1. General Privacy Notice

About this notice

The Institute for Apprenticeships and Technical Education (IfATE) is committed to protecting the privacy and security of your personal data.

In carrying out our work we collect and use (or ‘process’) personal data. This means that we are a ‘data controller’ under the UK General Data Protection Regulation and the Data Protection Act 2018 (‘data protection law’).

As a data controller, we are required to inform you of our privacy rules and your rights pertaining to your personal data. This privacy notice describes how we process your personal data in accordance with data protection law.

Who does this notice apply to?

This notice applies to any individual whose personal data we process except where data is processed:

If you are not clear what personal data we process about you, or why, or you have any other questions about our use of your personal data you can contact us at Institute.DPO@education.gov.uk.

Individuals whose personal data we process include:

  • students, learners and apprentices
  • trailblazer group members
  • external experts, consultants and advisers
  • staff of stakeholders relevant to our work including employers, awarding organisations and Higher Education Institutions (HEIs)
  • suppliers and service providers
  • individuals who make (or are otherwise named in) enquiries, procedural review requests, complainants and their representatives (including whistleblowers and individuals who make freedom of information requests)
  • respondents to consultations and surveys
  • journalists and the media
  • lobbyists, research participants, event or conference attendees, route panel members, and
  • members of the public (including visitors to our offices who are captured on CCTV)

Links to other websites

Our website contains links to other websites. This privacy notice does not apply to those websites. If you go to another website from this one, you should read the privacy notice on that website to find out how your information is used.

If you come to our website from another website, we may receive information from the other website. We don’t use this data. You should read the privacy notice of the website you came from to find out more about this.

What personal data do we hold and how do we collect it?

We collect and store personal data in order to discharge our statutory functions. This may be information that you have provided when you visit our website, or information that we have otherwise collected in the course of our work such as when you contact us by telephone, through email or other written communication or during events that you attend.

Personal data that we collect includes:

  • your name, contact details and any other information that you provide when you use our website
  • questions, queries or feedback you leave on our website as well as our response (if any)
  • your email address and subscription preferences when you sign up to our newsletters, blogs or any other services
  • your IP address, and details of which version of which web browser you used
  • if you create an account for the trailblazer portal or members area, your name, email address and information about the organisation you represent as well as the trailblazer group or panel you belong to
  • diversity monitoring information that you provide when responding to a consultation or survey
  • your name, contact details and any accessibility or dietary requirements if you attend any of our events
  • the name and contact details of staff within employers, awarding bodies, HEIs or other relevant stakeholders - these may be provided, for example, by others within your organisation
  • records of engagement with relevant stakeholders such as: apprentice panel applicants and members, trailblazer applicants and members or staff of employers, awarding bodies or HEIs, respondents to our consultations and surveys
  • personal information that you provide when you contact us by telephone, through email or other written communication
  • photographs, videos or audio recordings of individuals recorded during in-person events or for the purpose of our social media or communications activity
  • audio or video recordings of online meetings with individuals in the course of our work (where meetings are held online e.g., Teams these may be recorded and stored within IfATE’s OneDrive and SharePoint systems)
  • personal information that is provided via our social media channels

We also collect information about how you use our website using cookies and page tagging techniques.

Why and how do we collect and use your personal data and what is our lawful basis for doing so?

We have a number of statutory functions conferred on us by the Apprenticeships, Skills Children and Learning Act 2009. We use the data we collect to support the effective delivery of these functions.

We are required to ensure that we have a lawful basis for any processing of personal data that we carry out. Article 6 of the UK GDPR allows us to process personal data where it is necessary to perform a public task or for official functions, and the task or function has a clear basis in law. As a public body that is required by law to carry out certain tasks, we rely on this basis where we use your data in order to enable us to carry out those tasks.

For example, we rely on this basis to enable us to hold the contact details of, and records of engagement with, individuals with expertise related to our work. This is because it is necessary for us to liaise with these individuals to obtain their opinions, input or expertise on a matter on which we have a statutory responsibility. This includes anyone who:

  • is on, or who has completed an expression of interest form to join, the Peer Review register
  • is a member of a Trailblazer group or T Level employer panel
  • is an employee of an awarding body or employer (including members of our Employer Directory), or
  • is, or who has applied to become, a member of any of IfATE’s panels or forums

We also rely on this basis where we use your personal data to:

  • improve our website by monitoring how you use it
  • gather feedback to improve our services
  • respond to any feedback you send us (if you have asked us to provide feedback)
  • send email alerts to users who request them
  • respond to an enquiry, complaint or procedural review request
  • contact users of the Apprenticeship Builder and members area, for example, to provide feedback
  • understand the demographics of the users of the Apprenticeship Builder and members area
  • ensure any accessibility or dietary requirements are met when individuals attend any of our events
  • contact you for other purposes in connection with our work such as where we conduct surveys to assess stakeholder satisfaction or to invite you to events or consult with you

We may also process personal data where the processing is necessary for us to comply with a legal obligation (not including contractual obligations). We rely on this basis where, for example, we process personal data in order to enable us to undertake diversity monitoring.

Finally, we may sometimes ask for your permission or consent to process your data. We rely on this basis where, for example, you have consented to us using photographs, video or audio recordings of you as part of our social media activity. Consent must be freely given in order to be valid and may be withdrawn at any time by contacting Institute.DPO@education.gov.uk
In some cases, there may be more than one lawful basis for processing your personal data.

Where the information we process is special category personal data (for example, diversity monitoring information or information about a person’s accessibility or dietary requirements), in addition to the above lawful bases, we also rely on the following for processing your special category personal data (under Article 9 of the UK GDPR):

  • explicit consent
  • public interest: the processing is necessary for reasons of substantial public interest (to promote equality of opportunity or treatment)

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may, if necessary, process your personal data without your knowledge or consent, in compliance with this notice, where this is required or permitted by law.

Disclosure of personal data to third parties

We may in some circumstances have to share your data with third parties, including service providers, suppliers and other civil service bodies.

We will only share your data with third parties where we have a lawful basis to do so. We require third parties to respect the security of your data and to treat it in accordance with the law.

We will not, without your consent, share your information with any third parties for the purposes of direct marketing.

Data storage

We store your data on secure servers in the UK.

Some information may also be stored on our behalf on secure servers outside the UK. This includes data held on our behalf for the purpose of:

  • the IfATE newsletter - we use MailChimp to manage the mailing list for our external newsletter. You can learn more about how Mailchimp protects your information in the Mailchimp Privacy Policy
  • Apprenticeship Builder - we use Cognito Forms to provide some templates for our users to draft and submit apprenticeship standards to IfATE or to collect information as part of our consultations. You can learn more about how Cognito protects your information in the Cognito Privacy Policy
  • we store information on Microsoft systems such as SharePoint and Teams. You can learn more about how Microsoft protects your personal data by reading Microsoft Privacy Statement and MS Teams Privacy Information
  • other forms - we also use Microsoft Forms for other temporary data collection activity such as for 'expressions of interest' and public consultation responses
  • we use Microsoft Dynamics CRM for the collection and management of customer and stakeholder data, and to support our engagement activities with you
  • managing meetings – we use OnBoard to manage our meetings with external stakeholders such as route panel members. Learn more by reading OnBoard Privacy Policy
  • occupational maps - we use servers to store your data which are hosted on our behalf by PDMS – you can learn more about how PDMS protects your information in PDMS Privacy Policy. If you use the feedback form or request an API key on the occupational maps, your data is collected by Cognito Forms. You can learn more about how Cognito protects your information in the Cognito Privacy Policy

Data retention 

We only keep personal data for as long as is necessary. After this point, we will delete or securely dispose of personal data.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you.

