Nottinghamshire Healthcare E-Induction Privacy Policy

(Please scroll down to view Dynamics Privacy Policy)

Introduction

This privacy statement explains how your personally identifiable information is being used in this learning management system. Your personally identifiable information is stored, used and accessed in accordance with the General Data Protection Regulations (GDPR). Personally identifiable information is information that can be used on its own or with other information to identify, contact, or locate a person, or to identify a living individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect or otherwise handle your personally identifiable information.

What personal information do we hold?

When using this learning management system or registering on it, you may be asked to enter your first name, surname, email address, date of birth or other details. Nottinghamshire Healthcare Trust only collects and holds the minimum information required on the learning management system to help you with your learning and overall experience on the site and to manage your learning. Other personally identifiable information that Nottinghamshire Healthcare Trust hold about you for other purposes - such as payroll and HR, will not be transferred to this learning management system.

Your right to data portability

All training records which are held about you within the learning management system can be accessed by you at any time. To access your information please select the ‘View your completed courses’ option on the ‘Learning History’ portal of the Dashboard.

When do we collect information?

We collect information from you when you fill out a form, enter information on our site, or complete a course.

How do we use your information?

We use the information we hold on you to personalize your experience and to allow us to deliver the type of learning content which is most relevant to you and to ensure we transfer your training record accurately to the Trust’s learning management system.

How do we protect your information?

We only provide learning materials and information.

Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential in accordance with GDPR laws.

We implement a variety of security measures when a user enters, submits, or accesses their information to maintain the safety of your personal information. For example, all sensitive information you supply, such as your username and password when logging on, is encrypted via Secure Socket Layer (SSL) technology as it is transmitted.

Your password (if stored in the learning management system) is stored in an encrypted format which is both salted and hashed.

We never ask for credit card details.

Do we use 'cookies'?

Yes Dynamic does. Cookies are small files that a website or its service provider transfers to your computer's hard drive through your Web browser (if you allow) that enables the site's or service provider's systems to recognize your browser and capture and remember certain information. Dynamic use a cookie to remember your session ID once you are logged into the learning management system, this ensures that as you move from one page to another, it remembers your session ID and keeps you logged in, until such time as you decide to log out. Cookies are not stored for purposes of advertising or marketing. You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since each browser is a little different, look at your browser's help menu to learn the correct way to modify your cookies.

If you disable cookies in your browser:

If you turn cookies off completely, this will prevent the proper functioning of the learning management system and it is unlikely that you will be able to effectively use the learning management system.

Third-party links and disclosure

We do not include or offer third-party products or services on our learning management system.

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information.

Can I update the information held on me?

Some information held on you can be updated by yourself – such as your password. Other information held on you may not be updated such as your username. In this case, you will need to contact us to have this information updated.

What happens if you want to remove your data from the site?

You can change your consent preference at any time by contacting the Learning & Organisational Development Department by email at,

E-Learning_Enquiries@nottshc.nhs.uk. If you withdraw consent any records of e-learning modules you have already completed will be transferred securely to your Trust training record, your E-Induction account will be closed and your personal details will be deleted.

Who can I contact about the information held on me or if I have a query about the system?

If you have any queries regarding your information or your use of the learning management system then you should contact the following:

E-Learning_Enquiries@nottshc.nhs.uk.

Dynamic's Privacy Policy

Background

The Data Protection Act 1998 is the law that protects personal privacy and upholds individuals' rights. The Act applies to anyone who handles, or has access to, information about individuals.

The Act also gives rights to the people the information is about. By law, everyone who handles personal information must follow the rules set out in the Act and help to protect individuals' rights.

In 2016 a new regulation, the General Data Protection Regulation (GDPR), was agreed and adopted by the European Union. This came with a two-year transition period, becoming enforceable on 25 May 2018. The main purpose of the GDPR was to allow a data subject to have more control over who has access to their data and how their data is processed.

Whilst the GDPR increases the responsibilities of the data controller, the GDPR also gives new legal obligations to the data processors. Processors are now required to maintain records of personal data and how that information is processed. The processor is also responsible for the data that they have access to.

Data Protection Officer

The Data Protection Officer (DPO) for Dynamic is the IT Systems Manager (Callum Statham). It is the responsibility of the DPO to ensure that this policy is reviewed and updated with any changes that have been made to the DPA/GDPR. In addition to this, the DPO needs to ensure that this policy is read and understood by all members of staff within Dynamic. It is also the responsibility of the DPO to ensure that data protection is considered during all business activities.

