Policy for Ensuring the Privacy and Information Security of Learners’ Records

1.0 Purpose

The purpose of this policy is to establish clear guidelines and procedures for ensuring the privacy, confidentiality, integrity, and security of all learner records maintained by Branagh Group. This policy addresses the entire lifecycle of learner information, from input and maintenance to release and issuance, following the completion of learning events. 

2.0 Scope

This policy applies to all Branagh Group personnel, including employees, contractors, and any third-party service providers who are involved in the collection, input, processing, maintenance, storage, release, or issuance of learners’ records for any learning event offered by Branagh Group. This includes, but is not limited to, data within the Learning Management System (LMS), administrative databases, physical files, and any other systems or media containing learner information.

3.0 Policy Statement

Branagh Group is committed to safeguarding the privacy and security of its learners’ records. We recognize the sensitive nature of personal and academic information and are dedicated to implementing and maintaining rigorous security measures to prevent unauthorized access, disclosure, alteration, or destruction of this data. This policy outlines the specific procedures and responsibilities designed to achieve this commitment.

4.0 Definitions

  • Learner Records: Any information pertaining to an individual learner, including but not limited to, personal identifying information (e.g., name, contact details), registration information, course enrollment details, attendance records, assessment results, completion status, certificates, and any communications related to their learning journey.
  • Information Input: The process of collecting and entering learner records into Branagh Group’s systems.
  • Information Maintenance: The ongoing process of storing, updating, and ensuring the accuracy and security of learner records.
  • Information Release: The controlled disclosure of learner records to authorized individuals or entities, typically with the learner’s consent.
  • Issuance of Records: The provision of official documents, such as certificates of completion or transcripts, to learners or authorized parties.
  • Confidentiality: Ensuring that information is accessible only to those authorized to have access.
  • Integrity: Maintaining the accuracy and completeness of information and processing methods.
  • Availability: Ensuring that authorized users have access to information and associated assets when required.

5.0 Procedures

5.1 Information Input

Responsibility: Engineering Team, Technical Support Team

Procedure:

  • Secure Data Collection: All learner personal and academic information will be collected using secure, encrypted systems, primarily through Branagh Group’s designated Learning Management System (LMS) and administrative databases. 
  • Accuracy Verification: Personnel responsible for inputting data will verify the accuracy of all information at the point of entry to minimize errors.
  • Authorized Access: Only personnel with explicit authorization and training will have access to systems for inputting learner information.
  • Minimum Necessary Data: Only information essential for the purpose of the learning event and record-keeping will be collected.

5.2 Information Maintenance

Responsibility: Engineering Team 

Procedure:

  • Secure Storage: All learner records will be stored in secure, access-controlled environments. Digital records will reside on secure servers with firewalls and intrusion detection systems. 
  • Data Encryption: All digital learner records will be encrypted in transit to protect against unauthorized access during transmission.
  • Regular Security Updates: The Engineering Team and IT Consultants will regularly update security software, systems, and protocols to address emerging threats and vulnerabilities. This includes applying patches, updating antivirus definitions, and configuring firewalls.
  • Access Controls: Strict role-based access controls will be implemented for all systems containing learner records. Access privileges will be granted based on the principle of least privilege, meaning personnel only have access to the information necessary to perform their job functions. Access will be reviewed periodically and revoked upon changes in roles or termination of employment.
  • Data Backups: Databases on the Branagh Group’s cloud servers are backed up on a nightly basis. A two-week retention period for these backups is maintained on-site for immediate recovery.  In addition, nightly snapshots of the entire database are securely replicated and backed up at an alternate, geographically dispersed off-site location to facilitate robust disaster recovery in the event of a catastrophic incident at the primary site. All learning event records are maintained for a minimum of seven (7) years from the learning event completion date. Records older than seven years may be reviewed and, if no longer legally or operationally required, may be moved to secure archival cloud storage or securely purged according to data retention policies.
    • Off-site Disaster Recovery: In addition, nightly snapshots of the entire database are securely replicated and backed up at an alternate, geographically dispersed off-site location to facilitate robust disaster recovery in the event of a catastrophic incident at the primary site.
  • Data Audits: The Engineering Team will conduct regular audits of access logs and system activities to monitor for suspicious behavior or unauthorized access attempts.
  • Data Retention: Learner records will be retained for a minimum of 7 years, per IACET guidelines. 

5.3 Information Release

  • Who: Learners, Technical Support Team
  • What: Providing a standardized mechanism for learners to request access to their historical training records.
  • When: As needed by learners.
  • How:
    • Learners can submit a Training Record Request Form (available on the Branagh Group website or by contacting Technical Support).
    • The form requires: learner’s full name (at time of training), training event title, approximate date of completion, and contact information.
    • Requests can be submitted via the online form (which will be processed by the Technical Support Team),  or by phone/email to the Technical Support Team.
5.4 Providing Records to Learners
  • Who: Technical Support Team
  • What: Responding to and fulfilling learner requests for training records.
  • When: Within seven (7) business days of receiving a complete request.
  • How:
    • The Technical Support Team will verify the identity of the requester using provided information to ensure records are disclosed to the correct individual.
    • The requested records will be retrieved from the CourseMill LMS or the cloud storage system. If the record is in archival storage, the learner will be notified of a potentially extended retrieval time (up to 15 business days).
    • Digital copies of the requested records (e.g., PDF of certificate, transcript) will be provided to the Learner by the Technical Support Team via email.

6.0 Roles and Responsibilities

  • Technical Support Team:  Responsible for assisting learners with securely accessing their records and ensuring the secure issuance of records to learners and other authorized parties. Oversee the entire lifecycle of learners’ records, including input, maintenance, release, and issuance. 
  • Engineering Team: Responsible for implementing and maintaining data security infrastructure, including encryption, access controls, regular security updates, and conducting security audits. They will also manage data backups and disaster recovery plans.

7.0 Learner Responsibilities

In alignment with Branagh Group’s End User License Agreement (EULA), learners also have a responsibility to protect their own information:

  • Login Security: Learners are responsible for the security of their login information and for all activities that occur under their account.
  • Confidentiality of Login Information: Login information is confidential and proprietary and may not be disclosed or shared with any third parties.
  • Immediate Notification: If a password is lost, or if any unauthorized use of login information or any other breach of security is suspected, learners agree to immediately notify Branagh Group.:

The Learner must agree to the EULA as part of the registration process to obtain access to training.  

8.0 Data Security and Awareness Training

To ensure ongoing employee awareness and adherence to data security standards, all employees are required to acknowledge receipt of the Branagh Group Data Security and Confidentiality Policy. Regular email reminders are sent to reinforce the importance of data security.

Effective Date: 9/24/2013
Revision Date: 6/18/2025
Approved by: Dave Clark, CTO/CIO