Privacy Notice: Virtual Academy Limited

Virtual Academy Limited is committed to protecting your privacy and safeguarding your personal information. We’ll use your personal information in accordance with UK Data Protection Legislation, inclusive of The Data Protection Act 2018, PECR (the Privacy and Electronic Communications Regulations), and any subsequent amendments.

Virtual Academy Limited will collect and process personal information about you to enable us to administer products and services, provide you with other related services, and manage our relationship with you.

It is important to read and understand this Privacy Notice and any other Privacy Notice or fair processing notice we may provide on specific occasions carefully, as it is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information

Does this notice apply to you?
This Privacy Notice is for anyone who contacts us in connection with our products or services:

• current, past, and prospective customers who use our product;
• current, past, and prospective customers of users under the age of sixteen
• current, past, and prospective home users and learners
• current, past, and prospective visitors;
• users of our website;
• current, past, and prospective third parties that provide services to us.

Other relevant policies and pages:

• Cookies policy
• Terms and conditions
• Contact us
• Employee Privacy Policy (For attention of Virtual Academy staff)

We’/’Virtual Academy Limited’ means Virtual Academy Limited, Ascentis House, Lancaster Business Park, 3 Mannin Way, Lancaster, LA1 3SW. We are the data controller for the purposes all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended (“UK Data Protection Legislation”).

Virtual academy limited is a flexible and comprehensive learning management system which provides online courses in relation to agile, safe, comfortable, and efficient working. Virtual Academy provides a degree of flexibility to accommodate agile business change, Integration with other systems to allow for accurate and automated transfer of data, all in a format where customers should be able to use the platform, with little interaction from Virtual Academy staff, utilising a self-service experience.

VAL have voluntarily appointed ‘The DPO Centre Ltd’ as our external Data Protection Officer (DPO), they can be contacted at hello@dpocentre.com should you require their assistance following contact or communications with our Legal, Risk & Data Protection department.

The Ascentis House has appointed IT Governance Europe Limited as our EU representative; If you are a data subject within the EU, and you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR) or have any queries in relation to your rights or general privacy matters, please email our Representative at: eurep@itgovernance.eu

2a – For what purposes do we process your personal data?

We will only use your personal information for the purposes for which it is collected.
We will process your data under contractual obligation, for you to take and complete our online services and be issued with your certificate(s). We also may need to deal with and respond to any queries or complaints you have and maintain security on the online platform.

We may use your personal data in order to comply with a legal or regulatory obligation:

• We are required to co-operate with a police investigation after a court order ordered us to.
• Required by police, law enforcement agencies and regulatory bodies for the purpose of preventing and detecting fraud, crime and criminal activity.
• To deal with legal disputes involving you.
• To detect and prevent fraud, money laundering and other crimes.

2b – How long do we retain your personal information?

We will only store your personal information for as long as we need it for the purposes for which it was collected. Where we provide you with any service, we will retain any information you provide to us at least for as long as we continue to provide that service to you.

Customer and relevant data can be deleted once they have withdrawn service; this means your data will be immediately deleted from the system, and backups are kept for another 30 days.

Card payments can be handled via BACS or through the payment gateway called Stripe. Stripe will retain your data for as long as is necessary to process your payments. Any payments involving BACS (invoicing for large orders) will be handled by our finance team so that no bank or financial data is stored on the site. For audit purposes, all personal information related to payments will be retained for 6-7 years to maintain an audit trail.

Retention periods are further demonstrated in the table below.

2c – Do we share your personal data?

We use the information that you provide to us so that we can provide our products and services to you. To share this data, we will use the following platforms: the Virtual Academy webpage, Microsoft Office 365 and BT Cloud Services. We also share your information with various external legal services that aid our services. We will not share your data with anyone outside the UK unless the individuals using the service are in a different country. Data in this instance would then be between the user’s country and the UK.

As Virtual Academy is a subsidiary company to the Ascentis Group, we may share the information that you provide to us with Ascentis and the other company in the Ascentis Group, International Dyslexia Learning Solutions Limited (IDLS). As Tintisha is the system used to create Virtual Academy, employees of Tintisha will have access to the personal data you share with us. Your employer or admin can also keep track of your progress and see your personal data throughout the courses you are taking, and your use of Virtual Academy. Tintisha will only access your personal data to aid with the functionality of Virtual Academy, to respond to queries, technical problems, and provide advise where required.

