFO Activity Hub | North West | Warrington |
| HMPPS CFO Activity Hub | South West | Bristol |
| HMPPS CFO Activity Hub | South East | Medway |
Appendix B – Seetec Pluss Ltd and Pluss Organisation CIC: ESF
Seetec Pluss and Pluss Organisation CIC are part of the Seetec Group, delivering European Social Fund (ESF) funded contracts as listed below.
The Seetec Group of companies will follow ESF Policy around Document retention and that ‘Prior to the destruction of any documents relating to ESF funded Projects, confirmation will be sought from the Managing Authority’ as stated in ESF Document Retention Guidance for the 2014-2020 ESF Programme (publishing.service.gov.uk)
Storage of electronic data for ESF 2014-2020 projects should be in accordance with Seetec Group policies and GOV.UK guidance.
Current and previous ESF2014-2020 funded projects include:
- DWP – Work and Health Programme* (CPA4: Cornwall, Devon, Somerset – inc. N Somerset and Bath & NE Somerset – Bristol, Dorset, Wiltshire, Hampshire, Portsmouth, Isle of Wight, Surrey, West Sussex, Brighton, Gloucestershire, Oxfordshire and Buckinghamshire)
- DWP – ESF14-20 Right Steps to Work (Calderdale, Kirklees & Wakefield)
- National Lottery Community Fund and ESF – BBO: Positive People (Cornwall C2C)
- National Lottery Community Fund – BBO: Positive People (Cornwall S&E)
- National Lottery Community Fund – BBO: Positive People (Devon)
- National Lottery Community Fund – BBO: Positive People (Somerset)
- National Lottery Community Fund – BBO: Hopeful Families (Calderdale, Kirklees & Wakefield)
- Health Works for Cornwall (Cornwall Council)
Seetec Pluss also works as a partner for the following ESF funded Programmes:
- DWP – Work and Health Programme* (CPA3: Northwest) – Ingeus
- DWP – Work and Health Programme* (Greater Manchester Combined Authority) – Ingeus
- DWP – Work Routes ESF1420 (Greater Cambridgeshire) – Reed
- DWP – Work Routes ESF1420 (Greater Peterborough & Hertfordshire) – Reed
- DWP – Work Routes ESF1420 (Cornwall) – Reed
- Devolved GMCA Adult Education Budget (AEB) (now Adult Skills Fund, ASF)
*Please note: The Work and Health Programme is co-financed by the European Social Fund for participants who were referred before 1st November 2022 and ended before 23rd July 2023.
In accordance with ESF guidelines on GOV.UK, the ESF2014-2020 retention period is advised by the Commissioner for each project and is subject to change.
- ESF14-20 data retention period is currently up to 21 July 2032.
- Work and Health Programme data retention date is currently up to 21 July 2032.
- BBO data retention date is currently up to 31 March 2034.
- Health Works for Cornwall data retention date is currently up to 31 December 2035.
It is important that the relevant DWP/Commissioner guidance is consulted, and authorisation obtained, before information is deleted/destroyed.
Appendix C – Seetec Training: ESF
Seetec Training is part of the Seetec Group, delivering ESF funded contracts as listed below.
Current ESF14-20 funded projects include:
- Apprenticeships Levy
- Apprenticeships Non-Levy
Former ESF 14-20 funded projects include:
- Adult Skills Fund (ASF) – (formerly AEB) Non-Devolved
- Traineeships 16-18
- Traineeships 19-24
The Seetec Group of companies will follow ESF Policy around Document retention and that ‘Prior to the destruction of any documents relating to ESF Projects, confirmation will be sought from the Managing Authority’ as stated in ESF Document Retention Guidance for the 2014-2020 ESF Programme (publishing.service.gov.uk)
Published: August 2024