The requirements stated within these guidelines are purely in relation to the administration and certification of Nuco Training courses and FAA qualifications and data that is collected during qualification delivery and on official course paperwork/ documentation.

​

Under the General Data Protection Regulation (GDPR) both Nuco Training Ltd and their registered Trainer/ Assessors at Vital Life Solutions Ltd have a responsibility to ensure compliancy in respect of the learner data that is collected and processed during the administration, delivery and award of training.

​

These guidelines states how Nuco Training requires their approved Trainer/Assessors from Vital Life Solutions Ltd to collect, store and process learner data.

​

The guidelines have been split into sections to allow easy access to important information and procedures:

​

Section 1 – Roles and definitions under the GDPR

Section 2 – Collecting learner’s data
Section 3 – Processing learner’s data
Section 4 – Storing learner’s data

Section 5 – Securely transferring data
Section 6 – Retention periods for learner’s data

Section 7 – Securely disposing of data
Section 8 – Data breaches and notification

​

Section 1 – Roles and definitions under the GDPR

​

What data is covered under this contract?

​

All learner data collected through the completion of official course paperwork/documentation is included within these guidelines and includes the following processes:

​

• The collection of learner’s personal data through any official documentation such as the Learner Workbook or Learner Registration Form. This includes name, email address and date of birth. Gender and a postcode is only collected if a learner requests entry of their achievement onto their Personal Learning Record

• The collection of learner’s special category data when a reasonable adjustment is granted. This is only collected and stored when a reasonable adjustment is granted and only includes any disability, medical condition or learning need

• The storage of course paperwork/documentation

• Upload and maintenance of electronic records of a learner’s achievement on NucoPlus

• The transfer of course paperwork/documentation

​​

What data is not covered under these guidelines?

​

The requirements stated within these guidelines are purely in relation to the administration and certification of Nuco Training courses and FAA qualifications and data that is collected during qualification delivery and on official course paperwork/ documentation.

 

Under the GDPR, Trainer/Assessors must also consider their own:

​

• Employee data

• Customer & supplier data

• Learner data for any non-regulated qualifications/courses

• Direct marketing using learner’s data

• Business activities that they may conduct

• Additional learner data collected in relation to qualifications, not required by Nuco Training, such as during course enquiries and course booking procedures. See our Privacy Policy.

​​

This list is not exhaustive, and Trainer/Assessors must conduct their own internal audit of the data they collect and process to ensure compliance with the GDPR. Full guidance on how Trainer/Assessors can ensure compliancy with the GDPR can be found on the Information Commissioner’s Office website – www.ico.org.uk.

​

The GDPR state that there are two types of data that Nuco Training and approved Trainer/Assessors at Vital Life Solutions collect, store and process:

​

• Personal Data
Includes name, email address and date of birth; gender and postcode may be collected if required for entry onto a learner’s Personal Learning Record.

​

• Special Category Data
Special category data is only collected when the learner is applying for a reasonable adjustment and is data relating to the learner’s health including any disabilities, medical conditions or learning needs they may have.

Please note that within these guidelines the word ‘data’ refers to both personal data and special category data.

​

Section 2 - Collecting learner’s data

​

How do we collect a learner’s data?

​

A learner’s data must only be collected on official course paperwork/documentation. Course paperwork/documentation has been designed to only request the minimum required data to allow Nuco Training and Trainer/Assessors at Vital Life Solutions Ltd to administrate and award a learner’s achievement.

 

Special category data must only be recorded during the application for a reasonable adjustment and is required for no other purpose.

​

Can we collect any additional data?

​

Should a Trainer/Assessor require additional data for any other purpose, they must conduct their own GDPR audit and ensure compliance before doing so. Nuco Training’s GDPR audit does not account for any additional data collected by Trainer/Assessors. See Vital Life Solution's Privacy Policy here.

 

Section 3 - Processing learner’s data

​

Trainer/Assessors at Vital Life Solutions Ltd are required to process learner data as part of the administration of the qualification/course that learner has chosen to undertake.

​

Trainer/Assessors are only permitted to process learner data for the purpose of entering it onto NucoPlus for certification and record keeping purposes for regulated courses.

​

Trainer/Assessors are permitted to electronically store a record of learner’s achievements on their own database but only data that is collected from official course paperwork/documentation and only for the purpose of record keeping.

​

No additional processing of learner data is permitted unless covered by the Vital Life Solution’s own GDPR audit. See Privacy Policy for this.

​

Section 4 - Storing learner’s data

​

What data do I need to keep?

​

All data is generated through the completion of official course paperwork/documentation. Full course paperwork packs must be retained for three years and six months from the final date of the course to provide evidence of a learner’s achievement.

​

How do I securely hold course paperwork/documentation?

​

Course paperwork/documentation can be stored in either hard copy ‘paper’ format or in an electronic document such as Word orPDF.

​

Hard copy ‘paper’ format

​

When data is stored in hard copy format the Trainer/Assessor must ensure that this is kept securely and take appropriate action to prevent unauthorised access.

