EPA Pro Login

Privacy Policy

Introduction

This document outlines Construction EPA Company (CEC’s) commitment to conduct its business in an honest and ethical manner and act with fairness and integrity in all its practices. In accordance with the guidance accompanying the UK GDPR, CEC has published this policy with the intention of informing all staff, partners and third parties of our commitment to upholding these principles and what standards it expects of those acting on its behalf.                      

About the Policy and Contents

The Chief Executive Officer has overall responsibility for ensuring that this policy complies with our ethical and legal commitments and that all CEC actions and activities are in line with the contents of this policy.

For the purposes of this policy, CEC have adopted the definition used by UK GDPR, defining data privacy as aiming to protect individuals’ personal data by ensuring it is processed lawfully, fairly and securely, while also empowering individuals with rights to control and access their data.

This Privacy Policy describes how Construction EPA Company (CEC, “we”, “us”) collect and use personal information about you in accordance with the UK General Data Protection Regulation (UK GDPR).

It contains important information on how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.

CEC collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the UK GDPR and we are responsible as ‘controller’ of that personal information for the purposes of those laws.

Section 1 – How We Collect Personal Information About You

Section 2 – What Personal Information Do We Use?

Section 3 – How and why will we use your personal information.

Section 4 – Lawful Bases

Section 5 – Communications for marketing / promotional purposes

Section 6 – How long do we keep your personal information?

Section 7 – Will we share your personal information?

Section 8 – Security storage of and access to your personal information

Section 9 – International Data Transfers

Section 10 – Exercising your rights.

Section 11 – Job Applicant Privacy Notice

Section 12 – Changes to this notice

Section 13 – Links and Third Parties

Section 14 – How to contact us.

Section 1 – How We Collect Personal Information About You

We collect personal information about you:

  • a. When you give it to us directly for example, personal information that you give to us when you communicate with us by email, phone or letter.
  • b. When we obtain it indirectly for example, your personal information will be shared with us by training/learning providers who are contracted with us to deliver EPA to you.
  • c. When it is available publicly. Your personal information may be available to us from external publicly available sources. For example, depending on your privacy settings for social media services, we may access information from those accounts or services.
  • d. When you visit our website. When you visit our website, we automatically collect the following types of personal information: (a) Technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms. (b) Information about your visit to the websites, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page. We also collect cookies on our site for performance related tasks. We collect information to analyse the performance of our websites and how different parts of our website are used.

Section 2 – What Personal Information Do We Use?

We may collect, store and otherwise process the following kinds of personal information:

a. your name and contact details including postal address, telephone number, email address and emergency contact details and, where applicable

b. your date of birth and gender

c. your financial information, such as bank details and/ or credit/ debit card details

d. information about your computer/ mobile device and your visits to and use of this website, including, for example, your IP address and geographical location

e. unique candidate identifiers/unique learner numbers

f. details of your qualifications/ experience; and/ or any other personal information which we obtain

Do we process special categories of data?

The UK General Data Protection Regulation (“UK GDPR”) recognises certain categories of personal information as sensitive and therefore requiring more protection, for example information about your health, ethnicity and religious beliefs. In certain situations, CEC may collect and/or use these special categories of data (for example, information on candidates’ medical conditions so that we can make arrangements for reasonable adjustments and/or special considerations). We will only process these special categories of data if there is a valid reason for doing so and where the UK GDPR allows us to do so.

Section 3 – How and why will we use your personal information

Your personal information, however provided to us, will be used for the purposes specified in this Notice. In particular, we may use your personal information:

a. to register you as a candidate and allow you to sit examinations/ End-point Assessments

b. for examination/ End-point Assessment administration purposes

c. to conduct examinations and assessments

d. to issue examination results and certificates and maintain records of achievement

e. to carry out any reviews or appeals

f. to otherwise provide you with services, products or information you have requested

g. to communicate as necessary with training/learning providers and employers

h. to provide further information about our work, services or activities (where necessary, only where you have provided your consent to receive such information)

i. to answer your questions/ requests and communicate with you in general

j. to manage relationships with our partners and service providers

k. to analyse and improve our work, services, activities, products or information (including our website), or for our internal records

l. to keep our facilities safe and secure

m. to run/administer the activities of , including our website, and ensure that content is presented in the most effective manner for you and for your device

n. to audit and/or administer our accounts

o. to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law enforcement bodies with whom we may work

p. for the prevention of fraud or misuse of services

q. for the establishment, defence and/ or enforcement of legal claims

r. to comply with Ofqual’s or any other regulatory body’s General Conditions of Recognition or equivalent documentation

s. to comply with the requirements of Equalities Law

t. to support effective account management in relation to our commercial activities

Section 4 – Lawful Bases

The UK GDPR requires us to rely on one or more lawful bases to use your personal information. We consider the grounds listed below to be relevant:

a. Where you have provided your consent for us to use your personal information in a certain way (for example, we may ask for your consent to collect special categories of your personal information so that you may sit an exam with reasonable adjustments and/or special considerations)

b. Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services)

c. Where necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering a contract

d. Where there is a legitimate interest in us doing so. The UK GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights as an individual). In broad terms, our “legitimate interests” means the interests of running of CEC as a commercial entity and ensuring that appropriate levels of assessments are granted to candidates in line with our standards. When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and on your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).

