Skip to content

Appropriate Policy Document

1. Introduction

As part of its operations, it is necessary for BPP Education Group (“BPP”) to process special category data. BPP needs to process personal data about its current and former staff, corporate learners, apprentices, consultants, freelancers and customers to carry out its functions as a provider of corporate training and further education.  This policy explains how BPP protects special category and criminal offence personal data.

Pursuant to Schedule 1, Part 4 of the DPA 2018, this Appropriate Policy Document explains the processing that may occur and the relevant procedures the Company follows to ensure compliance with data protection legislation and supplements information contained within our privacy notices.

This document should be read in conjunction with BPP’s data protection policy and privacy notice. This document applies to all employees, including temporary, casual, contract and agency staff, as well as any contractors or service providers acting on behalf of BPP, students, suppliers, contractors or consultants, representatives and agents that process or manage personal data on behalf of BPP.

1.1. Special category data (defined by Article 9 of the UK General Data Protection Regulation (GDPR)) and sensitive data (defined by section 35 of the Data Protection Act 2018 (DPA)) is personal data which reveals:

  • racial or ethnic origin

  • political opinions

  • religious or philosophical beliefs

  • trade union membership

  • genetic data

  • biometric data for the purpose of uniquely identifying a natural person

  • data concerning health

  • data concerning a natural person’s sex life or sexual orientation

1.2. Article 10 GDPR sets out the legal authority for the processing of personal data relating to criminal convictions and offences or related security measures.

1.3. Section 11(2) of the DPA 2018 provides that criminal offence data includes data which relates to the alleged commission of offences and related proceedings and sentencing. Information about victims and witnesses of crime is also included in the scope of data relating to criminal convictions and offences.

1.4. This policy meets the requirement in the DPA 2018 for an appropriate policy document which details the lawful basis and conditions for processing and safeguards that BPP has put in place when processing special category data and criminal offence data.

2. Description of Data Processed

2.1. BPP’s Privacy Notice has more information about the information processed by the Company, the legal basis for processing and what the information is used for.

Article 9(1) GDPR prohibits the processing of special categories of data unless at least one condition in Article 9(2) is met. BPP must always ensure that its processing is generally lawful, fair and transparent and complies with all the other principles and requirements of the GDPR, which means it will need to identify an Article 6 lawful basis for processing, and, if processing special category data, also an Article 9(2) condition.

2.2.     Special Category Data

           2.2.1     BPP processes special category personal data under the following legal basis:

2.2.1.1 Article 9(2)(a) – explicit consent.  An example of which would include health information we receive from learners who require additional support.

2.2.1.2 Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on either BPP or the data subject in connection with employment, social security, or social protection.  For example where BPP processes staff sickness and absences information.

2.2.1.3 Article 9(2)(c) – where processing is necessary to protect vital interests.  An example of this processing would be using health information about a member of staff or learner in a medical emergency. 

2.2.1.4 Article 9(2)(f) – for the establishment, exercise, or defence of legal claims.  Examples of this processing include processing relating to any employment tribunal or other litigation.

2.2.1.5  Article 9(2)(g) - processing is necessary for reasons of substantial public interest.  Processing for reasons of substantial public interest meets the condition at Schedule 1 Part 2 paragraph 8 of the Data Protection Act 2018 - i.e. it is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained and the appropriate policy documents are in place.

2.2.1.6 Article 9(2)(i) – where processing is necessary for public health.  For example, in relation to BPP’s processing of data in response to the Covid-19 pandemic.

2.3.      Criminal Offence Data

            2.3.1       BPP processes criminal offence data under Article 10 of the GDPR.

2.3.2 Examples of our processing of criminal offence data include pre-employment checks and declarations by an employee in line with contractual obligations. 

Section 10(2) of the DPA 2018 sets out that in order for processing of special categories of personal data to be necessary for the purposes of carrying out the obligations and exercising specific rights of BPP or of the data subject in the field of employment, social security and social protection law under Article 9(2)(b) of the UK GDPR, that processing must meet one of the conditions set out in Part 1 of Schedule 1. 

BPP processes special category data for HR purposes when the condition set out in paragraph 1 of Part 1 of Schedule 1 to the DPA 2018 is met. This condition applies to processing for HR purposes.

3. Compliance with the Data Protection Principles

3.1 In accordance with the accountability principle, BPP maintains records of processing activities under Article 30 of the GDPR and section 61 of the DPA 2018.  BPP will carry out data protection impact assessments (where appropriate) in accordance with Articles 35 and 36 of the GDPR and section 64 of the DPA 2018 to ensure data protection by design and default.

3.2       BPP follows the data protection principles set out in Article 5 of the GDPR, and Part 3, Chapter 2 of the DPA 2018 for processing, as follows:

Accountability Principle:

BPP has put in place appropriate technical and organisational measures to meet the requirements of accountability.  These include:

·       The appointment of a data protection officer who reports directly to the highest management level.

·       Taking a ‘data protection by design and default’ approach.

·       Maintaining documentation of processing activities.

·       Adopting and implementing data protection policies. 

·       Implementing contracts with data processors.

·       Implementing appropriate security measures in relation to the personal data.

·       Carrying out data protection impact assessments (where required).

·       Regular review of accountability measures.

Principle (a): Lawfulness, Fairness, and Transparency

BPP provides clear and transparent information about the processing of personal data including the lawful basis for that processing in its Records of Processing Activities (ROPA), Privacy Notice and this policy document.

Principle (b): Purpose Limitation

Where BPP shares data with another organisation based on the contractual legal basis (e.g. it’s parent or other companies in the BPP Group, it shall document that sharing and do so on the basis of the data sharing agreement in place with the BPP Group.  

BPP will not process personal data for purposes incompatible with the original purpose it was collected for.

Principle (c): Data Minimisation

BPP will only collect personal data necessary for the relevant purposes and ensure it is not excessive.  The information processed is necessary for and proportionate. 

Where personal data is provided to BPP or obtained but is not relevant to our stated purposes, it will be erased.

Principle (d): Accuracy

BPP will ensure that where personal data is identified as inaccurate or out of date, having regard to the purpose for which it is being processed, BPP will take every reasonable step to ensure that data is erased or rectified without delay.  If BPP decides not to either erase or rectify it, for example because the lawful basis means those rights don’t apply, the decision will be documented.

Principle (e): Storage Limitation

All special category data processed by BPP for the purpose of employment or making training adjustments, will only be retained for the periods set out in BPP’s retention schedule. This retention procedure is reviewed regularly and updated when necessary.

Principle (f): Integrity and Confidentiality (Security)

BPP ensures that electronic information is processed within our secure networks and has obtained ISO 27001 and Cyber Essentials Plus certification.  Hard copy information is processed in line with our security procedures.  The systems used to process personal data allow data to be erase or updated as required.  Electronic systems and physical storage have appropriate access controls applied.

4. Further Information

This policy will be retained in accordance with Section 42(3) of the DPA 2018. It will be made available to the ICO on request and reviewed yearly.

We have appointed data protection officers (“DPO”) who are responsible for overseeing our data protection compliance.  If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the relevant DPO using the following details:

For any BPP branded entities, StaySharp Education Limited, Estio Training Limited or Buttercups Training Limited please use:

FAO of the Data Protection Officer

BPP Education Group (or select the relevant BPP entity from the list above)

Legal Team
1 Portsoken Street
London
E1 8BT
Email address: dataprotection@bpp.com