Section 1   Introduction

1.1            Scope of the policy

DNA Skills is committed to preserving the privacy of its staff and apprentices, to comply with the Data Protection Act (2018) and the General Data Protection Regulation (GDPR). 

The data protection principles are set out in the Data Protection Act (2018). In line with Article 5 of the General Data Protection Regulation DNA Skills will ensure that all personal data is: 

  • used fairly, lawfully, and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant, and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage

1.2         Purpose of the policy

This policy outlines the responsibilities of all staff (including third parties under contract, and or self-employed/volunteers) with regard to the Data Protection Act (2018) and the General Data Protection Regulation. 

Staff are required to handle and process data in any of DNA Skills records or systems in accordance with this policy and in accordance with other related policies concerning the handling or processing of data. DNA Skills will process personal data, examples include:

  • salary and benefits
  • contractual obligations
  • holiday and sickness 
  • performance and achievement
  • safeguarding
  • equality
  • diversity and inclusion
  • health & safety
  • accident reports
  • disciplinary
  • support and advice to the apprentices and clients
  • promotion of services
  • publications
  • financial and staffing records
  • statutory obligations

1.3         A shared responsibility

It is important that all staff who are involved in the delivery of DNA Skills End-Point Assessments and/or regulated qualifications are made aware of this policy and its range of outcomes.

1.4         Reviewing the policy

We will review this policy annually or:

  • Interim when there has been changes to policy or legislation
  • Where DNA Skills are approved for additional apprenticeship standards

Section 2    Definitions

2.1      Personal data 

Defined as data relating to a living individual who can be identified from that data alone, or with other data held by DNA Skills or which DNA Skills is likely to receive.  This includes sensitive data relating to an individual’s gender, age, ethnicity, disability, trade union membership, political opinions, religious or similar beliefs, physical or mental health, sexual life, commission or alleged commission of any offence or information concerning related criminal proceedings or outcomes.

 2.2      GDPR

Regulates the “processing” of personal information which has a very broad meaning and includes obtaining, storing, viewing, using, updating, disclosing, and destroying any data held electronically, in structured manual records and to a limited extent, to unstructured manual records. 


Section 3    Implementation 

To meet the responsibilities DNA Skills will:

  • Ensure any new or planned projects that involve personal data are preceded with a Data Privacy Impact Assessment (DPIA) if required. This is carried out by the DPO and Head of IT
  • Ensure that access controls are limited to role relevance 
  • Ensure any personal data is collected in a fair and lawful way 
  • Gain explicit consent where required 
  • Explain at the outset why information is being collected, what it will be used for and with whom it will be shared 
  • Ensure that only the minimum amount of information needed is collected and used 
  • Ensure the information used is up to date and accurate 
  • Review the length of time information is held, in line with relevant legislation 
  • Ensure information is kept safely 
  • Ensure the rights people have in relation to their personal data can be exercised.  
  • Dispose of data appropriately and without unnecessary delay
  • Ensure that anyone managing and handling personal information is trained to do so 
  • Ensure that all individuals are aware of the process to follow to make a Subject Access Request
  • Any disclosure of personal data will be in line with relevant legislation, and internal policies and procedures 
  • Any sharing of data to third parties is covered by a data sharing agreement


Section 4    Policies and Legislative Connections 

The following policies and guidance are relevant to personal information:

  • Privacy Policy
  • Equality and Diversity Policy
  • Safeguarding and Prevent Policy

DNA Skills will adhere to its obligations under the Regulation relevant to the use and monitoring of electronic communications, which are predominantly:

  • Regulation of Investigatory Powers Act 2000;
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000;
  • Communications Act 2003;
  • Data Protection Act 1998; and General Data Protection Regulation
  • Human Rights Act 1998;
  • Defamation Act 1996;
  • Equality Act 2010;
  • Safeguarding Vulnerable Groups Act 2006.


