Effective: 01/09/2021

This is The National Response Academy (NRA) Privacy Notice.

NRA is a training provider. We sell training Courses via our website at www.nationalresponseacademy.co.uk.

1. In everything we do NRA respects your privacy and is committed to protecting your personal data. NRA complies with all UK GDPR requirements and for citizens of the EU we comply with EU GDPR.

  1. NRA is a data controller for all the data that it processes.
  2. We do not process any special category data nor do we not knowingly collect data from children.

2. This privacy notice supplements the other notices and is not intended to override them.

3. Purpose of this privacy notice

  1. This privacy notice explains how and why we process (collect, use, retain and share) the personal data of everyone who NRA interacts with:
    a. our customers – whether buying for yourself or others;
    b. our learners – including those who purchase the Courses themselves or who have been provided access to it by another e.g. their employer or organisation;
    c. those who interact with us through our websites;
    d. our suppliers and contractors;
    e. visitors to our premises.
    f. It also explains all of your rights in relation to your personal data including how to contact us or the supervisory authorities in the event you have a complaint.
  2.  If you have any concerns about this notice or any questions about NRA’s processing of data, please contact ourselves or our Data Protection Officer on the details at the bottom of this document.

4. The data we collect about you

  1. We collect a variety of information about people who interact with us.
    a. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
    b. For our learners we need to collect your name, email address to which we will send a PDF version of your certificate.
    c. Learners may be asked to create an account with NRA and this requires you to provide a username and secure password.
    d. For people who purchase a course from us (including those who purchase for others) we need to process your name; email address; telephone number and data that allows us to process your order such as Courses and quantities required, billing/invoice address and payment details.
    e. For people who supply us with goods and services we need to collect and process your name, contact information and bank details or payment methods.
    f. For people who visit our offices: we may collect your name and contact details. Our office operates CCTV for the prevention of crime so when visiting us your image will be stored in our CCTV system and held for a rolling 30 days.
    g. For those who sign up to our marketing information we will need to collect and process your email address.
    h. Those who interact with us through our website(s) which use limited technologies and cookies to help us to deliver an effective, personalised and tailored user experience.
  2. For further information on cookies please see our separate policy. It sets out in detail which cookies we use and why they are important not only for NRA but also to ensure that all of our learners and other visitors get an optimised experience and that the content you see is of interest to you personally.
  3. Those who interact with us on social media NRA do not take any data outside of social media platforms on which you make contact with us unless you have asked us to do so – for example if you have indicated through LinkedIn that you would like to receive communications from us.
  4. For more information about our use of social media see section below.

5. When is your personal data collected?

  1. There are various points of contact when NRA needs to process personal data. When you:
    a. purchase and/or take our training Courses;
    b. contact us for help;
    c. create an account on our website;
    d. subscribe to our service or publications;
    e. request marketing to be sent to you;
    f. contact us through social media platforms or request subscriptions through these services;
    g. enter a competition, promotion or survey;
    h. are involved in one of our customer surveys or focus groups;
    i. give us some feedback;
    j. When we enter into a contract with our suppliers, contractors and advisers (including steps at your request before entering into a contract).
  2. We also collect data through automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV, access control and communications systems.
  3. We use instant messaging systems where customers or learners ask us to do so or where we re-tweet or re-post information within social media platforms.
  4. In very limited circumstances and only where required, we may also collect personal data from third parties such as that which is available publicly e.g. Companies House.
  5. We collect limited data at the time of payment:
    a. If you pay us by BACS or Cheque we will securely record your account name, payment reference and amount against your order in our accounting systems.
    b. If we pay you by BACS (in the event of a refund or payment to a supplier) we will need to receive your account name, sort code, account number and payment amount.
    c. All payments by credit/debit card are handled securely by third party providers to ensure NRA does not receive any sensitive payment data.
  6. How we use your personal data:
    a. We will only use your personal data when there is a lawful and legitimate reason for doing so.
    b. We use your personal data for the following reasons:
    c. Where we need to perform the contract (including pre contract negotiations) for example when you buy or take one of our training Courses or where we buy services or supplies to enable us to run our business.
    d. Where we need to comply with a legal or regulatory obligation for example where we retain data for HMRC reporting purposes.
    e. When you give us your consent for example when you subscribe to our newsletters, updates or marketing. As a learning provider NRA is always looking to learn from our customers so where a customer has consented to be involved in market research or customer focus groups, we will engage with them so that our range of Courses is up to date including the views from the perspective of those who use them.
    f. Legitimate interest: In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.
    g. For example, we may use your purchase history to send you or make available personalised offers or send reminder emails to our learners when their Courses are due for renewal or when we launch a new course that may be of interest to the individual learner.
    h. Where you choose to leave us a review, we may do so through an independent third party and we may contact you regarding any issues you raise in the interests of improving our service.
    i. We may also send direct marketing emails to our customers and learners when you purchase or take a course with us and do not choose to opt out – this is often called a ‘soft opt in’. This marketing is always tailored to the recipient and we do not undertake blanket marketing of any kind at any time.
    j. In very limited circumstances, we may combine the data of customers to identify trends and ensure we keep up with demand to develop new products and Courses specific to them.

