Privacy Policy
Careskills Academy Limited (“CareSkills”, also referred to as “we”, “us” or “our” throughout this privacy policy) respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.
Throughout this policy we refer to “you”, the client contact or authorised user, and “your” personal data and legal rights.
This privacy policy covers the following:
- our website www.careskillsacademy.co.uk (“website”)
- our systems inclusive of our Learning Management System (“LMS”)
- our business contact databases
Careskills Academy Limited is responsible for the website, systems and databases.
Whenever you visit and use our website, use our systems or provide us with your personal data, this privacy policy will apply to how we process your personal data. If you do not agree with how we process your personal data, we suggest that you stop using our website and/or systems immediately. This privacy policy will also apply where we hold your business contact data on our databases.
Please note: the website and systems may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements or processing activities. When you leave our website or systems, we encourage you to read the privacy policy of every website you visit.
What is personal data?
Personal data, or personal information, means any information about an individual from which that person can be identified. Personal data is defined by the General Data Protection Regulation (the “GDPR2016”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. All data is processed in line with the following legislation: Data Protection Act (“DPA2018”), General Data Protection Act (“GDPR2016”), UK GDPR (“UKGDPR2020”), Privacy and Electronic Communications Regulations (“ECDIRECTIVE2003”).
Personal data is, in simpler terms, any information about you as a natural person that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. It does not include data where the identity has been removed (anonymous data). It also does not relate to company entity data or any business-related entity data.
Our role…
Careskills acts as a data processor of the personal data we collect and process about you and the company we are contracted by to provide services for, in order to provide an online CPD Learning Management Systems (LMS) and services related to e-learning. We process your data to grant you access to our system(s) as an authorised user or contact. Our clients will act as the Data Controller for any of their user data which is passed to Careskills for the provision of LMS services.
Where you undertake training in a direct individual capacity via our CareSkills Academy in conjunction with AQA our accreditation body; we will be considered the Data Controller of your data. AQA annually audits Careskills for the provision of our training academy services and as part of these audits, your data may be shared with AQA to assess our competency and processes. Please refer to our separate individual applicant privacy notice for more information on the ‘Train the Trainer’ training Academy and AQA.
Types of personal data and how we use it…
We may collect, use, store and/or transfer the following types of personal data about you where you are a business contact or registered as an authorised user:
- Personal information: including your full salutation title, forename, surname, and date of birth (where required), employer name, job title.
- Contact data: including email address, company address and company telephone number(s)
- Technical data: including internet protocol (IP) address, your log-in data for our systems, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website and/or systems
- Usage data: including information about how you use our website and/or systems, products and services
- Profile and transaction data: including your payment and purchase history with us (but not your card payment details), together with your interests, preferences, feedback and survey responses.
How we collect your data…
We use different methods to collect personal data from and about you, including through:
Direct interactions: you may be asked to provide certain identity and contact data by filling in the forms on our website and/or systems, or by corresponding with us by post, telephone or email. The following activities will require the provision of certain personal data:
- completing information required to register for our services and/or to gain access to our system(s) as an authorised user.
- completing information in order to enter a customer service survey or competition, promotion or any other survey.
- Or providing us with feedback or contacting us.
Automated technologies or interactions: as you interact with our website and/or systems, we will automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our separate cookies policy (available on our website) for further details.
Obtaining contact data from a third-party supplier: we may have obtained your business contact data from a third-party supplier/database for the purpose of lead generation. We use a number of companies to buy in data and can assure that we have performed due diligence on any companies we use for lead generation to ensure the correct permissions and lawful basis are in place before we make contact to those leads.
We conduct marketing activity per our legitimate interests when performing business to business prospecting and you are within your right to opt out if you do not wish to be contacted. Where we may obtain marketing data for business to consumer activity, we can confirm that any data sourced is screened to check the correct permissions are in place for example: your consent. Data sourced for both business to business (b2b) marketing activity and business to consumer (b2c) activity is screened against the relevant directory services such as the TPS and the CTPS. For more information on the third parties we use, please contact our DPO directly on the details listed below.
Purposes for which we will use your data…
We have set out below, in a table format, a description of the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground, we are relying on to process your personal data where more than one ground has been set out in the table below.