Ensuring your personal data is accurate and current

It is important that the information we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.

Your data protection rights

Your right of access - you have the right to ask us for copies of your personal data (known as ‘making a data subject access request’).

Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to request restriction of processing - you have the right to ask us to restrict the processing of your data in certain circumstances.

Your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances.

Your right to erasure – you have the right to ask us to erase your personal data in certain circumstances.

Your right to request the transfer of personal data – you have the right to ask that we transfer the data you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a subject access request, we have one month to respond to you.

Please contact us at Institute.DPO@education.gov.uk if you wish to make a request or object to the processing of your personal data.

If you’ve signed up for our newsletters, you can unsubscribe or change your settings at any time.

If you’ve created an account for the trailblazer portal or members area, you can delete your account and your personal information at any time. Personal information associated with the deleted account will be removed from our systems.

We will review inactive accounts as part of our regular Route Review exercises. You can read more about reviews to learn more about the frequency of these exercises.

How to contact us

Our Data Protection Officer is responsible for ensuring compliance across our data processing activities. For any questions, concerns or complaints about how we process your personal data you can contact our Data Protection Officer:

Simon Love - Institute.DPO@education.gov.uk

You can also write to us:

IfATE
Sanctuary Buildings
20 Great Smith Street
London SW1P 3BT

How to contact the Information Commissioner’s Office

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have processed your personal data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk 

Changes to this privacy notice  

This privacy notice was last updated on 1 May 2024. We reserve the right to update this privacy notice at any time, with changes published on our website, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

 

2. Privacy Notice for the Employer Directory

About this notice

The Institute for Apprenticeships and Technical Education (IfATE) is committed to protecting the privacy and security of your personal data. 

In carrying out our work we collect and use (or ‘process’) personal data. This means that we are a ‘data controller’ under the UK General Data Protection Regulation and the Data Protection Act 2018 (‘data protection law’).

As a data controller, we are required to inform you of our privacy rules and your rights pertaining to your personal data. This privacy notice describes how we process your personal data in accordance with data protection law. 

Who does this notice apply to?

This notice applies to any individual whose contact details we hold on our directory of professional and employer-led bodies (‘Employer Directory’).

What personal data do we hold?

The personal data we hold about you includes your:

  • name
  • work email
  • work telephone number
  • employer’s name
  • personal data contained in communications between you and IfATE

Why and how do we collect and use your personal data?

Organisations need to apply for entry to the Employer Directory. As part of the application process, organisations are asked to provide the details of a nominated person through whom all contact will be made.

The Employer Directory is designed to support our statutory functions in connection with the quality assurance of apprenticeship end-point assessments. 

We will store the contact details of the person named on the application form in order to contact them to seek their organisation’s views and insight in connection with these assessments. 

You can find out more about the purpose of the Employer Directory here: Directory of professional and employer-led bodies.

We may also contact you for other purposes in connection with our work such as where we conduct surveys to assess stakeholder satisfaction or to invite you to events or consult with you.

What is our lawful basis for processing your personal data?

Under data protection law, we are required to ensure that we have a lawful basis for processing your personal data.  Article 6 of the UK GDPR allows us to process personal data where it is necessary to perform a public task or for official functions, and the task or function has a clear basis in law.

We have a legal obligation to carry out the quality assurance of apprenticeship end-point assessments or make arrangements for other persons to carry out the evaluations on our behalf. We rely on this basis where we use your data, including sharing it as described below, in order to enable us to carry out this obligation.

We also rely on this basis where we contact you for purposes such as those relating to stakeholder satisfaction surveys, events or consultation. 

We may sometimes ask for your permission or consent to process your data. We rely on this basis where, for example, you have consented to us using photographs, video or audio recordings. Consent must be freely given in order to be valid and may be withdrawn at any time by contacting Institute.DPO@education.gov.uk.

We may also process your personal data where it is necessary for us to comply with a legal obligation (not including contractual obligations).  

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may, if necessary, process your personal data without your knowledge or consent, in compliance with this notice, where this is required or permitted by law.

Disclosure of personal data to third parties

We may in some circumstances have to share your data with third parties, including service providers, suppliers and other civil service bodies. 

We sometimes make arrangements for other organisations to carry out work, in relation to the quality assurance of end-point assessments on our behalf and we may share your details with those organisations for that purpose. These include Ofqual, the Office for Students (OfS), or any body appointed by Ofqual or the OfS including any qualifying body designated under paragraph 3 of Schedule 4 to the Higher Education and Research Act 2017. 

We will only share your data with third parties where we have a lawful basis to do so. We require third parties to respect the security of your data and to treat it in accordance with the law. 

We will not, without your consent, share your information with any third parties for the purposes of direct marketing. 

Data storage 

We hold your data in our Directory of Professional and Employer-led Bodies. This is stored on secure servers in the UK. 

Some information may also be stored on our behalf on secure servers outside the UK. This includes data held on our behalf for the purpose of:

  • the IfATE newsletter - we use MailChimp to manage the mailing list for our external newsletter. You can learn more about how Mailchimp protects your information in the Mailchimp Privacy Policy
  • Apprenticeship Builder - we use Cognito Forms to provide some templates for our users to draft and submit apprenticeship standards to IfATE or to collect information as part of our consultations. You can learn more about how Cognito protects your information in the Cognito Privacy Policy
  • we store information on Microsoft systems such as SharePoint and Teams. You can learn more about how Microsoft protects your personal data by reading Microsoft Privacy Statement and MS Teams Privacy Information
  • other forms - we also use Microsoft Forms for other temporary data collection activity such as for 'expressions of interest' and public consultation responses
  • we use Microsoft Dynamics CRM for the collection and management of customer and stakeholder data, and to support our engagement activities with you
  • managing meetings – we use OnBoard to manage our meetings with external stakeholders such as route panel members. Learn more by reading OnBoard Privacy Policy 

Data retention 

We only keep your personal data for as long as is necessary. After this point, we will delete or securely dispose of the personal data. 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you. 

Ensuring your personal data is accurate and current

It is important that the information we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.

Your data protection rights

Your right of access - you have the right to ask us for copies of your personal data (known as ‘making a data subject access request’).   

Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. 

Your right to request restriction of processing - you have the right to ask us to restrict the processing of your data in certain circumstances.   

Your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances.  

Your right to erasure – you have the right to ask us to erase your personal data in certain circumstances.  

Your right to request the transfer of personal data – you have the right to ask that we transfer the data you gave us to another organisation, or to you, in certain circumstances.  

You are not required to pay any charge for exercising your rights. If you make a subject access request, we have one month to respond to you. 

Please contact us at Institute.DPO@education.gov.uk if you wish to make a request or object to the processing of your personal data.

How to contact us

Our Data Protection Officer is responsible for ensuring compliance across our data processing activities. For any questions, concerns or complaints about how we process your personal data you can contact our Data Protection Officer:  

Simon Love – Institute.DPO@education.gov.uk 

You can also write to us: 

IfATE
Sanctuary Buildings
20 Great Smith Street
London SW1P 3BT

How to contact the Information Commissioner’s Office 

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have processed your personal data.  

