1. Privacy Policy
At Enginuity, we create practical solutions for individuals, educators and engineering employers, using unmatched industry expertise and data – so engineers can change their world and ours. Our ‘Enginuity’ in marrying our engineering expertise with ingenuity with data, is how we design and constantly improve solutions that provide a great user experience, create new solutions that are easy to integrate and prove the business case for engineering skills development.
Excellence, Achievement & Learning (EAL) is part of the Enginuity Group and offers specialist skills, awarding and assessment services for organisations and industry, providing high quality, fit-for-purpose qualifications and rigorous and robust End-Point Assessment (EPA) that validates the quality of training. We are chosen by thousands of employers and educators and are recognised for delivering engineering skills solutions by engineers for engineers.
To be consistent with data protection laws, we’ve reviewed our Privacy Policy and made it easier to understand. We are committed to data security and transparency in what we do with your data. This privacy policy covers what we do with the data you give us, in particular under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (together Applicable Laws)
This policy covers who we are, how and why we collect, store, use and share personal data, your rights in relation to your personal data, how to contact us and the relevant channels in the event that something goes wrong.
When we ask you to supply us with personal data we will make it clear whether the personal data we are asking for must be supplied, for example, so that we can provide products and services to you, or whether the supply of any personal data we ask for is optional. At no time will any personal data held by us be passed to organisations outside the Group for purposes other than those that are set out within this statement.
Changes to our Policy
Any changes we may make to our Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our Policy. We will also provide you an archived version for reference.
2. Who are we?
Full name: Enginuity
Tel: 0845 643 9001
Customer services team : Customer.Services@enginuity.org
Registered number: 2324869
Charity Commission Registration: 1000328
Our postal address is below.
If you have any queries about this Policy, the way in which Enginuity processes personal data, or about exercising any of your rights, please contact us via email at gdpr@eal.org.uk or write to us at:
Data Officer, Enginuity Head Office, Unit 2, The Orient Centre, Greycaine Road, Watford, Herts, WD24 7GP
3. Summary of Data Used
The following list summarises the personal data may be held within Enginuity, further explanations around this are provided within the document:
Personal data
Identity
Contact details
Next of kin Job role and employer
Course applications and event attendance
Payment and financial information
Qualification and attainments
Unique learner number
Technical use data, eg, cookies, IP address, browsing experience etc
Special data
racial or ethnic origin
political opinions
religious beliefs
trade union activities
physical or mental health
sexual life, sexual orientation
criminal offences
genetic or biometric data
4. Information you provide to us: Definition and Stages of Appeals
If you:
• Complete a form on our website.
• Complete a survey.
• Correspond with us by phone, e-mail, or in writing.
• Sign up to receive our communications.
• Create an account with us.
• Enter a contract with us to receive products and/or services
we may collect identity and contact data, such as your name, personal/work e-mail address, postal address, telephone number and job role (including where relevant the name of your employer).
5. Information we collect about you
If you visit our Website, we may automatically collect the following information:
• technical information, including the internet protocol (IP) and other security address used to connect your computer to the Internet, login information (such as login, password and other security information), browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
• information about your visit to our Website such as the products and/or services you searched for and view, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
Please also see the section below headed 'Website Cookie Use'.
6. Information we receive from other sources
We may also receive information about you if you use any of the other websites we operate or the other services we provide.
If you are a tutor, apprentice, or learner, we may also receive information about you from your centre, training provider, or employer when they register to receive products and/or services form us.
7. Information about other people
If you provide information to us about any person other than yourself, such as your relatives, next of kin, your advisers, or your suppliers, you must ensure that they understand how their information will be used, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to use it.
8. Sensitive personal data
In certain limited cases, we may ask for your consent to collect and process certain sensitive personal data from you (that is, information about your racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, sexual orientation, or details of criminal offences, or genetic or biometric data). Provision of that information is optional, and we will ask for your separate explicit consent before we collect or processed that data.
9. How do we use your personal data?
Contract performance: we may use your personal data to fulfil a contract, or take steps linked to a contract:
• To provide the products and/or services to you;
• To communicate with you in relation to the provision of the contracted products and services
• To provide you with administrative support such as account creation, security, and responding to issues; and
• Provide you with industry information, surveys, information about our awards and events, offers and promotions, related to the products and/or services.
Legitimate interests: where this is necessary for purposes which are in our, or third parties, legitimate interests. These interests are:
• providing you with newsletters, surveys, information about our awards and events, offers, and promotions, related to products and services offered by EAL which may be of interest to you;
• communicating with you in relation to any issues, complaints, or disputes;
• improving the quality of experience when you interact with our products and/or services, including testing the performance and customer experience of our Website;
• performing analytics on sales/marketing data, determining the effectiveness of promotional campaigns.
