
Data Management Policy

1. PURPOSE AND SCOPE

DTMK Limited is committed to ensuring that all learner, staff, and business data is managed lawfully, fairly, securely, and transparently.

This policy applies to all operations of DTMK Limited in both England and Scotland. It covers the handling of personal and training data by employees, contractors, and any other authorised personnel.

2. LEGAL AND REGULATORY COMPLIANCE

DTMK Limited will comply fully with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Relevant UK legislation including the Limitation Act 1980

  • Data management and retention requirements specified by the Awarding Organisation

We will process personal data only where lawful and necessary, ensuring that all records are retained for the minimum periods required by law, Awarding Organisation requirements, or internal policy. Where multiple rules apply, the longest retention period will take precedence.

3. ROLES AND RESPONSIBILITIES

  • DTMK Limited acts as the Data Controller for all personal and training data collected and processed in the course of business

  • The Data Protection Lead is responsible for implementing this policy and monitoring compliance

  • Authorised employees and contractors act as Data Processors under instruction and will only process data for agreed purposes

  • Staff access to personal data will not be granted until appropriate data protection training has been completed

4. ACCESS CONTROLS

  • Access to data will be restricted to those who require it to perform their role

  • Digital access will be controlled through password-protected accounts with role-based permissions

  • Access rights will be reviewed by the Data Protection Lead every six months

  • Paper records will be stored in locked filing cabinets within secure office premises

  • Visitors and unauthorised persons will not be permitted in areas where data is stored

5. STORAGE OF DOCUMENTS

  • Digital records will be stored on encrypted cloud-based systems and password-protected local drives, with two-factor authentication enabled where available

  • Physical records will be stored in locked cabinets in secure areas with access limited to authorised personnel

  • Back-ups will be maintained on secure systems, accessible only to the Data Protection Lead, and reviewed quarterly for accuracy and security

6. SECURITY MEASURES

  • All business devices will be protected by up-to-date firewalls and anti-virus software

  • Security updates will be applied promptly

  • Personal data transmitted externally will be sent only via encrypted email or secure file transfer systems

  • Paper records will be transported securely and never left unattended

  • Equipment that is no longer in use will be securely wiped before disposal

7. DATA SUBJECT RIGHTS

DTMK Limited recognises and will uphold the rights of individuals under UK GDPR.

  • Requests to access, rectify, or erase data will be acknowledged within five working days and fulfilled within one calendar month where lawful

  • Where deletion cannot be carried out due to legal obligations, reasons will be explained and further processing restricted

  • Individuals will be provided with clear privacy information at the point their data is collected

8. DATA BREACH MANAGEMENT

  • A breach log will be maintained and all staff trained to report suspected breaches immediately

  • All breaches will be assessed by the Data Protection Lead within 24 hours

  • Where legally required, the Information Commissioner’s Office (ICO) will be notified within 72 hours

  • Where a breach poses a high risk to individuals, those affected will be informed without delay

9. DATA RETENTION AND DISPOSAL

DTMK Limited will maintain a documented retention schedule. As a minimum:

  • Learner registration records: 6 years after training completion

  • Assessment and IQA records: 5 years (or longer if required by the Awarding Organisation)

  • Complaints, appeals, malpractice and whistleblowing records: 5 years

  • Certification records: 6 years

  • Safeguarding records: until the individual reaches 25, or longer if active

  • Employment records: 6 years after employment ends

  • Financial and contractual records: 6 years (Limitation Act 1980)

  • Health and safety records: 3 years, or longer if serious incident related

  • Marketing data: 2 years from last contact, or until consent withdrawn

Disposal:

  • Digital records permanently erased, including back-ups

  • Paper records cross-cut shredded or destroyed by accredited confidential waste service

10. DATA SHARING WITH THIRD PARTIES

  • Data will only be shared where lawful and necessary

  • Awarding Organisation data will be submitted through secure systems

  • Third-party suppliers requiring access must sign a Data Processing Agreement

  • Only the minimum necessary data will be shared

11. TRAINING AND AWARENESS

  • All staff and contractors complete induction training in data protection before handling personal data

  • Annual refresher training provided to ensure compliance

  • Quarterly reminders issued to reinforce best practice

12. RELATIONSHIP WITH OTHER POLICIES

This policy should be read in conjunction with:

  • Privacy Policy – explains how data is collected, used, and shared

  • Safeguarding Policy – governs handling and retention of safeguarding records

  • Appeals, Enquiries and Complaints Policy – sets out complaints/appeals handling

  • Maladministration, Malpractice, Plagiarism and Whistleblowing Policy – sets out investigation procedures

Where retention periods differ, the longer period in any DTMK policy will apply.

13. REVIEW

  • Last reviewed: September 2025

  • Next review due: 30th June 2026

  • Director: Christopher Cook

  • Contact: christopher@dtmk.co.uk
