Data Retention Policy

Policy statement

BLT Driver Training (‘we’, ‘us’, and ‘our’) is committed to fully complying with all the requirements of the General Data Protection Regulation (GDPR).

Scope

This data protection policy explains how we will comply with our responsibilities and obligations under the GDPR and applies to:

  • All personal data whose use is controlled by us, whether kept on paper or electronically
  • All our staff and any of our data processors

NB: This policy should be read and used in conjunction with the following policies of ours:

  • Privacy
  • Retention
  • IT
  • Clear desk

Objective

The objective of this policy is to:

  • Ensure we follow the principles of data protection
  • Ensure personal data is processed in a consistent manner throughout the organisation at all times
  • Clarify responsibilities for implementing, complying with and monitoring this policy
  • Give guidance to staff and data processors about how to identify and minimise the risks of breaching the GDPR as well as the possible consequences of doing so

Definitions

Personal data means any information relating to an identified or identifiable person (‘data subject’) such as a name, postal/email address or an identification number.

Examples of personal data typically processed by us are:

  • First and last names
  • Postal and email addresses
  • Telephone numbers
  • Identity documents (e.g. passports & driving licences)
  • Identity numbers (e.g. National Insurance and bank account numbers)
  • Career & educational documents (e.g. CVs & qualifications)
  • Any contact information

Special categories of personal data means personal data revealing race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and criminal records.

Examples of special category personal data typically processed by us are:

  • Health & medical information (including whether a person has a disability)
  • Staff sickness records

Data subject means any individual whose personal data is processed by us.

Examples of our data subjects are:

  • Charity clients
  • Driving training and assessment clients
  • Staff, volunteers and trustees
  • Staff next of kin
  • Job applicants
  • Suppliers of goods/services
  • Contacts

Processing means any use of personal data such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, erasure and destruction.
NB: This means that virtually anything we do with personal data will be processing.

Data controller means the organisation which decides the purposes and means of the processing of personal data.

NB: We are the data controller for the purposes of this policy.

Data processor means an individual or organisation that processes personal data on behalf of a data controller.

Examples of our data processors are:

  • External payroll
  • External IT support
  • Police and/or Fire HQ
  • Driving Trainers/Assessors (on road and in classroom)
  • Suppliers
  • Staff and volunteers
  • Taxi Licensing Authorities

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

Staff means anyone working at or for us including:

  • Trustees
  • Permanent, interim and temporary employees
  • Trainees
  • Volunteers
  • Self-employed contractors

Principles of data protection
Personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
4. Accurate and, where necessary, kept up to date (‘accuracy’)
5. Kept for no longer than is necessary (‘storage limitation’)
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

Roles and responsibilities
Our Trustees have ultimate responsibility for ensuring compliance with the GDPR, the principles of data protection and this policy.

The CEO has responsibility to remind Trustees of their responsibility for ensuring compliance with the GDPR, the principles of data protection and this policy. They have day-to-day operational responsibility for ensuring we comply with the GDPR and can be contacted at: info@bltdrivertraining.co.uk.

All staff have a responsibility to comply with the GDPR, the principles of data protection and this policy when carrying out their duties.

Line managers are responsible for supporting staff’s adherence to this policy.

All data processors have a responsibility to comply with the GDPR, the principles of data protection and this policy when carrying out their contractual and statutory obligations to us.

Failure to comply with this policy may result in legal and/or disciplinary action.

Rights
Data subjects have the right to:

1. Be informed about the collection and use of their personal data
2. Access their personal data
3. Rectification of inaccurate personal data
4. Erasure (deletion) of their personal data (also known as the ‘right to be forgotten’)*
5. Restrict processing of their personal data*
6. Data portability – to easily move, copy or transfer their personal data
7. Object to:

7.1. processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
7.2. direct marketing (including profiling); and
7.3. processing for purposes of scientific/historical research and statistics

8. Appropriate decision-making in relation to automated decision-making and profiling

*This is not an absolute right and only applies in certain circumstances

Subject Access Requests
Any data subject may make a Subject Access Request (‘SAR’). Any member of staff or data processor in receipt of a SAR must pass it on to the CEO as a matter of urgency.

