Privacy Notice

• General information
Data Protection Officer’s contact details
How do we get your information?
Your data protection rights
Changes to this privacy notice
Glossary

General information

This notice relates to the way in which Onefile Ltd (“Onefile”) processes personal information about individuals.

We have provided a glossary at the end of this document for your reference but if you have any difficulty understanding the information in this policy, please contact us at [email protected].

This policy only relates to instances where we are the Data Controller and we directly collect the information from individuals.

We do not process any personal data that we receive indirectly from third-parties, other than where we are acting on the instructions of our Clients. These may be your employer, an independent training provider, a college, university or any other organisation who may have engaged with us for the purposes of using our products and services to provide you with a service. In these circumstances our Clients are the Data Controller and we are the Data Processor. If you have any questions about how our Clients process your personal information, then you must contact that organisation directly.

 

Data Protection Officer’s contact details

Onefile has elected Ceren Demir as our Data Protection Officer and you can contact her in several ways:

Email

[email protected]

Post

Data Protection Officer
Onefile Ltd
6th Floor Arndale House
Arndale Centre
Manchester
M4 3AQ

Telephone

0161 638 3876 – please select the ‘other’ option and ask to speak to the Data Protection Officer.

How we get your information

Whenever you visit our website

Analytics

When you visit any website using the onefile.co.uk domain name, we use a third-party service, Google Analytics to collect standard internet log information and details of visitor behaviour patterns. We do this to find out how many visitors are visiting which parts of our sites. This information is only processed in a way that does not identify anyone. We do not send your IP address to Google or let Google identify who you are.

We also record standard internet log information on our servers that are hosted with Microsoft Azure and Amazon Web Services which are located within the United Kingdom. This log information does record your IP address and we record and monitor this for security reasons. This information is only shared with Onefile employees.

If you have provided consent to our tracking cookie (a notice which appears at the foot of our website) then we will also collect your IP address and store it on Hubspot.

Cookies

You can read more about how we use cookies on our Cookies page. We use a cookies tool on our website which relies on the consent of visitors.

Security and performance

We use a third-party service called Cloudflare to protect our website at www.onefile.co.uk. Cloudflare is a security service that monitors the traffic flowing to our service is legitimate and can challenge or block access to anything it thinks might be malicious. Cloudflare servers are located worldwide but under normal working circumstances, if you are accessing our services within the United Kingdom then then traffic will be routed through a Cloudflare server based in the United Kingdom.

Purpose and legal basis for processing

The purpose for implementing all of the above is to maintain and monitor the performance of our websites and information services and to constantly look to improve the way we are doing this. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.

What are your rights?

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may

refuse your objection, which depend on why we are processing it. For more information on your rights please see the section “Your data protection rights”.

When you contact us

Joining one of resource mailing lists
Making an enquiry
Creating a Onefile Keychain and CPD account
Using the Eportfolio service as an external verifier or external quality assurer
Applying for a job with us
Making a complaint
Requesting technical support with any of our services
Booking a sales demonstration
Booking a webinar
Subscribing to the newsletter
Requesting standards from us
Signing up for the OneFile ideas portal

Joining one of our resource mailing lists

When you visit the ‘Explore’ section of our website you will have the option of joining one of our online communities which is a resource mailing service that we provide that you subscribe to. The different online communities are:

• Apprenticeships

• Further & Higher Education

• Training & CPD

• Healthcare

Joining one or more of these communities will give you access to more detailed resources that are not available otherwise on our website. You will also receive future resources of similar interest in the future by email and you can opt out of this subscription service at any time. We will not contact you for any other reason than to supply you will future resources.

Purpose and legal basis for processing

Our purpose for collecting the information is so we can provide you with a service and send you resources that you are interested in.

The legal basis we rely on to process your personal data is your consent under article 6(1)(a) of the GDPR.

What we need

Your name, job title, organisation name and email address.

Why we need it

We need these details to provide you with our service and understand who our members are and the organisations they work for.

What we do with it

We use your name and email address to create an email that will send you your future resources and we use your job title and company to understand the make-up of the membership so that we can devise more appropriate resources in the future.

How long we keep it

We keep this information until you opt-out of the service and then it is erased.

What are your rights?

We rely on your consent to process the personal data you provide to us for marketing purposes. This means you have the right to withdraw your consent, or to object to the processing of your personal data for this purpose at any time. If you do that, we’ll update our records immediately to reflect your wishes.

For more information on your rights, please see “Your data protection rights”.

