Privacy Notice
This Notice Explains how the Highway Electrical Association (HEA) and each associated part uses the personal information collected from you, or provided to the HEA to process the associated functions. It also describes how long the information is kept for and the limited circumstances in which we might disclose it to third parties.
Personal Details We Hold
The HEA manages seven types of personal information routes, which allow the HEA to manage the various activities in support of the Highway Electrical and other associated sectors.
- HEA – Member information which includes applicant provided information which includes; organisation, applicant name, position, contact details.
- HESA – ATO – Customer provided information to facilitate the approval and management of Approved Training Providers within the HESA requirements, this includes organisation name, trainer name, personal CV, contact e-mail address and phone number. Supporting evidence for course approval, which may include certifications and statements.
HESA – certification – for the production and reissue of certification. Customer provided information includes Learner Name, Trainer name, course title and course assessment outcome.
- HEA Training –Customer provided employee information for notification of training course attendance, this includes Learner Name, Reasonable Adjustments and HERS status. For Apprenticeship notification, additional information is required, which includes ethnic origin code, gender and date of birth.
- NVQ – Customer provided employee information for the registration of Learners on the Awarding Body (Lantra Awards) qualification registration system (further details on their privacy notice can be obtain from Lantra Awards. Information collected will include, Learner Name, Date of Birth, Ethnic Code, Gender and postcode. Where applicable information will be provided to Practical Performance Assessment Centres, information will include (ULN as applicable) Name, Awarding Body Learner Registration Number and name of employer.
- PPA Centre – Learner information provided by the associated NVQ centre, which includes (ULN as applicable) Name, Awarding Body Learner Registration Number and name of employer
- PPA Moderator/Certification – Learner information provided by the PPA centre, which includes (ULN as applicable) Name, Awarding Body Learner Registration Number and name of employer, it will also include associated assessment evidence in support of the final outcome.
- HERS – Customer provided employee information for ECS test request and HERS registration. Information provided includes operative name, gender, date of birth, National Insurance Number and name of employing company. Employee portfolio HERS documents and NVQ certification evidence will also be stored on the HERS system
- HEN – Contractor, Supplier and subscriber provided information, which includes name, address telephone number and e-mail address
Length of Time Held
In order to comply with the General Data Protection Regulations, your details will only be kept for the shortest time required. This will vary according to the type of data being held, and within which function.
- For HESA Training Provider, held for the duration of the provider provision, and archived as instructed.
- For HESA Certification, held for re-certification as required
- For HEA Training evidence course information is stored for 5 years
- For NVQ, Portfolios returned, scanned workbooks and certificates are held on the HERS system, achievement record and details held for 5 years.
- For PPA Moderation/Certification, held for re-certification as required
- HERS information is managed by the employer organisation, nominated persons for the HERS system
- For HEA Membership, held for the duration of the membership.
- For HEN subscription, held until subscription is removed by request
The only exceptions to this are where:
- the law requires us to hold your personal information for a longer period, or delete it sooner;
- you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law;
- we bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible; or
- in limited cases, existing or future law or a court or regulator requires us to keep your personal information for a longer or shorter period.
Data Protection says that we are allowed to use and share your personal data only where we have a proper reason to do so. The law says we must have one or more of these reasons and these are:
- Contract – your personal information is processed in order to fulfil a contractual arrangement e.g. training or qualification.
- Consent – where you agree to us using your information in this way e.g. for storing your registration details, qualification registration, certification
- Legitimate Interests – this means the interests of HEA in managing our business to allow us to provide you with the best products and service in the most secure and appropriate way e.g. to transfer your data to certain Third Party’s such as the JIB, Lantra Awards and where applicable system software organisation.
- Legal Obligation – where there is statutory or other legal requirement to share the information e.g. when we have to share your information for law enforcement purposes.
Here is a list of the ways that we may use your personal information, and which of the reasons described above we rely on to do so. Where we list legitimate interests as a reason, we also describe below what we believe these legitimate interests are.
| What We Use Your Personal Information for |
Our Reasons (Legal Basis) |
Explanation of Legitimate Interests |
| To Set up your Account |
Legitimate Interest |
To ensure efficiency of dealing with this activity |
| Storage of payment details |
Consent |
None |
| Processing of your orders |
Legitimate Interest |
To ensure efficiency of dealing with this activity |
| Website personalisation and administration |
Legitimate Interest |
To promote providers, ATO service and HERS System |
| Communications to inform you of courses, updates, website updates, new services and safety notices |
Legitimate Interest |
Improving customer awareness |
| Contact you to undertake customer satisfaction surveys |
Legitimate Interest |
Develop and inform the HEA on possible improvements |
| Producing Certifications |
Legitimate Interest, Consent |
To provide appropriate certificates to reflect levels of approval, achievement and qualification requirements |
| Qualification Registrations |
Legitimate Interest, Consent |
To meet the requirements of the Awarding Body |
| HEA/HEMSA Membership |
Legitimate Interest, Consent |
To promote organisations and best practice |
How to Access Your Details
If you wish to see full details of the information held for ATO and HERS the HERS system can be accessed using your login details, for all other enquiries, and to initiate a subject access request email contact@thehea.org.uk
Sharing Personal Information
The HEA will not share your information to any other third party, except under the following situations;
- As required in support of HSE investigations
- To promote HEA Members, HERS registered organisations, Approved Training Organisations and CBQ/NVQ centres on the HEA web site
- To enable the process of certifications
- To enable the delivery and moderation of PPA requirements.
- To Awarding Bodies for Learner registration for qualifications/courses
- To the JIB and software organisation for the production of HERS registration and cards
- To transfer HERS registration from one organisation to another, which may include training certificates, personal profile/CV, and other personal details required for HERS initial set-up and identification.
The HEA, HESA and HEA Training may contact you relating to services, queries and safety alerts as these arise.
Data Controller and Data Processing
The HEA and HESA have fully committed to the adherence of the General Data Protection Regulations (GDPR). For the collection and processing of personal data, the following applies;
Collection of Data
The HEA and HESA will be the data controller for a number of functions, which includes, HEA, HESA ATO, HEA Training and related NVQ requirements.
Collected data will be held within secure electronic storage systems
Data Controller: HEA Office Manager – Sue East
Email sue.east@thehea.org.uk
Processing of Data
Personal data will be stored for the shortest time necessary
Under the GDPR you have the following rights to request information from the company:
- Right of access –to request access to your personal information and information about how we process it
- Right to rectification –to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
- Right to erasure (also known as the Right to be Forgotten) – to have your personal information erased.
- Right to restriction of processing – to restrict processing of your personal information
- Right to data portability – to electronically move, copy or transfer your personal information in a standard form
- Right to object – to object to processing of your personal information
- Rights with regards to automated individual decision making, including profiling –rights relating to automated decision making, including profiling
Privacy Notice Iss 3.0
Published: 21 September 2020
