1. Employer Providers and Employer Organisations
1.1. As with Training Providers, the Employer Provider would be the data controller and the EPAO organisation the data processor.
2. For the certification claim the ESFA will validate the following data as submitted by the EPAO: • ULN • Learner Name • Standard Code (available on the relevant assessment standard plan stating ST number) • Achievement Outcome in the ILR is set to Achieved • Employer name and address; town; postcode (this must be the name and address of the person nominated by the employer organisation to receive the apprentice certificate).
2.1. This information regarding the data subject constitutes personal data, as it relates to an identifiable person, and as such PAL must protect such information and ONLY USE it for the purpose of claiming an apprentice certificate or notifying the ESFA of a final outcome of EPA.
3. Who are PAL's third parties ?
3.1. ESFA
3.2. Other EPAOs, were we commission Multiple choice tests or provide an assessment service.
3.2.1. Note EPAOs may have partners who support them with this aspect of their business, so they are also 'third parties' and PAL needs to map and know every organisation who is using the data we collect.
3.3. Training Providers we work with.
3.3.1. Note for EPA business the Training Provider is the data controller and PAL is the data processor (or any other EPAO is the data processor).
3.4. EQA bodies, note PAL will work with a range of EQAs, who will have access to data subject information.
4. The parent company - who handles data? PAL on an individual basis can be data subjects. As a business, our clients are data subjects and depending on our relationship, we can be data controllers OR data processors OR both at the same time. If we make a mistake we cannot hide behind the parent company.
4.1. IT, Quality and HR
4.1.1. TPs process a range of apprentice data information and, as clients, control and provides data to PAL, relating to apprentices. PAL has a responsibility to safeguard this data and only use this information for expressed purposes.
4.1.2. Test data information provided to other EPAOs - such data includes apprentice details, which constitutes personal data and where we work as a subcontractor we are, as PAL, a third party data processor, BUT we are still responsible for the appropriate use of data and the safeguarding of that data.
4.1.3. HR acts as a data controller and our information is shared for the purpose of payroll, expenses, pensions and health insurance (note our data is held on Bonnie). The parent company has a responsibility to protect and safeguard such information that they control and ensure data processes, such as DBS, look after the data they provide. You have a responsibility to ensure your data is accurate.
5. Who do we send data to?
5.1. Employers
5.2. Apprentices
5.3. EQA bodies
5.4. ESFA
5.5. Training Providers
5.6. Other EPAOs and their third party agncies
6. What data do we require?
6.1. We only require data necessary for fulfilling our service level agreements and contracts. The nature of offer to clients, means we will need access to a range of information but for data collation and data processing the information requirements for EPA will be as stated.
6.1.1. Website insights - our website policies indicate how we will use the data and we ask permission to send insights.
6.1.2. Audit and compliance, in their role as a service, will access a range of personal data and The Director of Compliance with the other PAL SMT members will agree on protocols regarding the treatment of data subjects information and data processing.