Privacy Policy


We believe that you should know what data we collect from you, how we use it and how we keep it safe.

This Privacy Notice describes how HBVC does this.

HBVC is the data controller for the purposes of data protection laws.

Our Privacy Notice is updated from time-to-time and, if it changes, we will put an alert on our website to tell you.

It applies to information we collect about:

What this notice applies to.

  • Visitors to our websites
  • People who use or may use our services. This includes for example:
    • individuals who study a course with us
    • employers who take a student on work experience or placement
    • employers who employ a student
  • Individuals who request information from us.

If you are asked to provide information to us, it will only be used in the ways described in this Privacy Notice.

Data Collection – the information we ask for.

We only ask for as much information as we need to fulfil your enquiry or application and meet our legal obligations. This might include, but is not limited to, the following:

  • name, date of birth, profession, employer
  • contact information including phone, email and postal addresses
  • educational information including qualifications, predicted grades, learning support needs
  • diversity data (e.g. sex, age, ethnicity, disability)
  • financial information i.e. bank details
  • information about personal preferences and interests
  • company information e.g. financial, staff, training needs analysis
  • individual achievements, attendance, results and performance on programme of study
  • website usage data.

Data Use – how we use your personal information and our lawful basis to do so.

Collecting this information helps us provide you with a service which meets your needs.

Specifically, we may use data:

PurposeLawful Basis
To meet our legal and  statutory duties and responsibilities Statutory obligation
To provide you with an education / deliver our  courses Statutory obligation /  performance of a contract
To process applications,  enrolments and workforce  development programmes  and contracts Contractual obligation
For our own internal  records so that we can  provide you with a high  quality service Legitimate interests so  that we can ensure that  we continually improve  our service provision
To contact you in response  to a specific enquiry Explicit consent
Legitimate interests – so we can send additional and relevant information relating to your initial enquiry.
To contact you about  services, products, offers  and other things provided  by us which we think may  be relevant to you Explicit consent
To contact you via email, telephone or mail for  research purposes Explicit consent
Disclosing your information to other parties, if required by law. Legal, public interest

At no time will we assume your permission to use information that you provide for anything other than the reasons stated here.

Retention – how long we keep your information.

We keep different types of data for different lengths of time depending on need and our obligations. These are explained in our Data Protection Policy (a copy of which is available on request).

Data Security – how we keep your information safe.

We will hold your information securely.

To prevent unauthorised disclosure or access to your information, we have implemented strong organisational and technical security safeguards.

If information is shared with another organisation (reasons for this are given in the section below) we will ensure an Information Sharing Agreement is in place.

We also follow stringent procedures to ensure we work with all personal data in line with the General Data Protection Regulation.

Any personal information we hold about you is processed in accordance with the General Data Protection Regulation.

We will not store your information outside the European Economic Area.

Information Sharing and Disclosure – who we share your information with.

We do not sell or rent your personal information.

We may be required to disclose it to appropriate staff members of HBVC to provide you with the services you have requested, and to government bodies to fulfil our statutory responsibilities such as the Education and Skills Funding Agency, Ofsted, the Department for Education, the Local Authority and auditors.  

Information may be shared with third parties if it is in connection with the service we are providing to you, for example we might share information with market research companies contracted to undertake work on our behalf to assess your satisfaction with our service. When we do this we always ensure that we have your consent to do so and that an Information Sharing Agreement is in place.

We may also share your personal information with any data processors we use to carry out certain functions, for example a mailing house, email service providers, SMS messaging service, your employer (e.g. CVs, interview records, achievement outcomes).

We will only share your personal information with other people e.g. parents or carers, or with agencies such as the Department for Work and Pensions with your permission.

If, as part of the entry requirements for your course or if you are applying for a job with HBVC, we need to take up a reference or obtain ‘disclosure’ from the Disclosure and Barring Service, we will inform you beforehand.

Third party software and applications – what we use.

We may use third party software tools and platforms for processing data. We will only ever use recognised suppliers who can demonstrate their compliance with GDPR. These include for example:

Groupcall – a messaging service which enables us to send reminders about events, classes, college emergency closures etc.

Visitors to our website

When someone visits we collect standard internet log information and visitor details of behaviour patterns. We do this to find out things such as the number of visitors to the different parts of the site. We collect the information in a way which does not identify anyone. If we do want to collect personally identifiable information through our website we will be upfront about this, will ask for explicit consent and will make the purpose clear.

