Data Protection and Usage

EdgeWorks™ holds and processes information about employees, learners, and other data subjects for academic, administrative, operational and commercial purposes. This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and associated legislation as amended from time to time, including the Data (Use and Access) Act 2025.

All staff, learners, and third parties who process or use personal information must comply with the following principles. Personal data must:

  • Be processed lawfully, fairly, and transparently.
  • Be collected for specified, explicit, and legitimate purposes.
  • Be adequate, relevant, and limited to what is necessary.
  • Be accurate and kept up to date.
  • Be kept only as long as necessary.
  • Be processed in a manner that ensures appropriate security.
  • Respect the rights of data subjects under UK GDPR.
  • Only be transferred outside the UK if appropriate safeguards are in place.

Definitions

  • “Data controller” means The Edge Works Limited, which determines the purposes and means of processing personal data. Further information is available from the Data Protection Officer.
  • “Other data subjects” and “third parties” may include contractors, suppliers, contacts, referees, friends or family members.
  • “Processing” refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.

Notification of data held

EdgeWorks™ will inform individuals about the personal data it holds and processes about them, including why it is collected and how it is used. This information is maintained in the organisation’s data inventory and may be updated as needed.

Lawful basis for processing

EdgeWorks™ will only process personal data where there is a lawful basis under UK GDPR Article 6. These include:

  • Consent.
  • Contractual necessity.
  • Legal obligation.
  • Vital interests.
  • Public task.
  • Legitimate interests.

For learners, processing will normally be based on contractual necessity and legal obligation relating to qualification registration, assessment and certification. Special category data (such as health information for reasonable adjustments) will be processed in accordance with Article 9 UK GDPR and relevant statutory conditions.

Where learners are sponsored by an employer, EdgeWorks™ may share relevant progress, activity and qualification-status data with that employer where this is necessary for programme administration, contractual reporting, quality assurance or regulatory compliance. EdgeWorks™ does not normally share full assessment content with employers unless this is required for quality assurance, regulatory, or legal purposes.

Where appropriate and lawful, EdgeWorks™ may also rely on recognised legitimate interests introduced or clarified by legislation, including in relation to safeguarding, public protection, or emergency situations, provided the relevant legal conditions are met.

Staff responsibilities

All staff shall;

  • Ensure that all personal information which they provide to EdgeWorks™ in connection with their employment is accurate and up-to-date.
  • Inform EdgeWorks™ of any changes to information, for example, changes of address.
  • Check the information which EdgeWorks™ shall make available from time to time, in written or automated form, and inform EdgeWorks™ of any errors or, where appropriate, follow procedures for updating entries on computer forms. EdgeWorks™ shall not be held responsible for errors of which it has not been informed.

When staff hold or process information about learners, colleagues or other data subjects (for example, learners’ course work, pastoral files or personal details), they should comply with the Data Protection Guidelines.

Staff shall ensure:

  • Personal data must only be processed on devices compliant with organisational cyber security standards aligned to Cyber Essentials.
  • That all personal information is kept securely.
  • That personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party. Unauthorised disclosure may be a disciplinary matter and may be considered gross misconduct in some cases.

Learner responsibilities

All learners shall:

  • Ensure that all personal information which they provide to EdgeWorks™ is accurate and up-to-date.
  • Keep usernames/passwords and any resources shared in the undertaking of their qualification confidential.
  • Check the information which EdgeWorks™ shall make available from time to time, in written or automated form, and inform EdgeWorks™ of any errors or, where appropriate, follow procedures for updating entries on computer forms. EdgeWorks™ shall not be held responsible for errors of which it has not been informed.

Rights to access information

Staff, learners and other data subjects have the right to access personal data held about them by EdgeWorks™ in accordance with applicable data protection law.

Any person may exercise this right by submitting a request in writing to the Data Protection Officer or designated contact.

EdgeWorks™ will not normally charge a fee for responding to a Subject Access Request. A reasonable fee may be charged where a request is manifestly unfounded or excessive, in accordance with applicable data protection law.

EdgeWorks™ will respond to Subject Access Requests within the applicable statutory timeframe. This period may be extended where permitted by law, including where requests are complex or numerous. Where EdgeWorks™ reasonably requires further information to confirm identity, clarify the scope of the request, or identify the information requested, the response period may pause until that information is received.

When responding to a request, EdgeWorks™ will undertake searches that are reasonable and proportionate in the circumstances. Where an extension or pause applies, the reason will be explained to the requester in writing.

The data controller responsibility and designated contacts

The Edge Works Limited is the data controller for the purposes of applicable data protection law.

The Managing Director is ultimately responsible for the implementation of this policy on behalf of the organisation. Responsibility for day-to-day operational matters may be delegated to designated managers. Information and advice about the holding and processing of personal information is available from the Data Protection Officer.

Assessment marks certification

Learners shall be entitled to information about their marks for assessments; however, this may take longer than other information to provide. EdgeWorks™ may withhold enrolment, awards, certificates, accreditation or references in the event that monies are due.

AI (artificial intelligence)

AI tools may be used to support professional judgement within assessment and quality assurance processes. AI systems do not make autonomous assessment decisions.

Learner work must not be used to train external AI models, or processed by systems that store or reuse data, unless EdgeWorks™ has identified a documented lawful basis, provided appropriate transparency information, and implemented suitable contractual, technical and organisational safeguards.

All AI use must comply with UK GDPR and EdgeWorks™ data protection and information security requirements. Any suspected misuse must be reported immediately in line with incident reporting procedures.

Data breach response

All staff must report any data breach or suspected breach to the Data Protection Officer immediately. EdgeWorks™ will investigate and report notifiable breaches to the ICO within 72 hours.

Data protection complaints

Any data subject who believes that EdgeWorks™ has not handled their personal data in accordance with data protection law may raise a data protection complaint directly with EdgeWorks™.

Complaints may be submitted by email to the Data Protection Officer, in writing, or through any published complaint channel made available for this purpose.

EdgeWorks™ will:

  • Provide a clear way for individuals to make data protection complaints.
  • Acknowledge receipt of a complaint within 30 days of receiving it.
  • Take appropriate steps to investigate and respond without undue delay.
  • Make enquiries proportionate to the nature of the complaint.
  • Keep the complainant informed of progress where appropriate.
  • Communicate the outcome without undue delay.

Where a complaint identifies a broader compliance issue, EdgeWorks™ may also review related processing activity, records, systems, training or controls.

Raising a complaint with EdgeWorks™ does not affect the individual’s right to complain to the Information Commissioner’s Office.

International data transfers

Personal data will only be transferred outside the UK where appropriate safeguards are in place in accordance with UK data protection law.

Retention of data

Different types of data are retained for different periods based on legal and operational needs. Details are provided in EdgeWorks™ Records Retention Schedule.

Care Academy learner platform accounts are subject to defined inactivity rules. An account is considered inactive where there has been no login activity and no active qualification. The 10-year retention period is calculated from the later of last login, employment status change to “ex-employee”, or qualification completion, withdrawal or lapse. Further operational detail is set out in the Records Retention Schedule and internal Retention SOP.

Records must not be retained beyond the periods defined in the Records Retention Schedule unless a documented lawful basis for continued retention exists.

Compliance

Compliance with UK GDPR and the Data Protection Act 2018 is the responsibility of all learners and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Officer.

Any individual who considers that this policy has not been followed in respect of personal data relating to them should raise the matter through the Data Protection Complaints Process in the first instance. This does not prevent the individual from using any separate staff grievance, learner complaints or whistleblowing route where that is more appropriate to the nature of the concern.

Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None