Data Protection Policy

This policy outlines how Puzzled Education collects, uses, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to safeguarding the rights and freedoms of individuals by ensuring that personal data is handled lawfully, fairly, and transparently.

1. Purpose and Scope

This policy applies to all staff, learners, contractors, and stakeholders who access or process personal data on behalf of Puzzled Education. It applies to all data that identifies or could identify a living person and includes digital, paper-based, and verbal records.

2. Legal Framework

This policy complies with the UK GDPR, the Data Protection Act 2018, and other relevant legislation. It supports the rights of individuals and the obligations of Puzzled Education as a data controller and, where applicable, a data processor.

3. Data Protection Principles

We commit to the following UK GDPR principles:
– Data must be processed lawfully, fairly, and in a transparent manner.
– Collected for specified, explicit, and legitimate purposes.
– Adequate, relevant, and limited to what is necessary.
– Accurate and kept up to date.
– Retained only for as long as necessary.
– Processed securely using appropriate technical and organisational measures.
– Accountability: We are responsible for demonstrating compliance.

4. Roles and Responsibilities

– The Managing Director serves as the Data Protection Lead.
– Staff must complete training and handle data in line with policy.
– Contractors and third parties must adhere to data protection clauses in their agreements.

5. Lawful Basis for Processing

Puzzled Education processes personal data only where a lawful basis exists, including:
– Consent
– Contract
– Legal obligation
– Vital interests
– Public task
– Legitimate interests
Special category data is processed only under strict conditions and with additional safeguards.

6. Rights of Individuals

Individuals have the right to:
– Be informed
– Access their data
– Rectify inaccurate or incomplete data
– Erasure (where applicable)
– Restrict processing
– Object to processing
– Data portability
– Not be subject to automated decision-making
Requests can be submitted in writing to enquiries@puzzledtraining.co.uk.

7. Data Sharing and Disclosures

We only share data when necessary and in compliance with the law. This includes:
– With awarding organisations or regulatory bodies
– For safeguarding and welfare concerns
– With funders or government agencies
Personal data is never sold to third parties.
Wherever possible, anonymised or pseudonymised data is used for reporting purposes.

8. Security of Data

We apply appropriate security controls:
– Passwords and encryption
– Controlled access permissions
– Lockable storage for paper records
– Use of secure communication channels
– Secure deletion protocols
Staff must report any loss or suspected breach immediately.

9. Data Retention and Disposal

Personal data is held in accordance with our retention schedule. Data is deleted or securely destroyed when no longer needed. Learner records are retained for a minimum of 6 years. Financial data is retained in accordance with statutory requirements.

10. Data Breaches and Complaints

Breaches must be reported immediately to the Data Protection Lead. Where there is a risk to individuals, the Information Commissioner’s Office (ICO) will be notified within 72 hours. Individuals may also complain directly to the ICO if they are dissatisfied with how we have handled their data.

11. Training and Awareness

All staff are required to complete data protection training on induction and at regular intervals thereafter. We promote awareness through updates, guidance, and supervision to maintain compliance.

12. Policy Review and Contact

This policy will be reviewed annually or in response to legislative changes.

Signed: Z Croot
Managing Director
Date: June 2025
Review Date: June 2026

Issue | Date | Author | Role | Revision Notes
V1 | January 2024 | Anne-Louise Everton | Operations / Centre Manager | New Policy Publication
V2 | June 2025 | Claire Pyle | Compliance Manager | Updated and compliant with the UK GDPR and DPA 2018