Section 5    Data Security

DNA Skills staff must adhere to the following guidelines to ensure personal information is protected from unauthorised viewing and from loss (including computer documents, emails, and paper copies) by ensuring staff are provided with adequate awareness training and follow guidelines set out in the GDPR code of practice

5.1      Data Transfer Guidelines 

  • Password protected attachments for sensitive personal information sent by email
  • All emails containing personal data must be marked ‘confidential’ 
  • Robust and trustworthy IT security features 
  • Secure data flows across organisation and third-party data sharing requirements 
  • Ensure data is not shared without the explicit consent of the subject, where no exemptions apply 
  • Where personal data is to be transferred in hardcopy form it should be passed directly to the recipient 
  • All personal data to be transferred physically, whether in hardcopy form or on removable electronic media shall be transferred in a suitable container marked ’confidential’
  • Continuous review of all measures 

5.2      Data Storage Guidelines 

  • Use lockable cupboards (restricted access to keys) where hardcopies are kept
  • Mandatory renewal of passwords to agreed frequency 
  • Password protection on personal information files 
  • Set adequate access controls – role specific 
  • Not allowing personal data to be taken off site (as hard copy, on laptop or on memory stick) without adequate safeguarding i.e., encryption 
  • If personal data can be taken off site, in which forms (paper, memory stick, and laptop) and give instruction to staff about keeping it safe 
  • Secure and reliable security back up of data (Third-party security arrangements – e.g., Microsoft Teams, Creatiogreen, Cirrus Assessment, Proctorio Remote Proctoring)

DNA Skills will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. All EPA staff must take reasonable responsibility to ensure the data is accurate and up to date, relevant and not excessive.  Any unauthorised disclosure of personal data to a third party by any staff member may result in disciplinary or legal action. 

Failure to comply with DNA Skills policies and procedures for handling staff/apprentice data is a disciplinary offence which may be considered gross misconduct and may also involve personal criminal liability (please see DNA Skills Disciplinary Policy). 


Section 6    Data Subject Rights/Subject Access Requests 

Individuals have a right under the Regulation to ask DNA Skills if it holds their personal data, and if so, be provided with a copy of it.  Any person wishing to exercise this right should apply in writing to DNA Skills, or via email at 

To ensure DNA Skills has met the security requirements of the GDPR, the following information will be required before access is granted:

  • Relevant identifying details (full name, date of birth, national insurance number)
  • Proof of identity (birth certificate, passport, or driving licence)

Subject Access Requests will be dealt with in line with the GDPR recommended timescales. DNA Skills will aim to comply with requests for access to personal information as soon as possible but will ensure it is provided within one month as required by the Regulation from receiving the written request.  DNA Skills will provide the information in a clear format that is easily understood and, in a format, suitable for the requester’s needs. DNA Skills may request further details to clarify the exact requirements prior to the start of the one-month timeline. 

If an individual considers the details provided in response to a Subject Access Request are incorrect or out of date, they should contact DNA Skills immediately. 

Anyone whose personal information is processed by DNA Skills has the right to know

  • What information DNA Skills hold and processes about them 
  • The legitimate reasons for processing 
  • The right to consent or withdraw consent 
  • How to gain access to this information 
  • How to keep it up to date 
  • To receive this data in a clear format 
  • To receive this data within one month 
  • Data Subjects have the right to prevent processing of their personal data in some circumstances and have the right to correct, rectify, block or erase information regarded as incorrect  
  • To be informed of any miss use or loss of this data if the loss represents a high risk to the rights and freedoms of individuals 
  • The right to erasure of personal information – commonly referred to as the right to be forgotten 
  • The right to complain and/or seek compensation 

It is a criminal offence under the GDPR for any user to alter, illegally access, deface or remove any record (including e-mails) following receipt of an information request.  DNA Skills will take necessary action against any individual who is found to have carried out this act, which may result in disciplinary or legal action. Other criminal acts under GDPR may also result in disciplinary or criminal proceedings; definitions can be found at

If you have any queries or concerns regarding DNA Skills management of personal data, then you can contact DNA Skills directly. 

Any comments or complaints will be dealt with through DNA Skills Complaints Policy. DNA Skills will maintain records of all complaints and their outcome.  

