1. Introduction

The purpose of this policy is to set out the principles that must be observed by anyone who works for Specialised Training Services Limited and has access to the person or firm identifiable information.

Specialised Training Services Limited takes personal and private data supplied by you very seriously and your personal data i.e. name, address, postcode, phone numbers, the email address will not be sold to another party i.e. website, advertiser or other 3rd party without your permission.

Sometimes your data will be used, so that our suppliers/training centres can complete the work on your behalf, but please be assured this is done in within the privacy laws and regulations that apply and will require the suppliers and training centres to protect the information they receive and use it only for the purposes provided.

Sometimes your data may be used by Specialised Training Services Limited for future marketing purposes; this will only be done with your permission. Specialised Training Services Limited will endeavour to record each customer’s permission to exercise this proposition. Alternatively, you have the right to request that no marketing correspondence is used by Specialised Training Services Limited or another 3rd party supplier by using our opt out service via email or by calling us.

2. Responsibility for confidentiality, data protection and security

Joe Gleeson shall be responsible for:

3. Duty of confidentiality

All employees working within Specialised Training services Limited owe a duty of confidentiality to protect all personal and firm information they come into contact with during the course of their work.


4. Data Protection

4.1  Introduction

The Data Protection Act 1998 regulates data use. Unlike with the duty of confidentiality referred to above, the Data Protection Act is only concerned with how firms use personal data of individuals.  This includes customers, non-customers and employees. It governs not only information held on the computer but also information held in manual form (e.g. on file).

4.2  The Data Protection Information Commissioner

The Data Protection Information Commissioner enforces and oversees the Data Protection Act 1998.  The Commissioner has a range of duties including the promotion of good information handling and the encouragement of Codes of Practice for the data controllers, that is, anyone who decides how and why personal data are processed.

The Commissioner is a UK independent supervisory authority reporting directly to the UK Parliament.

The information provided within this procedural manual is drawn from the requirements laid down by the Office of the Information Commissioner.

Further information is available from visiting the Information Commissioner’s website at https://ico.org.uk

4.3  Why Data is Important

It is therefore essential that those that collect and use personal data to maintain the confidence of those who are asked to provide it by complying with the requirements of the Data Protection Act.

All Data Controllers must comply with the eight principles that are at the heart of the Act, including the requirement to obtain and process data fairly.

4.4  Individual Rights

Under the Act any individual concerned has a right to see almost all personal information held about them, whether it is stored on a computer or in manual form.  Information held by Joe Gleeson must not be amended/deleted following a request to use it.  In the event of receiving a so-called ‘subject access request’ please refer to ‘Subject Access Procedures’.

4.5  Accuracy

The Act places an obligation to ensure the accuracy of an individual’s personal data.  Such information should not be misleading as to any matter of fact.

4.5.1  Personal obligations of all staff

4.6  The Data Protection Principles

The 1998 Act sets out 8 principles, which define the obligations of the firm as a registered data user of personal data.  These principles are as follows: –

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  1. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
  2. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
  3. Personal data shall be accurate and, where necessary, kept up to date
  4. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
  5. Personal data shall be processed in accordance with the rights of data subjects under this Act
  6. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  7. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Personal data covers both facts and opinions about the individual.  It also includes information regarding the intentions of the Data Controller towards the individual.

4.7   Requirements of the Principles

4.7.1 First Principle

‘Personal data shall be processed fairly and lawfully’

The firm must ensure that the processing is fair and lawful. Where the data is obtained from the data subject the firm must ensure that the data subject is provided with, or have made readily available to them at the time of obtaining the data: the identity of the firm the purpose of processing other necessary information as circumstances require to ensure that the processing is fair

The firm’s application forms should take into account the following requirements:

Firms will only need to hold or process customer’s personal data for business needs, for example, the need to carry out a credit search in respect of an application for a loan.  The customer would have been requested to sign our standard declaration in order for their consent to be provided.

4.7.2  Second Principle

‘Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes’

4.7.3  Third Principle

‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed’

Personal data held for specific purposes must be more than sufficient for the purpose or purposes.

It would therefore not be sufficient to hold information on the basis that one day it may be useful, without a firm idea of how it will be used.

