top of page

Data Management Policy

1. PURPOSE AND SCOPE

DTMK Limited is committed to ensuring that all learner, staff, customer, and business data is managed lawfully, fairly, securely, and transparently.

This policy applies to all operations of DTMK Limited in both England and Scotland. It covers the handling of personal data, training records, operational records, and special category data by employees, contractors, and any other authorised personnel.

This includes, but is not limited to:

• Learner driver records and progress data
• Training and assessment records
• First Aid treatment records and accident documentation
• Safeguarding and welfare records
• Employment and contractor records
• Business, financial, and contractual data

 

2. LEGAL AND REGULATORY COMPLIANCE

DTMK Limited will comply fully with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Relevant UK legislation including the Limitation Act 1980
• Data management and retention requirements specified by Awarding Organisations

 

Personal data will be processed only where there is a lawful basis under UK GDPR Article 6. Where special category data is processed, including health and medical information arising from First Aid delivery, accident response, safeguarding, or reasonable adjustments, processing will also meet the conditions set out in UK GDPR Article 9.

Records will be retained only for the minimum periods required by law, Awarding Organisation requirements, or internal policy. Where multiple retention rules apply, the longest applicable retention period will take precedence.

 

3. ROLES AND RESPONSIBILITIES

DTMK Limited acts as the Data Controller for all personal, training, operational, and special category data collected and processed in the course of its business.

 

The Data Protection Lead is responsible for implementing this policy, monitoring compliance, and acting as the point of contact for data protection matters.

 

Employees and contractors processing data as part of their role within DTMK Limited act under the authority of the Data Controller and must process data only in accordance with this policy and documented procedures.

 

External organisations and service providers that process data on behalf of DTMK Limited, including software providers and cloud-based systems, act as Data Processors and must operate under a written Data Processing Agreement.

 

No access to personal data will be granted until appropriate data protection training has been completed.

 

4. ACCESS CONTROLS

 

Access to personal and special category data will be restricted to individuals who require it to perform their role.

 

Digital access will be controlled through password protected accounts with role-based permissions.

 

Access rights will be reviewed by the Data Protection Lead every six months.

 

Paper records will be stored in locked filing cabinets within secure premises.

 

Visitors and unauthorised persons will not be permitted in areas where data is stored or processed.

 

5. STORAGE OF DOCUMENTS

Digital records will be stored on secure, encrypted systems with access controls appropriate to the sensitivity of the data.

This includes the use of:

• Secure cloud-based storage systems such as Microsoft OneDrive
• Sector specific platforms used for driving instruction and learner management, including Total Drive
• Awarding Organisation systems for submission of assessment and certification data

 

All systems used must provide appropriate technical and organisational security measures and be subject to contractual data protection assurances where operated by third parties.

Physical records will be stored in locked cabinets in secure areas with access limited to authorised personnel.

Back-ups will be maintained on secure systems, accessible only to authorised personnel, and reviewed quarterly for accuracy and security.

 

6. SECURITY MEASURES

All business devices will be protected by up-to-date firewalls and anti-virus software.

 

Security updates will be applied promptly.

 

Personal data transmitted externally will be sent only via encrypted email or secure file transfer systems.

 

Paper records will be transported securely and never left unattended.

 

Equipment that is no longer in use will be securely wiped or destroyed before disposal.

 

7. DATA SUBJECT RIGHTS

 

DTMK Limited recognises and upholds the rights of individuals under UK GDPR.

 

Requests to access, rectify, restrict, or erase data will be acknowledged within five working days and fulfilled within one calendar month where lawful.

Where deletion cannot be carried out due to legal, regulatory, safeguarding, or public interest obligations, the reasons will be clearly explained and further processing restricted where appropriate.

Individuals will be provided with clear privacy information at the point their data is collected.

 

8. DATA BREACH MANAGEMENT

A breach log will be maintained, and all staff and contractors are required to report suspected data breaches immediately.

All breaches will be assessed by the Data Protection Lead within 24 hours.

Where legally required, the Information Commissioner’s Office will be notified within 72 hours.

Where a breach is likely to result in a high risk to individuals, those affected will be informed without undue delay.

 

9. DATA RETENTION AND DISPOSAL

DTMK Limited maintains a documented data retention schedule. As a minimum:

• Learner registration records: 6 years after training completion
• Assessment and IQA records: 5 years or longer where required by the Awarding Organisation
• Certification records: 6 years
• Complaints, appeals, malpractice, and whistleblowing records: 5 years
• Safeguarding records: until the individual reaches age 25, or longer if active or required
• Employment and contractor records: 6 years after engagement ends
• Financial and contractual records: 6 years in line with the Limitation Act 1980
• Health and safety records: 3 years, or longer where a serious incident has occurred
• First Aid treatment and casualty records: 7 years minimum, or longer where required for legal, safeguarding, insurance, or investigative purposes

• Where a First Aid incident record relates to a child or young person, records will be retained until the individual reaches age 25, or longer if the case remains active.
• Marketing data: 2 years from last contact, or until consent is withdrawn

 

Disposal

• Digital records will be permanently erased, including from back-ups
• Paper records will be cross-cut shredded or destroyed using an accredited confidential waste service

 

10. DATA SHARING WITH THIRD PARTIES

Personal data will be shared only where lawful, necessary, and proportionate.

Awarding Organisation data will be submitted only through secure systems.

Third party suppliers requiring access to personal data must operate under a Data Processing Agreement.

Only the minimum data necessary for the intended purpose will be shared.

 

11. TRAINING AND AWARENESS

All staff and contractors must complete data protection training before handling personal data.

Annual refresher training will be provided.

Quarterly reminders will be issued to reinforce good data protection practice and awareness.

 

12. RELATIONSHIP WITH OTHER POLICIES

This policy should be read alongside:

• Privacy Policy
• Safeguarding Policy
• Appeals, Enquiries and Complaints Policy
• Maladministration, Malpractice, Plagiarism and Whistleblowing Policy

Where retention periods differ, the longest period specified in any DTMK policy will apply.

 

13. REVIEW

Last reviewed: February 2026
Next review due: 28th February 2027

Director: Christopher Cook
Contact: christopher@dtmk.co.uk

bottom of page