GDPR & Data Protection Policy

1. Purpose

Exell Training is committed to protecting the personal information of all individuals who take part in our training courses.

This policy explains how we collect, handle, store, and protect personal data in line with the UK GDPR and the Data Protection Act 2018.

2. Scope

This policy applies to all Exell Training staff, trainers, contractors, learners, and partner organisations.

It covers personal data collected from:

  • Health Care Professionals (HCAs, nurses, etc.)

  • Non-Health Care Professionals attending courses

  • Exell Training staff and contractors

3. Legal Framework

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • Freedom of Information Act 2000 (where applicable)

4. Roles & Responsibilities

  • Director: Overall accountability for compliance with data protection law, on behalf of Exell Training as the Data Controller.

  • General Manager (day-to-day data protection lead): Implements day-to-day procedures and staff training. Staff handling personal data under Exell Training's authority act as part of the Data Controller; the term "Data Processor" is reserved for third-party providers that process data on our behalf (see section 8).

  • All Staff & Trainers: Must comply with this policy, protect data, and report breaches immediately.

5. Data Collected

  • Name, contact details, workplace information

  • Training records, assessments, certification details

  • Employment information (for staff and trainers)

  • Any other information necessary for training or compliance

6. Data Use

Data is used for:

  • Course enrolment and administration

  • Training delivery and assessments

  • Issuing certificates and maintaining compliance records

  • Meeting legal and regulatory requirements

7. Data Storage & Security

  • Electronic data stored securely on password- or access-controlled systems (e.g. Xero, Curaflex, Learning Hub).

  • Paper records kept in locked storage at Exell Training HQ (60 Lisburn Road, Belfast, BT9 6AF).

  • Access limited to authorised staff.

8. Data Sharing

  • Shared only with awarding bodies, regulators (RQIA, NISCC), or as legally required.

  • Data Processing Agreements in place with third-party providers.

9. Data Retention

  • Learner training records and certificates: retained for a minimum of 6 years.

  • Employee records: retained for employment period + 6 years.

  • Secure disposal of data after the retention period (shredding of paper records, secure deletion of electronic records).

10. Data Breach Procedure

  • Suspected breaches reported immediately to the General Manager.

  • Investigation by the Data Controller begins immediately; the assessment of whether the breach must be reported is completed within 72 hours of Exell Training becoming aware of it.

  • Breaches likely to result in a risk to individuals' rights and freedoms reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

  • Affected individuals notified without undue delay where the breach is likely to result in a high risk to their rights or freedoms.

  • All breaches, whether or not reported to the ICO, recorded in an internal breach log with the facts, their effects, and the remedial action taken.

11. Data Subject Rights

Data subjects have the right to:

  • Access their data (via a Data Subject Access Request, DSAR), normally answered within one month of receipt

  • Request correction or deletion (where legally possible)

  • Restrict or object to processing

  • Request data portability

12. Monitoring & Review

  • Annual compliance checks led by the General Manager.

  • Policy reviewed annually, or sooner if legislation changes.