4.7.4  Fourth Principle

‘Personal data shall be accurate and, where necessary, kept up to date’

All reasonable steps must be taken to ensure the accuracy of data at all times.

Firms must have controls in place to ensure that in the event of inaccurate personal data being identified procedures will exist to allow for information to be rectified, blocked or destroyed.

4.7.5 Fifth Principle

‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that or those purposes’

4.7.6 Sixth Principle

‘Personal data shall be processed in accordance with the rights of data subjects under this Act’

In addition, Principle 6 covers how individuals have a right to be made aware of how their personal information is used and by whom it is used.

Under Data Protection Legislation, the firm must be able to prevent processing of data where the individual objects in writing. For example, a customer may request not to receive any direct marketing material from the company or wish to have personal details passed through to a third party.

The firm must have systems in place to suppress this type of information being sent out to their customers.

4.7.7 Seventh Principle

‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against loss or destruction of, or damage to, personal data’

4.7.8 Eighth Principle

‘Personal data shall not be transferred to a country of territory outside the European Economic Area without adequate protection.

When assessing ‘adequacy of protection’, all circumstances surrounding the data transfer should be considered (e.g. the nature of the data, the purposes and timescales of the processing etc.).

5. Other Data & Internet Information

Each time someone visits our website, an IP address assigned to you by your ISP is captured for data analysis and security purposes.

The data Specialised Training Services Limited captures is then used to analyse, number of visitors, repeat visitors, time spent on web site, last page visited before exit etc…This web based data assists us to analyse and improve our overall internet proposition and services.

6. Links to Other Websites

Specialised Training Services Limited may have other links to other websites, but we are not responsible for the privacy policy of those said web sites for their content, accuracy and conduct.

7. Privacy Policy Statement

Specialised Training Services Limited reserves the right to change or update this Policy at any time without notice. This Policy is not intended to and does not create any contractual or other legal rights in or on behalf of any party.

Privacy notices

The Data Protection Act does not define fair processing. But it does say that, unless a relevant exemption applies, personal data will be processed fairly only if certain information is given to the individual or individuals concerned.

It is clear that the law gives organisations some discretion in how they provide fair processing information – ranging from actively communicating it to making it readily available.

The oral or written statement that individuals are given when information about them is collected is often called a “fair processing notice”, although ICO recent guidance uses “privacy notice” instead. However, it is probably helpful to avoid technical language altogether.

In general terms, a privacy notice should state:

The last of these requirements are vague. However, because the Data Protection Act covers all sorts of processing, it is hard to be prescriptive. When deciding whether you should give any other information in the interests of fairness, you have to take into account the nature of the personal data and what the individuals concerned are likely to expect. For example, if you intend to disclose information to another organisation, fairness requires that you tell the individuals concerned unless they are likely to expect such disclosures. It is also good practice to tell people how they can access the information you hold about them, as this may help them spot inaccuracies or omissions in their records.

When deciding how to draft and communicate a privacy notice, try to put yourself in the position of the people you are collecting information about. Ask yourself:

The ICO has issued a Privacy notices code of practice to help organisations draft clear privacy notices and to ensure they collect information about people fairly and transparently.

The code explains that the duty to give a privacy notice is strongest when the information is likely to be used in an unexpected, objectionable or controversial way, or when the information is confidential or particularly sensitive. It also says there is no point telling people the obvious when it is already clear what their information will be used for.


When an individual enters into a mobile phone contract, they know the mobile phone company will keep their name and address details for billing purposes. This does not need to be spelt out. However, if the company wants to use the information for another purpose, perhaps to enable a sister company to make holiday offers, then this would not be obvious to the individual customer and should be explained to them.


4.8 Processing Personal Data

Processing of personal data can be broadly defined when any operation is carried out on personal data.  The Act requires that personal data be processed ‘fairly and lawfully’.  Personal data will not be considered to be processed fairly unless certain conditions have been met.

Processing may only be carried out where one of the following conditions has been met:

4.9 Collecting Personal Data

When collecting personal data, it is essential that people know:

This information can often be provided on an application form or similar document.

Data Protection wording is included within the firm’s application package, which when signed by the customer provides necessary comments for processing the customer’s data.

