Hair Education Company General Data Protection Regulation (GDPR) & Privacy Policy


Relating to learners and employers


This policy applies to all learners and employers.

Compliance with this policy is a condition of engagement in learning programmes, and any deliberate breach of this policy will result in disciplinary action, which may include removal from employment and possible legal action. Any employee found to be accessing personal data without authority will be treated as having committed gross misconduct.

All data/information processed by the organisation is covered by this policy.


HED CO. Ltd holds personal data on learners and employers in order to facilitate their training and education and to provide funding information to the ESFA in support of their learning aims.

HED CO. Ltd is legally obliged to collect personal data from learners and employers in order to fulfil their obligations for delivering apprenticeships, other government funded training programmes and HED CO. certificated courses.

Sharing Personal Data

Data sharing is restricted to the following relevant third parties. Data is shared only when necessary and required in order for a learner to complete their programme of learning.

·         The ESFA, which is the Government body providing the funding for training delivered by HED Co.

·         Awarding organisations for quality assurance, assessment and certification

·         Ofsted, for the purpose of ensuring HED is providing a quality service and learning experience.

·         Regulatory authorities, sector skills councils, professional bodies, and similar industry bodies;

·         Employers who are offering an apprenticeship position within their organisation. (Permission from the applicant must be obtained prior to sharing any personal data and CVs.)

We will ensure there is a contract in place with such third parties which includes obligations in relation to the confidentiality, security, and lawful processing of any personal data shared with them.


This legislation protects people against the misuse of personal data, and covers both manual and electronic records. The Act requires that any personal data held should be:

·       processed fairly and lawfully;

·       obtained and processed only for specified and lawful purposes;

·       adequate, relevant and not excessive;

·       accurate and kept up to date;

·       held securely and for no longer than is necessary; and

·       not transferred to a country outside the European Economic Area unless there is an adequate level of data protection in that country.

The 2018 General Data Protection Regulation (GDPR) provides additional protection under law in the new digital age and allows individuals much greater control over their own data.

HED Co. is committed to compliance with the principles and the responsibilities under GDPR. All data collected by HED Co. will comply with the principles set out in Article 5 of the GDPR. All data must be:

a)     processed lawfully, fairly and in a transparent manner in relation to individuals;

b)     collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c)      adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d)     accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e)      kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f)        processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The 2018 GDPR provides the following rights for individuals and forms a key element of this policy:

a)        Right to be informed: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

b)        Right of Access: Individuals have the right to access their personal data and supplementary information, which allows individuals to be aware of and verify the lawfulness of the processing.

c)        Right to Rectification: The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.

d)        Right to erasure: The GDPR introduces a right for individuals to have personal data erased, also known as ‘the right to be forgotten’. The right is not absolute, and the legal responsibilities of HED Co., as a provider contracted to the ESFA for the funding of Apprenticeships and other training programmes, take precedence.[1]

e)        Right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. However, this is not an absolute right and only applies in certain circumstances.

f)        Right to data portability: Allows individuals to obtain and reuse their personal data for their own purposes across different services. It enables them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

g)        Right to object: Individuals may object to data processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority; direct marketing (including profiling); or processing for purposes of scientific/historical research and statistics.


Responsibility for the Processing of Personal Data

The organisation’s Data Controller is the Training Manager, who is responsible for ensuring all personal data is controlled in compliance with the GDPR legislation.

Employees who manage personal data of a learner or employer are referred to as Processors and must comply with this policy and adhere to the procedures laid down by the Data Controller.

Regular audits on data processing will be carried out under the supervision of the Data Controller.

When a breach of this policy occurs it should be reported to the Data Controller immediately so that he can inform the ICO. A breach that is not malicious will be dealt with sensitively and in proportion.

Malicious and purposeful violations of personal data will result in disciplinary action and could lead to summary dismissal.

What personal data do we collect?

We collect a learner’s name, gender, date of birth, proof of eligibility, ethnicity, learning needs and any health issues that might impact on learning. We may also collect other categories of personal data if required in relation to a specific qualification or programme, and personal data if required to carry out our quality assurance processes, investigations, complaints and appeals. This personal data is provided to us by individuals when they first register with HED Co.

In exceptional circumstances, we may be provided with sensitive personal data, such as information about mental health. In such circumstances this data is only obtained and used to enable us to respond appropriately to an individual’s needs.

How do we use personal data?

We will use an individual’s personal data where this is necessary to pursue our legitimate interests as a provider of training services, including to:

·         provide information on products and/or services;

·         undertake administration in relation to products and/or services for which an individual has registered;

·         provide learners with an online portfolio / record of learning;

·         contact learners directly in relation to our quality assurance processes, investigations, appeals, and complaints;

·         contact learners directly in relation to new and existing products, services, news, awards and events offered by HED Co.;

·         provide information, advice and guidance on progression and destinations.

We may also process personal data if required by law, including where we are obliged to respond to requests by government or law enforcement authorities, or for the prevention of crime or fraud.

How long will we keep personal data?

We will retain personal data relating to learning, assessment, and certification to enable us to provide information about your learning or a replacement certificate.

We will retain personal data relating to our quality assurance processes, appeals, or investigations for a period of 7 years to ensure we are able to comply with any contractual, legal, audit and other regulatory requirements, or any orders from competent courts or authorities.

Where do we store personal data and how is it protected?

We take reasonable steps to protect personal data from loss or destruction. We also have procedures in place to deal with any suspected data security breach. We will notify the learner and any applicable regulator of a suspected data security breach where we are legally required to do so.

Concerns or complaints

If you believe that your data protection rights may have been breached, and we have been unable to resolve your concern, you may lodge a complaint with the applicable supervisory authority or seek a remedy through the courts. Please visit for more information on how to report a concern to the UK Information Commissioner’s Office.

Changes to our Policy

Any changes made to our policy in the future will be communicated to employers and learners by e-mail and/or post.

Related Policies

·         Confidentiality Policy

·         Email and Internet Policy

·         Disciplinary Policy

·         Equal Opportunities Policy

[1] Learner and employer data is collected on behalf of the ESFA in accordance with the terms and conditions of funding imposed on HED Co. The data collected from learners and employers is processed by the ESFA, as explained in their Privacy Notice.