The ICO’s address: 

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline number: 0303 123 1113  

ICO website: www.ico.org.uk

Changes to this privacy notice    

This privacy notice was last updated on 1 May 2024. We reserve the right to update this privacy notice at any time, with changes published on our website, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data. 

 

3. Privacy Notice for Higher Technical Qualifications (HTQ)

About this notice 

The Institute for Apprenticeships and Technical Education (IfATE) is committed to protecting the privacy and security of your personal data.

In carrying out our work we collect and use (or ‘process’) personal data. This means that we are a ‘data controller’ under the UK General Data Protection Regulation and the Data Protection Act 2018 (‘data protection law’).

As a data controller, we are required to inform you of our privacy rules and your rights pertaining to your personal data. This privacy notice describes how we process your personal data in accordance with data protection law.  

Who does this notice apply to?

We have a number of statutory functions conferred on us by the Apprenticeships, Skills Children and Learning Act 2009, including responsibility for approving Higher Technical Qualifications (HTQs) for new or existing level 4 and 5 qualifications. To effectively discharge those functions, we engage with awarding organisations and other stakeholders which requires us to process personal data.

Links to other websites 

Our website contains links to other websites. This privacy notice does not apply to those websites. If you go to another website from our website, you should read the privacy notice on that website to find out how your information is used. 

If you come to our website from another website, we may receive information from the other website. We don’t use this data. You should read the privacy notice of the website you came from to find out more about this. 

What personal data do we hold?

We may collect, store and use the following categories of your personal data: 

  • name of the primary contact
  • telephone number
  • email address
  • personal data contained in communications between you and IfATE

Why and how do we collect and use your personal data?

All of the personal information we process is provided to us directly by you or your awarding organisation/body through the online form for one of the following reasons:

  • maintaining contact with the applicant throughout the HTQ approvals process
  • maintaining contact with the applicant post HTQ approval (for example, where we need to contact the applicant in relation to changes to standards or qualifications)

We use the information that you or your awarding organisation/body have given us in order to:

  • call or email the primary contact to address questions/queries related to the submission for HTQ approval
  • call or email the primary contact to provide additional information on the submission for HTQ approval
  • call or email the primary contact post review for the purposes of feedback on the submission for HTQ approval
  • call or email the primary contact for the purposes of renewal of the approved status for HTQs
  • call or email the primary contact to discuss adherence to quality mark usage guidance and terms and conditions of approval

We may also contact you for other purposes in connection with our work such as where we conduct surveys to assess stakeholder satisfaction or to invite you to events or consult with you.

What is our lawful basis for processing your personal data?

Under data protection law, we are required to ensure that we have a lawful basis for processing your personal data. Article 6 of the UK GDPR allows us to process personal data where it is necessary to perform a public task or for official functions and the task or function has a clear basis in law, or where it is needed for the performance of a contract. As a public body that is required by law to carry out certain tasks, including those described above, we rely on this basis where we use your data in order to enable us to carry out those tasks. 

We may sometimes ask for your permission or consent to process your data. We rely on this basis where, for example, you have consented to us using photographs, video or audio recordings. Consent must be freely given in order to be valid and may be withdrawn at any time by contacting Institute.DPO@education.gov.uk.

We may also process your personal data where it is necessary for us to comply with a legal obligation (not including contractual obligations).

Change of purpose 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so. 

Please note that we may, if necessary, process your personal data without your knowledge or consent, in compliance with this notice, where this is required or permitted by law.  

Disclosure of personal data to third parties 

We may in some circumstances have to share your data with third parties, including service providers, suppliers and other civil service bodies. 

We may share this information with the Department for Education, Ofqual, and the Office for Students for the purpose of evaluation of the programme and/or evaluation of the submitted qualifications. They may wish to contact you during the approvals process. Each of these public bodies has a power to share information with the other public bodies for the purpose of their statutory functions. We will ensure that any personal data disclosed is only disclosed for the purpose of these functions.

We will not, without your consent, share your information with any third parties for the purposes of direct marketing. 

Data storage 

We store your data on secure servers in the UK. 

Some information may also be stored on our behalf on secure servers outside the UK. This includes data held on our behalf for the purpose of:

  • the IfATE newsletter - we use MailChimp to manage the mailing list for our external newsletter. You can learn more about how Mailchimp protects your information in the Mailchimp Privacy Policy
  • Apprenticeship Builder - we use Cognito Forms to provide some templates for our users to draft and submit apprenticeship standards to IfATE or to collect information as part of our consultations. You can learn more about how Cognito protects your information in the Cognito Privacy Policy
  • we store information on Microsoft systems such as SharePoint and Teams. You can learn more about how Microsoft protects your personal data by reading Microsoft Privacy Statement and MS Teams Privacy Information
  • other forms - we also use Microsoft Forms for other temporary data collection activity such as for 'expressions of interest' and public consultation responses
  • we use Microsoft Dynamics CRM for the collection and management of customer and stakeholder data, and to support our engagement activities with you
  • managing meetings – we use OnBoard to manage our meetings with external stakeholders such as route panel members. Learn more by reading OnBoard Privacy Policy 

Data retention 

We keep the name, email address and telephone number information for the applicant’s primary contact for seven years from the date of registration/application. We will then review our need to retain this information, where we dispose of this information, we will do so securely by deleting all electronic copies of the data.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you. 

Ensuring your personal data is accurate and current 

It is important that the information we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.  

Your data protection rights 

Your right of access - you have the right to ask us for copies of your personal data (known as ‘making a data subject access request’).   

Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.   

Your right to request restriction of processing - you have the right to ask us to restrict the processing of your data in certain circumstances.   

Your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances.  

Your right to erasure – you have the right to ask us to erase your personal data in certain circumstances.  

Your right to request the transfer of personal data – you have the right to ask that we transfer the data you gave us to another organisation, or to you, in certain circumstances.  

You are not required to pay any charge for exercising your rights. If you make a subject access request, we have one month to respond to you. 

Please contact us at Institute.DPO@education.gov.uk if you wish to make a request or object to the processing of your personal data.

How to contact us 

Our Data Protection Officer is responsible for ensuring compliance across our data processing activities. For any questions, concerns or complaints about how we process your personal data you can contact our Data Protection Officer:  

Simon Love – Institute.DPO@education.gov.uk 

You can also write to us: 

IfATE
Sanctuary Buildings
20 Great Smith Street
London SW1P 3BT

For enquiries regarding HTQs and the approval process please contact us at:

HTQ.approvals@education.gov.uk  

How to contact the Information Commissioner’s Office 

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have processed your personal data.  

The ICO’s address: 

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline number: 0303 123 1113  

ICO website: www.ico.org.uk

Changes to this privacy notice    

This privacy notice was last updated on 1 May 2024. We reserve the right to update this privacy notice at any time, with changes published on our website, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data. 

 

4. Privacy Notice for Peer Reviewers

About this notice 

The Institute for Apprenticeships and Technical Education (IfATE) is committed to protecting the privacy and security of your personal data.

In order that you can carry out your role as a Peer Reviewer, IfATE will collect and use (or ‘process’) personal data about you. This means that we are a data controller under the UK General Data Protection Regulation and the Data Protection Act 2018 (‘data protection law’).

As a data controller, we are required to inform you of our privacy rules and your rights pertaining to your personal data. This privacy notice describes how we process your personal data in accordance with data protection law.

