
  • Alison_ITS


    Has anyone devised a letter and/or consent form for learners and/or Employers yet with regards to GDPR? If so would you mind sharing! I’m finding it all a minefield with regards to how much information to give to learners/employers and exactly what consent we need.




    Hi Alison

    Bear in mind we have Contractual reasons (and possibly Public Task and Legal reasons) for processing the vast majority of information we collect on learners (certainly everything that goes in the ILR!), so relying on consent is not required except, I’d suggest, for marketing activities?

    Happy to be corrected, I’m not an expert on this.

    • This reply was modified 1 month, 2 weeks ago by  steveh. Reason: clarity


    Not sure whether this adds much, but we are currently awaiting the revision to the ESFA’s own privacy notice, which will hopefully address the issues and basis for capture and retention of information.

    We have a wider GDPR project ongoing which has yet to complete, this may put additional burden on us over and above ESFA’s notice, but I am unclear what that would be until I see ESFA’s own notice.




    Handily, ICO have just updated their privacy notices page

    so I’m sure our ESFA colleagues are hard at work on providing us with something…



    Thanks folks, I too am eagerly awaiting the ESFA’s updated privacy notice which I hope will be of some help.

    I’ll take a look at the link you’ve sent too Steve – thanks for that.


    Paul Rogers

    Hi all,

    As a member of the Technical User Group, I have raised this issue on numerous occasions. I have expressed that the communications going out from the DoE are very focused against schools, and they need to make it more explicit on the impacts for ILR data.

    My understanding is that there should be some guidance coming out, but when and how is not yet determined. I do believe that it is very late in the day however and this is a concern the sector should be raising. I mean, we have had webinar after webinar on how to log into the apprenticeship service, yet nothing on this topic at all!




    Thanks for this Paul.

    I suspect it might not be a bad idea to contact AoC and AELP (and HOLEX!) to apply a little extra pressure? Time is running out on this and I suspect having a learning provider as the first big story about Data Protection post-May wouldn’t be in anyone’s interests!




    I am going on the following course next week, hopefully it will enlighten us…

    4. AELP Workshop – The General Data Protection Regulation (GDPR) Workshop
    Wednesday, 7 February 2018, Birmingham
    Due to popular demand, this workshop is being repeated

    Overview – The General Data Protection Regulation (GDPR) is coming in to force at the end of May 2018. The new regulation (along with the current draft Data Protection Bill) requires providers to make significant changes to the ways in which they gather, manage and use personal data with considerable fines for the most serious non-compliance (up to €20 million or 4% of turnover, whichever is greater).
    It’s not just the fines, but also the other reputational consequences of being associated with breach. However, the new laws provide a fantastic opportunity to develop a clear data strategy. It is important to note that all organisations will have to prepare for GDPR differently. Having considered the questions and problems posed by providers, Shoosmiths and PublicCo have developed a one-day workshop tailored specifically to learning providers.

    Developed by Shoosmiths and PublicCo, the workshop will provide delegates with an opportunity to gain specific and developed solutions to their compliance challenges, exploring the issues associated with learner data and ESFA data agreements. Practical examples will also give delegates experience approaching some of the most immediate challenges GDPR raises and will provide energy and clarity to the topic in hand.

    Our workshop will cover:
    • The new GDPR requirements and the key differences with current data protection for learning providers
    • The core principles and organisational change needed for understanding and delivery, again tailored to the environment and structure of training providers
      ◦ GDPR and the ILR – what’s in and out the scope of the Department for Education’s role as a controller for learner data, and what that means for providers
      ◦ GDPR impact on HR and Employment matter – A practical assessment of your employment contracts and policies changes which will need to be made
      ◦ Assessing compliance – Applying a sector based tool to prepare organisations for readiness and ongoing compliance
    • Implementation – how to get ready for GDPR
    Target audience: This one day workshop will be of interest to people responsible for compliance in organisations or for areas of the business dealing with personal data.

