Data Policy, Controls and Management Processes

BIOR is committed to safeguarding personal data


BIOR is committed to safeguarding personal data. Its Privacy Policy explains the data collected and how it is treated in compliance with Data Protection Law and the General Data Protection Regulation (GDPR).

As a responsible Awarding Organisation, EPAO and employer BIOR aims to comply with the General Data Protection Regulation (GDPR) requirements. In doing this BIOR aims to process all personal data lawfully, fairly and in a transparent manner.

This document is provided to BIOR staff and contractors, where relevant, to guide them on GDPR and BIOR processes. 

GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

BIOR staff responsibilities

BIOR, its staff and where applicable its contractors must comply with the GDPR and to support this: 

  • Individuals must be trained and understand their responsibilities. 
  • BIOR must respond to data access requests. 
  • BIOR must act to prevent any breach and protect data. Deliberate, or negligent actions that lead to breach will be taken seriously and can lead to disciplinary action.
  • BIOR will provide guidance on data security. This includes BYOD (bring your own device) guidance where staff or third parties use personal smart phones, tablets or laptops to store data.
  • BIOR will make sure data is retained only for the timescale specified. 

BIOR Centre responsibilities

BIOR Centres have responsibilities under GDPR too. Centres specifically agree to:

  • Have a Privacy Policy that outlines the data collected and for what purpose, and the protection afforded to that personal data; also, a data access process, data breach policy and named data compliance officer.
  • Respond to any data access requests.
  • Make sure Learners know what data will be passed to BIOR, including:
  • To identify an individual Learner.
  • For administration purposes relating to the qualification the Learner has registered for.
  • To provide a certificate on successful completion of the qualification.
  • For administering or advising on Special Considerations, Reasonable Adjustments, Appeals or Complaints.
  • To allow BIOR to contact the Learner on relevant matters including their training and certification.
  • To allow the Centre to meet its contractual requirements to BIOR and Learners.
  • To allow BIOR to monitor the quality of the Centre’s operations.
  • To allow BIOR to inform Learners about relevant products or services.
  • To allow BIOR to report to regulators, funding agencies or relevant bodies as required in law.
  • To allow relevant statistical analysis.
  • Any legitimate interest that BIOR will advise the Centre about.  

Dealing with a Subject Access Request

If an individual wants to see what personal data BIOR may hold on them they should contact the AO Manager. 

The BIOR will comply with a SAR without undue delay and at the latest within one month of receiving the request. We may extend the time to respond by a further two months if the request is complex or we have received a number of requests from the individual, eg other types of requests relating to individuals’ rights.

If we process a large amount of information about an individual, we may ask them to specify the information or processing activities their request relates to, if it is not clear. The time limit for responding to the request is paused until we receive clarification.

The BIOR need to be satisfied that we know the identity of the requester (or the person the request is made on behalf of). If the BIOR are unsure, we can ask for information to verify an individual’s identity. The timescale for responding to a SAR does not begin until we have received the requested information. We will request ID documents promptly.

BIOR’s AO Manager will arrange for all data to be collated so that it is made available to the person requesting it.  

BIOR may choose not to respond to requests to data access where they are manifestly unfounded or excessive, and in particular where they are repetitive, in these cases BIOR will be within its rights to:

  • charge a reasonable fee considering the administrative costs of providing the information; or
  • refuse to respond.

Where BIOR refuse to respond to a request, it will explain why this is the case and inform them of their right to complain to the ICO and to a judicial remedy. BIOR’s AO Manager will take any decisions around data access requests and manage the process.

Dealing with incomplete or incorrect personal data

The GDPR allows a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. BIOR must respond to any such request:

  • where an individual makes a request for rectification, verbally or in writing, and
  • do this within 30 days. 

BIOR’s AO Manager will manage this process.
Right to data erasure

Individuals have the right to have their data erased. BIOR must respond to any such request:

  • if an individual makes this verbally, or in writing and
  • do this within 30 days. 

However, this right is not absolute and only applies in certain circumstances. BIOR’s AO  Manager will manage this process and be responsible for taking any decisions on non-erasure of date. 


The GDPR requires the BIOR to take suitable security measures, at a level appropriate to the risk.

BIOR requires personal data to be held: 

  • securely on its systems by requiring secure access logins;
  • on encrypted files, where transferred by email; or
  • in locked, secure cabinets in the case of hard copy data. 

All staff and contractors where relevant must follow these requirements for data security. Advise or guidance on data security should be sought from the AO Manager.  

Data retention periods

Personal data must only be kept where it is legitimate to do so. BIOR has in place time frames within which data may be kept, please see the table in Appended to this document.

Where personal data falls outside of these requirements it must be deleted. BIOR’s AO Manager will regularly remind staff and where relevant contractors of this obligation and ask them to clean down records, as appropriate.    

Data Breach

Please refer to the BIOR’s separate policy and process on this matter. 

Data Compliance Officer (DCO)

BIOR’s DCO is its Legal Adviser. The DCO role will include providing advice on the GDPR, monitoring compliance and training staff. These duties may be done in collaboration with third-parties or delegated to professional advisers and experts.

BIOR’s DCO reports to the Managing Director on these matters.    

Minimum Retention Periods for Records Containing Personal Data

Type of Record Retention Period Reason for Length of Period
Learner registration 3 years after the qualification is completed Processing any queries; requirement to contact in the case of any legacy malpractice
Learner achievements/certification record In perpetuity Replacement certificates; authenticating achievement
Centre staff records

3 years after data subject ceases to be on staff

5 years for data relating to proven malpractice

Data may be held in perpetuity in cases of proven serious malpractice

May be required for professional reference

Potential litigation

Potential litigation

Personnel files, including training records, notes of disciplinary and grievance hearings, and appraisal forms

6 years from end of employment

Some data relating to proven serious malpractice  may be held in perpetuity

References and potential litigation

Selected material may form part of the Institute Archive

Letters of reference 6 years from end of employment, by the author of the reference letter References and potential litigation
Application forms/interview notes At least 6 months from the date of the interviews Time limits on litigation
Facts relating to redundancies where fewer than 20 redundancies 6 years from the date of redundancy As above
Facts relating to redundancies where more than 20 redundancies 12 years from the date of redundancies Limitation Act 1980
Income Tax and NI returns including correspondence with tax office At least 3 years after the end of the financial year the records relate to Income Tax Employment Regulations 1993
Statutory Maternity pay records and calculations As above Statutory Maternity Pay (General) Regulations 1986
Statutory sick pay records and calculations As above Statutory Sick Pay (General) Regulations 1982
Wages and salary records 6 years from end of employment Taxes Management Act 1970
Accident books and records and reports  of accidents 3 years after the date of the last entry Social Security  (Claims and Payments) Regulations 1979, RIDDOR 1985
Health Records During period of employment Management of Health and Safety at Work Regulations
Health records where reason of termination of employment is connected with health including stress related illnesses 3 years Limitation Period for personal injury claims
Medical records kept by reasons of the Substances Hazardous to Health Regulations 1999 40 years The Control of Substances Hazardous to Health Regulations 1999