Data Protection Policy
- EDLounge needs to keep certain information about its employees, learners and other users to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that staff can be recruited and paid, courses organised and to comply with legal obligations to funding bodies and government. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, EDLounge must comply with the Data Protection Principles which are set out in the Data Protection Act 1998. In summary these state that personal data shall be:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- not be kept longer than necessary
- processed in accordance with the data subject’s rights
- not be transferred to countries without adequate protection
2. See Appendix 2 for details of the eight principles. EDLounge and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, EDLounge has developed the Data Protection Policy.
Notification of Data Held and Processed
- All staff, learners and other users are entitled to:
- know what information EDLounge holds and processes about them and why.
- know how to gain access to it.
- know how to keep it up to date.
- know what EDLounge is doing to comply with its obligations under the 1998 Act.
2. EDLounge will therefore provide all staff and learners and other relevant users with a standard request form, on request, for access to data. This will state all the types of data EDLounge holds and processes about them.
3. The Act requires the Training Company to notify the Information Commissioner of the ways in which it processes personal data. Failure to notify the Information Commissioner is a criminal offence. The Training Company's notification must be renewed annually; however, the notification should be amended whenever necessary. It is the responsibility of all staff and learners to ensure that any processing of personal data that they undertake is within the terms of the Training Company's notification. If you believe that any processing which you intend to carry out falls outside of the Training Company's current notification, you must inform the Data Protection Officer. You should not carry out the intended processing until the Data Protection Officer confirms that it will be covered by the Training Company's notification.
4. The Training Company is only able to process personal data within the terms of its notification. If the Training Company processes personal data outside of its notification, both it and the individual processing the data may incur civil and criminal liability. The Data Protection Officer will make the notification after he/she has received written confirmation of details.
5. Current Training Company notification details can be found by entering EDLounge in the Name box on the Information Commissioner’s web site at http://www.ico.org.uk/ESDWebPages/Search
1. Detailed records of all computerised personal data and structured manual data files retained by EDLounge must be registered with the Data Protection Officer who will ensure compliance with the Training Company’s Data Protection Policy and the Act.
1. A small number of activities are exempt from certain provisions of the Act. Activities relevant to EDLounge are:
- Examination scripts (but not examiners' comments) are exempt from the Subject Access provision (Principle 6).
- Personal data used for research purposes is exempt from a limited number of principles of the Act. However, the results of the research should not identify the data subject.
2. Other exemptions that are available are of a very specific nature. They relate to matters such as National Security, Crime and Taxation and Health matters.
Rights to Access Information/Appeal
1. Staff, learners and other users of Achieve Northeast have the right to access any personal data that is kept about them either on computer or in certain files. Any person who wishes to exercise this right should write to Achieve Northeast’s Data Protection Officer. The data subject must supply sufficient information to enable the Training Company to locate the information that the subject seeks. The Training Company is not obliged to comply with open-ended requests. The Training Company may refuse to disclose data that refers to the personal data of third parties.
2. EDLounge will make a charge of £10.00 on each occasion that access is requested, although EDLounge has discretion to waive this.
3. EDLounge aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 working days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the person making the request.
Appeal and Internal Review
If a subject is dissatisfied with the handling of a request, they have the right to ask to request an internal review. Internal review requests should be submitted within two months of the date of receipt of the response to the original request for information and should be addressed to:
If an applicant is dissatisfied with the outcome of an internal review, he/she has the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
1. In many cases, EDLounge can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained (see below). Agreement to EDLounge processing data collected on a learner within the application form, enrolment form or other data provided by the learner or others whilst the subject is a learner, is subject to a declaration on the Training Company’s application and enrolment forms and signed by the learner. Agreement to EDLounge processing personal data is also a condition of employment for staff. This includes information about previous criminal convictions.
2. Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 14 and 19. EDLounge has a duty under The Children’s Act and other enactments to ensure that staff are suitable for the job, and learners for the courses offered. EDLounge also has a duty of care to all staff and learners and must therefore make sure that employees and those who use EDLounge facilities do not pose a threat or danger to other users.