Links to other websites

Our website contains links to other websites. This privacy notice does not apply to those websites. If you go to another website from our website, you should read the privacy notice on that website to find out how your information is used.

If you come to our website from another website, we may receive information from the other website. We don’t use this data. You should read the privacy notice of the website you came from to find out more about this. 

What personal data do we hold?  

We may collect, store and use the following categories of your personal data:

  • name
  • contact details
  • photograph
  • job history
  • gender
  • marital status
  • age
  • nationality

We may also collect, store and use the following types of your special category personal data:

  • information about your race, ethnicity, religious beliefs, sexual orientation and any disability and/or medical conditions

Why and how do we collect and use your personal data?

We collect your personal data for purposes relating to your recruitment and your role as a Peer Reviewer, including for contacting you in relation to your role. Most of the personal data we process is provided to us directly by you, for example, within the following:

  • recruitment documentation
  • statistical disclosure form
  • diversity monitoring form
  • declaration of interest form
  • our contract with you

We may also collect your personal data if you respond to emails or other communications from us, and through the reviews you have carried out and any feedback scores provided in relation to those reviews.

We use your personal data for the purposes of enabling you to carry out your role as a Peer Reviewer, including:

  • ensuring that our contractual arrangements are fulfilled
  • communicating with you in respect of your role and availability and liaising with you in relation to reviews
  • providing ratings of reviews you have carried out and sharing these with you
  • sending newsletters and other updates

What is our lawful basis for processing your personal data?

Under data protection law, we are required to ensure that we have a lawful basis for processing your personal data. Article 6 of the UK GDPR allows us to process personal data where it is necessary to perform a public task or for official functions, and the task or function has a clear basis in law. As a public body that is required by law to carry out certain tasks, including those described above, we rely on this basis where we use your data in order to enable us to carry out those tasks. 

We may also process your personal data where it is necessary for us to comply with a legal obligation (not including contractual obligations).

In relation to special category data, Article 9 of the UK GDPR allows us to process special category data where it is necessary for reasons of substantial public interest (to promote equality of opportunity or treatment). We rely on this basis to process your special category data for equality, diversity and inclusion monitoring.

We may also request your explicit consent to process your special category data for other purposes.

We may also process your personal data where it is necessary for us to comply with a legal obligation (not including contractual obligations).  

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may, if necessary, process your personal data without your knowledge or consent, in compliance with this notice, where this is required or permitted by law.  

Disclosure of personal data to third parties

We may in some circumstances have to share your data with third parties, including service providers, suppliers and other civil service bodies.

We will only share your data with third parties where we have a lawful basis to do so. We require third parties to respect the security of your data and to treat it in accordance with the law.

We will not, without your consent, share your information with any third parties for the purposes of direct marketing.

Data storage

We store your data on secure servers in the UK.

Some information is also stored on our behalf on secure servers outside the UK:

  • your name, contact details and curriculum vitae are stored on Airtable. You can learn more about how Airtable protects your personal data by reading the Airtable Privacy Policy
  • we store information, including your name, contact details and curriculum vitae, on Microsoft systems such as SharePoint and Teams. You can learn more about how Microsoft protects your personal data by reading Microsoft Privacy Statement and MS Teams Privacy Information
  • we use Microsoft Dynamics CRM for the collection and management of customer and stakeholder data, and to support our engagement activities with you
  • we use Cognito in relation to the collection of information for public surveys, you can learn more about how Cognito protects your information in the Cognito Privacy Policy
  • the IfATE newsletter - we use MailChimp to manage the mailing list for our external newsletter. You can learn more about how Mailchimp protects subscribers’ information in the Mailchimp Privacy Policy

Data retention 

We only keep your personal data for as long as is necessary. After this point, we will delete or securely dispose of the data.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you. 

Ensuring your personal data is accurate and current

It is important that the information we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.

Your data protection rights

Your right of access - you have the right to ask us for copies of your personal data (known as ‘making a data subject access request’).   

Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.   

Your right to request restriction of processing - you have the right to ask us to restrict the processing of your data in certain circumstances.   

Your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances.  

Your right to erasure – you have the right to ask us to erase your personal data in certain circumstances.  

Your right to request the transfer of personal data – you have the right to ask that we transfer the data you gave us to another organisation, or to you, in certain circumstances.  

You are not required to pay any charge for exercising your rights. If you make a subject access request, we have one month to respond to you. 

Please contact us at Institute.DPO@education.gov.uk if you wish to make a request or object to the processing of your personal data.

How to contact us

Our Data Protection Officer is responsible for ensuring compliance across our data processing activities. For any questions, concerns or complaints about how we process your personal data you can contact our Data Protection Officer:

Simon Love – Institute.DPO@education.gov.uk

You can also write to us: 

IfATE
Sanctuary Buildings
20 Great Smith Street
London SW1P 3BT

How to contact the Information Commissioner’s Office 

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have processed your personal data.  

The ICO’s address: 

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline number: 0303 123 1113  

ICO website: www.ico.org.uk

Changes to this privacy notice    

This privacy notice was last updated on 1 May 2024. We reserve the right to update this privacy notice at any time, with changes published on our website, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data. 

 

5. Privacy Notice for Post 16 Qualifications

About this notice 

The Institute for Apprenticeships and Technical Education (IfATE) is committed to protecting the privacy and security of your personal data.

In carrying out our work we collect and use (or ‘process’) personal data. This means that we are a ‘data controller’ under the UK General Data Protection Regulation and the Data Protection Act 2018 (‘data protection law’).

As a data controller, we are required to inform you of our privacy rules and your rights pertaining to your personal data. This privacy notice describes how we process your personal data in accordance with data protection law.  

Who does this notice apply to?

We have a number of statutory functions conferred on us by the Apprenticeships, Skills Children and Learning Act 2009, including responsibility for approving new and revised technical qualifications at level 2 and 3. To effectively discharge those functions, we engage with awarding organisations and other stakeholders, which requires us to process personal data.

Links to other websites 

Our website contains links to other websites. This privacy notice does not apply to those websites. If you go to another website from our website, you should read the privacy notice on that website to find out how your information is used. 

If you come to our website from another website, we may receive information from the other website. We don’t use this data. You should read the privacy notice of the website you came from to find out more about this. 

What personal data do we hold?

We may collect, store and use the following categories of your personal data: 

  • name of the primary contact
  • telephone number
  • email address
  • personal data contained in communications between you and IfATE

Why and how do we collect and use your personal data?

Most of the personal information we process is provided to us directly by you or your awarding organisation/body through the online form for one of the following reasons:

  • maintaining contact with the applicant throughout the approvals process
  • maintaining contact with the applicant post approval (for example, where we need to contact the applicant in relation to changes to standards or qualifications)

We use the information that you or your awarding organisation/body have given us in order to:

  • call or email the primary contact to address questions/queries related to the registration of interest and/or submission for Post 16 Qualification approval
  • call or email the primary contact to provide additional information on the registration of interest and/or submission for Post 16 Qualification approval
  • call or email the primary contact post review for the purposes of feedback on the submission for Post 16 Qualification approval
  • call or email the primary contact for the purposes of renewal of the approved status for Post 16 Qualifications

What is our lawful basis for processing your personal data?

