Data Protection and GDPR Policy

This policy ensures compliance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, and supports the secure, lawful, and transparent use of personal data.

1. Purpose

This policy outlines how Hydurage Limited collects, processes, stores, and protects personal data to comply with the UK GDPR, the Data Protection Act 2018, and relevant regulatory requirements.

  1. . Data Protection Principles

In accordance with the UK GDPR, we ensure that personal data is:

  1. Processed lawfully, fairly and transparently
  2. Collected for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and kept up to date
  5. Kept no longer than necessary
  6. Processed securely to protect against unauthorised access, loss or damage

2. Lawful Basis for Processing

We process personal data under one or more of the following lawful bases:

  • Contractual necessity (e.g., registering a learner for a qualification)
  • Legal obligation (e.g., compliance with Ofqual or HMRC requirements)
  • Legitimate interests (e.g., maintaining quality assurance and service delivery)
  • Consent (e.g., for marketing or optional surveys)
  • Vital interests (e.g., safeguarding concerns)

3. Types of Personal Data Collected

We may collect:

  • Full name, date of birth, gender
  • Contact details (address, email, phone number)
  • Unique learner numbers or centre ID codes
  • Assessment and qualification records
  • Special category data (e.g., disability, ethnicity) where relevant and with safeguards

4. Data Subject Rights

Data subjects have the right to:

  • Access their personal data
  • Request correction of inaccurate or incomplete data
  • Request erasure (right to be forgotten), subject to legal obligations
  • Object to or restrict processing
  • Data portability (where applicable)
  • Withdraw consent at any time (where processing is based on consent)

Requests can be made by emailing contact@hydurage.com, and we will respond within 30 days.

5. Data Retention

We retain personal data only for as long as necessary to fulfil our obligations. This may vary by qualification type and regulatory requirement.

6. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encrypted data storage
  • Secure transfer protocols
  • Access controls and role-based permissions
  • Regular staff training on data protection

7. Sharing and Transfers

Personal data may be shared with:

  • Regulatory bodies (e.g., Ofqual, Qualifications Wales)
  • Centres and their authorised staff
  • External verifiers or contractors under strict confidentiality agreements

We do not transfer personal data outside the UK unless adequate safeguards (e.g., Standard Contractual Clauses) are in place.

8. Data Breaches

Any data breach will be assessed and reported in accordance with the ICO’s guidelines. Where necessary, individuals and the Information Commissioner’s Office will be notified within 72 hours.

9. Roles and Responsibilities

  • Data Protection Officer (DPO): Oversees compliance and handles queries/data requests.
  • All Staff and Centres: Must follow this policy and report concerns or breaches immediately.