3. EDLounge will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. EDLounge will only use the information in the protection of the health and safety of the individual.
Processing Sensitive Information
1. Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender and family details. This may be to ensure EDLounge is a safe place for everyone, or to operate other Achieve Northeast policies, such as the Sickness Reporting Policy or Equal Opportunities Policy. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and learners will be asked to give express consent for EDLounge to do this.
Status of the Policy in relation to EDLounge employees.
1. This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by EDLounge from time to time.
2. Any member of staff, who considers that the policy has not been followed in respect of personal data about themselves, should raise the matter with the Training Company’s Data Protection Officer. (See page 7 The Data Controller and the Data Protection Officer)
Responsibilities of Staff
- All staff are responsible for:
- Checking that any information that they provide to EDLounge in connection with their employment is accurate and up-to-date.
- Informing EDLounge of any changes to information, which they have provided. i.e. changes of address.
- Checking the information that EDLounge will send out from time to time, giving details of information kept and processed about staff.
- Informing EDLounge of any errors or changes. EDLounge cannot be held responsible for any errors unless the staff member has informed EDLounge of them.
2. If and when, as part of their responsibilities, staff collect information about other people, (i.e. about learners’ course work, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with the guidelines for staff, which are at Appendix 1.
- All staff are responsible for ensuring that:
- Any personal data that they hold on learners is kept securely.
- Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.
2. Staff should note that unauthorised disclosure may lead to disciplinary action being taken.
3. Personal information should be:
- Kept in a secure environment; or
- In a locked drawer; or
- If it is computerised, be password protected; or
- Kept only on disk which is itself kept securely.
1. Learners must ensure that all personal data provided to Achieve Northeast is accurate and up to date. They must ensure that changes of address, etc. are notified using the Personal Details Amendment Form, which is available from Client Services. This will enable the Training Company to update its Management Information System.
1. Learners will be entitled to information about their marks for both coursework and examinations
Publication of EDLounge Information
1. Information that is already in the public domain is exempt from the 1998 Act. It is Achieve Northeast’s policy to make as much information public as possible. Access to public information is available under The Freedom of Information Act 2000.
The Data Controller and the Data Protection Officer
1. EDLounge is:
a. The data controller for its staff information
b. The EFA and the Training Company acknowledge that they are both Data Controllers in common of the Personal Data collected and held by the Training Company in performing the Services and provided to the EFA.
c. A data processor for student information as defined within the SFA Financial Memorandum currently in force and will comply fully with the requirements stated within.
2. EDLounge designated Data Protection Officer is: Name: Cara Radford: Office manager Email: cara@EDLounge.com
3. In the absence of the Data Protection Officer, any issue needing urgent attention relating to the provisions of this policy should be raised with senior management acting on behalf of the Data Protection Officer.
Retention of Data
EDLounge will keep some forms of information for longer than others. Because of storage limitations, information about learners cannot be kept indefinitely, unless there are specific requests to do so. In general, information about learners will be kept for a maximum of 10 years after they leave EDLounge. This will include names and addresses and academic achievements
All other information, including any information about health, race or disciplinary matters will be destroyed within 3 years of the course ending and the learner leaving Achieve Northeast.
EDLounge will need to keep information about staff for longer periods. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references. See Appendix 3 for a full list of information regarding retention times.
Disposal of Data
Particular care must be taken with the disposal of personal data. Staff should be aware that the same standards should be applied to informal records, lists and printouts held by individual members of staff containing personal data as to records that are part of the formal Training Company records systems.
Personal data must be destroyed by secure methods such as shredding or confidential waste sacks handled by authorised contractors.
Formal records may only be destroyed with the appropriate authority.
Data Protection and the Internet
The provisions of the Data Protection Act apply equally to processing on the World Wide Web as they do to processing on all other information systems. When personal data is requested on the EDLounge website the following information must be supplied to the data subject:
- the purpose for which the data is collected;
- the description of the organisations or individuals to whom the data might be disclosed;
- the details of any direct marketing for which the data might be used together with the opportunity for the individual to object to this use of the data;
- a statement regarding the security of the internet as a mode of communication.