Do we use any data processors?

The information we collect from you is stored on a third-party called HubSpot which is located in the USA and is US Privacy Shield self-certified, an approved scheme under GDPR. Please see HubSpot’s privacy notice.

Making an enquiry

Purpose and legal basis for processing

Our purpose for processing your personal data is so we can fulfil your information request to us.

The legal basis for this is article 6(1)(f) of the GDPR which relates to processing required for our legitimate interests.

What we need and why we need it

We need information from you to respond to you and to locate the information you are looking for. This enables us to deliver a quality service.

What we do with it

When we receive a request from you we will set up an electronic case file containing the details of your request. This will normally include your contact details and any other information you have provided. We’ll also store on this case file a copy of the information that we send back to you and keep this as a communication history.

How long we keep it

We keep this information for 3 years from the time you make your enquiry. If your enquiry is a sales enquiry then we keep this information for 5 years.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

If your enquiry has been sent from the online form on our website at https://www.onefile.co.uk/contact-us then the details you provide will be stored with a third-party service called HubSpot which is located in the USA under US Privacy Shield self-certification, an approved scheme under GDPR.

If you are making a sales enquiry then your details will be stored within the EEA with a third-party service called salesforce.com.

Creating a Onefile Keychain and CPD account

Purpose and legal basis for processing

Our purpose for us collecting the personal data that you provide to us is to fulfil our obligations in providing you with the services that you have signed up for.

The legal basis we rely on to process your personal data is article (6)(1)(B) of the GDPR which allows us to process personal data in order to perform a contract.

What we need

Your name and email address.

Why we need it

We need your name as part of the contract and your email address is used to form part of your login and also, so we can send you communications regarding the services we are providing.

What we do with it

In addition to the information we collect from you when registering you may enter at your discretion further personal data that may include:

(a) Your logins to other OneFile services

(b) Personal data inside your CPD record

We will track when you log in and monitor the frequency in which you log in.

We will read any “learning objectives” that you may enter in the CPD service and place any advertisements that we may think are relevant to you on the pages that you are viewing within the service. An example of advertising might be an e-learning course.

How long we keep it

The data you store with us will remain with us until you terminate the agreement. We reserve the right to monitor the activity of your account and if it has been inactive for 12 months we will attempt to contact you and ask you if you wish to keep it.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

The data is stored on Microsoft Azure and Amazon Web Services, both located in UK data centres.

Using the Eportfolio service as an external verifier or external quality assurer

Purpose and legal basis for processing

Our purpose for us collecting the personal data that you provide to us is to fulfil our obligations in providing you with the access required for you to complete your role.

The legal basis we rely on to process your personal data is article (6)(1)(B) of the GDPR which allows us to process personal data in order to perform a contract.

What we need

Your name, email address and name of your awarding body.

Why we need it

We need your name and email address to create your login and the name of the awarding body is used to ensure that you have been assigned to the correct qualification.

What we do with it

When we receive a request with your information from a Centre Manager to create an account for you, we will contact you first to ensure that:
(a) you do not already have an account with us; and
(b) whether you are happy for us to create an account or assign the new centre to your existing account

Once you have confirmed one of the above, we will use the details provided to create your account on Onefile and send you an automatically generated email with your login information on.

How long we keep it

Your information will be kept on our systems until a Centre Manager, or yourself, contact us to ask to be removed.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

The data is stored on Microsoft Azure and Amazon Web Services, both located in UK data centres.

Applying for a job with us

Purpose and legal basis for processing

Our purpose for processing the personal data that you provide to us is to assess your suitability for the role you have applied for.

The legal basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.

The legal basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnic information is article 9(2)(b) of the GDPR, which also relates to our obligations in employment and the safeguarding of your fundamental rights and article 9(2)(h) for assessing your work capacity as an employee. And Schedule 1 part 1(1) and (2)(a) and (b) of the DPA2018 which relates to processing for employment, the assessment of your working capacity and preventative or occupational medicine.

What we need

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

Application stage

If you use our online application system, this will be collected by a data processor on our behalf.

We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. Our HR team will have access to all this information.

Shortlisting

Our hiring managers shortlist applications for interview. They will be provided with your name or contact details, plus your previous experience, education and answers to questions relevant to the role you have applied for.

Assessments

We might ask you to complete tests and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by Onefile Ltd.

If you are unsuccessful following assessment for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we would proactively contact you should any further suitable vacancies arise. If you say no, these details will be deleted.

Conditional offer

If we make you a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.