The requirements DNA Skills has for processing personal data are recorded on the public register maintained by the Information Commissioner.  DNA Skills notify and renew the notification on an annual basis as the law requires. If there are any interim changes, these will be notified to the Information Commissioner within 28 days.  DNA Skills (trading name of SCL Education and Training) registration with the Information Commissioner’s Register of Data Controllers is: ZA063549 and can be found using this link: 

If you are still unhappy after having made a complaint you may contact the Information Commissioner’s Office through their website:


Section 7    Data Sharing

There are occasions when it is necessary for DNA Skills to share data with other organisations or people and where consent is required DNA Skills will seek and gain this from the Data Subject, except where exemptions apply:

  • To fulfil legal obligations 
  • In the vital interests of the individual
  • Pay and benefit details - HM Revenue and Customs 
  • UK Border Control 
  • Police or other law enforcement or investigatory institutions 
  • Professional bodies e.g., solicitors, GPs, child protection agencies 
  • Other educational bodies or institutions
  • Education and Skills Funding Agency 
  • Internal and external audit 
  • Research purposes where data has been fully anonymised
  • Ofqual

For further information, access the website of the Information Commissioner’s Office:

Section 8    Personal Data collected held and processed

Below is a table to show the data collected and processed by DNA Skills

Name - All Data Subjects – Identification purposes 

Telephone/Mobile Number - All Data Subjects – To contact if required

Email Address - All Data Subjects – To contact if require


Employees – For contact and payroll/HMRC purposes
Employers – For contact purposes and where to send certificates 
Training Providers – For contact purposes 
Assessors – For contact purposes

Date of Birth

Employees – Tax purposes
Apprentices – To identify if under 18


Employees – To ensure suitability for job role
Assessors – To ensure suitability for job role
Apprentices – Meet requirements for end-point assessment

Photo ID

Apprentices – Proof of Identity
Employees – Proof of identity

ULN - Apprentices – For regulatory/certification purposes

Disabilities/Special Educational Needs - Apprentices – For reasonable assessment adjustments and special considerations

Next of Kin - Employees – For health and safety purposes

Family Circumstances

Employees – Assessing suitability for the role and conflicts of interest
Assessors - Assessing suitability for the role and conflicts of interest

Opinions/Interview Notes

Employees – Assessing suitability for the role
Assessors - Assessing suitability for the role 


Employees - Assessing suitability for the role
Assessors - Assessing suitability for the role

Section 9   Retention and disposal of Data

DNA Skills will retain information about staff and apprentices for a period of 7 years and where necessary to comply with the law and for legitimate business needs.  This will include information needed in connection with administering pensions and taxation, for potential or current disputes or litigation regarding employment, in the case of job applicants, in relation to any complaints or claims regarding the selection process, and information required for job references. 

DNA Skills will dispose of data in line and conjunction with the JISC recommended data retention principles for Further Education and any legal and funding audit requirements.  Once the retention period has elapsed, DNA Skills will ensure that any information is destroyed by secure means, i.e., by shredding, pulping, or burning for hard copy, deletion etc. for electronic/digitised copy. DNA Skills will use a reputable ISO Accredited company and obtain destruction certification. See website:


Section 10    Data security breach procedure

DNA Skills takes the risk to security loss very seriously and adheres to the legal framework set down by the Information Commissioner’s Office and industry standards. Actions may include: 

  • Containment and recovery – DNA Skills will respond to the incident immediately which includes a recovery plan and, where necessary, implement procedures for damage limitation
  •  Assessing the risks – DNA Skills will assess any risks associated with a breach, as these could affect any procedures after the breach has been contained. In particular, DNA Skills will assess the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to re occur

Notification of breaches – if appropriate DNA Skills will inform the following parties:

  • the Data Subject
  • ICO
  • Other regulatory bodies
  • Other third parties such as the police and the banks
  • The media

Section 11   Contacts

Your contact for this policy

If you have any queries about the contents of the policy, please contact our DNA Skills EPA Team:


Telephone: 01344 944675

DNA Skills Team
7 Lakeside Business Park
GU47 9DN

Title & Key Responsibilities

General Manager - Accountable for the strategic objectives of DNA Skills and its regulatory compliance. Ensures all policies are effectively implemented

Head of Quality & Compliance - Responsible Office and point of contact for regulatory bodies. Oversees the version control of policies

Head of Product & Assessment Development - Acting Deputy for Responsible Officer. Manages the development and life cycle of our products

Quality & Performance Manager - Responsible for the delivery of assessments and quality assurance processes

Head of IT/DPO - Data Controller