Under data protection law, we are required to ensure that we have a lawful basis for processing your personal data. Article 6 of the UK GDPR allows us to process personal data where it is necessary to perform a public task or for official functions and the task or function has a clear basis in law, or where it is needed for the performance of a contract. As a public body that is required by law to carry out certain tasks, including those described above, we rely on this basis where we use your data in order to enable us to carry out those tasks. 

We may sometimes ask for your permission or consent to process your data. We rely on this basis where, for example, you have consented to us using photographs, video or audio recordings. Consent must be freely given in order to be valid and may be withdrawn at any time by contacting Institute.DPO@education.gov.uk.

We may also process your personal data where it is necessary for us to comply with a legal obligation (not including contractual obligations).

Change of purpose 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so. 

Please note that we may, if necessary, process your personal data without your knowledge or consent, in compliance with this notice, where this is required or permitted by law.  

Disclosure of personal data to third parties 

We may in some circumstances have to share your data with third parties, including service providers, suppliers and other civil service bodies. 

We may share information with the Department for Education, Ofqual, and the Office for Students for the purpose of evaluation of the programme and/or evaluation of the submitted qualifications. They may wish to contact you during the approvals process. Each of these public bodies has a power to share information with the other public bodies for the purpose of their statutory functions. We will ensure that any personal data disclosed is only disclosed for the purpose of these functions.

We will not, without your consent, share your information with any third parties for the purposes of direct marketing. 

Data storage 

We store your data on secure servers in the UK. 

Some information may also be stored on our behalf on secure servers outside the UK. This includes data held on our behalf for the purpose of:

  • the IfATE newsletter - we use MailChimp to manage the mailing list for our external newsletter. You can learn more about how Mailchimp protects your information in the Mailchimp Privacy Policy
  • Apprenticeship Builder - we use Cognito Forms to provide some templates for our users to draft and submit apprenticeship standards to IfATE or to collect information as part of our consultations. You can learn more about how Cognito protects your information in the Cognito Privacy Policy
  • other forms - we also use Microsoft Forms for other temporary data collection activity such as for 'expressions of interest' and public consultation responses
  • we use Microsoft Dynamics CRM for the collection and management of customer and stakeholder data, and to support our engagement activities with you
  • managing meetings – we use OnBoard to manage our meetings with external stakeholders such as route panel members. Learn more by reading OnBoard’s Privacy Policy 

Data retention 

We keep the name, email address and telephone number information for the applicant’s primary contact for seven years from the date of registration/application. We will then review our need to retain this information, where we dispose of this information, we will do so securely by deleting all electronic copies of the data.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you. 

Ensuring your personal data is accurate and current 

It is important that the information we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.  

Your data protection rights

Your right of access - you have the right to ask us for copies of your personal data (known as ‘making a data subject access request’).   

Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to restriction of processing - you have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances.

Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.

Your right to request the transfer of personal data - you have the right to ask that we transfer the data you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a subject access request, we have one month to respond to you. 

Please contact us at Institute.DPO@education.gov.uk if you wish to make a request or object to the processing of your personal data.

How to contact us

Our Data Protection Officer is responsible for ensuring compliance across our data processing activities. For any questions, concerns or complaints about how we process your personal data you can contact our Data Protection Officer:

Simon Love - Institute.DPO@education.gov.uk

You can also write to us:

IfATE
Sanctuary Buildings
20 Great Smith Street
London SW1P 3BT

For enquiries regarding Post 16 please contact us at:

Email: Ifate.POST16@education.gov.uk

How to contact the Information Commissioner’s Office 

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have processed your personal data.  

The ICO’s address: 

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline number: 0303 123 1113  

ICO website: www.ico.org.uk

Changes to this privacy notice    

This privacy notice was last updated on 1 May 2024. We reserve the right to update this privacy notice at any time, with changes published on our website, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data. 

 

6. Privacy Notice for Route Panel Members

About this notice 

The Institute for Apprenticeships and Technical Education (IfATE) is committed to protecting the privacy and security of your personal data. 

In carrying out our work we collect and use (or ‘process’) personal data. This means that we are a ‘data controller’ under the UK General Data Protection Regulation and the Data Protection Act 2018 (‘data protection law’).

As a data controller, we are required to inform you of our privacy rules and your rights pertaining to your personal data. This privacy notice describes how we process your personal data in accordance with data protection law.

Who does this notice apply to?

We have a number of statutory functions conferred on us by the Apprenticeships, Skills Children and Learning Act 2009 and Route Panel members play a crucial role in our work. As leaders and sector experts, Route Panel members help to guide the current and long-term direction of their route, allowing us to ensure that education and training within our remit is appropriate for those who undertake it.

In order that you can carry out your role as a member of a Route Panel, IfATE will collect, store and use (or ‘process’) your personal data.

Links to other websites 

Our website contains links to other websites. This privacy notice does not apply to those websites. If you go to another website from our website, you should read the privacy notice on that website to find out how your information is used.

If you come to our website from another website, we may receive information from the other website. We don’t use this data. You should read the privacy notice of the website you came from to find out more about this. 

What personal data do we hold?

We may collect, store and use the following categories of your personal data:

  • name
  • contact details
  • photograph
  • audio/video recordings of meetings you attend
  • job history
  • gender
  • personal data contained in communications between you and IfATE

Why and how do we collect and use your personal data? 

Most of the personal data we collect is provided to us directly by you, for example, within the following:

  • statistical disclosure form
  • declaration of interest form
  • diversity monitoring form
  • our contract with you

We may also collect your personal data from your communications and interactions with us, including by email or other correspondence and during meetings. Where meetings are held online (e.g. Teams) these may be recorded and stored within IfATE’s OneDrive and SharePoint systems. Where it is intended for a meeting to be recorded, you will be given advance notice of this.

We use your personal data for the purposes of enabling us to discharge our statutory functions, including collecting your views and expertise. As part of this, we may use your personal data to: 

  • approve your membership of the Route Panel, and any renewal of membership  
  • communicate with you in respect of your role and availability
  • create your access to OnBoard (through inputting your personal data). More information can be found on OnBoard further down this notice, including access to OnBoard’s privacy policy
  • communicate with you in respect of consultations or surveys and analyse your responses in relation to the route you sit in
  • send relevant newsletters and other updates or communications 

We may also contact you for other purposes in connection with our work such as where we conduct surveys to assess stakeholder satisfaction or to invite you to events or consult with you.

What is our lawful basis for processing your personal data?

Under data protection law, we are required to ensure that we have a lawful basis for processing your personal data. Article 6 of the UK GDPR allows us to process personal data where it is necessary to perform a public task or for official functions, and the task or function has a clear basis in law. As a public body that is required by law to carry out certain tasks, we rely on this basis for processing your personal data for the purposes described above.

We may sometimes ask for your permission or consent to process your data. We rely on this basis where, for example, you have consented to us using photographs, video or audio recordings. Consent must be freely given in order to be valid and may be withdrawn at any time by contacting Institute.DPO@education.gov.uk.

We may also process your personal data where it is necessary for us to comply with a legal obligation (not including contractual obligations).

Change of purpose 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may, if necessary, process your personal data without your knowledge or consent, in compliance with this notice, where this is required or permitted by law.

Disclosure of personal data to third parties 

We may in some circumstances have to share your personal data with third parties, including service providers, suppliers and other civil service bodies.

We will only share your data with third parties where we have a lawful basis to do so. We require third parties to respect the security of your data and to treat it in accordance with the law.