You will therefore be required to provide:

• Proof of your identity – you will be asked to attend our office with original documents, we will take copies

• Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies

• We will contact you to complete an application for a Basic Criminal Record check via the Disclosure and Barring Service

• We will contact your referees, using the details you provide in your application, directly to obtain references

• We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work

Final offer

If we make a final offer, we will also ask you for the following:

• Bank details – to process salary payments

• Emergency contact details – so we know who to contact in case you have an emergency at work

Why we need it

The information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for, but it might affect your application if you don’t.

What we do with it

All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical format.

We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.

Final recruitment decisions are made by hiring managers and members of our HR team. All the information gathered during the application process is considered.

You may ask about decisions made about your application by speaking to your contact or by emailing [email protected].

How long we keep it

If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.

If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the campaign, unless you request otherwise.

Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the campaign, unless you request otherwise.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

If you use our online application system, you will provide the requested information to CezanneHR who provide this online service for us and are used internally for HR records system. Once you click ‘Apply Now’ you will be taken to CezanneHR’s website and they will hold the information you submit but OneFile will have access to it.

If you accept a final offer from us, some of your personnel records will be held on CezanneHR.

CezanneHR will also provide us with management information about our recruitment campaigns. This is anonymised information which tells us about the effectiveness of campaigns, for example, from which source did we get the most candidates, equal opportunities information for monitoring purposes. This anonymised information will be retained for 6 years from the end of the campaign.

If you apply for a Secondment, then the data is stored on Microsoft Azure and Amazon Web Services, both located in UK data centres.

Secondments/work experience

We also offer opportunities for people to come and work with us on a secondment/work experience basis. We accept applications from individuals or from organisations who think they could benefit from their staff working with us.

Applications are sent directly to OneFile Ltd. Once we have considered your application, if we are interested in speaking to you further, we will contact you using the details you provided.

We might ask you to provide more information about your skills and experience or invite you to an interview.

If we do not have any suitable work at the time, we will let you know but we might ask you, if you would like us to retain your application so that we can proactively contact you about possible

opportunities in the future. If you say yes, we will keep your application for 6 months. If you say no, these details will be deleted.

You will be expected to adhere to a confidentiality agreement and code of conduct which will be agreed with your organisation.

We might also ask you to complete our pre-employment checks so that we fulfil our obligations to avoid conflicts of interest and to protect the information we hold.

It will be retained for the duration of your secondment/work experience plus 6 years following the end of your secondment, unless you request otherwise.

Making a complaint

Purpose and legal basis for processing

Our purpose is to investigate and resolve the issues that you are experiencing.

The legal basis we rely on to process your personal data is article (6)(1)(F) of the GDPR which allows us to process personal data under legitimate interest (in resolcing your query and being able to return to you) which would be necessary.

What we need

We need information from you to investigate your complaint properly, so we ask for:

• your name
• the organisation for whom you work
• whether you are a customer, supplier or other
• telephone number
• email address
• nature of the complaint (which may contain information you have given us about the other parties in your complaint)

Why we need it

We will use your personal information to investigate your complaint and check on our level of service. We compile and publish statistics showing information, i.e. the number of complaints we receive, but this is anonymised.

No third parties have access to your personal information unless the law allows them to do so.

We will try to respect that you may wish to remain anonymous if complaining about a particular member of staff however, it is not always possible to handle a complaint on an anonymous basis so we’ll contact you to discuss this.

If you are acting on behalf of someone making a complaint, we will ask for information to satisfy us of your identity and if relevant, ask for information to show you have authority to act on someone else’s behalf.

How long we keep it

An entry of each complaint received will be made within an electronic file, which will be maintained at all times.

We will retain a record of each complaint received for at least 2 years from the date the complaint is resolved.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

The data is stored on Microsoft Azure and Amazon Web Services, both located in UK data centres.

Requesting technical support with any of our services

Purpose and legal basis for processing

Our purpose for us collecting the personal data that you provide to us is to fulfil our obligations in providing you with the services that you have signed up for.

The legal basis we rely on to process your personal data is article (6)(1)(B) of the GDPR which allows us to process personal data in order to perform a contract.

What we need

Your name, email address and learner ID (if learner).

Why we need it

We need these details in order to find your account and assist you with the technical difficulties you may be experiencing.

What we do with it

If you have provided the information by telephoning us, the information will be used to access your Onefile account and assist you with your technical issues.

If you have submitted your information on our Support page, then the details will be used to contact you and assist you with your technical issues.

