Highfield   |   Highfield Privacy Policy


Highfield Awarding Body for Compliance Limited, Highfield Products Limited, Highfield e Learning Limited (“Highfield”) has created this document to demonstrate its commitment to data privacy and its alignment to the requirements of the Data Protection Act 1998 and, in substitution from 25 May 2018, the General Data Protection Regulation 2018 (“GDPR”) in respect of handling and processing personal data.

Highfield is registered with the UK Information Commissioner’s Office as a Data Controller and Data Processor.

Data received from Centres

We (or our third party sub-processors acting on our behalf) will collect and process data that is provided to us by centres/customers. Personal data may be included in the data you provide about learners, tutors, assessors and centre contacts. It is important that contractual arrangements with those individuals clearly set out how you will use their data and with whom it could potentially be shared. We require all our customers to comply with the GDPR.

By adding individuals’ personal data to Highfield’s systems, or by sending personal data via email or by other methods to Highfield, you give consent to us processing the data and you confirm that you have obtained the appropriate consent from the relevant individuals for the personal data to be processed by Highfield.

Highfield will retain and use this data to perform the contract between us whilst you remain a Highfield Customer and further will use it where it is in Highfield’s legitimate interest, for example fraud prevention.

We collect Tutor and Centre contact personal data as a Data Controller and uses it for the purpose of centre applications, Once the application has been successful this data will be held securely on our systems for the duration of the contract.

We will review incomplete Tutor and Centre applications annually and delete those over 12 months old.

Learner Data

You may provide us with personal data about learners when you add learner details to courses, work-based learning awards or exams. We will collect this as a Data Controller in our role as an Awarding Body. The personal data is usually limited to the details required for us to undertake the basic functions of an Awarding Body and the certification process. These details will include (but may not be limited to) a learner’s name, date of birth, gender, telephone number and qualification awarded. For certain qualifications, such as those within the security industry, data held will include photo images and signatures in line with the Security Industry Authority’s (“SIA”) requirements.

In line with our regulatory requirements and requirements to deliver future services such as certificate re-prints and the confirmation of awards, this basic learner-level data will be held by Highfield indefinitely.

Information processed as part of a learner’s qualification, such as physical exam papers, will be held for a maximum of 6 months. Personal data captured as part of a quality visit (such as video evidence of training) will be used for the purpose and outcomes of the visit, and then destroyed or deleted.

Learners may also contact Highfield to request certificate replacements. In these circumstances, a record of a learner’s address is taken so that the certificate can be sent. This is held on file for a maximum of 6 months before it is destroyed or deleted.

Centre contacts

You may provide us with information about centre contacts who will administer the activities associated with Highfield on behalf of the centre. We will collect this information as a Data Controller. These details may include:

  • names, email addresses, telephone numbers, billing information;
  • information about other personnel and contacts for the centre. For example, organisational charts, health and safety and other policies which may include personal data.

It is important that you seek permission from the centre contacts if you provide their personal data to us. We may use the centre contact’s personal data for the functions described in the Highfield Centre Agreement, which include:

  • communicating activities between the centre and the Awarding Body. For example, to inform the centre of course or exam results and to send certificates;
  • identifying relevant people with whom we should communicate in order to organise and undertake external quality visits;
  • communicating regulatory changes and updates, and, if permitted, marketing Highfield’s products or services.
  • Purchasing, and delivery and goods and products.

The centre contact’s details will be retained for as long as we provide a service to a centre. If centre contacts leave the organisation, it is the organisation’s responsibility to inform Highfield so that personal details and accounts can be disabled and removed.

Tutors, assessors and internal quality assurance (IQA) staff

Tutors, assessors and quality assurance staff provide Highfield with information about their experience and qualifications that confirm their ability to teach Highfield qualifications. As such, Highfield may hold a substantial set of personal details about a tutor, assessor and other staff. These may include:

  • names, email addresses, telephone numbers and other contact information;
  • teaching and training qualification certificates;
  • proof of professional qualifications;
  • employment history and training experience; and
  • references

This data is required for regulatory purposes to ensure that we meet the necessary conditions of the Awarding Body. We collect this information in the capacity of a Data Controller.

It is important that our customers seek permission from staff members before providing us with their personal data.

  • This data remains on Highfield’s systems for as long as the individuals continue to be a tutor, assessor or IQA for Highfield. If a tutor, assessor or IQA requires their personal data to be removed from Highfield’s systems because they are no longer fulfilling the role, they need to inform Highfield so that relevant data can be removed from the systems.

End Point Assessment

Highfield will process personal data for the performance of End point Assessment. It collects this personal data in the capacity of a Data Controller. Employers will provide Highfield with data for the processing of assessments for learners; it is the responsibility of the Employer to ensure that learners are aware and have consented to their data being share with Highfield. Highfield may share this data with Associate End Point Assessors, Awarding Organisations and Regulators. We have carried out a comprehensive review of their activities in relation to GDPR via questionnaires and agreements are in place which will be reviewed annually.