Dynamic Business Services is registered with the Information Commissioner’s Office: Registration Number Z826796X https://ico.org.uk/ESDWebPages/Entry/Z826796X

Roles and responsibilities

In the agreement with Dynamic for the provision of a LMS platform, Nottinghamshire Healthcare are the data controller. This is because the data held within the LMS platform is employees’ information. Dynamic is the data processor – this is because they store your data and provide functions for the processing of this data.

Data Controller (you)

Nottinghamshire Healthcare responsibilities are:

  • To obtain legal and lawful reasons to store data on a subject.
  • To ensure that all data held is necessary and up-to-date.
  • To detail a data retention policy to the data subject.
  • To inform the data subject why, what and how their data is being used.
  • To assist with any subject access requests made by a data subject.

Data Processor (Dynamic)

Dynamic’s responsibilities are:

  • To only ever act on written or verified telephone instructions from the data controller – this will include assisting with issues via the helpdesk.
  • To not use a subcontractor to process data without written authorisation from the controller.
  • To co-operate with supervisory authorities as required.
  • To ensure the security of the data – this will be achieved by annual penetration tests, which will be run on Dynamic’s default deployment of the LMS. Any advisories will be applied to all of Dynamic’s LMS deployments.
  • To keep records of its processing activities – these will be held through the helpdesk system for monitoring client contacts. They will also be held via audit logs within the LMS, for administrator-level access of user data (Dynamic and client).
  • To notify the controller of any breaches of personal data.
  • To employ a data protection officer (Callum Statham).
  • To assist the data controller with any subject access requests.
  • At the end of the agreement, to return all personal data to the controller as requested. This will usually be supplied in a .csv format.

Training

All members of staff at Dynamic receive a copy of this policy. This is managed through Dynamic’s internal LMS. Records of staff reading this documentation and other Dynamic policies are stored on this LMS.

Regular updates on data protection and data security are provided by the IT systems manager during monthly business-wide meetings. Email updates may also be sent between meetings, should there be key changes in the law. Training to all new starters within the business is given by the IT systems manager and cover:

  • The law around data protection.
  • Policies at Dynamic.
  • Standard operating procedures.
  • How to handle access requests.
  • Whistleblowing.

Further training is provided to staff on an annual basis and is managed through the internal company LMS.

Policy – client data

Storage of personal client data

  • Dynamic has access to personally identifiable client information. It is essential that this information is stored and processed in line with the Data Protection Act and GDPR. The key points relating to Dynamic’s activities are shown below:
  • Client data will only be hosted within the UK using Dynamic’s hosting partner, iCloudHosting. Dynamic utilises a private cloud infrastructure with dedicated storage and backup.
  • iCloudHosting is certified to the following standards:
  1. BS EN ISO 9001:2008 (Quality management systems)
  2. ISO/IEC 27001:2013 (Information security management systems)
  • The primary data centre is located in Reading and is Tier 3+ and fully resilient. The off-site backup is in Manchester, giving a separation of over 200 miles.
  • We back up the data from the LMS platform on an hourly and daily basis. Hourly backups are taken on 24-hour cycles, and daily backups are taken on 14-day cycles and securely transferred to the off-site backup location in Manchester.
  • Dynamic will never transfer your data outside of the EU.
  • Clients can request for their data to be held in a different country if required. For example:
  1. A client and its employees are all based in the USA - they wish to host the LMS on a server within the USA, rather than in the UK.
  • Dynamic will never share your data with any other third parties.
  • Personal client data is only stored within Dynamic’s LMS platform.
  • All web servers must adhere to Dynamic’s IT security standards and contain appropriate firewalls and anti-virus software, as well as receive operating system updates.
  • Very small LMS platforms may on occasion be deployed on shared web servers – in this situation, each instance of the LMS application will utilise a separate database, in order to separate each client’s personal data held on that shared web server.
  • Access is restricted via username and password and limited to connections only by Dynamic and the data controller.
  • Data is never saved onto mobile storage devices - this also includes CDs and DVDs.
  • The personal client data will not be transferred over the web without suitable encryption.
  • The personal client data should not be held if it is not required, or is excessive for our uses. For example:
  1. A client may supply date of birth or National Insurance numbers for employees as part of the staff user profile for populating the LMS. This data is not normally required for training administration and elearning purposes, and therefore Dynamic will inform the client that this personal data is excessive and should be removed from the data source and must not be supplied in the future.

