Statement of purpose

This policy sets out how we will look after your (data subject’s) information. This includes what you tell us about yourself, what we learn about you, and the choices you give us about what marketing you want us to send to you. It also provides details of your privacy rights and how to exercise those rights with us.

We are committed to promote privacy and compliance by implementing a ‘Privacy by Design’ approach in our business activities.

The policy can be found at - Qualitydglobal

Policy Owner

Data Protection Officer (dataprotection@qualitydglobal.com)

Related Policies, Procedures and Work Instructions

• Data Rights Form
• Data Retention Policy
• QD Global Safeguarding of the Child and Vulnerable Adults Policy ( IQG/0.1/007a)

Regulatory References

A, B, C, G, H, I

Scope

This policy applies to all data processed by QD Global, and affects anyone that may be considered a data subject that is processed by QD Global. This includes employees, members, attendees at QD Global events, subcontractors and partners.

Who we are

QD Global (Company number: 09016031) is registered with the Information Commissioner’s Office (ICO) - Registration number ZA314023 (first registration 5 February 2018).

We are part of a group of associated organisations. Data for each organisation is maintained separately. We will only transfer your data to a group organisation where we have a legal basis for doing so.

How we treat your information

We aim to ensure that all personal data is:

• Processed fairly and lawfully
• Obtained and processed only for specified and lawful purposes
• Adequate, relevant and not excessive
• Accurate and kept up to date
• Held securely and for no longer than is necessary.

We will process your data when we have a legal basis for processing it. In doing so, we will take appropriate technical and organisational measures to prevent your data from inappropriate disclosure. When a data breach occurs, we will take steps to inform you without unnecessary delay.

In processing your information we may provide it to relevant third parties such as our suppliers and enforcement agencies where we have a legal basis for doing so. We will never sell your personal information.

Where do we get your personal data and what personal data do we collect?

We may collect and process the following personal data:

Information which you freely provide to us

For example when you:

• Complete a survey or form,
• Correspond with us by phone, e-mail, or in writing,
• Sign up to receive notifications / messages from us
• Apply to work for us,
• Enter into a contract with us to receive products and/or services

We may need to collect personal information by law, or to enter into or fulfil a contract we have with you.

If you choose not to give us this personal information, it may delay or prevent us from fulfilling our contract with you, or doing what we must do by law. It may also mean that we cannot run your accounts or policies. It could mean that we cancel a product or service you have with us.

We sometimes ask for information that is useful, but not required by law or a contract. We will make this clear when we ask for it. You do not have to give us these extra details and it won't affect the products or services you have with us

Information we collect about you on our website

If you visit our websites, we may automatically collect the following information:

• Technical information, including the internet protocol (IP) address used to connect your computer to the Internet, login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
• Information about your visit to our Website such as the products and/or services you searched for and viewed, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

We do this by using cookies, a small file that is sent by our web server to your computer, which we can access when you make return visits to our website. For more information please see our website privacy policy: instam.org/website-privacy-policy

Information we receive from other sources / third parties

As part of our role, we may collect and process personal data that is provided to us by our customers without direct access to data subjects.

By providing personal information to us, you give consent to QD Global for processing the data as set out within this document, and you confirm that you have obtained the appropriate consent from the relevant individuals for the personal data to be processed accordingly by QD Global. We reserve our right to refuse to process information received from you if we have reasonable suspicion that data subjects have not provided consent, or where we feel that there is no legitimate basis for processing.

Information about other people

If you provide information to us about any person other than yourself, such as your relatives, next of kin, your advisers or your suppliers, you must ensure that they understand how their information will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to use it.

