europe-3220208_1920.jpg

From the 25th of May, TQUK will be adopting several measures to ensure compliance with the new General Data Protection Regulation (GDPR) coming into force. We’re sure many of our centres will have questions regarding GDPR, so we wanted to provide an overview to help you get started and understand what this new regulation involves. While we’re more than happy to offer advice, as I’m sure you understand, every situation is different, and so we would certainly recommend seeking additional advice from other relevant organisations.

This isn’t us being fastidious or polite (though we are). The General Data Protection Regulation (GDPR) is a new regulation being implemented by the European Parliament, Council of the European Union and the European Commission in order to strengthen various data protections for individuals living in the European Union and address various concerns around the export of data outside the European Union. The regulation will apply to all organisations that collect personal data of any kind. It will not require national governments to pass any enabling legislation. Some of you might be wondering how Brexit affects GDPR. The UK government has confirmed its support for the commencement of GDPR.

The definition of ‘data’ was made as broad as possible. According to the European Commission, ‘personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking sites, medical information or a computer’s IP address’. The regulation also applies to organisations based outside the EU if they collect or process personal information of EU residents.

Rather than a negative, and I’m sure you’ve seen some of the news stories regarding the subject, we’re viewing GDPR an excellent opportunity to build upon our previous data protection policies and support a long overdue change in the way personal data is processed. To support this, you will notice, largely among our newly launched systems, new information procedures and policies. We will also be asking centres to undertake a resigning of their centre agreement which is designed to safeguard TQUK, our centres and all personal data subjects involved.

According to the new regulation, TQUK can only process data on one or more of the following lawful bases:

The data subject (Citizen) has given consent to the processing of their data for one or more specific purposes

  • Processing is necessary for the performance of the contract to which the data subject is partly or in order to take steps at the request of the data subject prior to entering the contract
  • Processing is necessary for compliance with a legal obligation to which the controller is subject
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

For the vast majority of cases, TQUK will be processing data for the purposes of a legitimate interest. For example, we will collect and process learner information because it is a legitimate interest that is integral to the completion and later verification of their qualification. There may also be certain cases where we collect and process data because of a contractual requirement. Full reasons for why and how we collect and process data will be available within our updated GDPR privacy policy, which will be introduced upon the implementation of GDPR.

As a centre, you will largely have a lawful reason for processing your learner information based upon, again, a combination of legitimate interests and contractual requirements. An area in which you will need to pay special attention to is the sharing of any special category data, such as health or ethnicity of candidates. This is especially important when thinking about course registers or sign up forms that may collect this information for the purposes of sharing with the awarding organisation to support reasonable adjustments and special considerations, plus our requirement to monitor equality and diversity among our learners. In this situation, it is important that the learners provide consent to their personal information being shared in this case.

In regards to consent, the main area where TQUK will be required to have consent to process personal data will be in relation to its direct marketing. This will largely apply to individuals, but certain centres are affected by this requirement. For business-to-business marketing, the vast majority of our centres fall under what is known as a corporate subscriber. We are able to contact corporate subscribers who are existing customers of TQUK without the need for consent under what is known as ‘soft opt-in’. You will have the opportunity to opt out of this and no longer receive direct marketing. The one category of centre that would not fall under the category of corporate subscriber is so-called one-man-bands. We will require their consent to continue direct marketing.

For more information, visit the Information Commissioner’s Office website or the European Commission’s Data Protection page. If you have any burning questions please contact our Data Manager, Tom Costigan at This email address is being protected from spambots. You need JavaScript enabled to view it..

To keep up to date with our incisive commentary and the latest news in the further education sector, return to our blog or follow us on Twitter, Facebook or Instagram.

See you out there!