Our Policies


  1. EDLounge Ltd. needs to keep certain information about its employees, learners and other users to allow it to monitor, for example, performance, achievements and health and safety records. It is also necessary to process information so that staff can be recruited and paid, courses organised and to comply with legal obligations to funding bodies and government. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, EDLounge Ltd. must comply with the Data Protection Principles which are set out in the Regulation (EU) 2016/679 (General Data Protection Regulation). In summary these state that personal data shall be:
    • fairly and lawfully processed
    • processed for limited purposes
    • adequate, relevant and not excessive
    • accurate
    • not kept longer than necessary
    • processed in accordance with the data subject’s rights
    • secure
    • not transferred to countries without adequate protection 

2. See Appendix 2 for details of the eight principles. EDLounge Ltd. and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, EDLounge Ltd. has set out its GDPR Policy.  

Notification of Data Held and Processed 

  1. All staff, learners and other users are entitled to:
  • know what information EDLounge Ltd. holds and processes about them and why
  • know how to gain access to it
  • know how to keep it up-to-date
  • know what EDLounge Ltd. is doing to comply with its obligations under the Regulation (EU) 2016/679 (General Data Protection Regulation)

2. EDLounge Ltd. will therefore provide all staff and learners and other relevant users with a standard request form, on request, for access to data. This will state all the types of data EDLounge Ltd. holds and processes about them.  

3. The Act requires EDLounge Ltd. to notify the Information Commissioner of the ways in which it processes personal data. Failure to notify the Information Commissioner is a criminal offence. EDLounge Ltd.'s notification must be renewed annually; however, the notification should be amended whenever necessary. It is the responsibility of all staff and learners to ensure that any processing of personal data that they undertake is within the terms of EDLounge Ltd.'s notification. If you believe that any processing which you intend to carry out falls outside of EDLounge Ltd.'s current notification, you must inform the Data Protection Officer. You should not carry out the intended processing until the Data Protection Officer confirms that it will be covered by EDLounge Ltd.'s notification. 

4. EDLounge Ltd. is only able to process personal data within the terms of its notification. If EDLounge Ltd. processes personal data outside of its notification, both it and the individual processing the data may incur civil and criminal liability. The Data Protection Officer will make the notification after he/she has received written confirmation of details. 

5. Current EDLounge Ltd. notification details can be found by entering EDLounge in the 'Name' box on the Information Commissioner’s web site at   

Internal Registration 

1. Detailed records of all computerised personal data and structured manual data files retained by EDLounge Ltd. must be registered with the Data Protection Officer who will ensure compliance with EDLounge Ltd.’s Data Protection Policy and the GDP Regulation.  


1. A small number of activities are exempt from certain provisions of the Regulation. Activities relevant to EDLounge Ltd. are:

  • Examination scripts (but not examiners' comments) are exempt from the Subject Access provision (Principle 6).
  • Personal data used for research purposes is exempt from a limited number of principles of the Regulation. However, the results of the research should not identify the data subject. 

2. Other exemptions that are available are of a very specific nature. They relate to matters such as National Security, Crime, Taxation and Health matters.  

Rights to Access Information/Appeal 

1. Staff, learners and other users of EDLounge Ltd. have the right to access any personal data that is kept about them either on computer or in certain files. Any person who wishes to exercise this right should write to EDLounge Ltd.’s Data Protection Officer. The data subject must supply sufficient information to enable EDLounge Ltd. to locate the information that the subject seeks. EDLounge Ltd. is not obliged to comply with open-ended requests. EDLounge Ltd. may refuse to disclose data that refers to the personal data of third parties. 

2. EDLounge Ltd. will make a charge of £10.00 on each occasion that access is requested, although EDLounge Ltd. has discretion to waive this. 

3. EDLounge Ltd. aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 working days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the person making the request. 

Appeal and Internal Review 

If a subject is dissatisfied with the handling of a request, they have the right to request an internal review. Internal review requests should be submitted within two months of the date of receipt of the response to the original request for information and should be addressed to:

Data Controller

EDLounge Ltd.

Aston House

Campbell Way



S25 3QD

If an applicant is dissatisfied with the outcome of an internal review, he/she has the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF   

Subject Consent 

1. In many cases, EDLounge Ltd. can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained (see below). Agreement to EDLounge Ltd. processing data collected on a learner's application form, enrolment form or other data provided by the learner or others whilst the subject is a learner, is subject to a declaration on EDLounge Ltd.'s application and enrolment forms signed by the learner. Agreement to EDLounge Ltd. processing personal data is also a condition of employment for staff. This includes information about previous criminal convictions. 

2. Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 14 and 19. EDLounge Ltd. has a duty under The Children’s Act and other enactments to ensure that staff are suitable for the job, and learners for the courses offered. EDLounge Ltd. also has a duty of care to all staff and learners and must therefore make sure that employees and those who use EDLounge Ltd.'s facilities do not pose a threat or danger to other users. 

3. EDLounge Ltd. will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes.  EDLounge Ltd. will only use the information in the protection of the health and safety of the individual.  

Processing Sensitive Information 

1. Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender and family details. This may be to ensure EDLounge Ltd. is a safe place for everyone, or to operate other EDLounge Ltd. policies, such as the Sickness Reporting Policy or Equal Opportunities Policy. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and learners will be asked to give express consent for EDLounge Ltd. to do this.


Status of the Policy in relation to EDLounge Ltd. employees

1. This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by EDLounge Ltd.   

2. Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with EDLounge Ltd.’s Data Protection Officer. (See the section "The Data Controller and the Data Protection Officer".)

Responsibilities of Staff 

  1. All staff are responsible for:
  • Checking that any information that they provide to EDLounge Ltd. in connection with their employment is accurate and up-to-date
  • Informing EDLounge Ltd. of any changes to information which they have provided, i.e. changes of address
  • Checking the information that EDLounge Ltd. will send out from time to time, giving details of information kept and processed about staff
  • Informing EDLounge Ltd. of any errors or changes.  EDLounge Ltd. cannot be held responsible for any errors unless the staff member has informed EDLounge Ltd. of them. 

2. If and when, as part of their responsibilities, staff collect information about other people (i.e. about learners’ coursework, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with the guidelines for staff, which are at Appendix 1.

Data Security 

  1. All staff are responsible for ensuring that:
  • Any personal data that they hold on learners is kept securely
  • Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party 

2. Staff should note that unauthorised disclosure may lead to disciplinary action being taken.  

3. Personal information should be:

  • Kept in a secure environment; or
  • In a locked drawer; or
  • If it is computerised, be password-protected; or
  • Kept only on disk which is itself kept securely.


Learner Obligations 

1. Learners must ensure that all personal data provided to EDLounge Ltd. is accurate and up-to-date. They must ensure that changes of address, etc. are notified using the Personal Details Amendment Form, which is available from their establishment's reception. This will enable EDLounge Ltd. to update its Management Information System.  

Examination Marks 

1. Learners will be entitled to information about their marks for both coursework and examinations  

Publication of EDLounge Ltd. Information 

1. Information that is already in the public domain is exempt from the GDP Regulation. It is EDLounge Ltd.'s policy to make as much information public as possible. Access to public information is available under The Freedom of Information Act 2000.   

The Data Controller and the Data Protection Officer 

1. EDLounge Ltd. is:

a. The Data Controller for its staff information

b. The ESFA and EDLounge Ltd. acknowledge that they are both Data Controllers in common of the Personal Data collected and held by EDLounge Ltd. in performing its services and provided to the ESFA.

c. A data processor for student information as defined within the SFA Financial Memorandum is currently in position and will comply fully with the requirements stated within. 

2. EDLounge Ltd.'s designated Data Protection Officer is:   Name: Cara Radford:  Office Manager email: 

3. In the absence of the Data Protection Officer, any issue needing urgent attention relating to the provisions of this policy should be raised with Senior Management acting on behalf of the Data Protection Officer. 

Retention of Data 

EDLounge Ltd. will keep some forms of information for longer than others. Because of storage limitations, information about learners cannot be kept indefinitely, unless there are specific requests to do so. In general, information about learners will be kept for a maximum of 10 years after they leave EDLounge Ltd. This will include names and addresses and academic achievements. 

EDLounge Ltd. will need to keep information about staff for longer periods. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references. See Appendix 3 for a full list of information regarding retention times.  

Disposal of Data 

Particular care must be taken with the disposal of personal data. Staff should be aware that the same standards should be applied to informal records, lists and printouts held by individual members of staff containing personal data as to records that are part of the formal EDLounge Ltd. records systems.

Personal data must be destroyed by secure methods such as shredding or confidential waste sacks handled by authorised contractors.  

Formal records may only be destroyed with the appropriate authority. 