We may refuse to process information about other people if we have reasonable suspicion that they have not provided their consent, or where we feel that there is no legitimate basis for processing

Sensitive personal data

Sensitive personal information includes information about your:

• Racial or ethnic origin
• Political opinions,
• Religious or similar beliefs,
• Trade union activities,
• Physical or mental health condition ,
• Sexual orientation
• Details of any commission or alleged commission of offences
• Genetic or biometric data

In certain cases, we may need to process sensitive personal data from you. We aim to minimise collecting this information as far as possible, and will only collect and process this information if it is absolutely essential to do so, for example to confirm your qualification achievements. We aim to do so on the basis of your explicit consent unless there is a legal basis not to inform you, for example, where informing you would contravene money laundering legislation.

Personal data held for equal opportunities monitoring purposes

Where personal data obtained is to be held for equal opportunities monitoring purposes, all such data will be made anonymous.

Why do we process your data?

When we ask you to supply us with personal data we will make it clear whether the personal data we are asking for must be supplied so that we can provide the products and services to you, or whether the supply of any personal data we ask for is optional.

Contract performance

To take steps to fulfil or linked to a contract:

• To provide products and/or services which we are contractually obliged to provide to you, your client or the organisation you work for in relation to the contract;
• To keep you up to date with any information required in relation to contracted products and/or services between us;
• To discharge our duties as an employer.

Legal obligations / Public interest

• To fulfil any regulatory or statutory obligations of the organisation, such as to provide information or respond to any lawful or proportionate request by government authorities, law enforcement or statutory bodies,
• To keep basic records of your membership with us and any achievements or contributions to the administrative management field.

• To protect the safety and security of yourself or others as outlined within our Safeguarding Policy or Health and Safety Policy.

Overriding legitimate interests

These interests may include our, or a third party’s, interests. For example:

• For the purposes of good governance,
• To audit, analyse and protect systems and data from misuse,
• To maintain security, functionality and improve your experience on our website,
• To improve or develop our products and/or services,
• To monitor, analyse, and improve sales, organisational performance and business performance,
• To request for your consent to be contacted by us about relevant products / services,
• To conduct research relevant to Administrative Management, or our products / services,
• To ensure that members meet the criteria for membership,
• To collect outstanding debt owed to us,
• To resolve arising issues, complaints, claims, or disputes between us and you.

Consent

We will rely on your consent to:

• Provide marketing or information which is not directly relevant to your contract with us,
• Process or transfer sensitive information where it is not required by a legal, public interest or overriding legitimate interest obligation.

Marketing preferences

Each marketing email that is sent provides you with the ability to unsubscribe from receiving marketing emails at any time. Alternatively, you can change your preferences by sending a request to marketing@qualitydglobal.com.

Automated decision making

QD Global does not currently process data by means of ‘automated decision making’ as defined by the

QD Global may from time to time promote / provide information on social media websites such as LinkedIn, and Facebook that may conduct ‘automated decision making’ in relation to our communication notices we post on those sites. Your interactions with us on those platforms are subject to the terms and conditions of the respective sites, and you do so at your own risk.

QD Global aims to track your engagement with us on the site in which it originates and limit the transference of information outside of those sites in accordance with best practice and the terms and conditions of those sites. We will not store or transfer your interaction within those sites outside of the relevant social media unless there is a proportionate and necessary legal basis for processing. If you have any concerns about how your information is used and the notifications you receive on those sites, you are advised to contact them directly.

Sharing with third parties

We may disclose and share your personal information with

• Employers, education institutions or parent/carer (where they have purchased access to our products / services on your behalf)
• Our service providers / contractors (for example, suppliers who develop or host our IT Services) to the extent where it is required to deliver products / services to you, or to uphold any overriding legitimate interest,
• External auditors, to the extent where it is necessary to assess our governance and compliance arrangements,
• Law enforcement agencies, statutory organisations, governmental bodies or other relevant organisations where we have a legal or public interest obligation to do so,
• Investigatory and fraud protection agencies, to verify your identity, prevent fraud and/or other criminal offences,
• To anyone we deem necessary to protect your vital interests, including the security / safety of yourself and / or other persons, as consistent with applicable law,
• Debt collection agencies, to protect our legitimate business interests, (for example to collect outstanding debt from your organisation),
• an acquiring entity, in connection with a sale, joint venture or other transfer of some or all of our company or assets (subject to the commitment of the acquiring entity to comply with this policy),
• Third parties in other situations with your consent.