Transferring of data

Dynamic will provide all clients with the ability to gain access to their server via SFTP. This is used as a repository where they can securely send user data to Dynamic. Dynamic will not accept data that’s been sent in an unsecure manner, e.g. an unencrypted excel attachment via email.

Privacy notice

  • The client has the ability to create a privacy policy on the LMS which can explain to system users:
  • Transferring of data
  • Who is collecting their data.
  • How it is being collected.
  • Why it is being collected.
  • How it will be used.
  • Who it will be shared with.
  • The identity and contact details of their data controller.
  • Details of where the data will be stored.
  • The retention period of the data.

Accuracy and relevance

It is the responsibility of the client to ensure that all data within the LMS is kept up-to-date and is relevant for the purposes that they wish to use the LMS functions for. Dynamic provides several ways that user data can be securely fed into the LMS platform:

  • SFTP user upload – a regular user upload directly onto the server via SFTP. This will then be processed by the LMS and the users created, updated or deleted as required.
  • LDAP connection – this method will allow the LMS to be linked into the Active Directory (AD) of the client. A synchronisation can be configured, which will create, update and delete users to match the data held within the AD system.
  • User upload via LMS interface – user records can be updated directly through the LMS interface by the client, using the LMS’s inbuilt upload function.

Data retention

It is the responsibility of the client to manage the user data within the LMS. The client can decide their own retention policy. User accounts can be suspended – this maintains the user’s training record, but does not allow the user to access the LMS. User accounts can also be deleted – if a user is deleted their training records will also be removed.

Data portability

All data subjects have the ability to access their data held on the LMS. This includes the user profile data that was uploaded into the LMS as part of the user creation process, and also their training records. This data can be exported from the LMS in a .csv format. If required, Dynamic can provide the client administrators with assistance in dealing with data subject access requests.

Right to be forgotten

Data subjects have the right to be forgotten, which can be achieved on the system by deleting a user account. When a user record is deleted off the system, all of their personal information – including profile data and learning records – are deleted. There may be times when an exemption applies, such as:

to comply with a legal obligation for the performance of a public interest task or exercise of official authority.

For example, if there are compliance courses on the LMS, then a user’s records may need to be kept for a set amount of time. This would usually be highlighted to the users within the privacy statement. The following may then happen:

  • A client decides that they must retain compliance training records for 12 months after an employee has left employment with them. When an employee leaves the organisation, their user account is suspended. Twelve months later their account is deleted.

Data retention and destruction of records

Once a client notifies Dynamic that they will be ending their hosting agreement, Dynamic will provide the client with a copy of the data held on the LMS. This will include user data and completion records. Dynamic will then erase the server that the data is held on. A copy of this data will remain in the backups for 14 days before being overwritten. Dynamic will keep a register of this deletion.

Privacy Impact Assessments

A PIA forms one of the 12 steps in the ICO official guidance, and is designed to enable an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved. It is the responsibility of the client to conduct their own PIA if they wish to when implementing the Dynamic LMS. Dynamic will assist the client by providing information about how the LMS holds and processes user data, as well as providing functions in the LMS that assist clients with GDPR requirements.

Data processing agreement

When a client takes delivery of the Dynamic LMS platform (with or without hosting by Dynamic), then Dynamic will provide a number of documents relating to the product and service. These will include the following:

  • This GDPR document.
  • An LMS platform administrator guide.
  • Server hosting documentation (if hosted by Dynamic).
  • A Service Level Agreement document.
  • A Contacting Dynamic document.
  • A Pricing Matrix document.

This then constitutes the agreement between the data controller (the client) and the data processor (Dynamic). In summary, this is as follows:

  • The purpose of the LMS is to provide an online resource for staff members to access and complete online training courses.
  • The data processing agreement between Dynamic and the client is in place for as long as the LMS is hosted and/or supported by Dynamic.
  • Dynamic does not process your data without you requesting for this to be done via the helpdesk.
  • The LMS will automatically process data – this processing forms part of the core functionality of the LMS. All of the following processing activities are managed by the LMS but do require setting up by the client:
  1. Assigning users to groups.
  2. Enrolling users onto courses.
  3. Emailing users about course deadlines.
  4. Notifying users of face-to-face sessions.
  5. Account creation, updating and deletion.
  • The information that will be imported onto the LMS should only be what is deemed necessary to providing training to staff. Dynamic strongly recommends that the client does not use any type of sensitive or special category data, as this information is not required by the LMS. Data such as job title, team and department are appropriate for use on the LMS. A user’s date of birth, national insurance number or home address are not appropriate for use on the LMS.