Data Protection and the Internet 

The provisions of the GDP Regulation apply equally to processing on the World Wide Web as they do to processing on all other information systems. When personal data is requested on the EDLounge Ltd. website the following information must be supplied to the data subject:

  • the purpose for which the data is collected;
  • the description of the organisations or individuals to whom the data might be disclosed;
  • the details of any direct marketing for which the data might be used together with the opportunity for the individual to object to this use of the data;
  • a statement regarding the security of the internet as a mode of communication. 

When personal data is obtained from the website of another organisation, the relevant manager must ensure that the subsequent use of the personal data conforms to the information provided to the data subject. If any further subsequent use of this data is proposed that was not disclosed at the time of collection, consent must be obtained from the data subject before commencing this processing.

No Personal Data is placed on a public website and data is not transferred outside the EEA (European Economic Area).    


1. Compliance with the 2018 Regulation is the responsibility of all members of EDLounge Ltd. Any deliberate breach of the GDPR policy may lead to disciplinary action being taken, or access to EDLounge Ltd. facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated Data Protection Officer.  

2. Further guidance on Data Protection issues is available from the following websites: 

  • The office of the Information Commissioner at:

  • The JISC Code of Practice for HE and FE Sectors at: 


Appendix 1 – Staff Guidelines for Data Protection  

1. Staff will process data about learners on a regular basis, when marking registers, or EDLounge Ltd. work, writing reports or references, or as part of a pastoral or academic supervisory role. EDLounge Ltd. will ensure through registration procedures, that all learners give their consent to this sort of processing, and are notified of the categories of processing, as required by the 2018 Regulation. The information that staff deal with on a day-to-day basis will be ‘standard’ and will cover categories such as:

  • general personal details such as name and address
  • details about class attendance, coursework marks and grades and associated comments
  • notes of personal supervision, including matters about behaviour and discipline 

2. Information about a learner’s physical or mental health; sexual life; political or religious views; trade union membership or ethnicity or race is sensitive and can only be collected and processed with the learner’s consent. Consent is obtained on the processing of ethnicity data at enrolment. However, if staff members need to record any other information, they should seek the learner’s written consent. For example: recording information about dietary needs, for religious or health reasons prior to taking learners on a field trip; recording information that a learner is pregnant, as part of pastoral duties. 

3. All staff members have a duty to make sure that they comply with the data protection principles, which are set out in the EDLounge Ltd. Data Protection Policy. In particular, staff must ensure that records are:

  • accurate
  • up-to-date
  • fair
  • kept and disposed of safely, and in accordance with the EDLounge Ltd. policy 

4. Should a member of teaching staff consider it necessary to collect sensitive data or be asked to process this data, they should refer to their Line Manager in the first instance.  

The only exception to this will be if the staff member is satisfied that the processing of the data is necessary:

  • in the best interests of the learner or staff member, or a third person or EDLounge Ltd., or
  • he or she has either informed the authorised person of this, or has been unable to do so and processing is urgent and necessary in all the circumstances. 

This should only happen in very limited circumstances. For example, a learner is injured and unconscious, but in need of medical attention, and a staff tutor tells the hospital that the learner is pregnant or a Jehovah’s Witness.  

5. The curriculum teaching teams will be responsible for ensuring that all data is kept securely.  

Staff Checklist for Recording Data

6. Staff must not disclose personal data to any learner, unless for normal academic or pastoral purposes, without authorisation or agreement from the Data Protection Officer, or in line with the EDLounge Ltd. policy.  

7. Staff shall not disclose personal data to any other staff member except with the authorisation or agreement of the designated Data Protection Officer, or in line with the EDLounge Ltd. policy.  

8. Before processing any personal data, all staff should consider the checklist:  

  • Do you really need to record the information?
  • Is the information ‘standard’ or is it ‘sensitive’?
  • If it is sensitive, do you have the data subject’s express consent?
  • Has the learner been told that this type of data will be processed?
  • Are you authorised to collect/store/process the data?
  • If yes, have you checked with the data subject that the data is accurate?
  • Are you sure that the data is secure?
  • If you do not have the data subject’s consent to process, are you satisfied that it is in the best interests of the learner or the staff member to collect and retain the data?

Appendix 2 – Data Protection Principles  

The Regulation (EU) 2016/679 (General Data Protection Regulation) contains eight governing Principles relating to the collection, use and disclosure of data, and the rights of the subject to have access to Personal Data concerning themselves. These Principles are: 

The First Principle 

Personal Data should be processed fairly and lawfully and should not be processed unless certain conditions are met.