In order to collect payment from you via credit card, we use an external service called Stripe which will collect your card details and full name to process this transaction. Stripe will collect a transaction ID, your card details, and your full name. On receipt of a payment through the Stripe payment gateway, the appropriate number of licenses will be put onto the Employer Access System so the employer can allocate them. For large orders, we use invoices that are handled by our finance team. There will be an integration between the payment gateway and the finance system so that data will be passed across to the finance system.

Virtual Academy will not sell, rent, or lease your personal data to any third party. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions and lawful bases.

All personal data we acquire is saved on our servers in the UK and no personal, sensitive, or special category data is shared with third parties.

We may share some information, where it is lawful to do so, with the following organisations who provide us with assistance in delivering our products, applications, or services or where we are legally obliged to share information (including providing IT services and assisting us with carrying out marketing activities): other companies within our group and our employees, consultants and agents and our professional advisers, such as lawyers and accountants.

• our business partners, clients, suppliers, and sub-contractors
• courts of law and government or regulatory authorities
• third parties to which we outsource certain services such as couriers, IT systems or software providers, IT support service providers, and document and information storage providers
• third-party service providers to assist us with client insight analytics.
• other organisations for the purposes of fraud/crime protection and investigation
• where it is required as part of any proposed sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or business assets
• anyone else with your permission

Third-party organisations that provide services to us (including providing IT services and assisting us with conducting marketing activities):

• • Hilton Baird – Debt Collectors
  • Lawyers (various)
  • Royal Bank of Scotland – payments to suppliers
  • Microsoft
  • Inventry – visitor and employee record of visit
  • FCS Protect – Backups and business continuity
  • Eventbrite
  • Stripe
  • 21 Digital
  • RBS Credit card services
  • Tintisha
  • Mailchimp
  • Veremark – Right to work checks

It is important that the personal data we hold is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

We collect, use, store and/or transfer different kinds of personal data about you depending on our relationship with you:

3ai – You may give us information when you:

• contact us via telephone, letter, or email
• use our website, online forms, applications, surveys, or reports
• book any training
• provide data concerning your marketing preferences
• enquire about, or apply for job vacancies
• enquire about, search, apply for, or purchase our products or services
• take part in discussion boards or other forms of social media
• give us feedback or contact us
• provide us with identification
• contact us
• network with us
• to provide you with details and updates about our products and services, and products and services from our partners and other relevant third parties.
• to provide you with important services communications, including communications in relation to any information on products and services you are contracted with us to provide
• We use your information for market research and identify trends. Market research agencies acting on our behalf may contact you by post, telephone, email, or other methods of communication to invite you to take part in the research.

3aii – Information we receive about you from other sources:

Information we receive is from vetted and approved third-party agencies, these include:

• Mailchimp
• Tintisha

Any other information we gather from publicly available sources in the public domain.

3b – The Virtual Academy website uses “cookies” to help you personalise your online experience:

A cookie is a piece of information that is held on the hard drive of your computer which records how you have used a website. Cookies allow website operators to accumulate useful information, such as whether the computer (and sometimes its user) has visited the site before. This is done on a repeat visit by checking to see, and finding, the cookie left there on the last visit. To see the cookies that will be placed on theVirtual Academy website, please see the Virtual Academy cookie policy here.

3c – If you fail to provide personal data:

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.

Do you use personal information about Children?

We will only process personal information regarding children in the instance where an employer enrols a child onto a workplace course. This information will relate to their full name and business email (although we recommend alias names are used).

In the event we learn that we collected personal information from anyone under the age of sixteen beyond the above scope, and do not have a guardian’s consent, we will delete that information as quickly as possible.

