Data Protection Policy

Moralbox – Data Protection Policy

Last revision date: 24 May 2023

This Policy describes the information we process and how we use it to provide Moralbox services. On 24 May 2018 it replaced our ‘Privacy Policy & Cookies’.

Moralbox will never sell or exchange Training Profile, Organisation, Training Provider or User information to/with a Third Party unless required to do so by law or as part of another lawful investigation by authorities.

Information such as National Insurance Numbers and User passwords are encrypted to prevent data theft.

Consent – The act of a person giving permission to another person or organisation to Manage their information.

Person – A person who has given consent to an Organisation or Individual to Manage their Moralbox Training Profile and the information therein.

Individual User – A user of Moralbox that is currently logged into Moralbox to manage their own Training Profile.

Organisation User – A user of Moralbox that is currently logged into Moralbox to manage the information of other people.

User(s) – A person who has a Moralbox user account.

Subject Access Request – When someone submits a request to access, rectify, port or delete their data on Moralbox.

Organisation – A company/employer, charity or other such entity that uses Moralbox services.

Organisation Administrator – The master User of an Organisation that can set the permission levels of all other Organisation Users.

Training Provider – An Organisation that schedules and manages courses. A Training Provider can also manage the Training Profiles associated with an Organisation they are Affiliated to.


Affiliated – The act of giving permission to a Training Provider to manage the Training Profiles and other Moralbox features of an Organisation.

Third Party – Any Person who is not an employee of your Organisation and is not an employee of Moralbox.

Training Record – A certificate or other method of logging training.

Scheduled Course – A course that is scheduled by a Training Provider either publicly and open for anyone to book onto or closed and private for a single Organisation to book onto.


 

How do we process Training Profile Data?

Why do we process it?

A Training Profile is a collection of personal information about a person that is created, modified and deleted by either the individual who owns the profile personally or a user of an Organisation on behalf of the individual who has given their Consent for the Organisation and its users to create, modify and delete information about them. The Training Profile is used for managing the individual’s training records for the benefit of the individual and Organisations by recording and analysing that individual’s training history, for example, to prevent training gaps in order for them to perform their job role and maintain compliance.

What do we process?

The following information about an individual is stored as part of their Training Profile:

         Personal information – Such as name, date of birth, address, National Insurance Number, reference numbers.

         Training records – Such as scanned or digitally created certificates along with achievement date, expiry date and course details.

         Access history – A log of which users have viewed, created, edited or deleted information within the Training Profile.

         Associated Organisations – A history of organisations that have been associated with and previously/currently had/have consent to Manage the individual and their Training Profile.

Who has access to it?

Training Profile information is not shared with a Third Party outside of the Moralbox system. By default you enter into Moralbox’s ‘Collaborative Mode’, this means other Moralbox Organisation Users can search for and add to their Organisation the Training Profiles of People in your Organisation. This is useful for Training Providers and other Organisations that need to manage the Training Profile of a Person or check validity of Training Records. Their Organisation needs to know specific challenge information such as last name, date of birth and National Insurance number. There also needs to be an agreement of consent between the Person and the Organisation that wants to access the Person’s Training Profile. Searching for Person Training Profiles that you do not have consent from the Person to manage is strictly prohibited and in breach of Moralbox Terms & Conditions. Consent is given to Training Providers to access a Person’s Training Profile when a course booking is confirmed or some other form of consent outside of Moralbox is agreed. Once the challenge information is met and consent is given, this allows the Training Provider or Organisation to add the Person’s Training Profile to their account and use all information and Training Records therein to view or manage their training on their behalf. If you prefer to completely opt out of this ‘Collaborative Mode’, you can enable our ‘Non-collaborative Mode’. We do not recommend this as collaboration is at the core of Moralbox efficiencies.

What is ‘Non-collaborative Mode’?

‘Non-collaborative Mode’ prevents the Training Profiles of People at your organisation being searched for and added by other Organisations. By enabling ‘Non-collaborative Mode’, you lose the ability to add existing Person Training Profiles, that may have a history of Training Records, to your Organisation’s account. You will lose the efficiency and anti-fraud benefits that the ‘Collaborative Mode’ offers. Contact us if you would like to enable ‘Non-collaborative Mode’.

How do we process Organisation Data?

Why do we process it?

Information is stored about Organisations as part of the fundamental configuration of an Organisation and its Users using Moralbox features.

What do we process?

The following information is stored to allow Organisations to function in Moralbox:

         Current and previously linked Training Profiles

         Current and previous Organisation Users

         Organisation details such as name, organisation type (e.g. Company), registration numbers.

