FAQ Customer Data Retention Policy

General

This FAQ aims to help answer common questions relating to the general policy we apply to retaining customer data in connection in connection with the use of the Cyber Training Centre. It is important for registered users visitors and to understand our data retention policy and how and when we apply it. Reference should also be made to our privacy policy and terms and conditions,

With regard to collecting and processing personal (PI) data, we are obliged to comply with UK Data Protection legislation and on that basis, we will not process any personal data any longer than is strictly necessary. Our policy therefore requires that at the earliest opportunity, we will delete personal data. The following sections describe our approach to data retention and deletion. Our separate privacy policy explains what PI data we collect and process including the legal basis for doing so.

What does customer data include?

Customer data can include things like personal business contact information, user registration details, order details, details relating to courses, course progress, and assessments that a user takes, course certificates etc as well as comments and reviews that are posted by a user and when a user or visitor completes online forms.

When processing customer data, what does “Strictly Necessary” mean and when would data become no longer strictly necessary to process?

It is strictly necessary for us to process customer data in order to deliver our services to registered users including those who purchase licenses to access courses and related products. Similarly, it is strictly necessary for us to collect and process customer data to develop our business.

It may no longer be strictly necessary to process customer data if a registered user has not accessed the website for an extended period, or no longer has a valid user license to access the services.

It may no longer be appropriate for us to process some customer data if the customer has requested certain data to be deleted and we have agreed to that, or a customer has requested to be removed (ie wishes to unsubscribe) from electronic communications.

Do you retain any customer data at all after that customer data is deleted in accordance with your retention policy?

Yes. We may be required by UK laws and regulations to retain some business records. We may also have to retain some records to ensure that we comply with UK data protection legislation and other regulations.

How long do you generally process and retain customer training data for?

We retain and process training course and assessment-related data for the period of the license and a short period thereafter, allowing the customer to download a record or certificate of course completion.

Do you automatically delete any data when access to a course or license expires?

Yes. Once the course license expires we will permanently delete course data usually within 90 days, or earlier if the customer requests us to do so. If the user was granted access to a course through a group license then data deletion will normally occur within 90 days of group license expiry. Once the deletion is complete there will be no record of the user ever taking the course, no results of any assessments taken, and no course certificate. If the user was a member of a group, in which they were enrolled then any reference to the group membership will also be deleted.

Why do you not retain student course records after license expiry?

Firstly it is not strictly necessary for us to do so and secondly, if the student wishes to enrol on and complete the same course again (ie repeat the same course) then it is necessary for us to delete all previous course progress records.

Deleting unnecessary records also helps maintain website performance and comply with our security policies as well as comply with Data Protection legislation.

Would you extend access to permit users time to download certificates?

We will consider requests to extend access and delay deletion but we cannot guarantee this will be possible and there may be an administration fee.

Is any data deleted if I don’t login and access the service for a set period of time

Yes. If a registered user has not logged into the website for at least 12 months, and that user does not have a current valid license for access to any products then the account will be deleted. When a user account is deleted, then all personal and any related customer data that we no longer are required to retain will also be deleted from the system.

Is data also deleted from third-party processors?

When we delete a registered user from the website will will delete data from related third-party systems that we are not required to retain under our policy. We will however retain important records in customer support and customer relationship management systems, payment/accounting systems and communications logs.

If a user unsubscribed from electronic communications, we need to retain minimal records to apply rules preventing further electronic communications.