NOTE: you have the right to object to the processing of your personal data on the basis of legitimate interests as set out below, under the heading Your rights.
Consent: where you have given your express consent to process personal data for any given purpose specified in that consent. For example you may give consent to receive marketing communications, in which case we may use your personal data to:
• send you newsletters, surveys, information about our awards and events, offers, and promotions, related to products and services offered by EAL which may be of interest to you;
• developing, improving, and delivering marketing and advertising for products and services offered by EAL.
Please note that any such consent given by you (including consent to receive marketing communications) can be withdrawn at any time.
When you visit our websites, agree to the terms and conditions for the use of our services or agree to conduct services on our behalf we will request certain data from you. These services include, but may not be limited to:
Products and Services
• When you are an organisation who wishes to contract with us to provide services, we will require certain key contact details and personal information in order to use our products or services.
• When you are an individual who wishes to enrol on any of our qualifications or courses we collect personal learner data, via the centre providing your course, to help prove your identity and for the purposes of administering, awarding and verifying qualification achievement.
• When you create an account with us using one of our products or services.
• Entering into a contract with us to receive products or services.
• Technical data such as your internet protocol (IP) address, login data, operating system and platform will be collected for monitoring and security purposes.
• When you are engaged as a sub-contractor in the capacity of an assessor, moderator, examiner or auditor to assist with our regulatory monitoring and awarding services, we collect personal and sensitive information to verify your identity and suitability for the role.
• When we receive an enquiry, appeal or complaint from an individual we will collect contact information in order that we can respond in a timely and efficient manner.
• Transaction data such as details of the software products and services you have obtained from us, purchase order details, and payments made to/from us
Events and Meetings
• When we receive a booking for a professional event, network or meeting we will collect personal information relevant for the booking. This will be used to contact you about the booking if we need to clarify anything, issue joining instructions and send you other information relating to the event, network or meeting that you have booked onto.
• We will include your name, job title and the name of the organisation that you work for on a delegate list that will be made available to the other people attending the same event, network or meeting.
• We may use your personal information to send you details of other professional development events, networks or meetings that you may be interested in.
• If we send you information on other events, networks or meetings you will have the option to “opt out” of receiving future emails or other forms of communication.
• Marketing data such as your marketing and communication preferences in receiving communications from us and our third parties, the technologies used, and any related correspondence
Website Services
• When you make an enquiry online, book on an event or engage with us through social media about the products and services we offer we only collect enough information to respond fully to your requests.
• Information collected through surveys and cookies is analysed to improve our products and services for our customers. This enables us to personalise your experience of our site by recording details about use of the site as a file on your computer. You can disable the use of cookies, but this may limit the functionality of web pages on our site, or your access to our site. For further information about how Enginuity uses cookies, read through our Cookies Policy.
• Please note that our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over other websites. Therefore, we do not accept responsibility for the protection and privacy of any information which you provide whilst visiting other sites outside of the Enginuity Group. These sites are not governed by this privacy policy and therefore you should exercise caution and look at the privacy statement applicable to the website visited.
Marketing Opt Out
Where you have consented to receive marketing communications from us (or a third party), you may change your preferences or unsubscribe from marketing communications at any time by clicking the unsubscribe link in an email from us (or the third party concerned) or by following other marketing preferences/opt outs displayed on our websites (or on the website of the relevant third party).
Where required by law: We may also process your personal data if required by law, including responding to requests by government or law enforcement authorities, or for the prevention of crime or fraud.
10. How do we use your personal data?
We may share your personal data with members of the Enginuity Group (including EAL).
We take all reasonable steps to ensure that our staff protect your personal data and are aware of their information security obligations. We limit access to your personal data to those who have a genuine business need to know it.
We may also share your personal data with trusted third parties including:
• legal and other professional advisers, consultants, and professional experts;
• service providers contracted to us in connection with provision of the products and services such as providers of IT services and customer relationship management services;
• Official bodies who we act on behalf of in relation to the services we provide; and
• analytics and search engine providers that assist us in the improvement and optimisation of our Website
We will ensure there is a contract in place with the categories of recipients listed above which include obligations in relation to the confidentiality, security, and lawful processing of any personal data shared with them.
Some of the third parties with whom we may share your data (as referred to above) may be based outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission
Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. We are also registered under Privacy Shield on a voluntary basis.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
We will share personal data with law enforcement or other authorities if required by applicable law.
11. How do we use your personal data?
We may share your personal data with members of the Enginuity Group (including EAL).