How long we keep it

Your information will be kept on our systems for a period of 2 years from being resolved.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

No.

Booking a sales demonstration

Purpose and legal basis for processing

Our purpose for us collecting the personal data that you provide to us is to provide a demonstration before you decide if you would like to enter into a contract.

The legal basis we rely on to process your personal data is article (6)(1)(B) of the GDPR which allows us to process personal data in order to perform a contract or in order to take steps at your request prior to entering into a contract.

What we need

Your name, email address, company name, telephone number, job title, industry of company and city.

Why we need it

We ask for the following:
• name
• email address
• company name
• telephone
so that we can contact you and arrange to book a demonstration.

We ask for the following:
• job title
• industry of company
• city
so that we can research and understand more about your company and tailor the demonstration based on what you may typically use and provide you with the best demonstration of the software. The city is also used to ensure that if you do go ahead with our software, we can assign an account manager and trainer close to you.

What we do with it

We would use your details to arrange a demonstration and email you a link to this registration.

We would also add your details to a sales database which will ensure that we keep a track of your progress post-demonstration, should you wish to go ahead.

How long we keep it

A record of the information you have provided will be kept for 6 years.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

A record of the information will be created and stored in our sales database within the EEA with a third-party service called salesforce.com. You can view their privacy policy here.

Booking a webinar

Purpose and legal basis for processing

Our purpose for us collecting the personal data that you provide to us is to provide you with a service that you have requested.

The legal basis we rely on to process your personal data is article (6)(1)(A) of the GDPR which allows us to process personal data with your freely given, specific, informed and unambiguous consent of your wishes by requesting a webinar.

What we need

Your name and email address will be entered into a third-party processor used for webinars called GoToWebinar.

Why we need it

The third-party provider requires this in order for the booking to be completed. We have access to this information and use the information you have provided is used to send a follow up email to thank you for attending and attaches our contact information, should you wish to know more.

What we do with it

We do not store any of your details. To see how GoToWebinar processes your data, please visit https://www.logmeininc.com/legal.

How long we keep it

Your information is retained by us for 6 months after your webinar attendance.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

A record of the information will be stored in GoToWebinar, part of LogMeIn which is located in the USA under US Privacy Shield self-certification, an approved scheme under GDPR.

Subscribing to the newsletter

Purpose and legal basis for processing

Our purpose for us collecting the personal data that you provide to us is to inform you about our services.

The legal basis we rely on to process your personal data is article (6)(1)(A) of the GDPR which allows us to process personal data with your freely given, specific, informed and unambiguous consent of your wishes by signing up to our newsletter.

What we need

Email address.

Why we need it

We need this information to send you the newsletter that you have signed up for.

What we do with it

We enter this information into our third-party database used to host our website and newsletter mailing lists.

How long we keep it

The information that you provide to us is kept for 2 years.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

The information we collect from you is stored on a third-party called HubSpot which is located in the USA and is US Privacy Shield self-certified, an approved scheme under GDPR. Please see HubSpot’s privacy notice.

Requesting standards

Purpose and legal basis for processing

Our purpose for us collecting the personal data that you provide to us is to fulfil our obligations in providing you with the services that you have signed up for.

The legal basis we rely on to process your personal data is article (6)(1)(B) of the GDPR which allows us to process personal data in order to perform a contract.

What we need

Name, email address, and name of centre on OneFile.

Why we need it

We need your name and email address are used to contact you once your standards have been built and are awaiting your quality check. We also need the name of your centre so we can upload the standard to you centre once it’s been processed.

What we do with it

We collect this information through our website in our own software called e-Forms. Once the form has been submitted, our standards teams are sent a copy through the customer enquiry system.

We then use this information to inform you that the standards have been built and uploaded to your standards approval area.

How long we keep it

The information that you provide to us is kept for 2 years.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

The data is stored on Microsoft Azure and Amazon Web Services, both located in UK data centres.

Signing up for the OneFile ideas portal

Purpose and legal basis for processing

Our purpose for us collecting the personal data that you provide to us is to provide you with access to the OneFile Ideas Portal, which will allow you to add ideas, vote and comment on other ideas.

The legal basis we rely on to process your personal data is article (6)(1)(A) of the GDPR which allows us to process personal data with your freely given, specific, informed and unambiguous consent of your wishes by signing up to our OneFile Ideas Portal.

What we need

Your name and email address.

Why we need it

We will use your name and email address to create your account login and also to have visibility over who and which organisation has suggested which ideas.