When personal data is obtained from the website of another organisation, the relevant manager must ensure that the subsequent use of the personal data conforms to the information provided to the data subject. If any further subsequent use of this data is proposed that was not disclosed at the time of collection consent must be obtained from the data subject before commencing this processing.
Any Personal Data which is placed on a website is treated as data which is transferred outside the EEA (European Economic Area). Written informed consent will be obtained from all staff and learners before details are entered on the Achieve Northeast site.
1. Compliance with the 1998 Act is the responsibility of all members of Achieve Northeast. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to Achieve Northeast facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated Data Protection Officer.
2. Further guidance on Data Protection issues is available from the following websites:
- The office of the Information Commissioner at:
- The JISC Code of Practice for HE and FE Sectors at: www.jisc.ac.uk
Appendix 1 – Staff Guidelines for Data Protection
1. Staff will process data about learners on a regular basis, when marking registers, or Achieve Northeast work, writing reports or references, or as part of a pastoral or academic supervisory role. Achieve Northeast will ensure through registration procedures, that all learners give their consent to this sort of processing, and are notified of the categories of processing, as required by the 1998 Act. The information that staff deal with on a day to day basis will be ‘standard’ and will cover categories such as:
- general personal details such as name and address
- details about class attendance, coursework marks and grades and associated comments
- notes of personal supervision, including matters about behaviour and discipline
2. Information about a learner’s physical or mental health; sexual life; political or religious views; trade union membership or ethnicity or race is sensitive and can only be collected and processed with the learner’s consent. Consent is obtained on the processing of ethnicity data at enrolment. However, if staff members need to record any other information, they should seek the learner’s written consent. For example: recording information about dietary needs, for religious or health reasons prior to taking learners on a field trip; recording information that a learner is pregnant, as part of pastoral duties.
3. All staff members have a duty to make sure that they comply with the data protection principles, which are set out in the Achieve Northeast Data Protection Policy. In particular, staff must ensure that records are:
- kept and disposed of safely, and in accordance with the Achieve Northeast policy
4. Should a member of teaching staff consider it necessary to collect sensitive data or be asked to process this data, they should refer to their line manager in the first instance.
The only exception to this will be if the staff member is satisfied that the processing of the data is necessary:
- in the best interests of the learner or staff member, or a third person or EDLounge, or
- he or she has either informed the authorised person of this, or has been unable to do so and processing is urgent and necessary in all the circumstances.
This should only happen in very limited circumstances. For example, learner is injured and unconscious, but in need of medical attention, and a staff tutor tells the hospital that the learner is pregnant or a Jehovah’s Witness.
5. The curriculum teaching teams will be responsible for ensuring that all data is kept securely.
Staff Checklist for Recording Data
6. Staff must not disclose personal data to any learner, unless for normal academic or pastoral purposes, without authorisation or agreement from the Data Protection Officer, or in line with the Achieve Northeast policy.
7. Staff shall not disclose personal data to any other staff member except with the authorisation or agreement of the designated Data Protection Officer, or in line with the EDLounge policy.
8. Before processing any personal data, all staff should consider the checklist.
- Do you really need to record the information?
- Is the information ‘standard’ or is it ‘sensitive’?
- If it is sensitive, do you have the data subject’s express consent?
- Has the learner been told that this type of data will be processed?
- Are you authorised to collect/store/process the data?
- If yes, have you checked with the data subject that the data is accurate?
- Are you sure that the data is secure?
- If you do not have the data subject’s consent to process, are you satisfied that it is in the best interests of the learner or the staff member to collect and retain the data?
Appendix 2 – Data Protection Principles
The Data Protection Act 1998 contains eight governing Principles relating to the collection, use and disclosure of data, and the rights of the subject to have access to Personal Data concerning themselves. These Principles are:
The First Principle
Personal Data should be processed fairly and lawfully and, should not be processed unless certain conditions are met.