We take all reasonable steps to ensure that our staff protect your personal data and are aware of their information security obligations. We limit access to your personal data to those who have a genuine business need to know it.
We may also share your personal data with trusted third parties including:
• legal and other professional advisers, consultants, and professional experts;
• service providers contracted to us in connection with provision of the products and services such as providers of IT services and customer relationship management services;
• Official bodies who we act on behalf of in relation to the services we provide; and
• analytics and search engine providers that assist us in the improvement and optimisation of our Website.
We will ensure there is a contract in place with the categories of recipients listed above which include obligations in relation to the confidentiality, security, and lawful processing of any personal data shared with them.
Some of the third parties with whom we may share your data (as referred to above) may be based outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. We are also registered under Privacy Shield on a voluntary basis.
• Please get in touch if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
We will share personal data with law enforcement or other authorities if required by applicable law.
12. Sharing your data with organisations outside of Enginuity IT companies, platforms or services supplied to Enginuity
We engage with external IT companies to provide services and in some cases, we may use their platforms to support our products and other essential services. We have separate agreements with these organisations to ensure that we transfer any shared personal information through a secure application programming interface (API). We ensure that there is a contract in place with third party service providers, which includes obligations in relation to confidentiality, security and lawful processing of any personal data shared with them, and which upholds your rights and freedoms with respect to personal data.
We may share your personal data but only with trusted third-party service providers, such as:
• Legal and other professional advisers, consultants and professional experts and bodies
• Service providers contracted to us in connection with our Website, learning and assessment platforms or portals
• Providers of IT services and customer relationship management services; and
• Analytics and search engine providers that assist us in the improvement and optimisation of our digital products and services
Products and Services (EAL)
We require all recognised centres that are delivering EAL’s qualifications to have their own privacy (fair processing) notices and to ensure that all learners are aware of how and when their data may be used by them and others.
We will pass regulated learner qualification achievement data to the organisations listed below in line with the timescales specified and agreed in individual agreements with each of these organisations. Once this information is shared with these organisations, we are no longer the data controller but remain the authoritative source of all achievements
Project Work and Events
We may share your personal information with your employing organisation for the purposes of reporting on how the organisation has access and used project work managed by Enginuity. We may have to share your personal information with the organisation providing project funding
We will share your personal information in delegate lists shared with other people attending the same event, network or other meeting. We will not share your email address with other people attending the same event, network or other meeting unless we have your permission to do so
Education and Skills Funding Agency (ESFA):
The information you supply will be used by the ESFA, the agency accountable for funding education and skills for children, young people and adults, sponsored by the Department for Education, to issue you with a Unique Learner Number (ULN), and to create your Personal Learning Record (PLR). Further details of how this information is processed and shared may be viewed on the EFSA website.
We will submit learner qualification achievement data to the PLR when the learner achievement has been verified and where a ULN has been provided by the centre. The PLR is managed by the Learning Records Service (LRS).
The Department for Education (DfE):
The DfE uses qualification registration and achievement data for research and statistical purposes to inform and improve educational policy. We submit achievement data annually to government departments or agencies acting on their behalf to support Schools Performance Tables. If you wish to know more about the data held please reference the DfE website.
UCAS:
UCAS is the organisation responsible for managing applications to higher education courses in the UK. Qualifications that have UCAS tariff points mean they are recognised as contributing to entry to university.
We report the achievement of these qualifications annually to UCAS directly. If you wish to learn more about how this data is stored and protected please reference the UCAS website.
The Qualifications Regulators:
The Regulators process enrolment and achievement data for regulated qualifications. This data is used for research and statistical purposes to enable the Regulators to fulfil their regulatory duties
If you wish to learn more about the data collected by the Regulators, please consult the information listed on their website(s) below:
• Ofqual
• Qualifications Wales
• CCEA Regulation
• SQA
• Welsh Government
13. How long will we keep your personal data?
We only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Where there is a contract between us, we will retain your personal data for the duration of the contract period, and any specified term agreed by the parties in regard to termination or expiry, to ensure we are able to comply with any contractual, legal, audit and other regulatory requirements, or any orders from competent courts or authorities
In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we can use this information indefinitely without further notice to you.
14. How and where do we store your personal data and how is it protected?
We can store personal data in paper or electronic format. We take reasonable steps to protect your personal data from loss or destruction. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so
Where you have a username or password (or other identification information) which enables you to access certain services or parts of our Website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
We are committed to ensuring that your information is secure and we take all reasonable steps to ensure that both we and our third party service providers, protect your personal data. This includes but is not limited to:
• Ensuring our staff are aware of their information security obligations, providing GDPR training and limiting access to personal data to staff who have a genuine business need to know.
