EPA privacy notice
Pearson Education Limited (Pearson) is a registered End-Point Assessment Organisation (EPAO) with the Education and Skills Funding Agency (ESFA) and provides end-point assessment services to apprentices (learners).
In the course of the performance of its end-point assessment services, Pearson collects and processes personal data relating to learners as detailed below:
- To fulfil its legal obligation as a registered EPAO.
- We might also need to process the data for the performance of our contract with your Training Provider and other relevant parties, and for the purposes of our legitimate interests.
- We might also need to use your personal information in the following situations, which are likely to be rare:
- where we need to protect your interests (or someone else’s interests)
- where it is needed in the public interest or for official purposes
Pearson is committed to data privacy and to the requirements of the Data Protection Act 2018 and the General Data Protection Regulation 2018 (GDPR) in respect of its processing of personal data.
Pearson is registered with the UK Information Commissioner’s Office as a Data Controller and a Data Processor.
Data received from Training Providers
Pearson collects learner personal data as a Data Controller. Training Providers and, in some cases, assessors will provide Pearson with data for the processing of assessments for learners. The personal data is usually limited to the details required for us to undertake the basic functions of an EPAO, including performing assessment services and claiming a certificate on behalf of learners. Personal data will include (but may not be limited to):
- a learner’s name, date of birth, gender, workplace address, email address. mobile telephone number, Unique Learner Number (ULN), assessment results and qualification awarded.
In line with our regulatory requirements, learner data will be held by Pearson for six years following the end-point assessment.
Special Category data
We might also collect, store and use the following special categories of more sensitive personal information (Special Categories) for the purpose of complying with any legal obligation we have under the Equality Act 2010, such as to apply access arrangements and reasonable adjustments to your end-point assessment:
- information about your health, including any medical condition, health and sickness records
- information about your race or ethnicity, religious beliefs, sexual orientation
We will process this data strictly for the purpose described and will disclose it only as necessary to ESFA or other regulator, and to any External Quality Assurance body for the purposes of audit to evidence compliance with legal and regulatory obligations.
Pearson will share other learner data with:
- the assessor(s) performing the end point assessment
- the External Quality Assurance (EQA) body selected to carry out this function as part of the end points assessment
- the Institute for Apprenticeships to claim a certificate on the learner’s behalf
We may additionally share personal data with regulatory bodies, in respect of audits and investigations carried out by regulatory bodies, such as the ESFA, Ofqual, the EQA.
In all cases, including special category data, if we do share data, we require third parties to take appropriate security measures and only process your data for specified purposes.
Where we store data
Pearson has organisational and technical measures in place to safeguard the security of learners’ data. These include limiting access to folders and files; enforcing a rigorous data retention and destruction policy; having in place a security incident management process; having in place physical safety and security safeguards wherever data is processed; having in place contracts with third parties to protect data from unauthorised use, modification, destruction or disclosure, regardless of where it is located. Pearson ensures that contracts and commercial agreements with vendors include robust information privacy and security control clauses. Outsourced services, processing and storage facilities are monitored and reviewed to ensure compliance with Pearson’s policy.
General Data Protection Regulation 2018
Pearson has adapted its policies and procedures to ensure it is compliant with the GDPR. This document has been produced to represent our current status and will be reviewed annually and updated as processes are developed.
Under GDPR, individuals have certain rights when it comes to the control of personal data:
|The right to be informed. Each individual has the right to be given information about how their data is being processed and why. Pearson has provided this policy to show how we handle your data.|
|The right of access. Pearson has a duty to comply with the requirements of Subject Access Requests (SAR).|
|The right to rectification. The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.|
|The right to be forgotten. You have the right to ask Pearson to remove your data, though we might have a legal obligation to retain the information for the period stated above in the Privacy Notice.|
|The right to restrict processing. You may restrict processing for a legitimate reason, though we might have the right to decline the request for legal or other legitimate purposes.|
|The right to data portability. You may be able to obtain the information we hold about you and use it for your own purposes. Conditions apply.|
Should you wish to exercise any of your rights above, please email firstname.lastname@example.org stating the following information:
- contact details
- relationship to subject
- full details of information relating to your request
- reason for request
- the right being exercised
You will be asked to verify your identity if you are the subject. Alternatively, you will be asked to provide consent from the subject if you are a representative.
Should we require further information, we will contact you.