Privacy Statement

Data Privacy Statement

Approved by: IAMI Directors Version: Ver 1 Issue Date: Jan 2025 Review Date: Jan 2027 Contact Person: Secretary, IAMI

Contents

Introduction
Information We Collect
How We Use Your Information
How We Protect Your Information
Information Sharing
Data Retention
Your Data Protection Rights
Contact Us
Policy Review
Related Policies

1. Introduction

We, the International Association of Maritime Institutions (IAMI) value your privacy and are committed to protecting the personal information you provide during educational assessments. This Privacy Statement outlines how we collect, use, store, and protect your information in compliance with applicable data protection laws.

2.Information We Collect

We will collect the following types of information directly from you, or from an IAMI membership organisation with whom you undertook your training:

PersonalInformation:Name,dateofbirth,andcontactdetails, so we can identify individuals.
Assessment Data: All application and exam results pertaining to the assessment you require us to undertake. By applying to undertake an assessment with IAMI, you consent that IAMI can process your information to progress your assessment request.

HowWeUseYourInformation
The information collected is used for purposes such as:
1. AssessmentAdministration:Deliveringandmanaging
  educational assessments that you have requested.
2. Performance outcome: Your data is used to create final
  assessment outcome certificates.
3. Compliance: To ensure we comply with our contractual
  obligations with the regulatory body, for example with the UK Maritime and Coastguard Agency (MCA)
How We Protect Your Information
a. Weimplementindustry-standardsecuritymeasuresto safeguard your data, including:
1. Use of secure web portals that receive and store your information.
2. Restricting access to these portals to IAMI employees or authorised users with reduced data access
3. The use of secure storage solutions, with regular back- ups.
4. Regular system updates to ensure robust cyber security protection and prevent unauthorized portal access.
Information Sharing

a. We do not share any of your personal data. We may share information only in the following situations:

With authorized personnel involved in assessment processing.
With UK regulatory bodies, such as the MCA
With those educational institutions that you have used for your assessment process.
When legally obligated to comply with court orders or legal processes.

6. DataRetention

We retain your personal information only as long as necessary for the purposes of your assessment and issuing of your assessment results. We are required by the MCA maritime regulator to retain your assessment outcome data until you reach the age of 70 (seventy) should you need to request a replacement certificate from us. All data is securely retained and can be deleted on request.

7.YourDataProtectionRights

a. Youhavetherightto:
1. Access your personal data.
2. Request corrections to inaccurate information held by us.
3. Request that we transfer your information to another
  organisation, or to you
4. Withdraw consent for your data to be shared.
5. Request deletion of your data, subject to legal or contractual restrictions.
8.Contact Us

For all questions about this Privacy Statement or how your data is handled, please contact us at:

IAMI Secretary at secretary@iami.org.uk or IAMI Exams Officer at examofficer@iami.org.uk

9. PolicyReview

The Privacy Statement will be reviewed every three years considering experience and best practice. This mechanism recognises that changes or legislation changes may prompt a review of the policy before the end of this three-year period.

10.Related Policies

IAMI Data Protection Policy, which includes appendix 1 and 2

11.Appendix 1 - Data processing

Data Protection – our procedure and processes for data protection are reviewed to ensure it meets the standards and requirements of the Data Protection Act / GDPR and maintain the security of all data held by us. IAMI are committed to using only UK/EU based hosting services.

Cyber Protection. IAMI have a separate policy on Cyber Protection to protect employees and systems from external threats which would compromise our systems and data held on them.

Data Retention – we are required to maintain a database of all certificates issued by IAMI, and only data pertaining to certification validation process will be retained, to ensure we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. The retention of personal data will be maintained until the candidate reaches the age of 70.

Data Breaches – where we suspect, or it is reported to us that a data breach has occurred, then the Data Protection Officer (DPO) appointed by the IAMI Directors will identify, assess, investigate and report this at the earliest possible time. The DPO has a duty to report any data breach to the Information Commissioner’s Office https://ico.org.uk/for-organisations/report- a-breach/

International Data Transfers – IAMI members transfer personal data onto the secure and encrypted web based YDES, EKES, GUEST or EPA interface, and hence data storage on site or on personal equipment is not required by members or their staff.

Subject Access Request (SAR) – IAMI can receive requests for individual data held by them, and this pertains to a verification check of certification held under the YDES, EKES, GUEST or EPA systems. IAMI will respond within 30 days to any such requested received in writing/by email.

Privacy Notice/Policy – all individuals who enrol to undertake either an YDES examination, EKES examination, GUEST assessment or EPA assessment are informed that their personal information is used for the purposes of their certification only.

Direct Marketing – IAMI do not, nor will, undertake any direct marketing to people enrolled onto YDES, EKES, GUEST or EPA assessment.

Processor Agreements – IAMI do use third parties to process personal information on our behalf, they are required to comply with their own GDPR / Data Protection Act obligations as a UK company. These measures include initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place and compliance with the GDPR / Data Protection Act.

Data Subject Rights
In addition to the procedures mentioned above, individuals can enforce their data protection rights, and IAMI will provide, where requested, information about:

What personal data we hold about them
The purposes of the processing
The categories of personal data concerned
The recipients to whom the personal data has/will be disclosed
How long we intend to store your personal data for
The right to have incomplete or inaccurate data about them corrected
or completed and the process for requesting this
The right to request erasure of personal data (where applicable) or to
restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
The right to lodge a complaint or seek judicial remedy and who to contact in such instances

12.Appendix 2 - Data Protection Act / GDPR Roles

IAMI Directors have designated the IAMI Secretary as the Data Protection Officer (DPO), and they are responsible for promoting awareness of the Data Protection / GDPR across the organisation, maintaining our Data Protection Act / GDPR compliance, identifying any gap areas and implementing the new policies, procedures and measures.

IAMI will maintain its registration with the Information Commissioner’s Office (ICO) through annual subscription.
Organisation name: International Association of Maritime Institutions Reference: ZA316916

13.How to complain

You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office

Wycliffe House Water Lane Wilmslow Cheshire

SK9 5AF

Helpline number: 0303 123 1113 ICO website: https://www.ico.org.uk