         Organisation structure for sorting people into organisation groups

Who has access to it?

Individual Users can see information about the Organisations they are linked to, they can also sever this link if required. Organisation Users can view, create, modify and delete Organisation information and see Organisation structure information, depending on their permission level set by the Organisation Administrator. Consent is given to Training Providers to access information relating to an Organisation when a course booking is confirmed.

How do we process Training Provider Data?

Why do we process it?

Information is stored about Training Providers in order to support the Training Provider features of Moralbox.

What do we process?

         Current and previously linked Training Profiles

         Current and previous Organisation Users

         Scheduled Course information such as name, venue, awarding body and joining instructions

         Terms and Conditions and/or other policies

         Training Provider details such as address, schedule dates, trainers.

Who has access to it?

Individual Users and Organisation Users can see information about the Training Providers they are Affiliated with, they can also sever this link if required.

Individual Users and Organisation Users can browse and book onto open public Scheduled Courses and view details about the Training Provider.

Visitors to the Moralbox course marketplace website coursescanner.co.uk can browse and book onto open public Scheduled Courses and view basic details about the Training Provider and their courses.

How do we process User Data?

Why do we process it?

Information is stored about all Users of Moralbox in order to provide support of Moralbox services and login sessions, track system usage to help with making improvements and for security reasons.

What do we process?

         Personal information about the User such as name, email address

         Session information such as IP address, web browser type, screen resolution, device type, date and time of logins and their usage within the system

         Activity log for traceability and security monitoring

         User experience and performance information

         When a User views, creates or deletes Training Profile, Organisation or Training Provider information it is logged.

Who has access to it?

Organisations can see information about Users associated with their Organisation.

Moralbox employees have access to User information as part of our ongoing improvements and security monitoring processes. User information is strictly used for system management purposes.

Third party analysis tools may be used such as Google Analytics but visitor personal information is not identifiable.

How do we handle Payments?

When you make payments within Moralbox for subscriptions or booking courses, we may store incomplete payment card details so you can identify which card you used to make a payment. This includes the last 4 digits of the payment card along with the expiry date, card type and card holder name. This information cannot be used to make purchases so is not considered sensitive.

We do not store complete payment information on Moralbox.

We use Stripe.com to process card payments and any card details stored at Stripe undergo thorough security checks and are subject to Stripe’s own policies. Stripe Payments UK Limited is regulated by the Financial Conduct Authority.


 

Why do we use Cookies?

We use cookies to distinguish you as a user and to enhance your visit to our websites. Cookies help you to sign into our services without repetition and limit fraud, forming small text files on your hard drive or device, containing information such as personal data that can be read by a web server in the domain issuing the cookie.

When do you give Consent?

If you give us any information about yourself or another person, you hereby confirm that you have given consent or the other person has appointed you to act on his/her behalf and has agreed that you can give consent on his/her behalf to the processing of his/her personal data.

What is our legal basis for processing data?

We collect data, use and share the data detailed above to:

         Assist the collaboration and efficiency of training management within industry

         Prevent duplication of Training Profiles

         Reduce fraud

         Enable Individuals to view their own Training Records in a centralised Training Profile throughout their entire career

         Allow Organisations and Training Providers to contribute to Training Records and support Individuals to ensure training compliance

         Promote safety, integrity and security

         Respond to you when you contact us

         Provide measurement, analytics and other business services

         Research and innovate to provide a better service

How will we notify you of changes to this Policy?

Whenever we make changes to this Policy you will be notified when you next log into Moralbox. To make it easier to understand we will simply highlight the changes between the previous and current versions and provide a link back to this policy if you prefer to read it in its entirety.

How can you exercise your rights provided under the GDPR?

Under the General Data Protection Regulation (GDPR) you have the right to access, rectify, port and delete your data stored on Moralbox. This can be done directly within Moralbox where options are available or by submitting a Subject Access Request using the ‘How can you contact us?’’ section below. Please note Subject Access Requests require ID before they can be actioned by us and may take several days for us to respond.

Data Processing Addendum (DPA)

There is a data processing addendum to our Terms & Conditions and this Data Protection Policy available upon request.

How can you contact us?

If you would like to discuss our policies further, have any questions or would like to submit a Subject Access Request please contact us by email or in writing at:

[email protected]

Moral Box Limited

Incorporated in England and Wales with Company number 08642375 whose registered office at Hope Street Xchange, Sunderland, SR1 3QD.

We are committed to being transparent and to process your data responsibly. If you have any suggestions on how we can provide a better service, please contact us using the details above.