    Pricing – AELP Member rate: £299.00 + VAT | Non-Member rate: £399.00 + VAT
    More info/Bookings –



    Thanks Julie.

    I am attending a workshop in Sheffield that is being held by our Solicitors at the end of the month but I have also booked onto the AELP workshop being held in Leeds on 10th April. As it’s specifically for Training Providers and covers both the ILR and HR/Governance I’m hoping it will be extremely useful.



    I think there is a lot of confusion and mis-information about GDPR. I think it’s vital that the ESFA come up with some sort of guidance for providers. It’s true that if the collection of personal data is for contractual, legal reasons then the individual shouldn’t be given the option as to whether they consent to it or not. The issue is, as SteveH mentioned around what else happens with the data and importantly where it is stored and who has access to it – the ESFA, the Awarding Organisations, Software houses, CRM providers to name a few.

    It would be great to hear if the AELP workshop addresses these sorts of questions, I can’t attend unfortunately. It would be really useful too if the ESFA would issue some form of guidance.


    Simon France

    I agree that it is vital we get some guidance on this from the ESFA. Since we are giving the data to them then they must surely have to let the learners know what they are doing with it.

    One part I’m struggling with is the data retention period? We know that for match-funded provision we have to keep documents up to 31/12/2030 but do we have to keep the data for the same length of time? How long will the ESFA be keeping it for?



    Has anyone got a GDPR statement yet to add to learner registration forms? Clearly we have to collect the data and it should mainly be around the sharing of data for other uses (as we have on the ILR at the moment re: contact via mobile, email).
    It would be good to have a statement that is pretty watertight.


    Ibrahim Mayat

    The ILR 2018/19 V1 has an updated privacy notice which I guess we should be using from May?

    Changes include Opt-in for contact preferences:

    Kind regards


    Martin West

    The ESFA need to update the link and detail in the ILR specifications as this says:
    Information about restrictions on the use of the learner’s record should be captured using the opt-out questions detailed in Appendix F.


    Martin West

    The EU’s General Data Protection Regulation (GDPR) will apply from 25 May 2018

    The ESFA have revised the current Appendix F – Privacy Notice 2017 to 2018 from ‘opt-out’ to ‘opt-in’ but have given no guidance to Providers as to when this is to apply from.

    The advice from Jisc is that organisations will need to assess the processing activities for which they rely on consent, and if necessary, take steps to “re-paper” those consents.

    As this change needs to apply at the latest from 25 May 2018, Providers will need to ensure not only that they use the revised Privacy Notice but also that they record the corresponding data in their MI systems and on the ILR.

    Following the advice from Jisc, my advice to the following is:

    For Providers
    Ensure you use the revised Privacy Notice to collect Contact Preference entity data before 25 May 2018, you may also need to review your enrolment data capture documentation or systems.

    For MI Software Suppliers
    Update your software to comply with the ‘opt-in’ requirements before 25 May 2018.

    For the ESFA
    Update the ILR specifications for 2017 to 2018 to comply with the ‘opt-in’ requirements before 25 May 2018 and provide some proactive guidance to the sector on how they should implement this change.

    I cannot understate the importance of compliance with the GDPR regulation and the following from Jisc outlines the risk.

    ‘Where organisations rely on consent for processing, the GDPR will introduce a higher standard for this to be valid; it specifically prohibits silence, inaction or pre-ticked boxes as being a means to obtain consent. Failure to have the proper consents in place can expose an organisation to the risk of a higher tier fine’.

    These are my own views and I may be totally incorrect on my interpretation, what do others think?



    I get the feeling the sector isn’t very prepared for GDPR and the Agency has produced very little guidance.

    In my view, the new privacy notice is fairly scant and doesn’t go any further than the bare minimum laid out in the ICO guidance. I’d urge providers to consider that they will likely also have unfunded learners – so what privacy notice covers those learners? You may also collect data outside of that covered by the ESFA notice, worth considering what PN covers that. (though that should really have been in place for DPA already)

    For the Agency funded learners, providers are collecting data on their behalf, so you’d expect there to be some guidance on reporting breaches, document retention periods, rights (erasure, portability etc).

