GDPR Policy

TNB GDPR Privacy Notice Learners and Applicants V3 180518 JD

Privacy Notice – Learners and Applicants

May 2018


We, TNB Skills Training are a data controller for the purposes of the General Data Protection Regulation (GDPR). We collect information from you and may receive information about you from third parties.

The categories of applicant information that we collect, process, hold and share include:

  • personal information (such as name, date of birth, unique learner number and address)

  • special categories of data including characteristics information (such as age, ethnic group, language, nationality and country of birth)

  • personal learning record information from the Learner Records Service

  • education and employment history, if applicable

  • medical information (such as disabilities, allergies or illnesses)

  • emergency contact details

  • social needs, child in care details and support/key worker details (If applicable)

  • special educational needs information (such as care plans)

  • behavioural information (number of exclusions)

  • police record, conviction history, if applicable

Applicant information will be held electronically for a period of 12 months, unless an earlier request is received to erase the data. After 12 months all data held will be securely deleted from our CRM System.

The categories of learner information that we collect, process, hold and share include:

  • personal information (such as name, date of birth, unique learner number, address, NI number and parental custody orders if applicable)

  • special categories of data including characteristics information (such as age, ethnic group, language, nationality and country of birth)

  • education and employment history, if applicable

  • attendance information (such as sessions attended, number of absences and absence reasons)

  • assessment information (such as assessment results)

  • medical information (such as disabilities, allergies or illnesses)

  • emergency contact details

  • social needs, child in care details and support/key worker details (If applicable)

  • special educational needs information (such as care plans)

  • behavioural information (number of exclusions)

  • police record, conviction history, if applicable

  • personal learning record information from the Learner Records Service

  • bank account details to enable expenses payments to be made

Why we collect and use this information

We use the learner data:

  • to support learning

  • to monitor and report on learner progress

  • to provide appropriate pastoral care

  • to assess the quality of our services

  • to comply with the law regarding data sharing

  • to safeguard learners

TNB GDPR Privacy Notice Learners and Applicants V3 180518 JD

  • to maintain our own accounts and records

  • to support learner’s advice and career guidance

The lawful basis on which we process this information

We process this information under the following lawful basis:

  • Legal Obligation: the processing is necessary for us to comply with the law

o Safeguarding – Statutory requirement under Section 175 of the Education Act 2002 and Section 83 of the Children Act 1989.

o ESFA Funding Rules and Regulations to ensure learner eligibility for Government funding.

  • Consent: the data subject has given explicit consent to the processing of their personal data for one or more specific purposes:

o Photography and Images of learners – photographs of activities involving learners for displays, to be used

in our prospectus or other printed publications that we produce, as well as on our website and social media accounts. We may also make video or webcam recordings for marketing, monitoring or other educational use.

o Off-site education, employer visits and TNB representation at events – personal data, including medical information is processed for activities throughout the academic year.

o Applying for one our apprenticeship vacancies or courses via our recruitment sites, social media sites, career agencies, or outside referral or have signed up for our monthly newsletter via our website

  • Public interest: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

o Publication of qualification results.

Collecting learner information

Whilst the majority of information you provide to us is mandatory, some of it is provided to us on a voluntary basis. In order to comply with data protection legislation, we will inform you whether you are required to provide this data or if you have a choice in this. In particular, parents, guardians and learners do have the right to decline to provide information on learner nationality and country of birth.

Where consent is required, TNB will provide you with specific and explicit information with regards to the reasons the data is being collected and how the data will be used.

Storing and retention of learner data

Your data is processed exclusively within the European Economic Area (EEA). We hold personal data electronically on our CRM computer system, PipeDrive (details of the PipeDrive Privacy Notice can be found at

This information will be stored securely on servers within the EEA until the learner reaches the age of 25, in accordance with the Limitation Act 1980 (Section 2) or the age of 30, if the student was statemented or had an EHCP in order to protect against a “failure to provide a sufficient education” case. After this time the only information we hold is the learner’s name, date of birth, email address, dates of attendance, examination results, destination, admission number and unique learner number. This remaining data will be held for historical purposes and to enable ex-students to allow potential employers to check this information.

Data Security

Our PipeDrive data storage system uses generally accepted industry standards to protect the information submitted both during transmission and once they have received it. We maintain appropriate administrative, technical and physical safeguards to protect personal data against accidental or unlawful destruction, accidental loss, unauthorised alteration, unauthorised disclosure or access, misuse and any other unlawful form of processing.

TNB GDPR Privacy Notice Learners and Applicants V3 180518 JD

This includes firewalls, secure data transfer sites such as password protected cloud storage and transfer platforms using AEB 365 bit standard encryption and other access and authentication controls. PipeDrive uses SSL technology to encrypt data during transmission through public internet and employ application-layer security features to further anonymise personal data.

Who we share learner information with

We share learner information with:

  • Further Education/Higher Education Providers that the learner’s attend after leaving us

  • current, past or prospective employers and education providers

  • our local authority, Kent County Council (KCC) – (privacy policy

  • the Education & Skills Funding Agency (ESFA) and central government (

  • Funding/Lead Providers e.g. London College of Beauty Therapy (LCBT) and IPS International (Privacy policies and

  • Learner Records Service (Privacy notice can be found at

  • Offsite learning/initial assessment provider, For Skills (Privacy notice at

  • TNB staff and contractors

  • Awarding and examining bodies (Privacy notices and

  • PipeDrive, who maintain our CRM system (Privacy notice can be found at

  • Triggerbee, our processor/marketing company (

  • the NHS and healthcare professionals, if applicable

  • parents, guardians and legal representatives of the person whose personal data we are processing

  • third party professional services i.e. Social Services, Social Care Teams

  • law enforcement organisation and courts

  • business associates and other professional advisers (such as Work Experience providers, careers advisors and employers)

  • financial organisations

  • security organisations

  • press and the media (in line with the consent provided)

  • insurance companies


It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the GDPR.