Use of cookies

A cookie is a small file placed on your computer’s hard drive. It enables our website to identify your computer as you view different pages on our website.

Cookies allow websites and applications to store your preferences in order to present content, options or functions that are specific to you. They also enable us to see information, such as how many people use the website and what pages they tend to visit.

Cookies do not provide us with access to your computer or any information about you, other than that which you choose to share with us.

You can use your web browser’s cookie settings to determine how our website uses cookies. If you do not want our website to store cookies on your computer or device you should set your web browser to refuse cookies. However, please note that doing this may affect how our website functions. Some pages and services may become unavailable to you.

Unless you have changed your browser to refuse cookies, our website will issue cookies when you visit it.

Controlling information about you

When you fill in a form or provide your details on our website, you may see one or more tick boxes allowing you to:

  • Opt in to receive marketing communications from us by email, telephone, text message or post
  • Opt in to receive marketing from our sponsors, third party partners by email telephone, text message or post.

If you have agreed that we can use your information for marketing purposes, you can change your mind easily, via one of these methods:

  • Call us on 0121 359 1714
  • Send an email to:
  • Write to us: Shelley Ball, 19a Cato Street, Birmingham, B7 4TS

We will include unsubscribe options on all of our marketing communications.

We will not lease, distribute or sell your personal information to third parties unless we have your permission or the law requires us to.

Links from our site

Our website may contain links to other websites. Please note that we have no control of websites outside of If you provide information to a website to which we link, we are not responsible for its protection and privacy. You are advised to read the privacy policy or statement of other websites prior to using them.

Your rights

  1. You have the right to ask for a copy of any of your personal information held by HBVC. You can make a ‘subject access request’ under the General Data Protection Regulation.
  2. You have the right to ask for your information to be corrected or updated.
  3. You have the right to ask (in certain circumstances) for your information to be deleted.
  4. You have the right to data portability.
  5. You have the right to object to or restrict the processing of your information.
  6. You have the right to withdraw your consent at any time.
  7. You have the right to complain to the Information Commissioner’s Office (ICO).

Complaints or Queries

 If you have any questions about our collection and use of personal data please contact us. We are happy to provide additional information if it is required.


We issue this privacy notice in the interests of transparency over how we use (“process”) the personaldata that we collect from employees/job applicants (“you”).

Personal data for these purposes means any information relating to an identified or identifiable person.

Sensitive personal data”meanspersonal data consisting of information as to:

  1. the racial or ethnic origin of the individual
  2. their political opinions
  3. their religious or philosophical beliefs
  4. their membership of a trade union
  5. their physical or mental health or condition
  6. their sexual life
  7. the commission or alleged commission by them of any offence
  8. any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings
  9. genetic data; and
  10. biometric data where processed to uniquely identify a person (for example a photo in an electronic passport)

Data Controller

Fordata protection purposes the“data controller” means the person or organisation who determines the purposes for which and the manner in which any personal data are processed.

The data controller is Heart of Birmingham Vocational College Limited, whose registered office is 19a Cato Street, Birmingham, B7 4TS.

Purpose of processing the data  

It is necessary for us to process personal data of both employees and job applicants for the following reasons:

  1. We will need the information in order to identify the individual for the purposes of recruitment;
  2. We will need to maintain that information for the general purposes of the ongoing employment relationship including performing the employment contract and maintaining the health and safety of individuals on our premises. 

Our legal basis for processing personal data of applicants and staff is that: 

  1. Processing the personal data is necessary for the purpose of carrying out the employment contract or to take steps to enter into an employment contract
  2. Processing is necessary to comply with a legal obligation (for example we are obliged under employment law to include in a written statement of employment terms the identity of the parties to the employment contract)
  3. Processing the data is necessary to protect the vital interests of an individual (for example we are legally responsible for the health and safety of staff and job applicants when they are on our premises) and so it is necessary to process data relating to those individuals for that reason); and/or
  4. Processing the data is necessary for the purposes of our “legitimate interests” as the data controller (except where such interests are overridden by the interests, rights or freedoms of the individual).