    GDPR implications haven’t even made it onto a well known spring data conference agenda, despite a strong Agency presence there – which was a surprise.

    Here is a teaser for the Agency on the consent part (marketing / research). If a learner contacts the agency removing their consent – how is it ensured that feeds back to all relevant providers to update their systems? Seems to me that a provider would be unaware and resubmit an ILR and override the recently ‘withdrawn’ consent at the ESFA end! All sorts of permutations for learners studying at multiple providers and the notion that ILR files are self contained snapshots of data (ie not a live reflection of consent).



    Dear All

    I have noticed that the ESFA have also updated the 2017-18 privacy notice –




    While they have updated the notice and the last paragraph:
    “information about how long we retain your data, and how to change your consent to being contacted, please visit:”

    Sadly, that link takes you to an Oct 17 document, which neither states the retention periods nor has any information about consent!


    Alastair Gilbert

    Has anyone seen any discussion of how the contact preference data for existing learners should be handled?

    If MI systems map opt out “consent” given by a learner enrolled before 25th to the new opt in consent, is that allowed? If not, are we going to have to treat all learners enrolled before the 25th as can’t contact unless we ask them again?



    You won’t be able to use the current consent from ‘opt out’ and convert that to the new ‘opt in’ for existing learners.

    Effectively that means on 25th May all your records, where ‘consent’ is your legal basis for processing, will become do not contact. I believe many colleges are tackling this now by asking for (positive) consent now, while they have their learners on site.



    Is anyone creating their own Privacy Notice or are Providers just using the updated Appendix F which contains the ‘Opt In’ tick boxes?



    Appreciating the current discussion focuses around learners as our primary lump of data, but not forgetting staff, suppliers, employers etc I’m starting to receive various communications both business and personal from companies contacting me to explain why they hold my data, what they do with it, for how long, checking my consent, telling me my rights and so on. The approach in the wider world appears to be don’t assume, demonstrate you are aware of the new legislation, and provide an opportunity for them to alter consent/ask questions.

    The 3 key messages I’m getting out into my organisation – 1) saying we do it doesn’t cut it anymore (policies / procedures), we need to be able to prove we do it – evidence, evidence, evidence. 2) rights of the individual greatly strengthened – the law is very much on their side. 3) Serious financial implications for non compliance / breaches.

    This is a far greater task than I first assumed! We are compliant under the DPA, the shift I’m seeing is could I prove it under GDPR? Probably not at this stage.



    I completely agree.

    This is why I’m baffled why so little has come from the ESFA and also from other WBL-specific bodies and user-groups.

    There are a lot of agencies springing up offering to provide guidance (the term ‘license to print money’ comes to mind!) but surely there should be some definitive guidance we should follow relating specifically to learner data being submitted to the ESFA and it makes FAR more sense to have one set of guidance and statements to follow rather than everyone doing something slightly different which can only lead to issues.

    My MD has emailed the ESFA and AELP to see if anything is happening centrally around guidance. I’d urge for others to do the same if possible.



    I agree Rob!

    I am amazed at the lack of information and support from the ESFA/other groups. I imagine most Providers are frantically pulling together their own guidance/statements/opt in consent forms etc. There should be clear statements in place for use by all.



    Hi Alison

    It’s my opinion that the new Annex F is only the very bare minimum to cover the consent element of ESFA contacting learners and is not fit for purpose for us as providers to cover everything else. It’s a massive failure of duty of care by the agency to my mind and I agree with Rob that we should all be pushing our representative bodies and the agency to do better on this…

    Interestingly, DfE released this video recently

    but it’s *very* 101 and completely aimed at schools (also, no sign of the follow ups mentioned at the end…)