What we do with it

We use your details to create your login and we may also use your email address to communicate updates on the status of an idea you may have suggested or shown an interest in.

How long we keep it

The data you store with us will remain with us until your organisation terminates the agreement.

What are your rights?

You have several rights – please see the section on “Your data protection rights”.

Do we use any data processors?

The information we collect from you is stored on a third-party called Aha which is located in the USA and is US Privacy Shield self-certified, an approved scheme under GDPR. Please see Aha’s privacy notice here. This information is also stored on Microsoft Azure and Amazon Web Services, both located in UK data centres.

Your data protection rights

Right to be informed

The GDPR states that you have the right to be informed about how we collect and use your personal information (“privacy information”).

Right of access

You have a right to access any of your personal data. In some circumstances you will be able to obtain your personal information through the various self-service facilities that we provide with our products and services. However, in other circumstances such information may not be available and you can send us a special request (known as a “subject access request”) to our Data Protection Officer at [email protected] who will assist in giving you access to the information we hold about you. We will provide this information to you within no longer than one month and free of charge, unless you make excessive requests in which case we will be entitled to charge a fee.

Right to rectification

This is your right to have any personal data recorded about you that is inaccurate rectified or completed if it is incomplete. If you believe that the personal data we hold about you is incomplete or inaccurate then please contact our Data Protection Officer. If we are the Data Controller for your personal data then we will be able to rectify or complete it as necessary, however if we are acting as a Data Processor for your personal data then we will provide you with the contact details of the Data Controller (which may be one of our Clients).

Right to erasure

This is your right to be forgotten and means that at your request, the personal data we hold about you can be erased. If you wish us to erase your personal data then please contact our Data Protection Officer and we will respond no longer than one month. Please note that in instances where we are processing your personal data as a Data Processor, we will promptly inform the Data Controller of your request and advise you of this when you make the request.

Right to restrict processing

This is your right to request the restriction or suppression of your personal data (instead of erasure or rectification). It means that we can still store your data but no longer use it. There are a few circumstances in which this right can be exercised:
(a) If you are contesting the accuracy of the personal data and in the meantime we are verifying the accuracy of the data
(b) If you believe the personal data has been unlawfully obtained and you oppose your right to erasure
(c) When we no longer need the data but you need it to establish, exercise or defend a legal claim
(d) You have objected to us processing your data and Onefile is considering whether our legitimate grounds override those of your own

It is therefore our policy to automatically restrict the processing whist we are considering the accuracy or the legitimate ground for processing the personal data in question.

Right to data portability

This is your right to receive a copy of the personal data we hold about you in a format that will allow to reuse your data for your own purposes across different systems. Whilst we can provide the data to you in a common format such as CSV or XML, we cannot guarantee that the service you decide to reuse your information in will accept the automatic importing of your data.

This right applies to Keychain and CPD, and the marketing subscription service.

Right to object

This is your right to object to us processing your information. It may relate to any direct marketing you may be receiving from us or if you object to our legitimate interests. Please contact our Data Protection Officer.

Rights related to automated decision making including profiling

We don’t make automated decision making based on your personal data.

Please note if you are using the CPD service then we reserve the right to place advertising content on your web pages that we think is appropriate to you, but this is based on the learning outcomes you have selected which is not classified as personal data.

If you have any queries about your rights, then please contact our Data Protection Officer.

Changes to this privacy notice

 

We review this Privacy Review regularly and update it accordingly.

The last update was 12 July 2018.

Glossary

 

In this document the following words have the following meanings:

Clients means the business organisations that are Onefile’s customers that are typically either independent training providers, employers, colleges or universities. Our Clients will usually be purchasing our products and services to use with their own customers (e.g. students or employees), and usually in the context of this Policy, each Client will be a Data Controller and we will be a Data Processor.

Data Controller is an entity (e.g. an organisation) that determines the purpose and means for processing the personal data that it obtains.

Data Processor is an entity that processes personal data on behalf of a Data Controller and under their written instructions.

EEA means the European Economic Area and it includes the 28 members of the European Union (of which the United Kingdom is currently a member) plus Iceland, Liechtenstein and Norway.

Eportfolio means our software as a service that we sell and licence directly to our Clients, and in this context our Clients will be Data Controllers and we will be a Data Processor

Explore Community means any of the 4 communities that are featured within the Explore section of our website.

Keychain and CPD means our software as a service that we licence directly to individuals and in this context, we are a Data Controller.