Why we share learner information

We do not share information about our learners with anyone without consent unless the law and our policies allow us to do so.

Education & Skills Funding Agency (ESFA)

We share learners’ data with the ESFA and our Funding Lead Providers on a statutory basis. This data sharing underpins our funding and educational attainment policy and monitoring.

We are required to share information about our learners with the ESFA under regulation 5 of The Education (Information about Individual Learners) (England) Regulations 2013.

To find out more about the data collection requirements placed on us by the ESFA go to

TNB GDPR Privacy Notice Learners and Applicants V3 180518 JD

Youth support services

Learners aged 16+:

We will also share certain information about learners aged 16+ with our local authority (KCC) and / or provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.

This enables them to provide services as follows:

  • post-16 education and training providers

  • youth support services

  • careers advisers

KCC has a legal responsibility to track all young people up to the age of 19 (and young adults with learning difficulties or disabilities up to the age of 25). The purpose of collecting this information is to assist the planning of education and training for young people and the support services they require. KCC may inform us of your current activity once you have left TNB.

This is in relation to education, training, employment with training you may be undertaking and whether you are NEET (not in Education, Employment or Training). Some of this information is then shared with the Department for Education (DfE) who use the information to plan at a national level.

For more information about services for young people, please visit our local authority website

Learning Records Service

Learners aged 14+:

For learners enrolling for post 14 qualifications, the Learning Records Service will give us a learner’s unique learner number (ULN) and may also give us details about the learner’s previous learning or qualifications.

The National Learner Database (NPD)

The NPD is owned and managed by the DfE and contains information about learners in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

We are required by law, to provide information about our learners to the DfE as part of statutory data collections. Some of this information is then stored in the NPD. The law that allows this is the Education (Information About Individual Learners)

(England) Regulations 2013.

To find out more about the NPD, go to

The department may share information about our learners from the NPD with third parties who promote the education or wellbeing of children in England by:

  • conducting research or analysis

  • producing statistics

  • providing information, advice or guidance

The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  • who is requesting the data

  • the purpose for which it is required

TNB GDPR Privacy Notice Learners and Applicants V3 180518 JD

  • the level and sensitivity of data requested: and

  • the arrangements in place to store and handle the data

To be granted access to learner information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data.

For more information about the department’s data sharing process, please visit:

For information about which organisations the department has provided learner information, (and for which project), please visit the following website:

To contact DfE:

Requesting access to your personal data Under data protection legislation, parents and learners have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact our designated Date Protection Officer at

Subject Access Requests for information will be processed within 30 days and in most cases you will not be charged for us complying with your request. We can refuse or charge for requests that are manifestly unfounded or excessive. We can also

refuse requests if they encroach on someone else’s privacy. If we refuse a request, we will tell you why and give you details about your right to complain to the supervisory authority and to a judicial remedy.

If applicable Subject Access Requests will be referred to the relevant Lead provider within 48 working hours of receipt. The Lead provider will then process the request in its capacity as data processor for the ESFA.

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress

  • prevent processing for the purpose of direct marketing

  • object to decisions being taken by automated means

  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and

  • claim compensation for damages caused by a breach of the Data Protection regulations

  • object to your personal data being processed

  • request to request erasure from our records, but only to a certain extent where some of the data we hold is required to be retained for the purposes of complying with our legal obligations, Statutory Funding Rules, insurance purposes, HMRC requirements.

Where the processing of your data is based on your consent, you have the right to withdraw this consent at any time.

If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at

Personal Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

TNB GDPR Privacy Notice Learners and Applicants V3 180518 JD

Personal data breaches can include:

  • access by an unauthorised third party

  • deliberate or accidental action or inaction by a controller or processor

  • sending personal data to an incorrect recipient

  • computing devices containing personal data being lost or stolen

  • alteration of personal data without permission

  • loss of availability of personal data

If we recognise that a personal data breach has occurred we will instigate our response plan. Responsibility for managing and investigating breaches has been allocated to the company directors and staff are aware that they should escalate a security incident directly to the directors so they can determine whether a breach has occurred. All breaches will be recorded even if they do not need to be reported to the Supervisory Authority (ICO).

If a breach has occurred the directors will:

  • Notify the relevant Lead Funding Provider, if applicable, within 24 working hours of the breach being identified

  • Assess the likely risk to individuals as a result of the breach and inform you about the breach without undue delay when it is likely to result in a high risk to your rights and freedoms. This could be because we assess there is a high and immediate risk of the data breach resulting in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to you.

  • Notify the ICO without undue delay and no later than 72 hours after the breach has been identified if it is established that the likelihood and severity of the resulting risk to individual’s rights and freedoms is high

Further information

If you would like to discuss anything in this privacy notice, please contact:

Data Protection Officer

TNB Skills Training, 10 Guildhall Street, Folkestone, Kent, CT20 1DZ

01303 256305