Please note, we will always be considered as a data controller when processing your personal data for the purposes set out below:
| Purpose/activity | Type of data | Lawful basis for processing |
| Providing an online vetting LMS service to you and your workforce including registering your employees as an authorised user to allow you to request and complete online CPD and learning modules. This provision includes troubleshooting, data analysis, support, reporting and hosting of data and may include payment card verification services | Personal information
Contact data Technical data Usage data Business Financial Data |
Necessary for the performance of a contract with you (i.e. the contract we enter into with you when you register) |
| Responding to you when you contact us to make an enquiry about the services that we provide | Personal information
Contact data |
Necessary for our legitimate interests (to promptly respond to your query to determine if our service can help you) |
| Managing our relationship with you, including direct contact via telephony, online chat boxes or by asking you to leave a review or take a survey at the end of a call or live chat | Personal information
Contact data |
Necessary for our legitimate interests to service your account (and to understand how satisfied you are with your experience and to help improve our services) |
| To administer our promotion or competition you have entered into or partake in [on our website] | Personal information
Contact data |
Necessary for our legitimate interests (for business-to-business direct marketing activities)
Necessary for the performance of a contract with you (i.e. the contract we enter into with you when you enter our promotion or competition) |
| Utilising business contact data obtained from a third-party supplier/database to generate business-to-business sales leads as part of direct marketing campaigns | Personal information
Contact data |
Necessary for our legitimate interests (for business-to-business direct marketing activities) |
| Utilising personally identifiable contact data (PII) obtained from a third-party supplier/database to generate business-to-consumer sales leads as part of direct marketing campaigns | Personal information
Contact data |
Necessary for our legitimate interests (for business-to-consumer direct marketing activities)
May also be indicative of your prior consent (for business-to-consumer direct marketing activities) via us, or one of our affiliated third party lead generation companies |
| Payment Card Services and Contracts | Business Financial Data | Necessary for the performance of a contract with you (i.e. the contract we enter into with you when you register) |
Whenever we refer to relying on our legitimate interests, please note that we will always carry out a “balancing” test to make sure that we consider safeguard any rights of data subjects as well as your own when acting on behalf of a business.
How we process personal and business data legally
Under the GDPR, we must always have a lawful basis for processing personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it. Your personal data could be used for one or more of the following purposes:
- Providing and managing your account (clients).
- Supplying our services to you. Your personal details are required in order for us to enter into a contract with you even where acted on behalf of a business.
- Personalising and tailoring our services for you.
- Communicating with you. This may include responding to emails or calls from you.
- Supplying you with information by email and/or post that you have opted-in to (you may unsubscribe or opt-out of emails at any time by clicking on the email unsubscribe link).
With your permission, we may also use your personal data for marketing purposes, which may include contacting you by email and/or telephone and/or post with information, news, and offers on our services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the GDPR, and you will always have the opportunity to opt-out.
We do not sell data on to third party companies.
External third parties and other relevant third parties
- Service providers acting as processors or sub-processors who provide IT and system administration services. When offering our services our sister company ‘iHasco’ may in some instances act as a data processor for activities undertaken by Careskills. ‘Careskills’ and ‘iHasco’ sit in the same corporate group, and both fall under the Citation Group of companies. Please refer to their privacy information below for more information about activities undertaken by them on our behalf: Terms & Policies | iHASCO & Privacy Policy – thecitationgroup.com.
- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the United Kingdom who provide consultancy, banking, legal, insurance and accounting services.
- Governing accreditation bodies such as the AQA: AQA | Professional development | About our training.
- Third party card payment providers such as Stripe (https://stripe.com) and GoCardless (https://gocardless.com) who may process your card details and PCI-DSS/Direct Debit data for the payment of your contract with us.
- HM Revenue & Customs, regulators and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
- Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
- We do not share your personal or business data with anyone else unless in some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers (where acting as sub-processors) to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Processing your personal data in other territories
In very limited circumstances and from time to time your personal information may be transferred in and out of the UK and the European Economic Area (“EEA”) where local laws may not provide legal protection for personal data in the same way as is applicable in the UK or the EEA.
Where your personal information is processed outside of the UK and EEA, we will ensure that we take the necessary steps to protect your personal information as required by data protection laws. For example, we may require the overseas recipient to enter particular contract terms, or we will make sure that the information that we give to them will be limited to what is needed to perform our contract with you.
We primarily store all personal data in the UK. Our servers are based in Manchester, London and Bracknall, United Kingdom. We have backups in the Republic of Ireland (EU). This is through Amazon Web Services.
Change of Purpose
We will only use your personal data for the purposes for which we say we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If at any time you wish to obtain an explanation as to how any processing for a new purpose is compatible with our original purpose, please contact us at: DPO@iHasco.co.uk or using the additional details set out in this policy.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Marketing
As Careskills is part of the Citation Group; we may use your data for our intra-group marketing strategies across our corporate group as part of our legitimate interests. We also may use your personal data for our own direct marketing purposes where we have obtained your business contact data from a third-party lead generation service, and we are contacting you for the first time; or you have opted in to receiving communication from us. The third parties we use ensure that the data is screened against the TPS, CTPS and MPS before being passed to us for marketing purposes.
If you wish to opt-out of receiving marketing communications from us, you can do so at any time by using the “unsubscribe” option within any marketing email received or contacting us at: DPO@citation.co.uk.
Third-Party Marketing
We do not, at this time, use your personal data for third-party marketing purposes. If in the future, we wish to use your personal data for marketing communications, we will ensure we have a valid lawful basis to do so.
We do not sell data on to third party companies.
Data Security and Data Retention
Data security is of great importance to us, and to protect your personal data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure data collected through our website and/or systems.
We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to do so. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
- Business (company) information will be retained for seven years after our services to our clients have ended for financial reporting purposes.