All Personal Data processed must satisfy at least one of the conditions of Schedule 2 of the Act. The requirements of Schedule 2 can be summarised as follows:
- with consent
- to perform a contract with the individual;
- under a legal obligation;
- to protect the vital interests of the individual;
- to carry out public functions conferred by or under enactment;
- for the administration of justice;
- to pursue the legitimate interests of the data controller unless prejudicial to the interests of the individual.
Sensitive personal data processed must meet at least one of the conditions of Schedule 2 (above). In addition, it must also satisfy one of the conditions of Schedule 3 of the Act. The conditions of Schedule 3 can be summarised as follows:
- with explicit consent;
- exercising or performing any right or legal obligation conferred or imposed on the data controller in the context of employment;
- to protect the vital interests of the individual where consent cannot be given or is unreasonably withheld;
- by certain non profit bodies in the course of their legitimate activities;
- where the information has manifestly been made public;
- in any legal proceedings;
- to carry out certain government functions (justice, government department, crown);
- for medical purposes undertaken by a Health Professional or suitably qualified individual;
- certain ethnic monitoring to ensure quality.
The Second Principle
Personal data will be obtained for only one or more specified lawful purposes and will not be further processed in any manner incompatible with that purpose or those purposes.
Personal data obtained for one stated purpose cannot be used for a completely different purpose without the individual being informed of the different purpose.
The Third Principle
Personal data will be adequate, relevant, and not excessive in relation to the purpose or purposes for which it is processed.
You should not simply hold uniform information about all data subjects for all purposes but should consider what personal data is really necessary for a particular activity or operation.
The Fourth Principle
Personal data shall be accurate and, where necessary, kept up to date.
This obligation will apply to personal data not only obtained directly from the data subject but also to personal data obtained from third parties. You must take reasonable steps to ensure that any personal data that you obtain is accurate. Personal data that is likely to change from year to year, such as learner addresses, should be reviewed annually.
The Fifth Principle
Personal data processed for any purpose or purposes will not be kept for longer than is necessary for that purpose or those purposes.
Please refer to the guidelines for Retention of Personal Data in Appendix 3.
The Sixth Principle
Personal data will be processed in accordance with the rights of data subjects under this Act.
The rights of the data subject include the following:
- the right of data subjects to request access to the information held about them, the purpose (s) for which the information is being used and those to whom it is or may be disclosed;
- to prevent processing likely to cause damage or distress;
- to prevent processing for the purposes of direct marketing;
- to be informed of the logic behind any automatic decision making;
- to take action for compensation if they suffer damage for any contravention of the Act by the Data Controller;
- to take action to rectify, block, erase or destroy inaccurate data;
- the right to ask the Information Commissioner to assess whether or not it is likely that any processing of personal data has not been carried out in accordance with the Act.
The Seventh Principle
Appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.
An adequate level of security must be in place for the handling of all Achieve Northeast personal data from collection through to disposal. This is all data held on computers (including e-mail) and in manual filing systems (including both formal and informal notes and records). It also applies to personal data handled by external contractors, consultants and partners on behalf of the Training Company. When using these agencies, a written contract should be entered which ensures that all Achieve Northeast data protection policies and procedures are complied with at all times.
The Eighth Principle
Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
While the Training Company is registered to transfer information outside of the EEA it would not transfer data to any unapproved region (i.e. not on the EU Commission ‘s list of countries or territories providing adequate rights and protection for freedoms of data subjects or, in the case of the United States, the recipient of the data must be signed up to the US Department of Commerce Safe Harbour Scheme).
There are exceptions to the general rule that may allow information to be transferred outside the EEA. These exceptions can be summarised as follows:
- with consent;
- to make or perform a contract;
- in legal proceedings;
- to protect the vital interests of the individual;
- for substantial public interest;
- where the information is on a public register;
- on terms approved by the Information Commissioner or where authorised by the Information Commissioner;
Appendix 4 – Glossary of Terms
The Act - The Data Protection Act 1998.
Data - Any information that will be processed or used within or by a computerised or manual system. This can be written, taped, photographic or other information.