We will not, without your consent, share your information with any third parties for the purpose of direct marketing.

Data storage 

We store your data on secure servers in the UK.

Some information may also be stored on our behalf on secure servers outside the UK. This includes data held on our behalf for the purpose of:

  • the IfATE newsletter - we use MailChimp to manage the mailing list for our external newsletter. You can learn more about how Mailchimp protects your information in the Mailchimp Privacy Policy
  • Apprenticeship Builder - we use Cognito Forms to provide some templates for our users to draft and submit apprenticeship standards to IfATE or to collect information as part of our consultations. You can learn more about how Cognito protects your information in the Cognito Privacy Policy
  • we store information on Microsoft systems such as SharePoint and Teams. You can learn more about how Microsoft protects your personal data by reading Microsoft Privacy Statement and MS Teams Privacy Information
  • other forms - we also use Microsoft Forms for other temporary data collection activity such as for 'expressions of interest' and public consultation responses
  • we use Microsoft Dynamics CRM for the collection and management of customer and stakeholder data, and to support our engagement activities with you
  • managing meetings – we use OnBoard to manage our meetings with external stakeholders such as route panel members. Learn more by reading OnBoard Privacy Policy

Data retention 

We only keep your personal data for as long as is necessary. After this point, we will delete or securely dispose of the data. The data is retained for the duration of the panel membership. When a member of the panel leaves the panel, we will retain their data for a period of 12 months, before removing it.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use of disclosure of your personal data, the purpose for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you.

Ensuring your personal data is accurate and current 

It is important that the information we hold about you is accurate and current. Please inform your Route Manager if your personal data changes during your working relationship with us.

Your data protection rights 

Your right of access - you have the right to ask us for copies of your personal data (known as ‘making a data subject access request’).

Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to request restriction of processing - you have the right to ask us to restrict the processing of your data in certain circumstances.

Your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances.

Your right to erasure – you have the right to ask us to erase your personal data in certain circumstances.

Your right to request the transfer of personal data – you have the right to ask that we transfer the data you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a subject access request, we have one month to respond to you. 

Please contact us at Institute.DPO@education.gov.uk if you wish to make a request or object to the processing of your personal data.

How to contact us 

Our Data Protection Officer is responsible for ensuring compliance across our data processing activities. For any questions, concerns or complaints about how we process your personal data you can contact our Data Protection Officer:

Simon Love – Institute.DPO@education.gov.uk 

You can also write to us: 

IfATE
Sanctuary Buildings
20 Great Smith Street
London SW1P 3BT

How to contact the Information Commissioner’s Office 

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have processed your personal data.  

The ICO’s address: 

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline number: 0303 123 1113  

ICO website: www.ico.org.uk

Changes to this privacy notice    

This privacy notice was last updated on 1 May 2024. We reserve the right to update this privacy notice at any time, with changes published on our website, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data. 

 

7. Privacy Notice for Trailblazer Groups

About this notice

The Institute for Apprenticeships and Technical Education (IfATE) is committed to protecting the privacy and security of your personal data.

In carrying out our work we collect and use (or ‘process’) personal data. This means that we are a ‘data controller’ under the UK General Data Protection Regulation and the Data Protection Act 2018 (‘data protection law’).

As a data controller, we are required to inform you of our privacy rules and your rights pertaining to your personal data. This privacy notice describes how we process your personal data in accordance with data protection law.  

Who does this notice apply to?

The Apprenticeships, Skills, Children and Learning Act 2009 requires occupational standards and end-point assessment (EPA) plans to be developed by groups of persons (Trailblazers) approved by IfATE. The Trailblazer group must be a group of employers recognised by IfATE and reflective of those who employ people in the occupation, including small employers. Members of Trailblazer groups can also assist IfATE with other work including in relation to route reviews, the promotion of occupational standards and their linked apprenticeships and technical qualifications and the monitoring of their performance.

In order that you can carry out your role as a member of a Trailblazer group, IfATE will collect, store and use (or ‘process’) personal data about you.

Links to other websites

Our website contains links to other websites. This privacy notice does not apply to those websites. If you go to another website from our website, you should read the privacy notice on that website to find out how your information is used. 

If you come to our website from another website, we may receive information from the other website. We don’t use this data. You should read the privacy notice of the website you came from to find out more about this. 

What personal data do we hold?  

We may collect, store and use the following categories of your personal data: 

  • name
  • contact details 
  • job title and employer
  • job description 
  • audio/video recordings of meetings you attend
  • personal data contained in communications between you and IfATE

Why and how do we collect and use your personal data? 

Most of the personal data we collect is provided to us directly by you, for example, within the following: 

  • recruitment documentation
  • statistical disclosure form
  • diversity monitoring form
  • declaration of interest form
  • our agreement with you

We may also collect your personal data from your communications and interactions with us, including by email or other correspondence and during meetings. Where meetings are held online (e.g. Teams) these may be recorded and stored within IfATE’s OneDrive and SharePoint systems.  

We use your personal data for the purposes of enabling us to discharge our statutory functions. This includes in relation to the approval of groups of persons (Trailblazers) to prepare occupational standards and EPA plans, and the approval of those occupational standards and EPA plans. As part of this, we may use your personal data to: 

  • approve your membership of the Trailblazer group  
  • communicate with you in respect of your role and availability
  • liaise with you in respect of your role including in relation to route reviews, the preparation of occupational standards and/or EPA plans and related matters
  • communicate with you in respect of relevant consultations or surveys and analyse your responses
  • send relevant newsletters and other updates or communications regarding IfATE and any of its activities

We may also contact you for other purposes in connection with our work such as where we conduct surveys to assess stakeholder satisfaction or to invite you to events or consult with you.

What is our lawful basis for processing your personal data?

Under data protection law, we are required to ensure that we have a lawful basis for processing your personal data. Article 6 of the UK GDPR allows us to process personal data where it is necessary to perform a public task or for official functions, and the task or function has a clear basis in law. As a public body that is required by law to carry out certain tasks, including those described above, we rely on this basis where we use your data in order to enable us to carry out those tasks. 

We may sometimes ask for your permission or consent to process your data. We rely on this basis where, for example, you have consented to us using photographs, video or audio recordings. Consent must be freely given in order to be valid and may be withdrawn at any time by contacting Institute.DPO@education.gov.uk.

We may also process your personal data where it is necessary for us to comply with a legal obligation (not including contractual obligations).  

Change of purpose 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated or new purpose, we will notify you and we will explain the legal basis which allows us to do so. 

Please note that we may, if necessary, process your personal data without your knowledge or consent, in compliance with this notice, where this is required or permitted by law.  

Disclosure of personal data to third parties 

We may in some circumstances have to share your data with third parties, including service providers, suppliers and other civil service bodies. 

We will only share your data with third parties where we have a lawful basis to do so. We require third parties to respect the security of your data and to treat it in accordance with the law. 

We will not, without your consent, share your information with any third parties for the purposes of direct marketing. 

Data storage 

We store your data on secure servers in the UK. 

