Learner Privacy Notice

This Privacy Notice explains how Datalaw (“we”, “us”, “our”) collects, uses, stores and protects personal data relating to individuals undertaking training, courses, apprenticeships or assessments with us (“learners”). We are committed to protecting your privacy and handling your information lawfully, fairly and transparently.

Datalaw acts as a Data Controller for the personal data we collect directly from learners, and as a Data Processor when handling data on behalf of employers, training providers or government bodies (such as the ESFA).

1. Relevant Legislation

Your personal data is processed in accordance with the following UK laws:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
  • Freedom of Information Act 2000 (where applicable to public sector partners)
  • Apprenticeships, Skills, Children and Learning Act 2009 (for funded apprenticeship learners)
  • Education and Skills Funding Agency (ESFA) Funding Rules (where applicable)

2. Personal Data We Collect

We may collect and process the following categories of information:

A. Personal Identification Data

  • Full name
  • Date of birth
  • Contact details (email, phone number, address)
  • Unique learner number (ULN) or funding-related identifiers
  • Employer details (if learning is employer-sponsored)

B. Course, Training & Assessment Data

  • Training records and progress
  • Assessment results, exam submissions and certifications
  • Attendance and engagement data from learning platforms
  • Tutor feedback and portfolio evidence

C. Financial Information (if applicable)

  • Payment details for course fees (if applicable)
  • Records required for funded learning programmes

D. Special Category Data (only when necessary)

We only process this data with your explicit consent or where legally required: health or disability information for reasonable adjustments; and demographic information required for ESFA or statutory reporting.

3. How We Collect Your Data

We collect personal data through course registrations and account sign-ups; apprenticeship enrolment forms; communications with our staff or support team; learning management systems, online portals and interactive assessments; and employers or training providers who enrol learners on your behalf.

4. Why We Use Your Personal Data (Lawful Basis of Processing)

Under the UK GDPR, we rely on the following lawful bases:

A. Contractual Necessity – to provide and administer your training, including creating learner accounts, delivering training and assessments, issuing certificates, and communicating course updates and support.

B. Legal Obligation – for compliance with education sector requirements, ESFA funding rules, HMRC or financial reporting laws, and retention requirements for training and regulatory audits.

C. Legitimate Interests – to improve our training services and platforms, monitor usage for quality and development, and prevent misuse or unauthorised access.

D. Consent – for optional activities such as marketing communications and use of special category data for learning support. You may withdraw consent at any time.

5. How We Use Your Information

We may use your data to enrol you on courses and maintain training records; monitor progress and provide learning support; issue certificates and verify qualifications; share required information with awarding bodies, regulators or the ESFA; maintain secure learner accounts; and improve our products, services and digital platforms. We do not sell or share your information for unrelated marketing purposes.

6. Who We Share Your Data With

We may share information with Awarding organisations (e.g., to issue certificates); The Education and Skills Funding Agency (ESFA); Employers or training providers (where learning is funded or provided through them); Regulatory bodies such as Ofsted; IT and system providers who support our learning platforms; and Payment processors for course fee transactions. All third-party partners are bound by data protection agreements.

7. International Transfers

If we transfer data outside the UK, we ensure lawful safeguards such as UK Adequacy Regulations and Data Transfer Agreements / Standard Contractual Clauses (SCCs).

8. Data Retention

We retain learner data only for as long as necessary. Typical retention periods include training records: 6–7 years (legal and audit requirements); ESFA-funded learning records: per ESFA funding rules; financial records: 6 years (HMRC compliance); and special category data: retained only as long as necessary for accommodations or legal obligations. After the retention period, data is securely deleted or anonymised.

9. Your Rights (UK GDPR)

You have the right to access your personal data; rectify inaccurate information; request erasure (“right to be forgotten”); restrict or object to certain types of processing; data portability; withdraw consent; and lodge a complaint with the Information Commissioner’s Office (ICO). ICO website: https://ico.org.uk.

10. Automated Decision Making

Datalaw does not use learner data for automated decision-making that has legal or significant effects.

11. Security

We implement appropriate technical and organisational measures, including encrypted storage; access controls; secure servers and firewalls; and staff training in data protection.

Reviewed Date

08th December 2025

Next Review Due Date

08th December 2026

Reviewed by

Sarah Parker

Signature

Sarah Parker