All Personal Data processed must satisfy at least one of the conditions of Schedule 2 of the Regulation. The requirements of Schedule 2 can be summarised as follows:

  • with consent;
  • to perform a contract with the individual;
  • under a legal obligation;
  • to protect the vital interests of the individual;
  • to carry out public functions conferred by or under enactment;
  • for the administration of justice;
  • to pursue the legitimate interests of the Data Controller unless prejudicial to the interests of the individual. 

Sensitive personal data processed must meet at least one of the conditions of Schedule 2 (above). In addition, it must also satisfy one of the conditions of Schedule 3 of the Regulation. The conditions of Schedule 3 can be summarised as follows:

  • with explicit consent;
  • exercising or performing any right or legal obligation conferred or imposed on the Data Controller in the context of employment;
  • to protect the vital interests of the individual where consent cannot be given or is unreasonably withheld;
  • by certain non-profit bodies in the course of their legitimate activities;
  • where the information has manifestly been made public;
  • in any legal proceedings;
  • to carry out certain government functions (justice, government  department, crown);
  • for medical purposes undertaken by a Health Professional or suitably qualified individual;
  • certain ethnic monitoring to ensure equality. 

The Second Principle 

Personal data will be obtained for only one or more specified lawful purpose and will not be further processed in any manner incompatible with that purpose or those purposes. 

Personal data obtained for one stated purpose cannot be used for a completely different purpose without the individual being informed of the different purpose. 

The Third Principle 

Where Principle 2 applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

The Controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

The Fourth Principle 

Personal data shall be accurate and, where necessary, kept up to date. 

This obligation will apply to personal data not only obtained directly from the data subject but also to personal data obtained from third parties. You must take reasonable steps to ensure that any personal data that you obtain is accurate. Personal data that is likely to change from year to year, such as learner addresses, should be reviewed annually. 

The Fifth Principle 

Personal data processed for any purpose or purposes will not be kept for longer than is necessary for that purpose or those purposes. 

Please refer to the guidelines for Retention of Personal Data in Appendix 3. 

The Sixth Principle 

Personal data will be processed in accordance with the rights of data subjects under this Regulation. 

The rights of the data subject include the following:

  • the right of data subjects to request access to the information held about them, the purpose(s) for which the information is being used and those to whom it is or may be disclosed;
  • to prevent processing likely to cause damage or distress;
  • to prevent processing for the purposes of direct marketing;
  • to be informed of the logic behind any automatic decision-making;
  • to take action for compensation if they suffer damage for any contravention of the Regulation by the Data Controller;
  • to take action to rectify, block, erase or destroy inaccurate data;
  • the right to ask the Information Commissioner to assess whether or not it is likely that any processing of personal data has not been carried out in accordance with the Regulation. 

The Seventh Principle 

Appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.

An adequate level of security must be in place for the handling of all EDLounge Ltd. personal data from collection through to disposal. This is all data held on computers (including email) and in manual filing systems (including both formal and informal notes and records). It also applies to personal data handled by external contractors, consultants and partners on behalf of EDLounge Ltd. When using these agencies, a written contract should be entered which ensures that all EDLounge Ltd. data protection policies and procedures are complied with at all times. 

The Eighth Principle 

Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 

While EDLounge Ltd. is registered to transfer information outside of the EEA it would not transfer data to any unapproved region (i.e. not on the EU Commission’s list of countries or territories providing adequate rights and protection for freedoms of data subjects or, in the case of the United States, the recipient of the data must be signed up to the US Department of Commerce Safe Harbour Scheme).

There are exceptions to the general rule that may allow information to be transferred outside the EEA. These exceptions can be summarised as follows:

  • with consent;
  • to make or perform a contract;
  • in legal proceedings;
  • to protect the vital interests of the individual;
  • for substantial public interest;
  • where the information is on a public register;
  • on terms approved by the Information Commissioner or where authorised by the Information Commissioner;

Appendix 4 – Glossary of Terms  

The Act - Regulation (EU) 2016/679 (General Data Protection Regulation). 

Data - Any information that will be processed or used within or by a computerised or manual system. This can be written, taped, photographic or other information. 

Data Subject - The person to whom the data relates. 

Data Controller - The person or organisation responsible for ensuring that the requirements of the GDP Regulation are complied with. 