Our “legitimate interests” for these purposes are:

  1. The need to process data on applicants and staff for the purposes of assessing suitability for employment and then carrying out the employment contract
  2. The need to gather data for the purposes of safeguarding the health and safety of job applicants and employees
  3. The need to transfer employee data intra-group for administrative purposes; and
  4. The need to process employee data for the purposes of ensuring network and information security.

We may from time to time need to process sensitive personal data, for example medical records or other information relating to the health and wellbeing of an individual.  

In that case we will either obtain the explicit consent of the individual to the processing of such data or we may consider the processing of that data as being necessary for carrying out our obligations as an employer. That will be assessed on a case by case basis.

There is no strict statutory or contractual requirement for you to provide data to us. However, if you do not provide at least that data that is necessary for us to assess suitability for employment and then to conduct the employment relationship, then it will not practically be possible for us to employ you. 

Who your personal data might be shared with

Your personal data may be shared with the following categories of people:

  1. Our HR department 
  2. Your line manager on occasions and in specific circumstances
  3. Our Finance/Payroll department
  4. In the case of job applicants, the interviewer and prospective manager
  5. Any individual authorised by us to maintain personnel files
  6. Our payroll provider Payplus Ltd
  7. Our pension provider(s) – Teachers Pension and Local Government Pension Scheme
  8. Our car insurance provider – Zurich
  9. DVLA (where applicable)
  10. External companies/employers in response to reference requests
  11. Any clients where there is a need to provide employee qualifications/certificates
  12. Our professional advisers Stephanie Mackey (Independent Personnel Ltd/Kirstie Phillips, Sands/IT Consultant) (where applicable)
  13. Appropriate external regulators and authorities (such as HMRC and HSE) 

We do not envisage that your data would be transferred to a third country. If we perceive the need to do that we would discuss that with you and explain the legal basis for the transfer of the data at that stage. 

Retention/storage of personal data 

We will keep personal data for no longer than is strictly necessary, having regard to the original purpose for which the data was processed. In some cases, we will be legally obliged to keep your data for a set period. 

Examples are below:

Income tax and NI returns, income tax records and correspondence with HMRC: We are obliged to keep these records for not less than 3 years after the end of the financial year to which they relate.

Wage and salary records: We are obliged to keep these records for 6 years. 

Please refer to the Document Retention Details at Appendix 1.

Your rights in relation to your personal data

  1. The right to be forgotten
    You have the right to request that your personal data is deleted if: 
    1. It is no longer necessary for us to store that data having regard to the purposes for which it was originally collected; or 
    2. In circumstances where we rely solely on your consent to process the data (and have no other legal basis for processing the data), you withdraw your consent to the data being processed; or 
    3. You object to the processing of the data for good reasons which are not overridden by another compelling reason for us to retain the data; or
    4. The data was unlawfully processed; or
    5. The data needs to be deleted to comply with a legal obligation.
  2. However, we can refuse to comply with a request to delete your personal data where we process that data:
    1. To exercise the right of freedom of expression and information
    2. To comply with a legal obligation or the performance of a public interest task or exercise of official authority
    3. For public health purposes in the public interest
    4. For archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
    5. The exercise or defence of legal claims.
  3. The right to data portability
    You have the right to receive the personal data which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided (us) where:
    1. The processing is based on consent or on a contract; and
    2. The processing is carried out by automated means.
      Note that this right only applies if the processing is carried out by “automated means” which means it will not apply to most paper-based data. 
  4. The right to withdraw consent
    Note that this right only applies if the processing is carried out by “automated means” which means it will not apply to most paper-based data. 
    1. Where we process your personal data in reliance on your consent to that processing, you have the right to withdraw that consent at any time. You may do this in writing to your line manager.  
  5. The right to object to processing
    Where we process your personal data for the performance of a legal task or in view of our legitimate interests,you have the right to object on “grounds relating to your particular situation”. If you wish to object to the processing of your personal data, you should do so in writing to your line manager stating the reasons for your objection.

