List of active policies

Name Type User consent
Privacy Policy Privacy policy All users
Data Protection Privacy policy All users


This Privacy Statement describes what Challenge-trg Skills (the Company) does with the personal information you provide it with. Occasionally you will be asked to give the Company personal information about yourself in order to become a learner or client, to use Company’s systems and services etc. It applies to information the Company collects about people who use or may use our services. This includes for example:

Individuals who request information from the Company

Visitors to the Company website

Individuals who undertake a course of study through the Company

Phoenix Training Alumni

Employers who purchase training from the Company

Employers who take a learner on work experience or placement, facilitate workplace visits or support the employability skills of our learners

Employers who employ an Apprentice

If you are asked to provide information to us, it will only be used in the ways described in this Privacy Statement. The Privacy Statement will be updated on occasion and the latest version is published on the Company’s website. If you have any questions about this statement, please contact our Data Protection Officer who will be happy to provide more detail.

Full policy

Why do we collect personal information?

Challenge-trg Skills collects and processes personal data about members of the public who enquire about courses and services, learners and employers to effectively offer advice, manage learning programmes and to meet statutory obligations to the agencies who provide funding for these activities.  The company is committed to being clear and transparent about what data it collects, how it is used, and to meeting its data protection obligations.

We need to process data so we can provide you with the highest standards of education and training we are able to give, and to meet our legal obligations from government organisations including the DfE and ESFA.  Data regarding employment status and whether you or your parents are receiving benefits is required to assess your eligibility for government funded fees and financial support.

Where we processes other special categories of personal data, such as information about ethnic origin, disability or health, this is done for the purposes of equal opportunities monitoring.  This monitoring is performed by the Company and by the ESFA and DfE, and helps us to improve our services to specific groups.  We also use the data so we can personalise the provision to each learner to provide you with the best possible opportunities to succeed.

Contact details will not be used for marketing or survey purposes without your consent, which can be withdrawn at any time.   However, the Company will use your contact information to contact you in order to carry out our duties to you, for example to notify you of a change of course date, follow up on absences, and to obtain further information from you where required, such as your destination in the months after you have completed your course.

LRS privacy notice

Privacy notice for pupils, students, learners and trainees

1. Tier 1 privacy notice text

The information you supply is used by the Learning Records Service (LRS). The LRS issues Unique Learner Numbers (ULN) and creates Personal Learning records across England, Wales and Northern Ireland, and is operated by the Education and Skills Funding Agency, an executive agency of the Department for Education (DfE).For more information about how your information is processed, and to access your Personal Learning Record, please refer to:

What personal information do we collect?

We collect the following personal data to provide education and training to our learners;

·         Details about you including your name, date of birth and gender

·         Contact details – including address, telephone numbers and email address

·         Details of your previous qualifications, educational history and employment status

·         Information about your nationality and residency, and previous address if applicable

·         Information about medical or health conditions, including whether or not you have a learning disability or difficulty, and if so whether you have an EHCP (Education Health Care Plan)

·         Ethnicity

·         Household information (this is collected only for the ESFA is not used by Challenge-trg Skills)

·         Financial Information (bank details)

We collect data about unspent criminal convictions in order to protect vital interests of others and to carry out our duty to support those with a conviction.

We collect emergency contacts.  This information is optional for those aged 19 or over at the start of the academic year.

We collect information about use of our website, company and employee information, and information about personal preferences, interests and career aspirations in order to provide high quality advice and guidance on the range of services we offer.

We collect information about staff, including dates of employment, hours worked, posts, roles, salary, annual leave, absence, performance and professional development in order to manage contracts of employment and business operations.

How is this collected?

Most of the information about you and your learning programme is collected directly from you via an application or enrolment form. However, some information such as previous qualifications or information to support any special needs, may be collected from other organisations such as the DfE (Department for Education).

Information about staff is collected directly from individuals as well as from the observations of managers.

CCTV footage is collected at a number of our sites, and used in line with the Data Protection Policy.

