As a responsible Awarding Organisation, EPAO and employer, BIOR aims to comply with the General Data Protection Regulation (GDPR) requirements. In doing this, BIOR aims to process all personal data lawfully, fairly and in a transparent manner.
This document is provided to BIOR staff and contractors, where relevant, to guide them on GDPR and BIOR processes.
GDPR provides the following rights for individuals:
BIOR staff responsibilities
BIOR, its staff and where applicable its contractors must comply with the GDPR and to support this:
BIOR Centre responsibilities
BIOR Centres have responsibilities under GDPR too. Centres specifically agree to:
Dealing with a Subject Access Request
If an individual wants to see what personal data BIOR may hold on them they should contact the AO Manager.
The BIOR will comply with a SAR without undue delay and at the latest within one month of receiving the request. We may extend the time to respond by a further two months if the request is complex or we have received a number of requests from the individual, e.g. other types of requests relating to individuals’ rights.
If we process a large amount of information about an individual, we may ask them to specify the information or processing activities their request relates to, if it is not clear. The time limit for responding to the request is paused until we receive clarification.
The BIOR need to be satisfied that we know the identity of the requester (or the person the request is made on behalf of). If the BIOR are unsure, we can ask for information to verify an individual’s identity. The timescale for responding to a SAR does not begin until we have received the requested information. We will request ID documents promptly.
BIOR’s AO Manager will arrange for all data to be collated so that it is made available to the person requesting it.
BIOR may choose not to respond to data access requests where they are manifestly unfounded or excessive, and in particular where they are repetitive. In these cases BIOR will be within its rights to:
Where BIOR refuses to respond to a request, it will explain to the individual why this is the case and inform them of their right to complain to the ICO and to a judicial remedy. BIOR’s AO Manager will take any decisions around data access requests and manage the process.
Dealing with incomplete or incorrect personal data
The GDPR allows a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. BIOR must respond to any such request:
BIOR’s AO Manager will manage this process.
Right to data erasure
Individuals have the right to have their data erased. BIOR must respond to any such request:
However, this right is not absolute and only applies in certain circumstances. BIOR’s AO Manager will manage this process and be responsible for taking any decisions on non-erasure of data.
The GDPR requires the BIOR to take suitable security measures, at a level appropriate to the risk.
BIOR requires personal data to be held:
All staff and contractors, where relevant, must follow these requirements for data security. Advice or guidance on data security should be sought from the AO Manager.
Data retention periods
Personal data must only be kept where it is legitimate to do so. BIOR has in place time frames within which data may be kept; please see the table appended to this document.
Where personal data falls outside of these requirements it must be deleted. BIOR’s AO Manager will regularly remind staff and where relevant contractors of this obligation and ask them to clean down records, as appropriate.
Please refer to the BIOR’s separate policy and process on this matter.
Data Compliance Officer (DCO)
BIOR’s DCO is its Legal Adviser. The DCO role will include providing advice on the GDPR, monitoring compliance and training staff. These duties may be done in collaboration with third-parties or delegated to professional advisers and experts.
BIOR’s DCO reports to the Managing Director on these matters.
Minimum Retention Periods for Records Containing Personal Data
|Type of Record||Retention Period||Reason for Length of Period|
|Learner registration||3 years after the qualification is completed||Processing any queries; requirement to contact in the case of any legacy malpractice|
|Learner achievements/certification record||In perpetuity||Replacement certificates; authenticating achievement|
|Centre staff records||3 years after data subject ceases to be on staff; 5 years for data relating to proven malpractice; data may be held in perpetuity in cases of proven serious malpractice||May be required for professional reference|
|Personnel files, including training records, notes of disciplinary and grievance hearings, and appraisal forms||6 years from end of employment; some data relating to proven serious malpractice may be held in perpetuity||References and potential litigation; selected material may form part of the Institute Archive|
|Letters of reference||6 years from end of employment, by the author of the reference letter||References and potential litigation|
|Application forms/interview notes||At least 6 months from the date of the interviews||Time limits on litigation|
|Facts relating to redundancies where fewer than 20 redundancies||6 years from the date of redundancy||As above|
|Facts relating to redundancies where more than 20 redundancies||12 years from the date of redundancies||Limitation Act 1980|
|Income Tax and NI returns including correspondence with tax office||At least 3 years after the end of the financial year the records relate to||Income Tax Employment Regulations 1993|
|Statutory Maternity pay records and calculations||As above||Statutory Maternity Pay (General) Regulations 1986|
|Statutory sick pay records and calculations||As above||Statutory Sick Pay (General) Regulations 1982|
|Wages and salary records||6 years from end of employment||Taxes Management Act 1970|
|Accident books and records and reports of accidents||3 years after the date of the last entry||Social Security (Claims and Payments) Regulations 1979, RIDDOR 1985|
|Health Records||During period of employment||Management of Health and Safety at Work Regulations|
|Health records where reason of termination of employment is connected with health including stress related illnesses||3 years||Limitation Period for personal injury claims|
|Medical records kept by reasons of the Substances Hazardous to Health Regulations 1999||40 years||The Control of Substances Hazardous to Health Regulations 1999|