Data Subject - The person to whom the data relates.
Data Controller - The person or organisation responsible for ensuring that the requirements of the Data Protection Act are complied with.
Designated Data Controller - Individual appointed by Achieve Northeast to carry out the day to-day duties of the Data Controller.
JISC – Joint Information Systems Council
Manual System - Any paper filing system or other manual filing system which is readily structured so that information about an individual is readily accessible.
Personal Data - Information about a living person that by itself, or in conjunction with other information which is kept in a manual or computerised system, is sufficient to identify an individual. This information is protected by The Act.
Processing - Accessing, altering, adding to, changing, disclosing or merging any data will be processing for the purpose of the 1998 Act.
Sensitive Data - Information about a person's religion or creed, gender, trade union membership, political beliefs, sexuality, health or criminal record.
Subject Consent - Before processing personal data, the Training Company must have the agreement of the individual to do so. In the case of sensitive data, this must be specific consent, but in other cases, it can be more general.
The Data Protection principles - the underlying principles of the Act that determine what data can be collected, processed and stored. A failure to abide by the principles will be a breach of the 1998 Act.
The Data Protection Commissioner - Person Appointed by the government to administer the provisions of the 1998 Act including notification and to provide guidance and assistance to organisations and individuals.
The Data Protection Tribunal - The tribunal established to deal specifically with matters of enforcement under the Data Protection Act.
Data Protection in Practice
1. In general, disclosures to external bodies/companies/agencies/individuals should not be made over the telephone. It is strongly advised that you ask enquirers to submit their requests in writing (where appropriate on headed paper). This will give you time to check whether the request is legitimate and where possible obtain consent for the disclosure from the member of staff or learner about whom information is requested. You should, wherever possible, reply to the request in writing.
2. The Training Company recognises that in some, exceptional situations, time constraints and other factors make it a necessity to disclose information over the telephone. Good practice is considered to be only releasing information to those individuals who have access to a unique identifier (UCAS no., staff or learner number) or know at least 3 identifying data (e.g. name, address and date of birth) about the data subject. This should minimise the potential for damages because a relationship between the data subject and the caller has been established. If you find yourself in a position where it is necessary to disclose information over the telephone, you should take a contact number and ring the enquirer back. This will go some way to ensuring that the caller is who they say they are. Even the above procedures could be subject to fraud and should only be used when no other alternative exists. In such cases, the Training Company should at least be regarded as having taken reasonable precaution given the circumstances - i.e. that the security in place was appropriate to the risk involved in unlawful processing of data. As always, particular care should be taken when disclosing sensitive personal data or information that could potentially cause the learner or member of staff to suffer subsequent damage and/or distress. Always keep records of actions taken.
3. Please note that even confirming whether a learner or member of staff studies or works at the Training Company could be a potential breach of the Act.
Disclosure to Employers (Learner Information)
1. The Training Company has no responsibility or obligation to disclose any personal information relating to learners to employers or other sponsors, unless they are contributing to tuition fees. Even if the organisation is sponsoring the learner only attendance and achievement details may be provided, no other personal data is to be disclosed.
Remember to keep records of the actions taken.
Disclosure to Parents (Learner Information)
1. The Training Company has no responsibility or obligation to disclose any personal information relating to learners to parents or other relatives, even if they are contributing to tuition fees. Data Protection and The Children’s Act clearly explains that parental responsibility for educational records passes to the young person, once they leave statutory school age.
2. Learners may provide the name of a nominated individual (parent, guardian or other family members for example), to whom the Training Company may disclose personal information. Learners in the 16 – 19 age range are encouraged to involve their parents in their education. Remember it is their choice. You should not assume that copies of reports, invitations to open evenings etc. must be sent to parents. Always check a learner's record to see whether they have given consent and identified a nominated individual. You may come under pressure to discuss individual learners with parents/guardians or even friends over the telephone. However, in these situations it is essential that you do not disclose personal data without the prior consent of the learner - it would be a breach of the Data Protection Act to do so. If the learner has identified a nominated individual (see above) they are understood to have given prior consent.