Cookies and analytics services are used to collect information about visitors to our website.  Cookies do not provide us with access to an individuals’ computer, or any personal information about them.

Where information is collected for use with consent, this is very clearly shown as part of the process of asking for the information, and you will always be asked for your agreement to use the information for the specific intended purposes.

Where do we store data?

Data will be stored in a range of different places, including the learner information management system, on paper files in secure places, or on electronic documents within our secure network.

Learner information is stored within our Learner Records Management System, which is hosted by a 3rd party.  Our contractual arrangements with 3rd parties ensure that they meet the same standards for data security and protection.

How do we protect data?

We take the security of your data seriously. We have internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by employees in the performance of their duties. The Data Protection policy is available to view on our website, or can be obtained in print by contacting our reception.

To prevent unauthorised disclosure or access to information, we have strong technical security safeguards in place, and provide staff with regular training and briefings to ensure that they follow our agreed processes.  

If information is shared with another organisation (as discussed below), we will ensure that a robust information sharing agreement is in place.

Who has access to data?

Your information may be shared internally, including with any Challenge-trg Skills  staff member who needs the data to provide services to you.  This will include special categories of data where appropriate.

Where we engage non-statutory third parties to process personal data on our behalf, we require them to do so on the basis of written instructions.  They are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

We will not lease, distribute or sell personal information to third parties unless we have permission or a legal requirement to do so.

Most of the information collected and processed in relation to the learning programmes we provide is shared on a regular basis with other Providers and Government Agencies to meet the requirements of funding contracts.  The Company is a data processor for the Education and Skills Funding Agency and for organisations who subcontract funding to us.  This means that the company will pass information to these organisations if they provide funding for your learning programme.

The information provided may be shared with other organisations for purposes of administration, the provision of career and other guidance and statistical and research purposes, relating to education, training, employment and well-being. This will only take place where the sharing is in compliance with the Data Protection Act 1998.

Do we process data outside of England or the European Economic Area (EEA)?

Part of the funding for your course may be coming from the European Social Fund (ESF).  This is not confirmed until after you have completed your course.  If your course is part funded by ESF, your data may be lawfully shared with them via the ESFA.  The Company will not transfer your data to countries outside the European Economic Area.

Do we use automated decision-making?

No.  None of our decisions are based solely on automated decision-making.  If you feel that a decision affecting you has been made unfairly on the basis of information you have provided, please contact the Data Protection Officer.

What if I do not provide personal data?

Failure to provide data required to meet the obligations set by our funding organisations will result in us not being able to enrol you as a learner. Failure to provide other information (except where we ask for your consent), for example learning difficulty information, may result in us being unable to provide the standard of service we would wish to provide.

What are my rights?

Challenge-trg Skills will always ensure that your rights as an individual are protected in the way we operate our services.  You can:

·         Obtain a copy of the data we hold about you by making a request to us

·         Ask us to change incorrect or incomplete data

·         Ask us to delete or stop processing your data, for example where the data is no longer needed for the reason(s) it was collected


If you would like to request any of these services, please visit our website, contact our data protection officer or contact our centre reception for further information.

Complaints or Queries

If you have any questions about the Company’s collection and use of personal data please contact our Data Protection Officer. They will be happy to provide additional information if it is required.

If you believe that Challenge-trg Skills has not complied with your data protection rights, you can complain to the Information Commissioner.

Changes to This Privacy Statement

We will keep this Privacy Statement under regular review and reserve the right to change it as necessary from time-to-time or if required by law. Any changes will be immediately posted on our website.


The Data controller

Challenge-trg Skills

Cambrai Court, 1231 Stratford Road, Hall Green, Birmingham, B28 9AA

The Data Protection Officer


Data Protection Law controls what Challenge-trg Skills does with the personal information provide by individuals who work for us, study with us or access services we provide.

Our Privacy Statement describes what we do with the personal information we are provided with. You may be asked to give us personal information to become a student, client or to use the services we offer.

