a. ELCAS fully understands the importance of protecting information that comes into its possession, whether from customers, suppliers, contractors or staff. The company has formalised its approach to managing and protecting this information through the ISO27001 certification of the M Group (to which M Assessment Services belongs), which provides a robust framework for the security and protection of all its information.
ELCAS is also committed to complying with all Data Protection legislation including the General Data Protection Regulation (Regulation (EU) 2016/679) and the Data Protection Act 2018 and to ensuring the appropriate safeguarding and processing of
Personal Data may be processed, retained and protected as a result of our ongoing, or potential, day-to-day business, including individuals visiting our website.
This Policy complies with the General Data Protection Regulation (Regulation (EU) 2016/679) and the Data Protection Act
2. Your data and information
In the course of our business, we collect information from individuals we deal with on behalf of the Ministry of Defence (MOD) in relation to the provision of the MOD’s Enhanced Learning Credits Scheme (ELC). In this context, we are the Data Processor and the MOD are the Data Controller.
b. An “individual” might be any person including an actual (or potential) service leaver, service person, learning provider, customer, supplier or subcontractor or could be a visitor to our website. In the context of the GDPR, an identified or identifiable person is known as a “Data Subject”.
Some of the information we gather can be Personal Data. “Personal Data” is information that relates to a Data Subject who can be identified from that data on its own, or when taken together with other information that comes into our possession. It can include any expression of opinion or indication of intention in respect of that person but does not include anonymised data.
3. What do we
The typical information collected through provision of our standard products and services includes:
some Personal Data such as: VAT number, Companies House details, DUNS number, name, rank, position, date of birth, service number, gender, ethnic group, working location and contact details;
it may also include spouse
contractual information such as: commercial contracts, technical information and site access information; and
relevant business information such as: meeting notes, related documents, complaints and informal letters.
From our website, we may collect:
browser information such as: internet protocol (IP) address, computer operating system and browser type; and
website information such as: general traffic patterns, address of any referring website, website areas visited most frequently and website services accessed the
4. Why do we need it and what do we do with it?
We only gather and process information (including Personal Data) that we need in order to conduct our day-to-day business. We do so under two of the lawful purposes specified in the GDPR:
of a contract. For example, we process Personal Data to engage in contractual negotiations, undertake operational delivery of customer products and services and correspond with our suppliers
obligation. For example, we process Personal Data to undertake operational delivery of the Enhanced Learning Credit Scheme in line with JSP822 and The Armed Forces (Enhanced Learning Credit Scheme and Further and Higher Education Commitment Scheme) Order 2012, S.I 2012/1796 (as amended, most recently by S.I
Personal Data processed as part of the provision of our standard products and services is stored in the UK.
5. What don’t we do with it?
ELCAS will not process Personal Data for purposes other than identified above without first informing the individual of the legal basis on which the processing will occur and gaining their consent.
We do not take automated decisions about individuals using Personal Data or profiling.
In certain circumstances, we will share Personal Data with other persons or companies where this is required in order to carry out a contract or where there is a legitimate interest. In all cases, we require Personal Data to be kept confidential, secure and to be protected in accordance with the law.
6. How do we protect it?
ELCAS has robust measures in place to ensure the security of Personal Data. Where reasonably practicable this includes:
staff training and data processing guidelines;
anonymisation and/or encryption of Personal Data;
in-built resiliency to restore and access Personal Data in a timely manner in the event of a physical or technical incident
7. How long do we keep it?
Retention periods for Personal Data are determined by its nature and purpose and in accordance with the requirements of the GDPR. Data held for the purposes of performing a contract will be held for the period required by the contract or for as long as commercial relations remain between the parties.
Personal Data processed for other legitimate interests will be retained for as long as it remains appropriate and relevant. Regardless of purpose, the continued relevance and accuracy of Personal Data will be reviewed and validated on a regular basis.
8. What are your rights?
Under the GDPR, you are entitled to a copy of any information we hold about you which can be obtained through a Subject Access Request (SAR). The request must be made in writing to us at firstname.lastname@example.org.
You can request correction of inaccuracies in Personal Data; if you believe we hold incorrect or incomplete data please contact us so that we may take all reasonable steps to check and correct where possible or signpost you to the source of the data provision.
You have the right to request we restrict the processing of your data (conditions in respect of JSP822 will apply).
You have the right to request erasure (also referred to as the right to be forgotten) and can request that we no longer process your data and erase all information about you. This is not an absolute right and there may be legal, regulatory or contractual reasons why data cannot be erased at the time of the request.
e. ELCAS will normally respond to a SAR within one month unless the request is complex or numerous in which case the period in which we must respond can be extended by a further
In circumstances where a SAR is manifestly unfounded or excessive, ELCAS may legally charge a reasonable administrative fee or may legally or contractually refuse to act on the SAR.
9. Who can you
You may escalate your query to:
i. Our Group Data Protection Officer (“DPO”), Nick Scott. The DPO can be contacted at DP@morrisonus.com.
ii. The Ministry of Defence DPO on email@example.com or by post at MOD Data Protection Officer, Ground floor, zone D, Main Building, Whitehall, London, SW1A 2HB
c. Finally, you can also obtain additional information about the GDPR and your rights under it on the Information Commissioner’s Office website. You can also make a formal complaint to the ICO in the event that you feel we have not resolved any query to your satisfaction.
10. Policy changes
ELCAS will review this Policy periodically and reserves the right to update it as required. In any case the Policy will be reviewed at such times as organisational or legislative changes impact upon its content. This Policy was last reviewed on 28 December 2019.