Some information may also be stored on our behalf on secure servers outside the UK. This includes data held on our behalf for the purpose of:

  • the IfATE newsletter - we use MailChimp to manage the mailing list for our external newsletter. You can learn more about how Mailchimp protects your information in the Mailchimp Privacy Policy
  • Apprenticeship Builder - we use Cognito Forms to provide some templates for our users to draft and submit apprenticeship standards to IfATE or to collect information as part of our consultations. You can learn more about how Cognito protects your information in the Cognito Privacy Policy
  • we store information on Microsoft systems such as SharePoint and Teams. You can learn more about how Microsoft protects your personal data by reading Microsoft Privacy Statement and MS Teams Privacy Information
  • other forms - we also use Microsoft Forms for other temporary data collection activity such as for 'expressions of interest' and public consultation responses
  • we use Microsoft Dynamics CRM for the collection and management of customer and stakeholder data, and to support our engagement activities with you
  • managing meetings – we use OnBoard to manage our meetings with external stakeholders such as route panel members. Learn more by reading OnBoard Privacy Policy 

Data retention 

We only keep your personal data for as long as is necessary. After this point, we will delete or securely dispose of the personal data. 

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you. 

Ensuring your personal data is accurate and current 

It is important that the information we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.  

Your data protection rights 

Your right of access - you have the right to ask us for copies of your personal data (known as ‘making a data subject access request’).   

Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.   

Your right to request restriction of processing - you have the right to ask us to restrict the processing of your data in certain circumstances.   

Your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances.  

Your right to erasure – you have the right to ask us to erase your personal data in certain circumstances.  

Your right to request the transfer of personal data – you have the right to ask that we transfer the data you gave us to another organisation, or to you, in certain circumstances.  

You are not required to pay any charge for exercising your rights. If you make a subject access request, we have one month to respond to you. 

Please contact us at Institute.DPO@education.gov.uk if you wish to make a request or object to the processing of your personal data.

How to contact us 

Our Data Protection Officer is responsible for ensuring compliance across our data processing activities. For any questions, concerns or complaints about how we process your personal data you can contact our Data Protection Officer:  

Simon Love – Institute.DPO@education.gov.uk 

You can also write to us: 

IfATE
Sanctuary Buildings
20 Great Smith Street
London SW1P 3BT

How to contact the Information Commissioner’s Office 

You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we have processed your personal data.  

The ICO’s address: 

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire SK9 5AF

Helpline number: 0303 123 1113  

ICO website: www.ico.org.uk

Changes to this privacy notice    

This privacy notice was last updated on 1 May 2024. We reserve the right to update this privacy notice at any time, with changes published on our website, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data. 

 

8. Data Protection Policy

Purpose and application

  1. The purpose of this document is to outline:
  • how IfATE will ensure compliance with the UK GDPR and Data Protection Act 2018
  • explain the roles and responsibilities relevant to internal compliance
  • how compliance with this policy will be monitored
  1. All IfATE staff, contractors, agents, consultants and any other parties who may have access to any personal data held on or behalf of IfATE are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against the unlawful or unauthorised processing of personal data, accidental loss or damage to personal data.   
  2. All personal data shall be handled and dealt with appropriately, however it is collected, recorded, and used, and whether it is on paper, in electronic records or recorded in other formats, on other media, or by any other means. It includes information held on computers (including email), paper files, photographs, audio and video recordings and CCTV images.

 

Introduction

  1. This policy provides a framework for ensuring that IfATE meets its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
  2. IfATE complies with data protection legislation guided by the six data protection principles found in Article 5 of the UK GDPR. In summary, they require that personal data is:
  • processed fairly, lawfully and in a transparent manner
  • used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes
  • adequate, relevant, and limited to what is necessary
  • accurate and, where necessary, up to date
  • not kept for longer than necessary; and
  • kept safe and secure
  1. In addition, the accountability principle requires us to be able to evidence our compliance with the above six principles and make sure that we do not put individuals at risk because of processing their personal data. To meet our obligations, we put in place appropriate and effective measures to make sure we comply with data protection law.
  2. Our staff have access to policies, operational procedures and guidance to give them appropriate direction on the application of data protection legislation and ICO requirements.

 

Information captured by data protection legislation

  1. Data protection legislation is concerned with the processing of ‘personal data.’
  2. The UK GDPR definition of "personal data" includes any information relating to an identified or identifiable natural living person. Pseudonymised personal data is covered by the legislation, however anonymised data is not regulated by the UK GDPR or DPA 2018, providing the anonymisation has not been done in a reversible way.

 

Personal data processed by IfATE

  1. IfATE collects personal data from a variety of sources such as:
  • personal data given to us directly when you contact us
  • personal data we receive while carrying out our activities, and
  • personal data provided to us as part of recruitment for volunteering, (e.g. route panel membership) and employment opportunities
  1. Some personal data is more sensitive and is afforded more protection, this is known as ‘special category data’ and is information related to:
  • race or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data and/or biometric ID data
  • health data, and
  • sexual life and/or sexual orientation
  1. This policy also applies to criminal offence data, to the limited extent such data is processed by IfATE.
  2. IfATE will provide training for staff to enable them to identify personal data, special category data or criminal offence data that they may be involved in processing, to ensure that it is handled in compliance with legal requirements and processing does not breach the rights of the individuals to whom it relates.
  3. More information about the legal basis and safeguards that IfATE has put in place for sensitive processing, the processing of special categories of personal data and criminal convictions data can be found in the IfATE Appropriate policy for processing sensitive personal information.

 

Data subject rights 

  1. Individuals have rights in relation to the way we handle their personal data. These include: 
  • right to be informed about the collection and use of personal data
  • right of access and receive a copy of written or recorded (audio and video) personal data, and other supplementary information
  • right to rectification to have inaccurate personal data rectified, or completed if it is incomplete
  • right to erasure of personal information in certain circumstances
  • right to restrict processing of personal data in certain circumstances
  • right to data portability in certain circumstances
  • right to object to processing of personal data in certain circumstances
  • rights related to automated decision-making including profiling. Individuals have the right not to be subject to a decision based solely on automated processing, including profiling 
  • right to complain


Our commitment

  1. IfATE is committed to transparent, lawful, fair and proportionate processing of personal data. This includes all personal data we process about staff and those who work or interact with us.
  2. We publish and maintain privacy notices on our website. We track and make available any changes in our privacy notices. We also publish and maintain a staff privacy notice.
  3. All staff are required to complete data protection training as part of their induction and are required to complete annual mandatory refresher training on data protection and security.
  4. Additionally, we have the following processes, procedures and frameworks in place to ensure compliance with our obligations regarding data protection:
  • we produce policies and guidance on information management and compliance that we communicate to staff through our intranet
  • colleagues in our commercial and legal divisions oversee that our contracts comply with UK GDPR
  • we have a dedicated team and clear processes to handle subject access requests (SAR) and other information rights requests
  • we record and monitor our processing activities through Records of Processing Activities (ROPAs)
  • we take personal data breach incidents seriously. We have bespoke guidance and clear handling processes and, reporting mechanisms that are communicated to all staff. We assess whether we need to report breaches to the ICO as the Regulator. We take appropriate action to make data subjects aware, if needed

 

Roles and responsibilities

  1. We have a data protection champion network that ensures any risk to personal data across IfATE is identified and appropriately managed.
  2. IfATE’s Senior Information Risk Owner is responsible for making information governance decisions regarding data protection compliance.
  3. Specific roles are assigned throughout IfATE to manage the personal data we process and the associated risks in terms of responsibilities, decision making and monitoring compliance:
  • Data Protection Officer (DPO). IfATE’s Data Protection Officer (DPO) is primarily responsible for advising on and assessing our compliance with the DPA and UK GDPR and making recommendations to improve compliance. IfATE’s DPO is Simon Love. He can be contacted at institute.dpo@education.gov.uk
  • Senior Information Risk Owner (SIRO). The SIRO owns the overall risk arising from the processing personal data by IfATE. Our SIRO is IfATE’s Chief Operating Officer
  • Information Asset Owners (IAOs). IAOs have local responsibility for data protection compliance in their area/directorate
  • Data protection champions (DPC). DPCs advise their divisions on information management and carry out specified information management tasks
  1. Several teams across IfATE are responsible for issuing, reviewing and communicating corporate information management policies and procedures. The teams also advise on compliance with data protection and implement IT solutions to ensure we take a privacy by design approach.