• In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect through our online systems.
• We have arrangements in place to protect your personal data from loss or destruction and have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulatory body or contractual partner of a suspected data security breach where we are legally required to do so.
• We secure access to our websites, online portals and platforms by using industry standard TLS encryption.
• Access to your personal data is password protected and where required accessed through secure virtual private network technology (VPN). It is your responsibility to keep your password safe.
• We carry out regular penetration testing and daily monitoring of our systems for vulnerabilities and attacks.
• We have regularly updated virus and malware protection.
• We have appropriate storage and retention procedures for both physical and electronic data.
• Our project management and change control processes include structured assessment of information security and data privacy risks.
• Enginuity complies with the requirements and is certified under the Cyber Essentials Plus Scheme which is a government-backed and industry supported programme that requires businesses to maintain technical controls to protect themselves against common online security threats.
Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to our Website; any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.
15. Terms of website use
Please visit our Website terms and conditions page for details on all our terms and conditions for the use of any of the Enginuity websites.
16. Your rights
Under the GDPR, you have various rights with respect to our use of your personal data. We have summarised theses rights below. To exercise any of these rights, please contact us using our email or postal address given below under the heading 'Contact'.
Right to access
You have the right to request a copy of the personal data that we hold about you and to check that we are processing it lawfully. Please include with your request information that will enable us to verify your identity. We will respond within a calendar month of request. Please note that there are exceptions to this right. We may be unable to make all information available to you if, for example, making the information available to you would adversely affect the rights and freedoms of others
Right to rectification
We aim to keep your personal data accurate and complete. You have the right to require us to rectify/complete any inaccurate or incomplete personal data we hold about you. We encourage you to contact us to let us know if any of your personal data is not accurate, is incomplete or changes, so that we can keep your personal data up-to-date
Right to erasure
You have the right to request the deletion of your personal data where, for example, the personal data are no longer necessary for the purposes for which they were collected, where you withdraw your consent to processing, where there is no overriding legitimate interest for us to continue to process your personal data, or your personal data has been unlawfully processed or to comply with the law. Please note that these are exceptions to this right (e.g. compliance with law); if any such exception applies we will inform you when you make your request to us.
Right to object
In certain circumstances, you have the right to object to the processing of your personal data where, for example, your personal data is being processed on the basis of legitimate interests (of us or a third party) or for the performance of a task in the public interest and there are no compelling overriding legitimate grounds for us to continue to process your personal data.
You also have a separate right to object to the processing of your personal data for direct marketing.
Right to restrict processing
In certain circumstances, you have the right to request that we restrict the further processing of your personal data. This right arises where, for example, you have contested the accuracy of the personal data we hold about you and we are verifying the information, you have objected to processing (see above, right to object) and we are considering whether there are any overriding legitimate interests, or the processing is unlawful and you elect that processing is restricted rather than deleted or we no longer need the personal data for the purposes of processing, but you require the data in connection with legal claims.
Right to data portability
In certain circumstances, you have the right to request that your personal data is provided to you, and/or to another data controller, in a structured, commonly used, machine-readable format. This right only arises where you have provided your personal data to us, the processing is based on consent or the performance of a contract, and processing is carried out by automated means. Please note that the GDPR sets out exceptions to the above rights. If we are unable to comply with your request due to an exception we will explain this to you in our response.
17. What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
18. Third-party links
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
19. Contacting the Information Commissioner’s Office (ICO)
If you are unhappy with the way your data has been handled and we have been unable to give you a satisfactory response to your request you may contact the Information Commissioner’s Office (ICO) via the ICO website.
If we become subject to any data breach of any significance where the rights of individuals are prejudiced in any way i.e. where there is potential for an individual’s identity to be stolen or confidentiality is breached, we will report that breach to the ICO.
20. Contact
Full name: Science, Engineering and Manufacturing Technologies Alliance trading as Enginuity
Tel: 0845 643 9001
Customer services team : Customer.Services@enginuity.org
Registered number: 2324869
Charity Commission Registration: 1000328
Our postal address is below.
If you have any queries about this Policy, the way in which Enginuity processes personal data, or about exercising any of your rights, please contact us via email at gdpr@enginuity.org or write to us at:
Data Officer, Enginuity Head Office, Unit 2, The Orient Centre, Greycaine Road, Watford, Herts, WD24 7GP
21. Cookies
Please visit our Cookie page for details on all of our cookie use and how to block them
If you have any questions or concerns, please contact us at marketing@enginuity.org