6. Marketing and promotional communications

  1. As described above we do undertake marketing to subscribers; customers and those who have opted in. You have the right to opt out of receiving promotional communications at any time by:
    a. contacting us at opportunities@NationalResponseAcademy.co.uk
    b. using the ‘unsubscribe’ link in our emails;
    c. update your marketing preferences by logging in to your account.
  2. Where you have unsubscribed from our email updates or where you ask us to stop sending promotional or other offers this will not affect any other interaction you have with NRA – for example we will continue to send course renewal reminders at the appropriate time.
  3. We may ask you to confirm or update your marketing preferences if you instruct us to provide further Courses or content in the future, or if there are changes in the law, regulations, or the structure of our business.
  4. We do not process data for any other party nor do we sell data to any third parties for direct marketing purposes.

7. Website and third-party links

  1. Our website includes links to third-party websites, plug-ins and applications. If you access other websites using the links provided, the operators of these websites may collect information from you which will be used by them in accordance with their own privacy policies, which may differ from ours. Therefore, if you use these links to leave our Site and visit websites operated by third parties, we cannot be responsible for the protection and privacy of any information that you provide to them. Please check these policies before you submit any personal data to these websites.
  2. NRA websites use Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not directly identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our websites.

8. Social media

  1. Information or comments you post or disclose on NRA’s social media platforms (for example Linkedin, Twitter, or other social media applications) is public and will be treated as such for the purposes of this notice and NRA’s use of that data. NRA cannot control the use of information disclosed in such platforms. You should always take care and exercise caution when posting or disclosing information in public spaces, this includes personal information or data. Content posted in NRA’s social media pages and interactive parts of the Hub, including advice and opinions, represents the views of the individuals who post that content and such individuals bear sole and exclusive responsibility for the posting of that content. NRA does not necessarily endorse, support, verify, or agree with any content posted on our social media pages and forums.

9. Social media widgets

  1. NRA websites include social media widgets, such as the Facebook, LinkedIn, Twitter buttons and widgets, such as the “Share” button (embedded in specific articles on our Hub). Social Media widgets are either hosted by a third party or hosted directly on NRA’s website. Your interactions with these widgets are governed by the privacy policy of the company providing it. These widgets may collect (a) your IP address, (b) which NRA webpage you are visiting, and (c) may set a cookie to enable the feature to function properly. NRA advises anyone using these widgets to be aware of the privacy notices related to each widget.

10. Who we share your data with

  1. It may be necessary to share your information with our contractors and sub-contractors so they can provide a service to you or to enable us to deliver our Courses and other learning resources. The contractors and sub-contractors are contractually required to ensure that they adhere to the security requirements imposed by the Data Protection Act and/or the General Data Protection Regulation; or any other applicable laws and regulations following the end of the transition period for the UK leaving the EU (as applicable).
  2. Our contractors and sub-contractors will not share your information with any other parties (except where expressly agreed in writing with NRA) and will only be able to use the information when completing work on behalf of NRA whether as joint controller of data for example our accountants or a processor of data for example those who we engage to supply data storage of our Learning Management System.

11. Whilst there are no plans for any change to NRA’s business or ownership if our business was sold, we will transfer your personal data to a third party as follows:

  1. in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets (at all times in accordance with all applicable data protection laws); or
  2. if NRA or substantially all of its assets are acquired by a third party, in which case personal data held by NRA about its customers will be one of the assets transferred to the purchaser.
  3. In each case, the legal basis on which we process data in these circumstances is our legitimate interest to ensure our business can be continued by a purchaser. If you object to our use of personal data in this way, the relevant seller or buyer of our business may not be able to provide products or services to you.

12. In certain circumstances we may also need to share your personal data if we are under a duty to disclose or share personal data in order to comply with any legal obligation.