When handling, collecting, processing or storing personal data staff must ensure that:

The Data Protection Act is considered when setting up new systems or when considering use of the data for a new purpose.  Any changes could affect the company’s existing registration with the Data Protection Registrar and an amendment to the registration sought.

It is equally important not to:

4.10 Rights of Individuals ‘Subject Access’ and ‘Subject Rights’

The Data Protection Act enables individuals who are the subject of personal data a general right of access to the personal data, which relates to them.

Personal data may take the form of computerised or, in some cases, paper records.  These rights are known as ‘subject access rights’.

4.10.1  Individuals, who the data relates to, have various rights:

When a subject access request is received, it is important to:

What is a Subject Access Request?

Often a customer will not have heard of the term ‘Subject Access Request’.  Staff should be able to distinguish between a casual enquiry and a ‘Subject Access Request’.

A Subject Access Request is not, for example, where:-

A Subject Access Request is where:

Subject Access Requests

It is important that subject access requests are recognised and dealt with quickly.

A subject access request may be as simple as a letter from one the firm’s customers asking what information we hold about them.

If a request is received the enquirer must be sent:

Before any request is auctioned the Data Controller should verify the identity of the person making the request.

Subject access requests must be dealt with within 40 days from the date of receipt.  If further details are needed from the person making the request to assist with finding the data the 40 days will begin when the extra information is received.

A maximum fee of £10 can be imposed and the 40 days will not commence until the fee has been received.

All information sent in response to a subject access request should be easy to understand and therefore the sending of computer printouts may not be acceptable without a covering explanation on codes used.

4.10.2   Identifying the Customer

Subject Access Requests

Firms are not obliged to comply with a subject access request until sufficient information to clearly identify the individual requesting the file has been given.  Before releasing data staff should satisfy themselves as to the identity of the customer.  This is important to firms, as releasing information to the wrong person is likely to amount to a breach of security.

Any of the documents listed below may be used to identify the customer(s):

All documents must be original, not photocopies, and dated within the last three months.  It must show the customer’s full name or first initial, surname and current address.

It is important that all documentation is returned to the customer once identity has been verified.

In the rare circumstances where the customer is unable to provide any of the above items, they must provide a letter confirming their identity.  This must be an original, typed or headed paper, dated within the last three months and authenticated with an official stamp if applicable.  This should be from an employer, solicitor or other professional body or person.

Telephone requests for information

It is important not to release any personal information to customers before you have established their identity.  Requests should be treated with great care, particularly as the issues of proof of identity are difficult to manage.

The steps that need to be taken to verify the identity of the customer will depend upon the type of information, and possibly the customer.

Although wherever possible access to a data subject’s personal information should be provided ‘without excessive constraints or delay’.  This needs to be balanced against the responsibilities of the data controller to safeguard personal information and to avoid giving personal data to another individual.


Therefore, depending on the circumstances, staff should be asking customers to confirm selective information to verify identity from the following:

If the customer requests a Subject Access report then the customer needs to be reminded that the request needs to be put in writing, and will be dealt with in accordance with the procedures as detailed in section 4.

4.11 Credit Reference Agencies

There are two major credit reference agencies in the UK at present.  They are Experian and Equifax.  Their main purpose is to supply factual information to providers of financial services in order to establish peoples credit histories.

Customers have a legal right to have access to the data held by credit reference agencies.  Customers also have a right to request that the agency remove/amend incorrect data.  Customers can write to the agency to obtain a copy of their credit file.  Generally a small fee is payable.


Equifax Europe UK Limited                                                Experian Plc.

PO Box 3001                                                                         PO Box 8000

Glasgow                                                                                 Nottingham

GS1 2DT                                                                                 NG1 5GX

4.12   Consent to Obtain Credit Search

Credit searches on an individual must not be conducted without the consent of that individual.  The firm’s policy is to obtain this consent in writing, normally as part of the application process, however, verbal consent of the customer will be considered in certain circumstances.  Staff should contact Compliance Department if they are unsure if adequate consents have been obtained.

4.13   Processing for Direct Marketing Purposes

To comply with the requirements of the Data Protection Act all customers both new and existing have to be given the right to opt out from receiving advertising and marketing material from the firm.

Likewise, customers have to be informed if the firm intends to pass information to a third party for marketing purposes.