Security
All staff and data processors are responsible for ensuring that any personal data which we are responsible for is kept securely.

Examples of keeping personal data secure are:

  • Paper files/records should be kept in locked cabinets when not in use
  • Monitors/computer screens should be visible only to those who need to see them
  • Paper files/records should not be removed from our business premises without appropriate authorisation
  • Desks should be cleared when not in use
  • Personal data no longer required for day-to-day use should be sent to secure archiving

Full details can be found in the Acceptable Usage (IT) and clear desk policies.

Disclosure (sharing)

This includes the disclosure (sharing) of personal data by:

  • Staff with other teams/departments;
  • Staff with third parties/other organisations (including our data processors); and
  • Our data processors with third parties.

Personal data must not be disclosed unless the recipient is authorised to have access to that personal data (usually because we are fulfilling a contract with or providing a service to the data subject) and then only in accordance with the GDPR.

Examples of unauthorised recipients are:

  • Family members
  • Friends
  • In certain circumstances, the police

Staff and data processors should exercise great caution when asked to disclose personal data and if in doubt should seek advice from the CEO before doing so.

All decisions to disclose personal data must be recorded and all such disclosures must be specifically authorised by the CEO.

Retention
Personal data must not be kept for any longer than is necessary. Our retention policy is to keep personal data for the time period required in line with legal obligations and business needs.

Record types and retention periods:

  • Staff, Volunteers and Trustees – 7 years after they have left employment
  • Employment Applicants – 1 year after their application
  • Charity Clients – 5 years
  • Driver Training and Taxi Assessment Customers – 3 years
  • eLearning Customers – 4 years
  • Financial Records – 7 years
  • Health & Safety Records – 3 years

Disposal (deletion)
When it is no longer necessary to keep personal data, it must be disposed of securely. This means that:

  • Paper will be placed in the confidential waste unit for disposal off site as confidential waste
  • Electronic data will be deleted from the system
  • Computer equipment will be disposed of securely by specialist contractors

A register will be maintained to record details of the media and computer equipment that has been disposed of, when and how it was disposed of, and by whom.

Transfer outside the EEA
The GDPR generally prohibits the transfer (sending) of personal data outside the European Economic Area (EEA) unless:

  • An ‘adequacy decision’ has been made for the destination country; or
  • The transfer is subject to appropriate safeguards; or
  • A ‘derogation’ can be relied upon, e.g.:
    • Where it is necessary for the conclusion or performance of a contract that we have with the data subject or another person; or
    • It is in our legitimate interests (this will only be available to and used by us in very limited circumstances); or
    • With the data subject’s explicit consent (this can only be available to and used by us in very limited circumstances)

These restrictions mean that personal data cannot be freely transferred outside the EEA and that it will be a breach of the GDPR to do so unless any such transfer can be made in accordance with the above.

BLT Driver Training does not routinely send information outside the EEA. In exceptional circumstances a decision to transfer personal data outside the EEA must be specifically authorised by the CEO.

Data protection impact assessments
A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project.

The GDPR includes a new obligation to conduct a DPIA for types of processing likely to result in a high risk to individuals’ interests; a DPIA is also good practice for any major new project which requires the processing of personal data.

Any processing in circumstances where a DPIA may be required must not be undertaken without the approval of the CEO.

Marketing
The rules about sending marketing messages mean, in summary, that other than in legitimate business-to-business transactions, we should not contact individuals without being satisfied that they do not object to hearing from us and that by contacting them we are not being a nuisance to them.

Any electronic marketing will include an ‘opt-out’ function to allow recipients to withdraw from further communications.

Reviewed June 2025