Full policy

1.0   Introduction

Challenge-trg Skills is responsible for compliance with UK General Data Protection Regulation (UK GDPR): is based on the EU GDPR (General Data   Protection Regulation ((EU) 2016/679)) which came into effect on 25 May 2018 and applied in the UK until 1 January 2021. EU GDPR was amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU, it sits alongside and supplements the UK GDPR. Personal Data is subject to the legal safeguards specified in the UK GDPR.

The organisation processes personal data in accordance with the following data protection principles:

.  The organisation processes personal data lawfully, fairly and in a transparent manner.

.  The organisation collects personal data only for specified, explicit and legitimate purposes.

.  The organisation processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.

.  The organisation keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.

.  The organisation keeps personal data only for the period necessary for processing.

.  The organisation adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

The organisation tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. It will not process personal data of individuals for other reasons.

1.1   Where the organisation processes special categories of personal data or criminal records data to perform obligations or to exercise rights in employment law, this is done in accordance with a policy on special categories of data and criminal records data.

The organisation will update personal data promptly if an individual advises that their information has changed or is inaccurate.

Personal data gathered is held in the individual’s personnel, learner and customer files (in hard copy or electronic format, or both), and on HR systems. The organisation keeps a record of its processing activities in respect of personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).

Personal data is data which relates to an identified or identifiable natural person.

2.0   Individual Rights

As a data subject, individuals have a number of rights in relation to their personal data.

2.1   Subject access requests

Individuals have the right to make a subject access request. If an individual makes a subject access request, the organisation will tell them:


.  Whether or not their data is processed and if so why, the categories of personal data concerned.

.  To whom their data is or may be disclosed, including to recipients located outside the European Economic Area (EEA).

.  For how long their personal data is stored (or how that period is decided).

.  The individual’s rights to rectification or erasure of data, or to restrict or object to processing.

The organisation will also provide the individual with a copy of the personal data undergoing processing.

To make a subject access request, the individual should send the request to the company’s main office address. In some cases, the organisation may need to ask for proof of identification before the request can be processed. The organisation will inform the individual if it needs to verify their identity and the documents it requires.

The organisation will normally respond to a request within a period of one month (30 days) from the date it is received.

If a subject access request is manifestly unfounded or excessive, the organisation is not obliged to comply with it. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify him/her that this is the case and whether or not it will respond to it.

2.2   Other rights

Individuals have a number of other rights in relation to their personal data. They can require the organisation to:

.  Rectify inaccurate data.

.  Stop processing or erase data that is no longer necessary for the purposes of processing.

.  Stop processing or erase data if the individual’s interests override the organisation’s legitimate grounds for processing data (where the organisation relies on its legitimate interests as a reason for processing data).

.  Stop processing or erase data if processing is unlawful.

.  Stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual’s interests override the organisation’s legitimate grounds for processing data.

3.0   Data Security

The organisation takes the security of personal data seriously. The organisation has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties.

Where the organisation engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

4.0   Individual Responsibilities

Individuals are responsible for helping the organisation keep their personal data up to date. Individuals should let the organisation know if data provided to the organisation changes, for example, if an individual moves house or changes his/her bank details.

Individuals may have access to the personal data of other individuals and of our customers and clients in the course of their employment, contract, volunteer period,  or apprenticeship. Where this is the case, the organisation relies on individuals to help meet its data protection obligations to staff and to customers and clients.

4.1   Individuals who have access to personal data are required:

.  To access only data that they have authority to access and only for authorised purposes.

.  Not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation.

.  To keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction).

.  Not to remove personal data, or devices containing or that can be used to access personal data, from the organisation’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device.

.  Not to store personal data on local drives or on personal devices that are used for work purposes.

Failing to observe these requirements may amount to a disciplinary offence, which will be dealt with under the organisation’s disciplinary procedure. Significant or deliberate breaches of this policy, such as accessing employee or customer data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

5.0   Equality and Data Collection and Monitoring

Although there is no legal duty to collect monitoring information against individual protected characteristics, in order to demonstrate due regard to the aims of the general equality duty held by public bodies, Social Enterprise Kent will sometimes collect equality data upon which to measure its equality and diversity profile.

