GDPR & ESFA Privacy Notice


The General Data Protection Regulation (GDPR) is European legislation replacing the Data Protection Act in May 2018. The basic principles for looking after personal data remain in line with existing principles, but there are stricter standards to adhere to, and increased penalties for non-compliance. 

All staff and learners must adhere to the SPS Data Protection Policy and Acceptable Use Policy. The policies will be published here in the upcoming weeks:

  • Data Protection Policy
  • Acceptable Use Policy for Staff
  • Acceptable Use Policy for Learners

Staff and learners are asked to be mindful or potential data breaches at all times. A personal data security breach may come from theft; a deliberate attack on your systems; unauthorised use of your own personal data; or accidental loss or equipment failure.

Should you have any queries relating to GDPR at SPS Training or wish to report a data breach or potential data breach please contact the SPS Data Protection Officer:

Data Protection Officer (DPO)

Mehul Shah, Director

Breaches can occur at any time; therefore, it may not always be possible to reach the DPO so any opportunity to contain the breach should be taken immediately. Examples of this include removing a webpage; informing unauthorised recipients of an email to delete it and not share it further; disconnect your device from any the SPS network; informing Technical Services staff or your line manager.

ESFA Privacy Notice

This privacy notice is issued by the Education and Skills Funding Agency (ESFA) on behalf of the Secretary of State for the Department of Education (DfE) to inform learners about the Individualised Learner Record (ILR) and how their personal information is used in the ILR. Your personal information is used by the DfE to exercise our functions under article 6(1)(e) of the UK GDPR and to meet our statutory responsibilities, including under the Apprenticeships, Skills, Children and Learning Act 2009.

The ILR collects data about learners and learning undertaken. Publicly funded colleges, training organisations, local authorities, and employers (FE providers) must collect and return the data to the ESFA each year under the terms of a funding agreement, contract or grant agreement. It helps ensure that public money distributed through the ESFA is being spent in line with government targets. It is also used for education, training, employment, and well being purposes, including research. We retain ILR learner data for 3 years for operational purposes and 66 years for research purposes. For more information about the ILR and the data collected, please see the ILR specification at

ILR data is shared with third parties where it complies with DfE data sharing procedures and where the law allows it. The DfE and the English European Social Fund (ESF) Managing Authority (or agents acting on their behalf) may contact learners to carry out research and evaluation to inform the effectiveness of training. In these cases, it is part of our statutory duties and we do not need your consent.

Where sharing is not part of our statutory duties, you can give your consent to be contacted by other third parties about:
[ ] courses or learning opportunities, or [ ] for surveys and research by:
[ ] post
[ ] phone
[ ] e-mail
Please tick relevant boxes to give your consent.

For more information about how your personal data is used and your individual rights, please see the DfE Personal Information Charter ( and the ESFA Privacy Notice (

If you would like to get in touch with us, you can contact the DfE in the following ways:

If you are unhappy with how we have used your personal data, you can complain to the Information Commissioner’s Office (ICO) at – Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. You can also call their helpline on 0303 123 1113 or visit