H&F Learning Management System privacy notice for non council employees

SAP SuccessFactors Learning Management System (LMS) 

We use a cloud based service to administer and deliver learning within the council. This includes instructor led, e-learning and web based training. This service is known as the SAP SuccessFactors Learning Management System (LMS).

This privacy notice explains how and why the London Borough of Hammersmith & Fulham (also referred to as “council” “we” “us”) uses personal data about individuals who register to use the LMS including volunteers, agency workers, and staff who work on council premises. Such individuals are not employed by the council. This privacy notice does not apply to employees of the council.

We maintain the content (courses and attendees) of the LMS. To do this properly, we need to collect and process personal data about you. 

We respect your privacy and your right to confidentiality and we are committed to following the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018. 

The information we collect 

“Personal data” is any information that relates to an identifiably natural person. Your name, address, contact telephone numbers, and email address are all examples of your personal data, if they identify you.

The term “process” means any activity relating to personal data, including by way of example, collection, transmission, and storage.

The council is a so-called “controller” of your personal data. This means that we make decisions about how and why we process your personal data and because of this, we are responsible for making sure it is used in accordance with data protection laws.

We collect and process a range of your personal data. This includes your first name, your last name and email address. This information is used: 

  1. to create an online account, which will be used to identify and authenticate you when you visit the LMS;
  2. for the purpose of assigning training and development services to your learning account;
  3. to contact you regarding training and development services you have registered an interest in; and
  4. to maintain records of training events you have attended or have completed online for reporting.

Why we process your personal data

We are required by law to always have a “lawful basis” (i.e. a reason or justification) for processing your personal data.

The legal basis for our use of this information is that it is necessary for the performance of a task carried out in the public interest. Processing personal data from you in order to register you on the LMS allows us to provide you with learning and training facilities to ensure that you conduct yourself appropriately when acting for the council, in the council’s provision of public services.

You are under no statutory or contractual obligation to provide personal data to us however, if you do not provide the information you may not be able to use the LMS and this may have consequences for your role. For example, mandatory training (e.g. in health and safety) is required for you to carry out your role. If you do not provide your personal data and/or register on the LMS this may mean that you are no longer able to carry out your role until such time as the mandatory training is completed.

We do not use your personal data to make any decisions about you which are based solely on automated decision-making.

Who has access to data

Sometimes we need to share your personal data with other people.

Within the council:

Your information may be shared internally, including with members of the HR and learning and careers team, managers in the business area in which you work and IT staff if access to your personal data is necessary for the performance of their roles.

Staff and data processors: The information you give to us will be used by our staff and third parties who provide council services on our behalf.

Developing and testing business applications: We may use the information you give to us to maintain and improve the services which we deliver, this includes developing and upgrading the systems which we use to process your information.

Corporate business intelligence: We may share the information you give to us with other council services for research and analysis purposes, to help us design the services we provide and to identify and contact residents who may benefit from them.

Outside the council:

We will share your data with government, police, regulators or law enforcement agencies including the council’s corporate anti-fraud service, where we are required to do so by law, for example, by a court order, statutory power or for the purposes of prevention of fraud or other crime.

We will not transfer your data to countries outside the European Union unless the transfer is to a country approved by the European Commission as providing adequate protection and appropriate safeguards.

How do we protect data

We take security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed by our employees except in the performance of their duties. Further information on Data Protection and supporting Codes of Practice is available on request.

The system and infrastructure of the LMS is maintained by Hampshire County Council (“HCC”). Personal data may therefore be held by HCC on behalf of the council. All data will be held or processed securely in the UK. As HCC process personal data on our behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

What are your responsibilities 

  • You are responsible for keeping your registration details to the LMS safe and you must not share these or any other account details with any other person.
  • You are responsible for the security of your personal devices, your email account and your passwords.
  • You should protect all your devices against unauthorised use and keep them updated with the latest security updates and virus protection software.
  • You should not use a shared email address with your LMS account.
  • Your password is used to protect your information on LMS, so you must keep it safe. You should never write your password down or share it with anyone else.

How long do we keep data

Retention periods are set by regulation, or where none exists, is based on business practice. As legislation is regularly updated, the time that information is kept may change. Currently course administration records are kept for 6 years. 

Certain health and safety training may be kept for longer. To determine the appropriate retention period for personal data relating to mandatory training e.g. health and safety training, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

After the retention period, your data will be deleted.

What are your rights

Subject to certain conditions, you have some legal rights in respect of the personal information we collect from you. These are:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object;
  • rights in relation to automated decision-making and profiling.

Please see our website Data Protection page for further details.

If you would like to exercise any of these rights, or have any questions in connection with this privacy notice please contact handfintouch@lbhf.gov.uk.

Alternatively, as a public authority we are required to appoint a data protection officer who assists us monitor internal data protection compliance, informs and advises us on our data protection obligations, advises us on our data protection impact assessment process and acts as our contact point with the Information Commissioner. You can contact the Council’s Data Protection Officer at dpo@lbhf.gov.uk

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance, or directly to the Information Commissioner’s Office.