Equality monitoring relates to one or more of the nine protected characteristics established by the 2010 Equality Act: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation and if monitored properly, particularly in relation to recruitment, can help the organisation to better balance its workforce and develop fair opportunities for all. Equality monitoring for staff and volunteers will also assist Social Enterprise Kent to identify and address any inequalities in the application of employment and placement practices.

Challenge-trg Skills will keep all collected equality data pertaining to individuals confidential and securely stored whilst awaiting periodic analysis in line with the above aims, after which it will be destroyed.

6.0   Storage of Records

The Company stores most of its records online, on Company servers which are located within the EU and protected by firewalls and virus software. Permission levels for Company employees to access specific files and folders within the server (and other software used by the Company, such as PICS, Salesforce) is managed by the Company’s IT Manager, delegated by the Board. Any unusual requests for access will require authorisation by a Company Director.

The Company also maintains a contract with a 3rd party IT firm, who provide backup support for the Company’s servers in the event of an emergency.

Records held electronically are backed up electronically overnight.

Certain Company records are still required to be stored in paper form.

These records are stored on site at:

Challenge-trg Skills

Cambrai Court, 1231 Stratford Road, Hall Green, Birmingham, B28 9AA

Electronic documents are stored in a secure cloud base location:

Challenge-trg Skills


The ESF Programme Action Note 018/18 sets out the lawful basis for processing personal data under ESF.

The General Data Protection Regulation (GDPR) and ESF Who All ESF beneficiary organisations, European Social Fund Division and Greater London Authority. What The UK is updating its data protection legislation and it will come into force on 25 May 2018. The new laws aim to update current data protection legislation including the Data Protection Act 1998, increase the privacy protection of all UK and EU citizens and reduce the risk of data breaches. It will apply to all public and private organisations processing personal data. Established key principles of data privacy will remain relevant in the new data protection laws but there are also changes that will affect commercial arrangements, both new and existing, with suppliers. The new General Data Protection Regulation 2018 ((EU) 2016/679) (GDPR), which forms part of the new data protection legislation, specifies that any processing of personal data, by a data processor, should be governed by a contract with certain provisions included. All ESF projects and partners should check Annex A: Q&A Briefing on General Data Protection Regulation (GDPR) and ESF to find out more about what action they will need to take. Projects will need to comply with new GDPR regulations / requirements from 25 May 2018 and should, in the first instance, refer to Annex A: Q&A briefing for further details. Cleared Janet Downes / Dan Mumford Action Please read the supplementary Annex A: Q&A Briefing on General Data Protection Regulation (GDPR) and ESF. Contact For questions please contact:

More information can be found at the following:

018-18_General_Data_Protection_Regulation__GDPR__and_ESF.pdf (


This Action Note provides an update to information provided in Action Note 018/18 – and includes details on action to take with regards to data right of access requests (RARs) (formerly known as subject access requests or SARs) and personal data security breaches.

Action Note 020/18 GDPR and ESF - additional advice (


This guidance explains the requirement for, and the process by which contact details for all participants on European Social Fund (ESF) and Youth Employment Initiative (YEI) provision must be submitted to the Managing Authority (MA). This document covers: · The regulatory and legal basis behind the requirement to collect and share participant data, including contact details; · The requirement for the participant privacy notice to be used with all ESF and YEI participants; · What contact details need to be collected and how they will be reported to the MA; · The handling of contact details for certain ‘sensitive’ groups. This guidance applies to both ESF and ‘match’ funded participants. 1.1. Who should use this guidance? This guidance should be used by all grant beneficiary organisations, including ‘direct bid’ organisations, Co-Financing Organisations (CFOs) and partners and Intermediate Bodies (IBs). Grant beneficiary organisations will be expected to provide contact details data for all delivery partners or projects within their operation. The grant beneficiary organisation will be responsible for the quality of the data submitted.

Guidance on ESF and YEI Participant Contact Details version 5 (