Section 5 – Communications for marketing / promotional purposes

We may use your contact details to provide you with information about our work, events, services and/or activities which we consider may be of interest to you (for example, about other products we offer or training/learning providers we work with). Where we do this via email, SMS or telephone, we will not do so without your prior consent (unless allowed to do so via applicable law).

Where you have provided us with your consent previously but do not wish to be contacted by us about our work, events, services and/or activities in the future, please let us know by email at [email protected].

Section 6 – How long do we keep your personal information?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, accounting, or reporting requirements.

We will hold personal data for the period we are required to retain this information by applicable UK tax law (currently 6 years). In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.

If you request to receive no further contact from us, we may keep some basic information about you on our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.

Section 7 – Will we share your personal information?

We do not share, sell or rent your personal information to third parties for marketing purposes.

However, in general we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Notice. These parties may include (but are not limited to):

a. training/learning providers

b. individual examiners/ assessors

c. educational authorities such as Department for Education, ESFA

d. local authorities and other public bodies responsible for education

e. other educational establishments/prospective employers (for example if a reference is sought)

f. suppliers and sub-contractors for the performance of any contract we enter into with them, for example IT service providers such as website hosts or cloud storage providers

g. professional service providers such as accountants and lawyers

h. parties assisting us with research to monitor the impact/effectiveness of our work, events, services and activities

i. the police, for example in sharing data in relation to malpractice cases linked to fraud

j. regulatory bodies who govern our work, such as Ofqual

k. individuals contracted by CEC for the purposes of quality assurance and compliance. In particular, we reserve the right to disclose your personal information to third parties: • in the event that we sell or buy any business or assets, in which case we will disclose your personal information to the (prospective) seller or buyer of such business or assets • if substantially all of our assets are acquired by a third party, personal information held by us may be one of the transferred assets • if we are under any legal or regulatory duty to do so • to protect the rights, property or safety of CEC, its personnel, users, visitors or others.

Section 8 – Security storage of and access to your personal information

CEC is committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information.

Your personal information is only accessible by appropriately trained staff and contractors, and stored on secure servers which have features to prevent unauthorised access.

Section 9 International Data Transfers

Given that we are a UK-based organisation we will normally only transfer your personal information within the European Economic Area (“EEA”), where all countries have the same level of data protection law as under the UK GDPR. 

However, because we may sometimes use agencies and/or suppliers to process personal information on our behalf, it is possible that personal information we collect from you will be transferred to and stored in a location outside the EEA, for example the United States. 

Please note that some countries outside of the EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. Where your personal information is transferred, stored and/or otherwise processed outside the EEA in a country that does not offer an equivalent standard of protection to the EEA, we will take all reasonable steps necessary to ensure that the recipient implements appropriate safeguards (such as by entering into standard contractual clauses which have been approved by the European Commission) designed to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Notice. If you have any questions about the transfer of your personal information, please contact us using the details below. 

Where transfers occur from the UK to nonEEA countries, we will ensure that UKapproved International Data Transfer Agreements (IDTAs), UK Addendums to EU Standard Contractual Clauses, or other legally recognised safeguards are used in accordance with the UK GDPR.

Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure – however, once we have received your personal information, we will use strict procedures and security features to try and prevent unauthorised access. 

Section 10 – Exercising your rights

Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing purposes or to unsubscribe from our email list at any time.

You also have the following rights:

a. Right of access – you can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply.

b. Right of erasure – at your request we will delete your personal information from our records as far as we are required to do so. In many cases we would propose to suppress further communications with you, rather than delete it.

c. Right of rectification – if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate/up to date.

d. Right to restrict processing – you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.

e. Right to object – you have the right to object to processing where we are (i) processing your personal information on the basis of our legitimate interests (see section 4 above), (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.

f. Right to data portability – to the extent required by the UK GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contact, and in either case we are processing using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format.

g. Rights related to automated decision-making – you have the right not to be subject to a decision based solely on automated processing of your personal information which produces legal or similarly significant effects on you, unless such a decision (i) is necessary to enter into/perform a contract between you and us/another organisation; (ii) is authorised by EU or Member State law to which CEC is subject (as long as that law offers you sufficient protection); or (iii) is based on your explicit consent.

h. Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us using the details below. We encourage you to raise any concerns or complaints you have about the way we use your personal information by contacting us using the details provided in section 13 below. You are further entitled to make a complaint to the Information Commissioner’s Office – www.ico.org.uk. For further information on how to exercise this right, please contact us using the details below.

Section 11 Job Applicant Privacy Notice

As part of any recruitment process, CEC collects and processes personal data relating to job applicants. CEC is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

This notice applies to all applicants, whether applying directly or through third‑party recruitment agencies.

What information does CEC collect?

CEC collects a range of information about you. This includes:

  • your name, address and contact details, including email address and telephone number.
  • details of your qualifications, skills, experience and employment history.
  • information about your current level of remuneration, including benefit entitlements.
  • whether or not you have a disability for which CEC needs to make reasonable adjustments during the recruitment process.
  • information about your entitlement to work in the UK; and
  • equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief.