Designated Data Controller - Individual appointed by EDLounge Ltd. to carry out the day-to-day duties of the Data Controller. 

JISC – Joint Information Systems Council 

Manual System - Any paper filing system or other manual filing system which is readily structured so that information about an individual is readily accessible. 

Personal Data - Information about a living person that by itself, or in conjunction with other information which is kept in a manual or computerised system, is sufficient to identify an individual. This information is protected by Regulation (EU) 2016/679 (General Data Protection Regulation) 

Processing - Accessing, altering, adding to, changing, disclosing or merging any data will be processing for the purpose of the Regulation (EU) 2016/679 (General Data Protection Regulation). 

Sensitive Data - Information about a person's religion or creed, gender, trade union membership, political beliefs, sexuality, health or criminal record. 

Subject Consent - Before processing personal data, EDLounge Ltd. must have the agreement of the individual to do so. In the case of sensitive data, this must be specific consent, but in other cases, it can be more general. 

The Data Protection Principles - the underlying principles of the Act that determine what data can be collected, processed and stored. A failure to abide by the principles will be a breach of the Regulation (EU) 2016/679 (General Data Protection Regulation). 

The Data Protection Commissioner - Person Appointed by the government to administer the provisions of the Regulation (EU) 2016/679 (General Data Protection Regulation) including notification and to provide guidance and assistance to organisations and individuals. 

The Data Protection Tribunal - The tribunal established to deal specifically with matters of enforcement under the Regulation (EU) 2016/679 (General Data Protection Regulation). 

Data Protection in Practice


1. In general, disclosures to external bodies/companies/agencies/individuals should not be made over the telephone. It is strongly advised that you ask enquirers to submit their requests in writing (where appropriate on headed paper). This will give you time to check whether the request is legitimate and where possible obtain consent for the disclosure from the member of staff or learner about whom information is requested. You should, wherever possible, reply to the request in writing. 

2. EDLounge Ltd. recognises that in some exceptional situations, time constraints and other factors make it a necessity to disclose information over the telephone. Good practice is considered to be only releasing information to those individuals who have access to a unique identifier (UCAS no., staff or learner number) or know at least 3 identifying pieces of data (e.g. name, address and date of birth) about the data subject. This should minimise the potential for damages because a relationship between the data subject and the caller has been established. If you find yourself in a position where it is necessary to disclose information over the telephone, you should take a contact number and ring the enquirer back. This will go some way to ensuring that the caller is who they say they are. Even the above procedures could be subject to fraud and should only be used when no other alternative exists. In such cases, EDLounge Ltd. should at least be regarded as having taken reasonable precaution given the circumstances - i.e. that the security in place was appropriate to the risk involved in unlawful processing of data. As always, particular care should be taken when disclosing sensitive personal data or information that could potentially cause the learner or member of staff to suffer subsequent damage and/or distress. Always keep records of actions taken.

3. Please note that even confirming whether a learner or member of staff studies or works at EDLounge Ltd. could be a potential breach of the Regulation (EU) 2016/679 (General Data Protection Regulation).

Disclosure to Employers (Learner Information) 

1. EDLounge Ltd. has no responsibility or obligation to disclose any personal information relating to learners to employers or other sponsors, unless they are contributing to tuition fees. Even if the organisation is sponsoring the learner, only attendance and achievement details may be provided; no other personal data is to be disclosed.

    Remember to keep records of the actions taken. 

Disclosure to Parents (Learner Information) 

1. EDLounge Ltd. has no responsibility or obligation to disclose any personal information relating to learners to parents or other relatives, even if they are contributing to tuition fees. Regulation (EU) 2016/679 (General Data Protection Regulation) and The Children’s Act clearly explain that parental responsibility for educational records passes to the young person once they leave statutory school age.

2. Learners may provide the name of a nominated individual (parent, guardian or other family members for example), to whom EDLounge Ltd. may disclose personal information. Learners in the 16 – 19 age range are encouraged to involve their parents in their education. Remember it is their choice. You should not assume that copies of reports, invitations to open evenings etc. must be sent to parents. Always check a learner's record to see whether they have given consent and identified a nominated individual. You may come under pressure to discuss individual learners with parents/guardians or even friends over the telephone. However, in these situations it is essential that you do not disclose personal data without the prior consent of the learner - it would be a breach of the Regulation (EU) 2016/679 (General Data Protection Regulation) to do so. If the learner has identified a nominated individual (see above) they are understood to have given prior consent. 