13. Security and your personal information

  1. We know how much data security matters to all our customers and everyone we interact with. With this in mind, we will treat your data with the utmost care and take all appropriate steps to protect it. The information that you provide is stored securely whether it be digital or physical.
  2. Across all of our business we have appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
  3. We secure access to all transactional areas of our websites and apps using ‘https’ technology and all payment transactions are encrypted (using SSL technology) – payments are handled securely under contract by external providers such as Worldpay.
  4. The account information associated with NRA is password protected for your privacy and security. You choose your password for your NRA account so the strength of that password is determined by you. We recommend that you choose a unique password and not share your password with anyone else.
    a. Access to your personal data is password-protected, and any sensitive data is protected through appropriate use of encryption technologies.
    b. All systems are password protected which expect strong passwords and require regular changes.
    c. We continually maintain firewalls, malware and anti-virus software.
    d. We maintain and monitor systems which alert NRA to any potential data attack.
    e. Any data which is accessed off site or on a mobile device is kept on devices which require secure password access and are kept locked when not in use and never left unattended.
    f. We monitor our systems for possible vulnerabilities and attacks, and we carry out random penetration testing to identify ways to further strengthen security.
    g. Any documentation retained in paper form is kept in our offices which are access controlled and secure at all times. All paper documents are access protected.
    h. Only relevant members of staff will have access to the information you provide to us.

14. All members of staff receive appropriate data protection training at induction and it is refreshed annually to ensure each is aware of their data responsibilities. Further each is aware that any breach of our data protection policy could result in a breach of their contract of employment and could result in disciplinary action and potentially dismissal.

a. Our offices are protected by security and CCTV as a deterrent against criminal offence or threat to data security.
b. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
c. These measures and procedures are audited and reviewed regularly.

15. International data transfers

  1. NRA’s stores and backs up your data to servers based in the UK.
  2. However, to deliver our learning in the most effective way we sometimes need to share your personal data with third parties and suppliers outside the UK or the European Economic Area (EEA). This is for example if you are based outside the UK and place an order with us, we will transfer the personal data that we collect from you to NRA in the UK. Other examples are
    a. (1) where services are used to support the smooth running of our business.
    b. (2) where you contact us by email there is always a risk that a third-party processor may transfer the communication outside of the UK or EEA including the USA.

16. Protecting your data outside the EEA

  1. If your data is transferred outside of the UK or EEA, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the UK or EEA. For example, our contracts with third parties stipulate the standards they must follow at all times.
  2. Any transfer of personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.

17. How long will you use my personal data for?

  1. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, this includes our obligation as a learning provider, including for the purposes of satisfying any legal, accounting, or reporting requirements.
  2. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
  3. We currently:
    a. retain the learners’ data for the lifetime of the learner so that the training records or certificates are available to them at any time in the future or if we are required to provide evidence of training in the event of a legal request.
    b. we retain limited financial information which includes personal data for 7 years to satisfy HMRC regulations.

18. Your rights

  1. Access – The right to be provided with a copy of your personal information (the right of access).
  2. Rectification – The right to require us to correct any mistakes in your personal information.
  3. To be forgotten – The right to require us to delete your personal information, in certain situations.
  4. Restriction of processing – The right to require us to restrict processing of your personal information, in certain circumstances, e.g. if you contest the accuracy of the data.
  5. Data Portability – The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party, in certain situations.
  6. Objection
    a. At any time you have the right to object:
    i. at any time to your personal information being processed for direct marketing (including profiling);
    ii. in certain other situations to our continued processing of your personal information, e.g. processing carried out for the purpose of our legitimate interests.
    iii. to be subject to automated individual decision making
    iv. to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.
  7. For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the UK General Data Protection Regulation. For citizens of the European Union NRA applies the same standards through compliance with EU GDPR – more information can be found through individual countries local data protection authorities

19. If you would like to exercise any of those rights, please:

  1. email, call or write to us or our Data Protection Officer—see below: ‘How to contact us’; and
  2. let us have enough information to identify you (e.g. your full name, address, email and customer or matter reference number);
  3. let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
  4. let us know what right you want to exercise and the information to which your request relates.

20. Your right to withdraw consent

  1. Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent. You can do this by contacting us or our Data Protection Officer on the details below.
  2. Where we rely on our legitimate interest
  3. In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation.
  4. We will then stop processing your information unless we believe we have a legitimate overriding reason to continue processing.


  1. We hope that we can resolve any query or concern you may raise about our use of your information in the first instance.
  2. The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area (EEA)) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: 0303 123 1113. If you are an EU Citizen please refer to your individual Data Protection Authority: https://edpb.europa.eu/about-edpb/board/members_en

22. Changes to this privacy policy

  1. This privacy notice was published and last updated on 01/06/2021.
  2. We may change this privacy notice from time to time—when we do, we will inform you via our website.

23. How to contact us

  1. Please contact us or our Data Protection Officer by post, email or telephone if you have any questions about this privacy notice or the information we hold about you.

The National Response Academy (NRA)
Data Protection Officer

Unit 5, Brunel House, Heather Lane, Hathersage, Derbyshire. UK S32 1DP



Subject ‘For attention Data Protection Officer’