4a – Legitimate interests:

Wherever we process your personal data for these purposes, we ensure that your interests, rights, and freedoms are carefully considered.
We process your personal data using Legitimate Interests for our legitimate business purposes:

• • for the use of CCTV on the Ascentis House site.
  • to ensure our website and systems are secure
  • to improve and update our services for the benefit of our clients
  • Review and improve our existing products, systems and services and develop new ones
  • to train our staff to continuously ensure a great service
  • If you enquire about or apply for a job vacancy, we use your personal information as part of the recruitment process, to assess your suitability for a particular role.
  • Interact and respond to any communications you send us, including where you use the Contact Us section and any social media posts that you tag us in
  • Let you know about any significant changes to our business or policies

We also use Legitimate Interests for marketing purposes, if you wish to opt-out of this type of processing, please contact us using the information above.

• • To tell you about events and our other products or services that we think may be of interest to you.
  • To invite you to participate in market research. If we do contact you about market research, you do not have to participate. If you tell us that you do not want to receive market-research communications, we will respect this.
  • If you have already bought a product or service from us, or you have already obtained a quote from us, we may contact you with some information about products or services that are similar.
  • We may also notify you about important updates or changes to our products or services.

Whether you choose to receive marketing communications or market-research communications is entirely up to you. You can choose to receive both, none, or just one or the other. Your choice will not affect any products or services that you have received from us, nor will it affect any products or services you receive from us in the future. You can update your preferences by using the links in any of our emails to you, or by getting in touch using the Contact Us section of the website or emailing customersupport@virtualacademyltd.co.uk
For the above internal direct marketing purposes to colleges and adult education centres, we have performed a Legitimate Interests Assessment (LIA) to ensure we are compliant with UK Data Protection Laws. This assessment has also been completed for International Dyslexia Learning Solutions to share data with the Ascentis House.

4b – Contractual Obligation:

We use your personal data for the following purposes on the basis that it is necessary for us to provide our services to you. We use contractual obligation as a lawful basis when there are contracts between you and a learning centre which you are employed by or are attending as a learner, or from any contracts between you and us including in connection with providing products or services;

• To verify your identity
• to respond to your enquiry if you contact us and provide pre-contractual information about our services or make a decision to supply our products/services
• to notify you about changes to our services and to otherwise communicate with you; for example, we will use your contact details in order to respond to any queries that you submit to us
• to carry out billing and administration activities, such as processing payments
• to customise, manage and administer our services and relationship with you and the learning centre
• to comply with our legal obligations and with instructions from 3rd parties or regulators
• Administer online and paper examinations, reasonable adjustments, and special considerations
• Support learners
• Provide services and products to learners
• Provide you with information about your contract with us and about our products and services
• Deal with any complaints or appeals you may have
• Make arrangements for the termination of our contract
• Administer our website, including troubleshooting problems, analysing statistics, conducting research and tests, and keeping the site secure
  /li>
• Logistics management and planning, including accounting and auditing

Accordingly, if you are unable to provide such personal data this may make it difficult or prevent us from providing our services to you.

4c – Compliance with laws:

We use your personal data to comply with a legal or regulatory obligation (for example, if we are required to co-operate with a police investigation after a court order ordered us to). We may use your information where it is necessary to meet our legal obligations to deal with legal disputes involving you, ensure the information we have on you is accurate and up to date, or detect and prevent fraud, money laundering and other crimes.
Regarding visitors on the premises, we collect data to comply with legal obligations regarding building access and visitor safety for appropriate access and monitor the frequency of visitors and the resources to support them; also, legitimate interests to identify you in an emergency evacuation and detect and prevent criminal activity and protect our staff.

Virtual Academy needs to collect data about learners who are registered for the award of their qualifications. This data is then reported to our various regulators as part of their assurance that Virtual Academy is operating properly.

4d – Consent:

We do not rely on consent as a legal basis for processing your personal data. But sometimes we may have to get your consent to use your personal data such as when we collect and use sensitive information about you. You have the right to withdraw consent at any time using the contact information above.

If you tell us we can, we may also use your personal information to provide you with information about services, promotions and offers that may be of interest to you. We may use your personal information to identify additional products and or services that are likely to be of particular interest to you.

Virtual Academy have adopted the principle of Data Protection by Design and Default. This means that at the beginning and continuing through any new project or system, we keep the safety and security of everyone’s personal data at the forefront and implement whatever measures are necessary to comply with data protection laws.