Statutory bodies and government agencies we work with may include, but is not limited to, Her Majesty’s Revenue and Customs (HMRC), Department for Work and Pensions (DWP), Institute for Apprenticeships (IfA), ActionFraud, Serious Fraud Office (SFO), Health and Safety Executive (HSE), Information Commissioner’s Office (ICO).

All of our service providers, partners, and contractors are contractually required to implement appropriate technical and organisational measures to meet the requirements of applicable law, and to process information only in compliance with it.

International transfers

QD Global also operates a number of international partnerships and has customers outside the European Union. Data originating from these regions may be processed in the UK and transferred back to its origin country. Data originating from the European Union will not be processed outside the European Union unless it is essential, and even so, not without adequate technical and organisational safeguards

Whistleblowing and malpractice

In accordance with the conditions of recognition, we may report to third parties such as other membership organisations and statutory bodies where we have reasonable grounds for suspecting that you have committed a relevant criminal offence.

We will only share your information with organisations so far as is reasonable to investigate any allegations that may affect the delivery of our products / services, or to fulfil our legal obligations under any conditions of recognition applied by a statutory body.

Your responsibility

To protect personal information, you are urged to:

• Notify us of any changes to your information / status to ensure your information is accurate and up to date,
• Keep passwords safe,
• Only access our services using secure networks,
• Maintain updated internet security and virus protection software on your devices and computer systems,
• Contact us immediately if you suspect a security or privacy concern or issue.

We may immediately suspend or terminate your access to our services without notice if we become aware that you are in breach of our Terms and Conditions or of this Policy

Purposes for which personal data may be held (employees)

Personal data relating to employees may be collected primarily for the purposes of:

• Recruitment, promotion, training, redeployment, and/or career development;
• Administration and payment of wages and sick pay;
• Calculation of certain benefits including pensions;
• Disciplinary or performance management purposes;
• Performance review;
• Recording of communication with employees/students and their representatives;
• Compliance with legislation;
• Provision of references to financial institutions, to facilitate entry onto educational courses and/or to assist future potential employers; and
• Staff, volunteers and students, staffing levels and career planning.

Exercising your data rights

We aim to deal with any concerns which you may have about your information effectively and efficiently as part of our day to day operations with you.

If you have a concern about the way your data is used which has not been addressed here, write to dataprotection@qualitydglobal.com with your concerns.

For more information about how your rights apply, please see the ICO guidance at ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ .

We aim to respect your request wherever possible however, please note that there are exceptions to when these rights may apply. If we are unable to comply with your request due to an exception, we will explain this to you in our response.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

We will usually comply with your request within 30 days of the receipt of your request, or at most, 60 days, if the information we hold about you is excessive.

Event of a breach

In the event of a breach of your personal information, we will take reasonable steps to inform you wherever possible. We will also make best endeavours to inform the ICO within 72 hours of first finding the breach.

Our recovery time objective (RTO) is:

• 1 working day for minor breaches
• 5 working days for serious breaches

This may be longer in serious or complex cases.

Retention of records

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any regulatory duty, public interest, or overriding legitimate interest.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

For more information, please refer to QD Global’s Data Retention Policy.

Complaints

We take very seriously any improper collection or misuse of personal information. Please report it to our Data Protection Officer at dataprotection@qualitydglobal.com

If you believe that your data protection rights may have been breached, and we have been unable to resolve your concern, you may lodge a complaint with the applicable supervisory authority or to seek a remedy through the courts. Please visit ico.org.uk/concerns/ for more information on how to report a concern to the UK Information Commissioner’s Office