    Where you exercise your right to object we must stop processing the personal data unless:
    • We can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
    • The processing is for the establishment, exercise or defence of legal claims
  6. The right of subject access
    So that you are aware of the personal data we hold on you, you have the right to request access to that data. This is sometimes referred to as making a “subject access request”. For details of how to make such a request please contact the Principal.
  7. The right to rectification
    If any of the personal data we hold on you is inaccurate or incomplete, you have the right to have any errors rectified.
    Where we do not take action in response to a request for rectification, you have the right to complain about that to the Information Commissioner’s Office.
  8. The right to restrict processing
    In certain prescribed circumstances, such as where you have contested the accuracy of the personal data we hold on you, you have the right to block or suppress the further processing of your personal data.
  9. Rights related to automated decision making and profiling
    The GDPR defines “profiling” as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict:
    • performance at work
    • economic situation
    • health
    • personal preferences
    • reliability
    • behaviour
    • location; or
    • movement

You have the right not to be subject to a decision when it is based on automated processing; and it produces a legal effect or a similarly significant effect on you.

However, that right does not apply where the decision is necessary for purposes of the performance of a contract between you and us. We may use data related to your performance or attendance record to make a decision as to whether to take disciplinary action. We consider that to be necessary for the purposes of conducting the employment contract. In any event that is unlikely to be an automated decision in that action will not normally be taken without an appropriate manager discussing the matter with you first and then deciding whether the data reveals information such that formal action needs to be taken. In other words, there will be “human intervention” for the purposes of the GDPR and you will have the chance to express your point of view, have the decision explained to you and an opportunity to challenge it. 


Where you take the view that your personal data is processed in a way that does not comply with the GDPR, please contact the Principal at You also have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then inform you of the progress and outcome of your complaint. The supervisory authority in the UK is the ICO. 


Employee Document Retention Details

The following summarises the minimum retention periods required. Where there is any doubt it is a good idea to keep records for at least 6 years (to cover the time limit for bringing any civil legal action).

RecordStatutory Retention Period
Accident books, accident records/reports 3 years from the date of last entry
Accounting records 3 years
Income tax and NI returns, income tax records and correspondence with HMRC Not less than 3 years after the end of the financial year to which they relate
Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH) 40 years from the date of last entry
Retirement Benefits Schemes – records of notifiable events, for example, relating to incapacity 6 years from the end of the scheme year in which the event took place
Statutory Maternity Pay records, calculations, certificates (Mat B1s) or other medical evidence 3 years after the end of the tax year in which the maternity period ends
Wage/salary records (also overtime, bonuses, expenses) 6 years
Records relating to children and young adults Until the child/young adult reaches the age of 21
Records relating to children and young adults Until the child/young adult reaches the age of 21
National minimum wage records 3 years after the end of the pay reference period following the one that the records cover
Records relating to working time2 years from date on which they were made
Actuarial valuation reportsPermanently
Application forms, CVs and interview notes (for unsuccessful candidates)6 months to 1 year
(Because of the time limits in the various discrimination Acts, minimum retention periods for records relating to advertising of vacancies and job applications should be at least 6 months. A year may be more advisable as the time limits for bringing claims can be extended. Successful job applicants’ documents will be transferred to the personnel file in any event
CVs for hired applicants2 years
Assessments under health and safety regulations and records of consultations with safety representatives and committeesPermanently
Compensation data (e.g. after a tribunal case for example)6 years
Disciplinary – Resolution1 year
Disciplinary – Verbal warning to be kept on file12 months from date of warning
Disciplinary – Written warning to be kept on file18 months from date of warning
Disciplinary – Final written warning to be kept on file18 months from date of warning
HR files for staff who leave employment or have their employment terminated6 years from date of leaving
Inland Revenue/HMRC approvalsPermanently
Money purchase details6 years after transfer or value taken
Non-personal data7 years
Parental leave5 years from birth/adoption of the child or 18 years if the child receives a disability allowance
Pension scheme investment policies12 years after benefit ceases
Pensioners’ records12 years after benefit ceases
Personnel files and training records (including disciplinary records and working time records)6 years after employment ceases
Redundancy details, calculations of payments, refunds, notification to the Secretary of State6 years from the date of redundancy
Senior executives’ records (i.e. those on a senior management team or their equivalents)Permanently for historical purposes
Statutory Sick Pay records, calculations, certificates, self-certificatesAlthough there is no longer a specific statutory retention period, employers still have to keep sickness records to best suit their business needs. It is advisable to keep records for at least 3 months after the end of the period of sick leave in case of a disability discrimination claim. However, if there were to be a contractual claim for breach of an employment contract, it may be necessary to keep records for 6 years after the employment ceases.