We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards including obligations to protect any information and applying appropriate measures for the use and transfer of information.

Virtual Academy has a range of other technical and organisational measures in place to protect your personal data including being Cyber Essentials certified, two-factor authentication, access controls to restrict access on a need-to-know basis, uniquely identifying users to monitor and review access attempts, and physical security. Personal data is never disclosed or shared with unauthorised people. Virtual Academy has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse, or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. All your information is stored on secure servers within the UK.

We have procedures in place to deal with any suspected data security breach. This applies to a security breach leading to the accidental loss, damage, destruction or unlawful access or disclosure to your personal data. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. If we discover that there has been a breach of personal data, it will be reported to the data controller without undue delay. We will record all data breaches regardless of their effect. However, it would not be considered a breach if the personal data was received unknowingly or unintentionally and then erased in line with data minimisation policies. For example, if you sent us personal information that we did not require or request, we shall delete this as soon as possible and ask you to refrain from sending any unnecessary personal or special data again.

In certain circumstances, the GDPR allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this notice. We try to ensure that all information you provide to us is transferred securely via the website. We do not, however, have any control over what happens between your device and the boundary of our information infrastructure. You should be aware of the many information security risks that exist and take appropriate steps to safeguard your own information.

The right to be informed – We have a legal obligation to provide you with concise, transparent, intelligible, and easily accessible information about your personal information and our use of it. We have written this notice to do just that, but if you have any questions or require more specific information, you can get in touch using the information above.

The right to access your personal data – You have the right to ask us to confirm whether or not we hold any of your personal information. If we do, you have the right to have a copy of your information and to be informed of the following:

• Why we have been using your information
• What categories of information we were using
• Who we have shared the information with
• How long we envisage holding your information

To maintain the security of your information, we will have to verify your identity before we provide you with a copy of the information we hold. We may ask for your date of birth, address and/or photo identification. If someone is obtaining this information on your behalf, we will need sufficient proof that they are authorised to make this request on your behalf. For example, if a solicitor is acquiring this information for you, we will need proof of a power of attorney letter or written consent.

We will respond to your request without undue delay or within one month of receiving it. We have the right to extend disclosure for a further two months as per UK GDPR allowances – please refer to the ICO website for more details. The first copy of the information that you request from us will be provided free of charge. If you require further copies or make multiple requests, we may charge an administrative fee to cover our costs.

The right to correct any inaccurate or incomplete personal data – Where you have requested a copy of the information, we hold about you; you may notice that there are inaccuracies in the records, or that certain parts are incomplete. If this is the case, you can contact us so that we can correct our records.

The right to be forgotten – There may be times when it is no longer necessary for us to hold personal information about you. This could be if:

• The information is no longer needed for the original purpose that we collected it for
• You withdraw your consent for us to use the information (and we have no other lawful purpose to keep using it)
• You object to us using your information and we have no overriding reason to keep using it.
• We have used your information unlawfully, then we are subject to a legal requirement to delete your information

In those situations, you have the right to have your personal data deleted. If you believe one of these situations applies to you, please get in touch using the Contact Us section of the website. We can also refuse complete erasure if processing or holding your information is necessary to protect the right or freedom of expression and information or to exercise or defend legal claims.

The right to have a copy of your data transferred to you or a third party in a compatible format – Also known as Data Portability, you have the right to obtain a copy of your personal data for your own purposes. This right allows you to move, copy or transfer your personal data more easily from one IT system to another, in a safe and secure way. The right only applies if we are processing information based on your consent or for the performance of a contract (not legitimate interests or public task) and the processing is automated (does not include items like paper files).
If you would like us to transfer a copy of your data to you or another organisation in a structured, commonly used and machine-readable format, please contact us. There is no charge for you to exercise this right.

The right to object to direct marketing – You can tell us at any time that you would prefer Virtual Academy not to use your information for direct marketing purposes. If you prefer not to receive any direct marketing from us, please contact us or use the links provided in any of our marketing communications, and we will stop sending direct marketing immediately.