CEC may also collect information generated during assessments, screening activities, or testing processes, where applicable.

CEC collects this information in a variety of ways. For example, data might be contained in application forms, CVs or resumes, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment.

Where legally required, we will notify you if we receive information about you from sources other than yourself and will specify the categories of data obtained.

CEC will also collect personal data about you from third parties, such as references supplied by former employers. Unless otherwise required for safeguarding, regulatory, or fraud‑prevention purposes, we will only seek references once a conditional offer has been made.

Data will be stored in a range of different places, including on your application record, in HR management systems and on other IT systems (including email). Access controls and audit logging are in place to protect your information from unauthorised access.

Why does CEC process personal data?

CEC needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.

In some cases, CEC needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant’s eligibility to work in the UK before employment starts.

CEC has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows CEC to manage the recruitment process, assess and confirm a candidate’s suitability for employment and decide to whom to offer a job. CEC may also need to process data from job applicants to respond to and defend against legal claims. [Where CEC relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not.]

CEC processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

Where CEC processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

We will only retain special category data where this is strictly necessary and permitted under Schedule 1 of the Data Protection Act 2018.

For some roles, CEC is obliged to seek information about criminal convictions and offences. Where CEC seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.

Where we rely on consent—for example, retaining your details for future vacancies—you may withdraw this consent at any time.

CEC will not use your data for any purpose other than the recruitment exercise for which you have applied.

Who has access to data?

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

As part of the recruitment process, CEC may share your personal information (including but not limited to your application details, CV, interview notes, and assessment results) with selected third-party recruitment agencies. This sharing occurs irrespective of whether your application is successful or leads to employment with CEC.

We ensure that all third‑party agencies undergo appropriate due‑diligence checks and can demonstrate compliance with UK GDPR, including secure transfer and deletion of applicant data.

We engage with these agencies to support fair and efficient hiring practices, and they are contractually obligated to handle your data securely and in compliance with the UK GDPR and other applicable data protection laws.

Your information will only be used for recruitment related purposes and will not be retained for longer than necessary. For further details on how we process your data, including your rights, please refer to the relevant sections within this GDPR & Privacy Policy.

 CEC will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks if required.

We will notify you in advance before engaging background screening providers, and you may be asked to provide explicit consent for certain checks, depending on the role.

How does CEC protect data?

CEC takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties. The data will be stored on a private drive which will only be viewed by relevant members of staff (HR and/or Managing Director).

We operate a ‘least‑privilege’ access principle, ensuring only individuals with a demonstrable business need can view your data.

For how long does CEC keep data?

CEC will hold your data for 24 months after the end of the relevant recruitment process. This helps us deal with any questions or complaints and allows us to consider the applicant for similar roles in the next recruitment cycle. At the end of that period or once you withdraw your consent, your data is deleted or destroyed.

If your employment application is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained for the duration of your employment. The periods for which your data will be held can be found in section 9 of this GDPR & Privacy Policy.

We maintain a retention schedule to ensure data is deleted promptly and securely once no longer required.

Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request.
  • require CEC to change incorrect or incomplete data.
  • require CEC to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing.
  • object to the processing of your data where CEC is relying on its legitimate interests as the legal ground for processing; and
  • ask CEC to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override CEC’s legitimate grounds for processing data.
  • request portability of your data (where applicable)

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe your data has been mishandled.

If you would like to exercise any of these rights, please contact [email protected]

What if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to CEC during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

Automated decision-making

As part of our recruitment process, we use AI software to evaluate CVs against role-specific criteria. The AI tool helps us to identify potential matches based on experience, qualifications, and skills. While this supports our hiring workflow, all decisions regarding interviews or offers are made by human staff. You have the right to request information about how decisions are made and to object to this processing.

We regularly test and audit our AI tools to ensure they do not introduce bias or discriminatory outcomes.

Your duty to inform us of changes. 

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the application process, or in the 12 months following your application if you have consented to be informed of other vacancies. 

Section 12 – Changes to this notice

We may revise this Privacy Policy through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, CEC will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidence acceptance. Please contact us if you have questions or concerns about the Privacy Policy or any objection to any revisions.

Section 13 – Links and Third Parties

CEC conducts the majority of data processing activities required to provide you with the services.

However, we do engage third-party service providers to assist with supporting our services, including (but not limited to):

  • Cloud storage providers
  • Customer support tools
  • Product development tools
  • IT and security service providers,
  • Marketing or analytics tools.

Our carefully selected partners and service providers may process personal information about you on our behalf as described below:

Each service provider is vetted and bound by contractual obligations that are equivalent to the provision of this Policy or more stringent. This Notice does not cover external websites, and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.

Section 14 – How to contact us.

Please let us know if you have any questions or concerns about this Notice or about the way in which CEC processes your personal information by contacting us at the channels below.

Please ask for / mark messages for the attention of Data Protection Team

Email: [email protected]

Telephone: 0345 601 9576

Post: FAO Compliance

Construction EPA Company / Head Office

Preston New Road

Samlesbury

Preston

PR5 0UP