​

Trainer/Assessors must ensure that paperwork/documentation is:

​

• Securely transported from the course venue to their premises by an authorised person, such as the Trainer/Assessor, or through a secure carrier, such as Royal Mail Special Delivery service

 

Data Protection Guidelines

Personal Data and Special Category Data

• Not left unattended

• Securely protected

• Promptly transferred to a secure storage area with access only by authorised persons

• Securely disposed of, as stated below, should it be electronically scanned MALADMINISTRATION

​

Electronic format

​

When data is stored in electronic format, appropriate security measures must be taken to protect learner’s data.

Trainer/Assessors must ensure that electronic records and documents are stored on a computer/server/cloud system that is protected by suitable security software and that physical computers are in secure locations with access only available to authorised persons.

​

It is crucial that the security software is maintained and that important security updates are quickly installed.

Appropriate measures must be in place to cover staff working from home or accessing systems, containing learner data, from remote locations.

​

All systems must be protected and only accessed through a secure log in system with users having unique user name and passwords.

​

Loss of data

​

Trainer/Assessors must take all possible actions to prevent the accidental or deliberate loss of data.

Course paperwork/documentation in electronic format must be appropriately backed up either internally or remotely through the internet.

​

Course paperwork/documentation in hard copy format must be securely stored and a back up copy generated if being sent through a secure courier.

​

Section 5 - Securely transferring data?

​

Course paperwork/documentation may need to be transferred in either hard copy or electronic format. Audit requests from Nuco Training may require the Trainer/Assessor to transfer copies of paperwork/documentation which can be done electronically or in hard copy.

​

Hard copy ‘paper’ format

​

Trainer/Assessors must ensure that hard copies of data are secure when being transferred and that measures are taken to prevent loss of data. Secure mail services such as Royal Mail’s Special Delivery service should be used. Trainer/Assessors must ensure a backup copy of any paperwork/documentation is taken before the hard copies are sent to prevent data being lost in transit.

​

Electronic format

​

When transferring course paperwork/documentation and data through electronic formats, Trainer/Assessors have the following options available:

​

• Transfer through NucoPlus

​

NucoPlus is located on a secure server with security being maintained by an international provider. Trainer/Assessors can securely upload documents directly to Nuco Training through the upload facility, located within NucoPlus. Access to NucoPlus is gained through a secure log in.

​

• Transfer through email

​

Paperwork/documentation and other documents must not be sent via email without being encrypted. ‘Zipped’ folders and documents must be encrypted, and a suitable alphanumeric password created, before being sent and this can be achieved using software such as ‘WinZip’. The password must be sent via a different medium than the documents, such as telephone.

​

• Transfer through a file hosting service, for example ‘Drop Box’

​

Paperwork/documentation and other documents can be shared using file hosting services such as Drop Box, Microsoft 365, etc. The Trainer/Assessor can create an account with the file hosting service and upload documents to the service which can then be shared with Nuco Training.

​

When using such services, the Trainer/Assessor must add a password and expiry time to documents and communicate the link and password in separate mediums, for example the link can be emailed, and the password communicated by telephone.

​

Section 6 - Retention periods for learner’s data

​

Course paperwork/documentation including assessment papers, must be kept by the Trainer/Assessor for three years and six months from the final date of the course. Records are maintained to allow any complaints/appeals/confirmation of achievement requests to be dealt with, as well as for auditing purposes.

​

Trainer/Assessor must securely dispose of course paperwork/documentation once this date has been reached.

Data, whether in paper or electronic format, must be disposed of in an appropriate manner.

​

Paper based data

​

All paperwork/documentation that contains learner data must be disposed of in a secure way.

 

Paperwork/documentation must be either:

​

• Shredded onsite by a nominated person and the waste securely disposed of OR

• Collected and disposed of by a specialist business providing the Trainer/Assessor with a certificate of destruction

 

Electronically based data

​

Electronic based records within a database, or any IT document such as Word or PDF, must be deleted in full and removed from all systems in their entirety including any ‘recycle bins’ that the data may be unknowingly backed up into.

​

Trainer/Assessors must ensure all archived or backed up versions are also deleted in their entirety. There must be no way that the data is able to be retrieved.

​

Section 7 - Securely disposing of data

​

Data, whether in paper or electronic format, must be disposed of in an appropriate manner.

​

Paper based data

​

All paperwork/documentation that contains learner data must be disposed of in a secure way.

 

Paperwork/documentation must be either:

• Shredded onsite by a nominated person and the waste securely disposed of OR

• Collected and disposed of by a specialist business providing the Trainer/Assessor with a certificate of destruction

​​

Electronically based data

​

Electronic based records within a database, or any IT document such as Word or PDF, must be deleted in full and removed from all systems in their entirety including any ‘recycle bins’ that the data may be unknowingly backed up into.

​

Trainer/Assessors must ensure all archived or backed up versions are also deleted in their entirety. There must be no way that the data is able to be retrieved.

​

Section 8 - Data breaches and notification

​

Under the GDPR Nuco Training has a legal duty to notify the ICO should a data breach occur.

​

What is a data breach?

​

A data breach is described in the GDPR as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

​

The following example situations would be considered a data breach:

​

• Access to personal data by an unauthorised person or organisation

• Deliberate or accidental deletion of data

• Sending data to the wrong person

• Computers, phones or any electronic equipment on which data is stored, being lost or stolen

• Paper files, on which data is written, being lost or stolen

• Changing a person’s data without their permission

• Loss of availability of data

 

Our policies are kept under constant review and updated as and when required