The right to object to us using your information for our own legitimate interests – Sometimes, we use your personal information to achieve goals that will help us as well as you. This includes:

• When we tell you about products or services that are similar to ones that you have already bought
• When we use your information to help us make our business better
• When we contact you to interact, communicate or let you know about changes we are making

We aim to always ensure that your rights and information are properly protected. If you believe that the way we are using your data is not justified due to its impact on you or your rights, you have the right to object. We must stop using your personal data for these purposes unless we can prove legitimate and compelling grounds of the processing that overrides your interests, rights, and freedoms, or for the establishment or defence of legal claims.

You have the right to restrict how we use your personal data – You have the right to ask us to stop using your personal data in any way other than simply keeping a copy of it. This right is available where:

• You have informed us that the information we hold about you is inaccurate, and we have not yet been able to verify this
• You have objected to us using your information for our own legitimate interests and we are in the process of considering your objection
• We have used your information in an unlawful way, but you do not want us to delete your data
• We no longer need to use the information, but you need it for a legal claim

If you restrict the processing of your personal data, Virtual Academy can store but not process that data, unless you consent to lift the restriction, the processing is necessary for legal claims, to protect the right of another person, or for the interests of the wider public.

You have rights related to automated decision making and profiling – Any automated decision-making or profiling we undertake is solely for the purpose of tailoring the information which we provide to you. We will not use automated decision-making or profiling to make any decisions that will have a legal effect upon you or otherwise significantly affect you, and you have the right not to be subject to such decisions.

No personal data is used in these baselines. If you have any concerns or questions about this right, please contact us.

You have the right of data portability – This is where a copy of your data is transferred to you or a third party (like another organisation) in an accessible and compatible format. This allows you to move, copy or transfer your personal data easily from one IT system to another, in a safe and secure way. The right applies in this circumstance as we are processing information for the performance of a contract and the processing is automated. Please contact us using the information above to exercise this right; there is no charge for this service.

Upon request, Virtual Academy will provide you with information about whether we hold any of your personal information. You may access, correct, or request deletion of your personal information by contacting us. We will respond to your request within a reasonable timeframe.

Where required by applicable law, and notably by the General Data Protection Regulation (GDPR) for residents of the UK and European Union, you have the right to obtain confirmation of the existence of certain Personal Data relating to you, to verify its content, origin, and accuracy, as well as the right to access, review, port, delete, or to block or withdraw consent to the processing of certain Personal Data (without affecting the lawfulness of processing based on consent before its withdrawal), by contacting us as detailed below.  You have the right to object to our use of Personal Data for any direct marketing and in certain other situations at any time.  Please note that certain Personal Data may be retained as required or permitted by applicable law.

We may charge the allowable fee under applicable law for provision of this information. We will respond to your request within a reasonable timeframe. Please note that additional information may be required to confirm and enable us to assist with your request. The timeframe to address the request may vary depending on the nature of the request, however, we will endeavour to address the request as promptly as possible, typically within thirty (30) days and as may be required by law
If you wish to submit a request, please do so using the relevant format of a DSAR (Data subject access request) and send it to our data inbox: data@virtualacademyltd.co.uk
Guidance for this can be found on the ICO Website

We reserve the right to make changes to this Privacy Notice from time to time. If you have any questions or queries about the changes that we make from time to time, please tell us via the contact details provided below in this Privacy Notice.

Virtual Academy will review and update this Privacy Notice to reflect company and customer feedback and changes to laws and regulations. Virtual Academy encourages you to periodically review this notice to be informed of how Virtual Academy is protecting your information.

Equally, it is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your relationship with us.

We hope that we can resolve any query or concern you raise about our use of your information. So please contact us first and we will try our best to deal with your concerns.

The supervisory authority in the UK is the Information Commissioner’s Office which may be contacted by clicking here or by calling 0303 123 1113. The ICO’s complaints page can be found here: https://ico.org.uk/make-a-complaint/

We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

If you have any questions about this Privacy Notice or data protection generally or want to exercise your rights, please contact us as follow:

Email: data@virtualacademyltd.co.uk

Telephone us on: 01524 845046 (You will be directed to our parent company Ascentis, once there, please ask for Virtual Academy services)

Or, if you prefer, write us a letter and post to the following address: Virtual Academy Limited, Ascentis House, Lancaster Business Park, 3 Mannin Way, Lancaster, LA1 3SW