Back to policies
Download policy


This Privacy Policy is for Professional Assessment Ltd. Our ICO registration number is ZA275792.

This Privacy Policy explains in detail how we collect personal data, the reasons for this collection, the legal basis for processing and how we handle and maintain the security of the personal data we process.

You should note that we may change this privacy policy without notice. Please check back frequently to see any updates or changes made to this statement.

What Information do we Process and Why?

We do not collect more information than we need to fulfil our stated purposes and will not retain it for longer than is necessary.

We hold personal data of four data subject categories. These include Apprentices, Employers, Suppliers and our Employees. This policy will focus on Apprentices and Employers only. Suppliers will receive the relevant information in the data processor agreements we hold with them, and our Employees have internal notification not appropriate to this document.

We may occasionally send relevant information in the form of newsletters, industry news, similar products and services, invitations to events and surveys in accordance with a data subject’s preferences on an opt-in basis within our Contact Preference Centre.


We process apprentice personal data to provide our assessment, compliance and consultancy services.

For end-point assessment, we require specific information for registration and certification with the relevant External Quality Assurance organisation and the ESFA.

For compliance audit, observation and consultancy work, service level agreements will specify the nature of any data we will require, collect and collate and store. Any data collected will be for the sole function of offering the contracted service.

For end-point assessment services, once an employer has enlisted Professional Assessment Ltd for end-point assessment, we will notify the ESFA, and we will require information of the apprentice and employer to facilitate assessment.

Required information for end-point assessment

To enrol and certificate the outcomes of end-point assessment, Professional Assessment requires the following:

  • Training Provider Details
  • Employer Details
  • Learner Details
  • Standard Details
  • Declaration

Training Provider details

Provider Name – The name of the main training provider. It can be selected from the drop-down menu.

UKPRN – The training provider UKPRN is automatically populated when you select their name.

Employer details

Employer Reference Number – The Employer Data Service (EDS) issues the ERN. The main provider will obtain this number.

Employer name, main contacts and address.   This information is used to schedule assessments and is also where the certificate will be posted to.

Apprentice Details

Registration Requires Professional Assessment to specify how the apprenticeship is funded.

Unique Learner (apprentice) Number – This is the apprentice’s ten-digit Unique Learner Number issued by the Learner Record Service. The main provider will generate this number and will share with the relevant End-point assessment organisation (EPAO).

First name and family name – This is the name that will appear on the certificate.  It should be the name the apprentice registered with the main training provider to take their apprenticeship recorded in the Individualised Learner Record (ILR).

Date of Birth The apprentice’ date of birth for identification purposes.

Sex – The gender of the apprentice, based on the options provided by the ESFA.

Standard details

Standard Code – The Standard Code listed on the Learning Aims Reference Service (LARS).

Apprenticeship Level – The level of the Standard as it appears on LARS.

Option – For some Standards, the learner can take different options. For example, the Standard for Hospitality Team Member has a range of routes and PAL will need to confirm which route the apprentice is assigned to.

Publication Date – The date the Apprenticeship Standard was published.

Overall Grade The overall grade awarded for the achievement of the Standard. For some Standards, there is no grade awarded.

Learning Start Date – The date on which the learning for the Standard began.

Achievement Date – This is the date you confirm the learner has passed the end-point assessment and achieved the Standard.

We will collect this data from the apprentice, employer and training provider as appropriate, and all of this data is required for certification purposes.

For audit and compliance and observation and consultancy work, the level of data required is influenced by the nature of the commissioned work and Professional Assessment Ltd, will consult with the client as to what information is needed, the purpose of that data and how the data will be used and stored.

How do we Collect your Personal Data?

Points of collection include:

  • Apprentices and Employers contacting us directly;
  • Our website(s) contact us form;
  • Various job vacancy and website enquiry forms;
  • Industry events we attend;
  • Our employees or designated agencies as part of our legitimate interests for business development and
  • Other training, assessment or funding organisations passing us Apprentice or Employer personal data upon request from an Employer or the ESFA.

Data Retention

Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was received.

We maintain a policy of retaining Employer and Apprentice personal data in accordance with the Education and Skills Funding Agency (ESFA) who is our governmental funding body. The ESFA ’s current retention period is seven years after the final use of personal data related to our services and products have been rendered. Thie period of seven years is stipulated by the ESFA, due to how EPAOs are funded and audted by government agencies and public bodies.

