Back to policies
Download policy


The company holds and processes information about company employees, associates1, apprentices, and other data subjects for academic, administrative and commercial purposes.

This policy should be read in conjunction with the GDPR policy.

When handling such information, all company personnel must comply with the Data Protection Principles which are set out in the Data Protection Act 2018 (the Act). In summary, these state that personal data shall:

  • Be processed fairly and lawfully,
  • Be obtained for a specified and lawful purpose and shall not be handled in any manner incompatible with the purpose,
  • Be adequate, relevant and not excessive for the purpose
  • Be accurate and up-to-date,
  • Not be kept for longer than necessary for the use,
  • Be processed in accordance with the data subject’s rights,
  • Be kept safe from unauthorised processing, and accidental loss, damage or destruction,
  • Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances.

1Personnel includes PAL employees, associates and consultants


  • “Data controller” further information about the company data controller is available from the Data Protection Officer.  Note the ICO evaluation notes PAL does not require a Data Protection Officer based on its survey and the nature of PAL business
  • “Personnel”, “apprentices” and “other data subjects” may include past, present and potential members of those groups.
  • “Other data subjects” and “third parties” may include contractors, suppliers, contacts, referees, friends or family members.
  • “Processing” refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.

Notification of Data Held

The company will notify all personnel and candidates and other relevant data subjects of the types of data held and processed by the assessment company concerning them, and the reasons for which it is processed. When processing for a new or different purpose is introduced the individuals affected by that change will be informed, and the Data Protection Register entry will be amended.

Personnel Responsibilities

All personnel1 shall:

  • Ensure that all personal information which they provide to the company in connection with their employment is accurate and up-to-date;
  • Inform the company of any changes to information, for example, changes of address;
  • Check the information which the company will make available from time to time, in written or automated form, and inform the company of any errors or, where appropriate, follow procedures for up-dating entries on computer forms. The company will not be held responsible for errors of which it has not been informed.

When personnel hold or process information about apprentices, employers, training organisations, colleagues or other data subjects (for example, learners’ coursework, references, or details of personal circumstances), they should comply with the following:

Personnel shall ensure that:

  • All personal information is kept securely;
  • Personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter and may be considered gross misconduct in some cases.

PAL’s assessment and administration personnel will advise stakeholders, what information is being held; why it is being held and how the information will be used and will request consent for such data usage.

In the context of assessment, in line with the criterion of standards, which frequently require assessment around communication and data processing the synoptic assessment process will establish that apprentices know the correct regulations and apply these regarding the processing of personal information, and the need to secure consent.

Training Provider, Employer and Apprentices Responsibilities’ (clients/customers)

All Clients/customers shall:

  • Ensure that all personal information which they provide to the assessment company is accurate and up-to-date. Where the Apprentice, employer or training provider provide inaccurate data and as a result of this, there is a need to re-certificate, or a delay in claiming an apprenticeship certificate, and additional costs are incurred, or there is a delay in payment to the EPAO (PAL); PAL reserves the right to charge for any financial inconvenience
  • Inform the company of any changes to that information, for example, variations of address or name, via the online management information system, which apprentices and employers will have log-in access to;
  • Check the information which the company will make available for endpoint assessment and certification, in written or automated form, and inform the assessment company of any errors or, where appropriate, follow procedures for up-dating entries on computer forms. The assessment company will not be held responsible for errors of which it has not been informed.

1Personnel includes PAL employees associates and consultants

Rights to Access Information

Personnel, Apprentices, employers and training providers and other data subjects have the right to access any personal data that is being kept about them either on a computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the appropriate designated data controller, the Business Development Director.

The assessment company aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 40 days unless there is a good reason for the delay. In such cases, the reason for the delay will be explained in writing by the designated data controller to the data subject making the request.

Subject Consent

In some cases, such as the handling of sensitive information or the processing of research data, the assessment company is entitled to process personal data only with the consent of the named individual.  Agreement to the company handling some specified classes of personal data is a condition of acceptance of an apprentice, employer and training organisation enrolling for endpoint assessment and a condition of employment for personnel.

The assessment company may process sensitive information1 about a person’s health, disabilities, criminal convictions, race or ethnic origin in pursuit of the legitimate interests of the assessment company to do so. For example, where assessment activities are undertaken with candidates under the age of 18  in contact with children, including young people and people who could be considered at risk,  the company has a duty under the Children Act 1989; Safeguarding Vulnerable Groups Act (2006);  Protection of Freedom Act (2012);  and other enactments to ensure that personnel are suitable for the job, and apprentices are fit and ready for assessment. Additionally, all stakeholders are treated with professional courtesy and respect, and the company demonstrates concern for all stakeholders’ well-being.

The company may also require such information from company personnel for the administration of the sick pay policy, the absence policy or the equal opportunities policy, or for course assessment.

The assessment company also asks for information from company personnel about particular health needs, such as allergies to specific forms of medication, or conditions such as asthma or diabetes. In some assessment scenarios, the company may need to request such information from Apprentices. The company will only use such information to protect the health and safety of the individual, for example, in the event of a medical emergency. The consent of the data subject will always be sought before the collection of any sensitive data as defined by the Act.

The Data Controller and the Designated Data Controllers

The data controller under the Act, the Business Development Director is ultimately responsible for implementation. Information and advice about the holding and processing of personal information is available from the Data Protection Officer

Assessment Marks

Apprentices and employers shall be entitled to information about their grades for assessments and endpoint assessment feedback and reports; with the sponsoring employer receiving the feedback in the first instance. Grades and outcomes of assessments will be shared with the relevant training organisations unless the employer or apprentice provides a legitimate reason for withholding such information The Company may withhold awards, certificates, accreditation or references if monies are due.

1PAL in the majority of cases should neither have to acquire or process sensitive data for apprentices.

Retention of Data

The assessment company will keep different types of information for differing lengths of time, depending on legal, academic and operational requirements. The ESFA and relevant training organisations may use Apprentices’ information as part of their ESFA Funding claim. For the 2014 to 2020 programmes to include apprenticeship programmes, all apprentice data and documents must be retained at least until 31 December 2029.

Regarding retention of assessment evidence that the apprentice has developed and presented and is located on an employer or training provider portal, PAL will advise parties of the need to retain such data /information for a period of six years. PAL will not retain or copy such documents and for the purpose of audit and EQA, reference to such evidence will be clear in assessment records.


Compliance with the Act is the responsibility of all apprentices, employers and training organisations and PAL company personnel and associates. Any deliberate or reckless breach of this Policy by PAL personnel or associates may lead to a disciplinary hearing, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the senior management team.

Any individual, who considers that the policy has not been followed in respect of personal data about him or herself, should raise the matter with their line manager initially. If the issue is not resolved either the grievance or whistleblowing policies should be referred to in the case of assessment company personnel; and the complaints policy and procedure in the case of apprentices; employers and training organisations.