 

Monitoring

  1. Compliance with this policy will be monitored via the DPO, reporting to the Senior Information Risk Officer and IfATE’s Audit and Risk Assurance Committee.

 

Further information

  1. Further information regarding our policies and contact details can be found here.


Data Protection Policy: Version 0.3 
 

 

9. Appropriate policy for processing sensitive personal information

Description of data processed

  1. This document provides information about the legal basis and safeguards that the Institute for Apprenticeships and Technical Education (IfATE) has put in place for the sensitive processing of special categories of personal data and criminal convictions data.
  2. The Data Protection Act 2018 (DPA 2018) outlines the requirement for an appropriate policy document when processing special category data and criminal offence data under certain specified conditions.
  3. Almost all the substantial public interest conditions in Schedule 1 part 2 of the DPA 2018 require an appropriate policy document to be in place to demonstrate compliance with the requirements of Article 5 UK GDPR.
  4. As part of IfATE’s statutory and corporate functions, we process special category data and criminal offence data in accordance with the requirements of Article 9 and 10 of the UK GDPR and Schedule 1 of the DPA 2018. More information about our processing of this data can be found in our Data Protection Policy. In summary, we process the following categories of data about our employees, consultants, volunteers, prospective employees, prospective consultants and prospective volunteers, to fulfil our obligations as an organisation that engages the services of others. We also process this data, for reasons of substantial public interest, to perform our statutory regulatory role.
  5. Special category data is defined as data revealing or concerning:
  • physical or mental health details
  • racial or ethnic origin
  • religious or other beliefs
  • political opinions
  • sexual life, sexual orientation
  • trade union membership
  • biometric data (as part of our data security measures some of our employees are equipped with devices which use biometric scanners to identify registered users. IfATE does not otherwise process this category of data) genetic data
  1. Criminal offence data is defined as data revealing or concerning:
  • offences (including alleged offences)
  • criminal proceedings, outcomes and sentences (regulated qualifications, including allegations of fraud and malpractice; relevant criminal convictions related to staff)

 

Conditions for processing special category data and criminal offence data

  1. We process special categories of data under the following UK GDPR Articles:
  • Article 9(2)(b) – where processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law or in connection with employment, social security or social protection
  • Article 9(2)(g) – reasons of substantial public interest. In performing its statutory functions, IfATE processes personal data in this context for the purposes of substantial public interest and this processing is necessary for carrying out its role
  • Article 9(2)(j) – archiving, research and statistics. IfATE is permitted to carry out programmes of research and development connected with apprenticeships and technical education qualifications. Personal data is processed under this condition in accordance with Article 89(1) UK GDPR
  • Article 9(2)(f) – for the establishment, exercise or defence of legal claims
  • Article 9(2)(a) – explicit consent
  • Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or another natural person
  1. We process criminal offence data in accordance with Article 10 UK GDPR.

 

Schedule 1 condition for processing

  1. Schedule 1 of the DPA 2018 identifies that to rely on certain conditions for processing data, an appropriate policy document must be in place. We process personal data for the following purposes where the processing is necessary for:
  • the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection (Sch 1, Part 1, Paragraph 1)
  • reasons of substantial public interest (Sch 1, Part 2)
  • statutory or government purposes (Sch 1, Part 2, Paragraph 6)
  • the purposes of preventing and detecting unlawful acts (Sch 1, Part 2, Paragraph 10)
  • the purposes of protecting the public against dishonesty (Sch 1, Part 2, Paragraph 11)
  • the purposes of research and/or statistical purposes (carried out in accordance with Article 89(1) UK GDPR and is in the public interest) (Sch 1, Part 1, Paragraph 4)
  • the purposes of equality of opportunity or treatment in identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained (Sch 1, Part 2, Paragraph 8)
  • the processing consists of the disclosure of personal data to an elected representative or a person acting with the authority of such a representative, and in response to a communication to the controller from that representative or person which was made in response to a request from an individual (Sch 1, Part 2, Paragraph 24)
  • the processing is necessary for the purposes of obtaining legal advice, establishing, exercising or defending legal rights or in connection with, any legal proceedings (including prospective legal proceedings) (Sch 1, Part 3, Paragraph 33)

Procedures for ensuring compliance with the principles

Accountability principle

  • we maintain documentation for all our processing activities (ROPAs)
  • we adopt and implement data protection requirements and have written contracts in place with data processors IfATE engages with. We also implement information sharing agreements with other data controllers, where appropriate
  • we routinely carry out data protection impact assessments, when required
  • we implement appropriate security measures in relation to the personal data we process
  • we adopt a ‘data protection by design’ approach
  • we have appointed a data protection officer who reports to a senior management level.


Principle (a): lawfulness, fairness and transparency

  • we provide clear and transparent information about why we process personal data, including our lawful basis for processing, in our privacy notices and policy documents which we make publicly available (including this policy document)
  • our processing for purposes of substantial public interest is necessary for the exercise of a function conferred on IfATE by the legislation for which we act as a public authority; namely the Apprenticeships, Skills, Children and Learning Act 2009 (as amended)
  • our processing for the purposes of employment relates to our obligations as an employer. We also process special category personal data to comply with other obligations imposed on IfATE in its capacity as a public authority e.g. the Equality Act 2010

 

Principle (b): purpose limitation

  • we process personal data for purposes of substantial public interest when the processing is necessary for us to fulfil our statutory functions, to protect the public from dishonesty, or for disclosure to elected representatives
  • we are authorised by law to process personal data for these purposes. We may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, providing the processing is necessary and proportionate to that purpose
  • if we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose. We will not process personal data for purposes incompatible with the original purpose it was collected for

 

Principle (c): data minimisation

  • we collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate for our purposes. Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it in line with our retention schedule

 

Principle (d): accuracy

  • where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision

 

Principle (e): storage limitation

  • all special category data processed by us for the purpose of employment or substantial public interest will be, unless retained longer for archiving purposes, retained for the periods set out in our retention schedule We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs. Our retention schedule is reviewed regularly and updated when necessary

 

Principle (f): integrity and confidentiality (security)

  • electronic information is processed within our secure network. Hard copy information is processed in line with our security procedures. Our electronic systems and physical storage have appropriate access controls applied. The systems we use to process personal data allow us to erase or update personal data at any point in time where appropriate

 

Retention and erasure policies

Our retention and erasure practices will be set out in our retention schedules.

APD review date

The policy will be reviewed on an annual basis (or more regularly if circumstances require it) and updated as necessary at these reviews. This policy will be retained for as long as we process these categories of data, and for six months after processing ceases.


Appropriate policy for processing sensitive personal information: Version 0.2

 

Page last updated 12 July 2024
(JT, NS)