3. You are, of course, free to discuss institutional procedures with parents (eg describing reassessment procedures, releasing dates of graduation ceremonies according to team or course, advising on when invoices should be paid) but the specific circumstances of an individual learner cannot be discussed without the consent of that learner.
4. There may be occasional, exceptional circumstances (in which a learner’s life or health is threatened) in which the usual need to get consent before disclosing to parents/guardians may be waived. The Training Company holds details of learners' "next of kin" for such purposes.
Remember to keep records of the actions taken.
What to do if someone calls claiming to be a learner
1. You may receive telephone calls from individuals claiming to be learners and asking, for example, for their examination results. Unless you are 100% sure that the person on the line is who they claim to be, you should not disclose information over the telephone. You are advised to ask for confirmation of the learner's ID number, home address and date of birth before proceeding with the call. If the caller can provide the details accurately, make a note of the information that they require and inform them that you will send it to their previously stated email address. If this is not possible, because, for instance, they have not submitted an email address you should send the information to them at an address recorded on the Training Company database, EBS. If the caller insists that they need the information urgently, you may take a contact telephone number and call them back with the information.
Home Addresses, Telephone Numbers and E-mail addresses
- You should never give out personal/home addresses or telephone numbers of staff or learners to third parties over the telephone unless you have been given explicit (in writing) permission by the individual. Instead you could:
- take the caller's contact details and say you will pass a message asking the learner or member of staff to contact them if they are in the Training Company, or
- offer to forward correspondence to a learner or a member of staff on behalf of the caller.
2. You must take care when handling such requests. Remember that an individual's learner/staff status is personal data. Therefore, if you receive such a request it is important to neither confirm nor deny that that person is a learner or member of staff at the Training Company.
3. However, it would usually be deemed appropriate to disclose a colleague's work contact (telephone and departmental address) details in response to an enquiry regarding a particular function for which they are responsible. If you are asked to disclose another member of staff's email address, you should ask the caller to send the email to you and inform them that you will forward the message on to the individual they are trying to contact if they are a member of the Training Company. It would not usually be appropriate to disclose a colleague's work details to someone who wished to contact them regarding a non-work related matter.
1. Telephone references for learners are not usually recommended. However, they are acceptable if you have been specifically asked by a learner or a member of staff to provide a reference at short notice. The identity of the person requesting the reference should always be confirmed prior to disclosure. As a minimum security measure it is recommended that you ring the enquirer back to check that they are who they claim to be.
2. When disclosing information in the form of personal references please ensure that:
- the information you disclose is FACTUALLY correct;
- the disclosure is kept to a minimum (course(s). dates of study and marks);
- sensitive data (e.g. details of health to explain absences from the Training Company) are not disclosed without the explicit consent of the learner or member of staff;
- where opinions about a person's suitability are disclosed, your comments are defensible and justifiable on reasonable grounds;
- if you are unable or unwilling to give a reference, such a refusal is communicated carefully, without, in effect, implying a negative reference.
Remember to keep records of the actions taken.
Refer to the Board of Directors.
Disclosures to the Police
1. Disclosures to the Police are NOT compulsory except in cases where the Training Company is served with a Court Order requiring information. However, Section 29 of the Data Protection Act 1998 does allow the Training Company to release information to the Police WITHOUT the consent of learners or members of staff in LIMITED circumstances. Such disclosures should only be made if the Police confirm that they wish to contact a named individual about a specific criminal investigation and where the Training Company believes that failure to release the information would prejudice the investigation.
2. If you are contacted by the Police and are not sure how to deal with their request you can get in touch with the Data Protection Officer or senior management for advice on how to deal with the enquiry.
3. The Police MUST request the information from the Training Company in writing. You are NOT obliged to release information to the Police over the telephone. Most Police Forces will have their own request form, which should always include:
- a statement confirming that the information requested is required for the purposes covered in Section 29;
- a brief outline of the nature of the investigation;
- the data subject's role in that investigation;
- the name and signature of the investigating officer.
Remember to keep records of the actions taken.