mixpanel.init('03027c3fc4335bd0e80d22f5107113a8', { autocapture: true });
top of page

BroadShield Diplomas Data Protection and Privacy Policy

This policy sets out how BroadShield Ltd collects, manages, and protects personal data processed in connection with the delivery of regulated Diplomas through the Myrus learning platform.  It applies to all aspects of Diploma delivery, including enrolment, learning activity, assessment, certification, and learner support.

​

Policy Overview

BroadShield is committed to ensuring that all personal data relating to learners, employers, and staff is processed lawfully, fairly, and transparently, and that the rights of individuals are respected at all times.  This policy should be read alongside our main Data Protection Policy and Procedures, Information Security Policy, and Privacy Notice for BroadShield Customers using Myrus, which together form the foundation of BroadShield’s data governance framework.

​​

Legal Framework

BroadShield complies with the requirements of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Ofqual General Conditions of Recognition.  Data relating to Diploma learners is also managed in accordance with the awarding-body standards and retention requirements.  All processing of personal data within the Diploma delivery context is subject to these legal and regulatory obligations.

​

Responsibilities

BroadShield acts as the data controller for all personal data processed for Diploma delivery.  The Data Protection Representative oversees compliance with data-protection legislation, manages data-subject access requests, and maintains records of processing activities.

 

The Senior Management Team (SMT) is responsible for ensuring that the principles of data protection are embedded within operational practices and that all staff, assessors, and contractors are appropriately trained and supported to uphold these standards.

 

All employees and contracted personnel who handle personal data as part of their duties must do so responsibly, using data only for legitimate and clearly defined purposes connected with qualification delivery and assessment.

​​

Lawful Basis for Processing

BroadShield processes personal data only where a lawful basis applies, as defined under Article 6 of the UK GDPR.  The lawful bases most relevant to Diploma delivery are:


Contractual necessity – to enrol learners, deliver training and assessment, and issue certificates.


Legal obligation – to meet Ofqual, awarding body, and other regulatory requirements.


Legitimate interests – to manage learner progression, quality assurance, and compliance monitoring.


Consent – for optional communications or promotional use of feedback or images.


Vital interests – where processing is required to protect an individual’s safety or wellbeing, such as in safeguarding situations.


Any new processing activity must be reviewed to confirm that at least one lawful basis applies before it begins.

​

Principles of Data Protection

BroadShield upholds the six data-protection principles defined in Article 5 of the UK GDPR.  


Lawfulness, fairness and transparency – Personal data must be processed lawfully and in a way that individuals can clearly understand. Learners and employers are informed how their information is used through enrolment materials and published privacy notices.


Purpose limitation – Data is collected only for specified, explicit, and legitimate purposes connected with qualification delivery, assessment, and certification.


Data minimisation – Only information that is necessary for those purposes is collected and stored.

 

Accuracy – Records are kept accurate and up to date. Individuals are encouraged to inform BroadShield of any changes to their personal details.


Storage limitation – Data is retained only for as long as needed to meet awarding-body, regulatory, or contractual obligations and is then securely deleted or anonymised.


Integrity and confidentiality – Appropriate technical and organisational measures are in place to safeguard data against unauthorised access, alteration, loss, or destruction.

​

These principles underpin all decisions made regarding data collection, use, storage, and sharing. Any processing activity that cannot meet these principles is not permitted.

​

Data Collected

In the delivery of Diploma programmes, BroadShield may collect and store information such as names, contact details, dates of birth, employment information, qualification enrolment records, progress reviews, assessment results, and certification data.  Limited special category data, such as information about health or accessibility needs, may be collected to support reasonable adjustments or safeguarding obligations.


Technical data generated by the Myrus platform, such as login history, IP addresses, and device information, may also be recorded for the purposes of security monitoring, system maintenance, and audit verification.

​

Data Security and Access Control

All personal data held by BroadShield is protected through a combination of organisational, technical, and procedural safeguards.  


Key security measures include:

​

 

  1. Role-based access permissions within Myrus and internal systems.

  2. Encryption of data during storage and transmission.

  3. Multi-factor authentication for system access.

  4. Continuous monitoring for vulnerabilities and threats.

  5. Mandatory staff training on data protection and information security.

  6. Secure disposal of any paper or electronic records no longer required.


Employees and contractors are required to complete data-protection and information-security training upon induction and at least annually thereafter.  Printed or physical records are minimised wherever possible; when created, they are stored securely and destroyed through confidential-waste procedures once no longer required.

 

Data Retention and Disposal

BroadShield retains learner and assessment data only for as long as necessary to meet regulatory and awarding-body requirements.  Learner and assessment records are held for three years following the completion of the qualification, in accordance with awarding body and Ofqual guidance.

 

Data Sharing and Third Parties

BroadShield shares personal data only where necessary to fulfil qualification and regulatory requirements.  Data may be shared with the awarding body for learner registration and certification, with employers for progress and completion reporting, and with regulatory authorities where legally required.


Any organisation or individual acting as a data processor on BroadShield’s behalf is subject to a written Data Processing Agreement, ensuring compliance with UK GDPR.  BroadShield does not sell or trade personal data, and no learner information is transferred outside the UK unless suitable safeguards are in place.

 

Individual Rights

All learners, employers, and staff have rights under UK GDPR in relation to their personal data. These include the right to be informed about how data is used, to request access to data held about them, to correct inaccuracies, to request deletion or restriction of processing, to object to certain processing, and to request portability of their data.


Requests to exercise these rights should be submitted in writing to our support team via support@broadshield.co.uk.  All requests will be acknowledged within five working days and responded to within thirty calendar days, unless a lawful exemption applies.

​

Data Breach Management

Any suspected or confirmed breach must be reported immediately to the Data Protection Representative, who will:

 

  1. Investigate and assess the scope and impact of the breach.

  2. Contain the incident and take steps to mitigate further risk.

  3. Record the incident in the data-breach register.

  4. Notify the Information Commissioner’s Office within 72 hours if required.

  5. Inform affected individuals where there is a high risk to their rights or freedoms.

 

Failure to report a suspected breach or follow the required procedure may result in disciplinary action.

​

Monitoring, Review, and Continuous Improvement

This policy is reviewed at least annually or sooner where there are changes in legislation, regulatory requirements, or organisational structure. Outcomes of internal or external audits, complaints, or incidents will inform revisions to ensure continual improvement in BroadShield’s data-protection and privacy practices.

 

Approved by: AC

Issue Date: October 2025  |  Version: 1.0 

© BroadShield Ltd 2025

bottom of page