Details of retention periods for different aspects of your personal data are available in our retention policy. For further information on our data security and data retention arrangements, please email: DPO@iHasco.co.uk.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
You have the right to:
- Request access: to your personal data (i.e. ask us for copies of your personal information). You can read more about the right on the ICO’s website, here: https://ico.org.uk/your-data-matters/your-right-of-access/
Please note, in relation to this right:
- What we will need from you: We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights as set out here).
- Response time: We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
- Request correction of the personal data that we hold about you. This right always applies. You can read more about this right on the ICO’s website, here: https://ico.org.uk/your-data-matters/your-right-to-get-your-data-corrected/
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You can read more about the right on the ICO’s website, here: https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) in order to process it and you feel our processing impacts on your fundamental rights and freedoms. You can read more about this right on the ICO’s website, here: https://ico.org.uk/your-data-matters/the-right-to-object-to-the-use-of-your-data/
- Request restriction of processing of your personal data. This enables you to ask us to suspend or restrict the processing of your personal data in certain circumstances. You can read more about this right on the ICO’s website, here: https://ico.org.uk/your-data-matters/your-right-to-limit-how-organisations-use-your-data/
- Data portability. This right only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. You can read more about this right on the ICO’s website, here:https://ico.org.uk/your-data-matters/your-right-to-data-portability/
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
- Automated decision-making. We will not use your personal data for the purposes of automated decision-making including profiling.
If you wish to exercise any of the rights set out above, please contact us at: DPO@iHasco.co.uk or using the additional details set out in this policy.
The website and/or systems are not intended for children, and we do not knowingly collect data relating to children.
Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the website and/or systems may become inaccessible or not function properly.
Our website and our services may use cookies. Where such cookies are used, you consent to our use of cookies in accordance with the terms of this policy.
Cookies consist of small files, often including unique identifiers, that are sent by web servers to web browsers, and which may then be sent back to the server each time the browser requests a page from the server.
Cookies can be used by web servers to identity and track users as they navigate different pages on a website and to identify users returning to a website.
Cookies may be either “persistent” cookies or “session” cookies. A persistent cookie consists of a text file sent by a web server to a web browser, which will be stored by the browser and will remain valid until its set expiry date (unless deleted by the user before the expiry date). A session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
We use both session cookies and persistent cookies on this website.
How we use cookies
Cookies do not contain any information that personally identifies you, but personal information that we store about you may be linked, by us, to the information stored in and obtained from cookies.
We may use the information we obtain from your use of our cookies for the following purposes:
(1) to recognise your computer when you visit our website or our services;
(2) to track you as you navigate our website or our services, and to enable the use of the some of the features on our website (such as our shopping cart and service platform access);
(3) to improve the website’s or our services’ usability;
(4) to analyse the use of our website or our services;
(5) in the administration of this website or our services;
(6) to personalise our website or our services for you, including targeting advertisements which may be of particular interest to you.
Third party cookies
When you use our website, you may also be sent third party cookies.
We use Google Analytics to analyse the use of this website. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated relating to our website is used to create reports about the use of the website. Google will store this information. Google’s privacy policy is available at: http://www.google.com/privacypolicy.html
Blocking and deleting cookies
Most browsers allow you to refuse to accept cookies. (e.g. Internet Explorer: you can refuse all cookies by clicking “Tools”, “Internet Options”, “Privacy”, and selecting “Block all cookies” using the sliding selector; Firefox: you can block all cookies by clicking “Tools”, “Options”, and un-checking “Accept cookies from sites” in the “Privacy” box).
Blocking all cookies will, however, have a negative impact upon the usability of many websites. If you block cookies, you will not be able to use many of the features of this website or our services.
You can enable, disable or delete cookies by following your browser instructions, which you can usually find in the Tools or Help or Edit menu of a computer.
Changes to this Privacy Policy
We will review this privacy policy regularly and update it if necessary. Any updates to this privacy policy will be posted on our website and systems.
Contact details
Careskills Ltd is part of ‘iHasco’ which sits within the Citation Group of companies. Should you have any questions about this privacy policy or our privacy practices across our corporate group, please contact us using the following details:
Careskills Academy Ltd.
A Limited Company registered in England & Wales under company number 08543838.
Our data protection registration number is ZA218406.
VAT number:
Data Protection Officer: Fawn Beddows
Email address: DPO@iHasco.co.uk
Main Trading Address: iHasco Ltd 3 Arlington Square Downshire Way Bracknell RG12 1WA
iHasco Limited.
A Limited Company registered in England & Wales under company number 06447099.
Data Protection Officer: Fawn Beddows
Email address: DPO@iHasco.co.uk
Main Trading Address: iHasco Ltd 3 Arlington Square Downshire Way Bracknell RG12 1WA
Citation Limited.
A Limited Company registered in England & Wales under company number 03097504.
Data Protection Officer: Mathew Parry
Email address: DPO@citation.co.uk
Registered Office: Kings Court Water Lane, Wilmslow, Cheshire, United
Kingdom, SK9 5AR
Telephone number: 0300 140 0022
Complaints
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Our data protection registration number and ICO registration number is ZA218406.
