General Data Protection Regulation (GDPR)
Rob Nichols Driver Training (RNDT) is registered with the Information Commissioner's Office (ICO) as data is both handled and controlled in some circumstances. RNDT may process personal information to enable the promotion of goods and services and to maintain records in relation to such services.
Information Disclosure
Who the information may be shared with:
We sometimes need to share the personal information we process with the individual themselves and also with organisations. Where this is necessary we are required to comply with all aspects of the General Data Protection Regulation (GDPR). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.
Where necessary or required we share information with:
Family, associates and representatives of the person whose personal data we are processing;
Central government;
Organisations where the information is requested by law, such as:
The Police;
The DVSA;
Solicitors or Insurance Companies.
This list is not exclusive.
Any data held for each client will not be passed on to a third party without consent from the client themselves. Information about a client requested by a third party will not be divulged by RNDT without the written consent of the client, with the exception of:
- The client being under 18 years of age, and the information is requested directly by a parent or guardian of that client.
- Required by law, for instance, police, solicitors or insurance companies, where the information is required for a legal process. In this instance the third party will be notified of the information being passed on.
- The DVSA may require certain information from a client, in relation to licence verification checks and the booking of theory or practical tests. The DVSA have their own policy as to how they manage this data once they have received it.
Information Requests
Any client has the right to request any of the information held by RNDT in relation to them, and is able to request a copy of such information. This request can be a verbal one, for information such as record of payments made for goods and services, names, address and phone numbers held. Any request from a third party will require written consent from the client themselves, with the exceptions as stated previously.
Safeguarding of Information
Information stored is kept to the absolute minimum required for RNDT to function and provide goods and services to clients. This information is stored both in written form and digitally.
Written data stored is kept securely in a locked office. This information is usually limited to client names, addresses, phone numbers and records including lesson planning and records of payments. No sensitive information is stored in written form.
Digitally stored data is secured on devices that are password/passcode protected and are not accessible to others. No sensitive data is stored; however, in addition to the written documentation there may well be driving licence numbers, dates of birth and driving / theory test confirmation emails stored, and potentially dash cam footage in some cases. In addition to this, RNDT uses an electronic diary management system which is also passcode protected. This information is only held for its purpose, and is deleted immediately afterwards.
Types/classes of information processed
RNDT processes information relevant to the following reasons/purposes. This may include:
Personal details;
Holding records (both digitally and written) may be necessary for information such as name of client, client addresses, client telephone numbers and records of goods and services (driving tuition for example) undertaken and those goods and services booked and planned for future dates. These may result in information being stored in an electronic diary system and also may include financial details such as records and methods of payments made for past, present and future goods and services.
Client banking details will not be retained by RNDT; however, these may well be retained by those organisations in the banking system not connected with RNDT.
Personal information (as stated earlier) will only be held for as long as is necessary. It may be necessary to obtain further information such as a client’s date of birth and their driving licence number. These may be required to facilitate a theory or practical driving test booking. Records of test dates booked will also be kept as per diary management. A verification email will be received by RNDT which can be passed on to the client at any time, subject to any payment for the test being received. Verification of driving licences conducted before any initial driving tuition may be required. In order to do so, an online check needs to be carried out on www.gov.uk, with licence information being shared in due course. RNDT is not responsible for how www.gov.uk manages any data; however, no information regarding licence verification will be retained after the verification process.
Each client will have a record of each completed session of driving tuition. These records are kept in written form and cover a brief summary of the session, along with the date and time of the session. Information regarding these can be requested by the client at any time. These records may also be used to aid development, with training purposes in mind. This also includes any progress record charts.
In Car Cameras;
In most circumstances, the car used for driving tuition has a forward facing dash camera. It may also use a rear facing dash camera. Data from these cameras is stored on the data card inside the camera hub, and is overwritten approximately every four hours. This data can be retrieved if necessary, and if required to do so by law, or required by an insurance company to aid in any matter. This data may include third parties, including their vehicle, registration number or the third party themselves. No sound is recorded on either of the dash cameras. These cameras can also be used to retrieve footage for training purposes with the client driving the car. This data can be passed on to the client at their request; however, it will not be disclosed to a third party, except for reasons stated above.
Financial details;
Records of payments received for past, present and future goods and services, along with the method of payment, are stored both digitally and in written form. These records can be requested by the client at any time, but not by a third party, except where required by law or where the client is under 18 and the request is made by their parent or guardian. No personal financial information is retained by RNDT.
Goods and services provided;
Usually upon completion of a client’s driver training programme, they have the option to consent or not to have a personal photo congratulating them on completing their training. This will only happen with the given consent from the individual. Personal data may be used to promote the goods or services in the form of marketing and PR. This may include the photo, with name and a brief description. This may be disclosed on social media outlets such as Facebook and on the internet via Google Plus and on the website https://robnicholsdrivertraining.co.uk
Should the client choose to leave a feedback review on social media or Google Plus, they do so at their own discretion, as their data is subject to the terms and conditions of each site used.
Breach of Data
In the event of certain types of sensitive personal data being breached, in relation to the General Data Protection Regulation (GDPR), RNDT will inform the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting the individual’s rights and freedoms, the individual will be notified directly straight away.
Any breach will be subject to an internal investigation and review, which will facilitate decision making about whether the relevant supervisory authority or individual affected are notified.
Any personal data breaches will be recorded digitally on a secure device, irrespective of whether there is cause to notify or not.
RNDT envisages only holding personal data in the minimal form for the minimum amount of time required to carry out day to day running and providing goods and services.