After seven years, your data will be anonymised so that it can be used in a non-identifiable way for statistical analysis and business planning.

Sharing of your Personal Data

We share personal data with trusted third parties categorised under five headings: Assessing, Consultancy, Funding, Certification and Internal Business Systems. The entries are designed to indicate the work function each third party is associated with:

  • Assessing for the provision of assessment materials, reports and assessment outcomes accessible to Apprentices, Training Organisations and Employers via our assessment scheduling plaform and email This includes sharing of data with other EPAOs, where we commission their services for the issuing of tests.
  • Consultancy for the provision of training, observation or audit and compliance services
  • Funding for the governmental funding organisations we receive funding from directly or via employers and /or training organisations.
  • Apprentice certificate via the ESFA.
  • Internal Business Systems to store and facilitate all communication, training, reporting, and for the management and monitoring and the running of our business.

Without the use of these third-party services, we would not be able to operate in the way we do. The policy we apply to those organisations to keep your data safe and protect your privacy:

  • We provide only the information they need to perform their specific services.
  • They may only use your data for the exact purposes we specify in our data processor contract/agreement with them.
  • We work closely with them to ensure that your privacy is respected and protected at all times.
  • If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.

We may, from time to time, move supplier. If this happens, your personal data will, where relevant, be transferred to the new data processor in alignment with the policy mentioned above. If you require further specific information around our third parties data processors, please contact us using the information below, specifying the exact nature of the information you need:

  • email:
  • post: Data Protection Officer, Unit 20, Maisies Way, The Village, South Normanton, Derbyshire DE55 2DS

Data Security

We recognise the importance of data security and take a number of measures to ensure the security of personal data. These include training all staff on data protection and cyber security via an in-house set of training videos and tests conducted upon induction and annually.

Access to your personal data is password-protected, and only those with permission are granted access. Any misuse of personal data by our employees is considered a disciplinary offence and a full investigation is automatically initiated. All breaches are recorded in a breach log as required, and we regularly review how improvements can be made at every stage.

We conduct randomised checks on offices, employees and equipment as part of our ongoing and continual improvement of organisational and technical security measures.

How you can Access your Data

We try to be as open as we can be regarding giving people access to their personal information. Individuals can find out if we hold any personal data by making a ‘Subject Access Request’ (SAR). There is no charge for such a request, and we will respond within 30 days of a verified* request. If we do hold information about you, we will:

  • give you a description of it
  • tell you why we are keeping it
  • tell you who it could be disclosed to
  • let you have a copy of the information in an intelligible form

To make a SAR to us for any personal information we may hold you need to put the request in writing addressing it to either:

  • email: with the subject ‘SAR’
  • post: Business Development Director, Unit 20, Maisies Way, The Village, South Normanton, Derbyshire DE55 2DS1

To protect the confidentiality of your information, we will ask you to verify your identity before we proceed with any request you make under this Privacy Policy. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act. From the date, we receive this information we will respond within 30 days.

We will try to deal with your request informally if you agree this is the best way to proceed, for example by providing you with the specific information you need over the telephone or by email. If we do hold information about you, you can ask us to correct any mistakes by using the same email or postal address above.

If we choose not to action your request, we will explain to you the reasons for our refusal. If we feel your application isn’t covered under the definition of a SAR, we shall endeavour to assist you to the best of our ability.

1 Note we have checked with the ICO and we are not required to have a data officer, based on organisation size, we will review this status on a regular basis.

Further Data Subject Rights

In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.

Individuals whose personal data we hold, and process have the following rights:

  • If the personal data we hold about you is incorrect or incomplete, you can ask us to rectify or add to it (in the first instance we would ask a Learner to do this through their Trainer).
  • Where we are using consent as our legal basis for processing your personal data (e.g. electronic communications inclusive of newsletters, industry news, similar products & services, invitations to events and surveys) you have the right to object at any time. Send your request to
  • Where we are using your personal data because it is in our legitimate interests to do so, you can object to us using it this way.
  • In some circumstances, you can restrict our processing of your personal data, request a machine-readable copy of your personal data to transfer to another service provider and compel us to erase your personal data if there is no other legal basis for its retention.

Contacting the Regulator

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to complain with the Information Commissioner’s Office (ICO).  You can contact them by calling 0303 123 1113. Or go online to (opens in a new window; please note we can’t be responsible for the content of external websites).