3. You are, of course, free to discuss institutional procedures with parents (e.g. describing reassessment procedures, releasing dates of graduation ceremonies according to team or course, advising on when invoices should be paid) but the specific circumstances of an individual learner cannot be discussed without the consent of that learner.

4. There may be occasional, exceptional circumstances (in which a learner’s life or health is threatened) in which the usual need to get consent before disclosing to parents/guardians may be waived. Learning establishments working with EDLounge Ltd. must hold details of learners' "next of kin" for such purposes. 

    Remember to keep records of the actions taken.  

What to do if someone calls claiming to be a learner 

1. You may receive telephone calls from individuals claiming to be learners and asking, for example, for their examination results. Unless you are 100% sure that the person on the line is who they claim to be, you should not disclose information over the telephone. You are advised to ask for confirmation of the learner's ID number, home address and date of birth before proceeding with the call. If the caller can provide the details accurately, make a note of the information that they require and inform them that you will send it to their previously-stated email address. If this is not possible because, for instance, they have not submitted an email address, you should send the information to them at an address recorded on EDLounge Ltd.'s database, EBS. If the caller insists that they need the information urgently, you may take a contact telephone number and call them back with the information.

Home Addresses, Telephone Numbers and E-mail addresses 

  1. You should never give out personal/home addresses or telephone numbers of staff or learners to third parties over the telephone unless you have been given explicit permission (in writing) by the individual. Instead, you could:
  • take the caller's contact details and say you will pass a message asking the learner or member of staff to contact them if they are in EDLounge Ltd., or
  • offer to forward correspondence to a learner or a member of staff on behalf of the caller.

2. You must take care when handling such requests. Remember that an individual's learner/staff status is personal data. Therefore, if you receive such a request it is important to neither confirm nor deny that that person is a learner or member of staff at EDLounge Ltd. 

3. However, it would usually be deemed appropriate to disclose a colleague's work contact details (telephone and departmental address) in response to an enquiry regarding a particular function for which they are responsible. If you are asked to disclose another member of staff's email address, you should ask the caller to send the email to you and inform them that you will forward the message on to the individual they are trying to contact if they are a member of EDLounge Ltd. It would not usually be appropriate to disclose a colleague's work details to someone who wished to contact them regarding a non-work-related matter.

Learner References 

1. Telephone references for learners are not usually recommended. However, they are acceptable if you have been specifically asked by a learner or a member of staff to provide a reference at short notice. The identity of the person requesting the reference should always be confirmed prior to disclosure. As a minimum security measure it is recommended that you ring the enquirer back to check that they are who they claim to be. 

2. When disclosing information in the form of personal references please ensure that:

  • the information you disclose is FACTUALLY correct; 
  • the disclosure is kept to a minimum (course(s), dates of study and marks); 
  • sensitive data (e.g. details of health to explain absences from EDLounge Ltd.) are not disclosed without the explicit consent of the learner or member of staff; 
  • where opinions about a person's suitability are disclosed, your comments are defensible and justifiable on reasonable grounds; 
  • if you are unable or unwilling to give a reference, such a refusal is communicated carefully, without, in effect, implying a negative reference.  

 Remember to keep records of the actions taken.   

Staff References 

Refer to the Board of Directors.  

Disclosures to the Police 

1. Disclosures to the Police are NOT compulsory except in cases where EDLounge Ltd. is served with a Court Order requiring information. However, Section 29 of the Regulation (EU) 2016/679 (General Data Protection Regulation) does allow EDLounge Ltd. to release information to the Police WITHOUT the consent of learners or members of staff in LIMITED circumstances. Such disclosures should only be made if the Police confirm that they wish to contact a named individual about a specific criminal investigation and where EDLounge Ltd. believes that failure to release the information would prejudice the investigation. 

2. If you are contacted by the Police and are not sure how to deal with their request you can get in touch with the Data Protection Officer or Senior Management for advice on how to deal with the enquiry. 

3. The Police MUST request the information from EDLounge Ltd. in writing. You are NOT obliged to release information to the Police over the telephone. Most Police Forces will have their own request form, which should always include:

  • a statement confirming that the information requested is required for the purposes covered in Section 29; 
  • a brief outline of the nature of the investigation; 
  • the data subject's role in that investigation; 
  • the name and signature of the investigating officer. 

  Remember to keep records of the actions taken.

Created: Jan 2018
Last reviewed: Jan 2019
Next review: Jan 2020