Customer’s personal data is collected on application forms and the election for customers not be receive marketing material is covered through the inclusion of an ‘opt-out’ box.

4.14   Preference Services

There are a number of marketing preference services available to customers:

The MPS is funded by the direct mail industry to enable customers to have their names and home addresses in the UK removed from or added to lists used by the direct mail industry.

Firms must ensure that customers that have registered with the MPS do not receive any marketing material.

4.15  Third Parties and Data Processors

4.15.1   General Guidelines

In the event of a query reference should be made to senior management

4.16 Data Protection Act Definitions

4.16.1  Data

Automated and manual data that is recorded as part of a relevant filing system

4.16.2   Data Controller

The data controller is Compliance Officer/Nominated Officer

4.16.3        Data Protection Commissioner

This is the name for the Data Protection Registrar

4.16.4        Data Subject

The individual who is the subject of the personal data

4.16.5        Manual Data

Manual records are those which are structured by reference to individuals or criteria relating to individuals, and which allow easy access to the personal data they contain

4.16.6        Notification

Notification by the firm of certain basic information about the data held; the purposes for which it is held; the persons to whom it may be disclosed; a general description of the technical and organisational steps a Data Controller takes to protect data held from unauthorised access, disclosure or loss; and the identity of the Data Controller i.e. Compliance is responsible for ensuring that notification / registration is completed as necessary.

4.16.7        Personal Data

This is data relating to an individual who can be identified from that data and/or other information which is the possession of or likely to come into possession of the firm

4.16.8        Processing of Personal Data

Obtaining or recording the information to be contained in the data or carrying out an operation, including disclosure by transmission / documentation, organisation, adaptation, alteration of the information or data, retrieval, blocking, erasure or destruction of the data.

4.16.9        Relevant filing systems / manual data

Any set of information relating to individuals which is structured either by reference to individuals i.e. by name/employee code etc., or by reference to criteria i.e. age job type, credit history etc. relating to individuals so that specific information relating to an individual is readily accessible.

4.16.10     Sensitive Data

Means data pertaining to: racial or ethnic origin; religions or similar beliefs; trade union membership; physical or mental health or sexual life; political options; criminal offices.  This data may only be held in strictly defined situations or where explicit consent has been obtained.

4.16.11     Subject Access

The right of individuals to have access to the data about them and any other related information

4.16.12     Third Party

Any person other than the firm or its staff, data subject, or data processor

5. Data security

5.1  Data security obligations

Firms have a responsibility under FCA Regulations to put in place systems and controls that keep the data of customers secure whilst also minimising the risks of data loss. The nature of the steps that firms will be expected to take will depend on the size, complexity and nature of the services that the firm provides. We recommend that firms seek expert advice about both assessing their data security risks and formulating appropriate policies, as these will be unique to individual firms.

Example of policies that firms could be expected to implement in order to comply with the above include but are not limited to requirements that:

5.2  Dealing with data security incidents

Where data loss has been encountered Joe Gleeson shall write to customers within 24 hours after the incident to advise them that data has been lost, and the manner in which it was lost.  Specialised Training services Limited shall also ensure that following data loss it conducts a review of the systems that led to the loss.


of HGV / LGV / PCV Training

The HGV Training Centre trains over 200 people per month. We are the UK’s largest specialist vehicle training company, training for some of the UK’s biggest organisations.

  • Over 60 HGV / LGV / PCV Training Centres across the UK
  • We train for some of the biggest organisations in the UK, including HSS Hire, Hackney Council, Enterprise PLC, DHL, the DWP and Job Centre Plus
  • Get your HGV / LGV / PCV licence in under a week
  • One of the highest pass rates in the UK
  • Access to 1000’s of jobs via our unique Jobs Portal
  • Super-competitive prices across the board - save £££’s with daily discounts.



Just fill in your details below and we’ll send you a free theory test practice with.
Just let us know your score...

We reserve the right to contact you in the
future via this email

By Signing up, you agree to our Terms & Privacy Policy


By Signing up, you agree to our Terms & Privacy Policy


By Signing up, you agree to our Terms & Privacy Policy


By Signing up, you agree to our Terms & Privacy Policy


By Signing up, you agree to our Terms & Privacy Policy