GDPR Data Audit

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation and is thus directly binding and applicable.

What do data do we store?


We store information for a variety of reasons:- first and foremost to comply with the Education & Skills Agency funding eligibility and funding requirements, but also to be able to create individual learning plans, and to effectively communicate and provide a highly responsive service

  • Address
  • Phone number
  • NI number
  • Ethnicity
  • Additional support needs
  • Date of Birth
  • Email address
  • Learning programme details
  • Previous qualifications achieved and schools attended
  • Gender
  • Unique learner number (ULN)
  • Notes from communication e.g. meetings
  • Next of kin


We store information for a variety of reasons:- first and foremost to comply with the Education & Skills Agency funding eligibility and funding requirements, but also to create solution based training proposals, and to effectively communicate and provide a highly responsive service

  • Address
  • Phone number
  • Company size
  • EDRS number ( unique employer number needed for funding purposes)
  • Email address
  • Notes from communication e.g. meetings
  • Accounts details

What data do we store on leavers?

As above, but in addition we keep a record of any certificates gained, attendance and learning records etc. in line with ESFA audit requirements.

Where did we get this data?

From application forms completed by learners, verbal and written communications, from information you have provided when requesting information for us, via our website

Where do we store this data?

We store any data we collect on PICS (see below) which is used to transfer information to our funders the ESFA, or on our internal PDrive which is backed up to our server, and basic employer information on Maximiser, our employer CRM system.

ESFA via PICS(Pellcomp)

What type of data do we send?

  • Full name
  • Address
  • Phone number
  • NI number
  • Ethnicity
  • Disability
  • Date of birth
  • Email address
  • Gender
  • Learning programme details
  • Right to work
  • Previous qualifications
  • Support needs (if required)

Why do we send it?

To prove eligibility for funding and to be able to meet contractual obligations as an approved and regulated training provider.

This information is processed under the legal basis of consent and legal obligation.

How long do they retain it?

All data must be retained for 7 years as per ESFA guidance. As we host our own version of PICS they don’t store our data as such, we store this ourselves on the server in line with the ESFA requirements. PICS only have access to our data if we send them a back up when they’re assisting with technical issues. They hold the back up for a maximum of two weeks on their system and then this is deleted.

How do they treat leavers?

As above, the ESFA guidance is to retain records for 7 years. Once the 7 years have elapsed we can fully delete learner records from PICS.

What security measures do they have in place?

Even though PICS don’t store our data it’s useful to know what security measures they have in place. As of February 2018 they already had a solid information security management system in place and are accredited to ISO 27001:2013. They have a DPO who has been improving processes and systems and has carried out security audits, risk assessments and staff training etc. Pellcomp also provide us with the software to be compliant with data portability and the right to be forgotten.

Within our own team, PICS is password protected and access can only be given to another team member by a PICS superuser. This account is also password protected and everyone is required to change the passwords regularly. Only the relevant team members are given an account. PICS is not directly used by any learners or customers.


On PDrive we store things such as;

  • Learner evidence packs for audit – information on the learner and their programme
  • Copies of learners certificates – to prove exemptions from functional skill exams
  • New learner start forms – between team members to inform of a new start. These forms include learner and employer details
  • Company MIS reports – we have a number of reports that we store on PDrive that we pull from our MIS systems. These are monitored and updated as part of us keeping track of our company KPI’s
  • Health & Safety’s – a requirement of the ESFA is to conduct H&S audits and the paperwork for these is stored within PDrive

We also store a small amount of historic paper based learner files which we are require to keep for a minimum of 7 years. These are held in locked cabinets within the office which only the DPO has access to. We no longer create paper based files as everything is now held on PDrive.

What security measures do we have in place?

PDrive can only be accessed by people in our company who have a domain log in. All accounts are password protected with secure passwords that are updated regularly. The PC then has to have the PDrive mapped into it. Everything is backed up to the server.

We work with a company called Gekko who are responsible for our IT and cyber security.

Maximizer – CRM

What type of data do we store?

  • Company name
  • Number of staff
  • Telephone
  • Contact name
  • Email address
  • Services purchased
  • Services interested in
  • Activity history

Why do we store it?

To ensure we meet needs of potential clients and our customers now and in the future.

What security measures do they have in place?

Maximizer CRM Live is a cloud based solution, available in both their Canadian and UK Data Centres. Their UK Data centres are managed independently of the Canadian Data Centres and there is no exchange of customer data between the two environments.

The UK located Data Centres deliver the software using state-of-the-art scalable high performance technologies. Customer data is synchronised, backed up, encrypted and stored securely within two purpose built Tier IV Data Centres, compliant with GDPR and providing customers with uncompromising security and constant availability.

Who do we send data too? (Third parties)

  • ESFA – via our PICS system
  • OneFile – our E-portfolio system
  • BKSB – our Functional Skills on-line learning system
  • Awarding bodies/End Point Assessment organisations – such as ILM and SkillsFirst
  • Sub-contractors- such as Peak Accountancy Training

If you require further information please contact our Data Controller Kevin Bunn at