Data sharing

Other than as set out in the next paragraph and even where we collect personal data in the capacity of a Data Controller, we will never distribute or share personal data that is held on our system with any third parties other than Highfield’s employees, consultants and sub-contractors.

We may share personal data with regulatory bodies in respect of:

  • security qualifications: learner details, including photo ID and signatures, will be provided to the SIA; and
  • the national Learning Record Service (“LRS”) – where unique learner numbers (ULNs) have been provided, learner and qualification data is shared with the LRS.
  • investigations carried out by regulatory bodies.

Highfield have a number of suppliers of services where personal data is shared including but not limited to:

  • On screen assessment provider used for Functional Skills assessments
  • Pension provider for the administration of the corporate pension scheme
  • Database hosting supplier for the hosting of our databases

We have carried out a comprehensive review of their activities in relation to GDPR via questionnaires and agreements are in place which will be reviewed annually.

Further information regarding specific companies can be provided on request.

Highfield provides a certificate verification service that allows members of the public to check that a certificate presented to them is valid and has been produced by Highfield. The website address for this service is https://checkcert.highfieldqualifications.com. The personal data we provide to individuals using this service is a learner’s forename and surname, the qualification they attained, and the date of award.

Highfield has a course finder function that is available to the public and allows users to search for publicly available courses. The address of this website is https://www.highfieldqualifications.com/coursefinderplus. The contact details of the centre contact will be displayed on the website if the centre provides this information.

We are also required to provide data to RM Results for DfE under the legal basis contained within Section 537A of the Education Act 1996 and Regulation 6 (d) of the Education (Individual Pupil Information) (Prescribed Persons) (England) Registrations 2009, and section 47 of the Statistics and Registration Service Act
2007 and the Statistics and Registration Service Act 2007 (Disclosure of Pupil Information) (England) Regulations 2009. The DfE and RM Results ensure that the
Data is processed in line with the replacement Data Protection Act 2018 and GDPR.


Highfield maintains a marketing database that contains the basic details of individuals who have consented to Highfield sending information about products, qualifications, events or services, as well as general news about the Highfield companies, to them, via email.

Each marketing email that is sent provides you with the ability to unsubscribe from receiving marketing emails at any time. Alternatively, you can opt-out by sending a request specifying your new choice to marketing@highfield.co.uk.

We will at times contact you (or your head of centres, if this is not you) by email with important updates that you must be made aware of as a Highfield approved centre. These updates are mandatory and for regulatory reasons you are unable to unsubscribe from these. We will also on occasion send you communications which we believe will be of legitimate interest to you regarding new products and qualifications, which you will be able to unsubscribe to should you wish.

External Consultants, EQS, SME’s, End Point Assessors, Exam Markers, Suppliers

Highfield engage the services of external freelance consultants and suppliers for various purposes within the company.

It is necessary to obtain and retain personal data for the fulfilment of contracts. We collect this personal data in the capacity of a Data Controller. Data including but not limited to: names, addresses, contact details, professional qualifications, identification documents, bank details – will be held on Highfield Systems and Finance Software.

Contracts are reviewed annually, and inactive partnerships deleted from systems.

It is necessary to share bank details with our bankers to make payments for services, Highfield will always make sure that the details are only processed using secure banking systems.

Highfield will never share this information elsewhere, outside of the company unless required to do so by a regulatory or legal authority.

Website use – tracking and monitoring

Users of Highfield Group websites should refer to the privacy section of Highfield’s terms and conditions, which are located at the following address: www.highfieldqualifications.com/terms-and-conditions. This provides details on how information that is collected on the website is managed by Highfield.

Our websites and online systems use cookies to distinguish you from other users of our website. For detailed information on the cookies we use please refer to the terms and conditions on the website. We may automatically collect the following information when you visit our website:

  • your IP (Internet Protocol) address, your login information, your browser type, time zone settings, browsers and operating systems used; and
  • information about your visit, such as the pages visited, or documents downloaded.


Highfield will only process and hold staff data for the legitimate purpose of employment.

Personal data including name, address, contact details, NI number, date of birth, bank details, employment history, medical history, next of kin contact details is stored and processed on the Highfield HR drive and Sage payroll system and will be held for the duration of the employment.

On leaving the company all data will be removed from systems and personnel files and be archived for a period of 3 years before being securely destroyed. PAYE information will be held on Sage 50 payroll for 6 years after as required by HMRC.

CV’s and interview notes will be held for 6 months after the recruitment of a role before being securely destroyed or deleted. Data for successful candidates will be stored with employment data.

Prospective CV’s will be considered on receipt, shared with internal departments and destroyed should no suitable vacancies be available. Highfield does not store prospective CV’s.

References will be requested from former employers as part of employment terms. Factual references for former staff will only be provided on request from future employers, Highfield will only state dates of employment and final role. On receipt of financial reference requests, HR staff will seek consent before providing information.

Personal data will be shared with relevant agencies for the appropriate performance of pensions schemes, tax affairs, benefit schemes, insurances, fleet management, illness cover. Staff participation in such services will indicate consent to share required data for the performance of the service.


Highfield’s online systems have security measures in place to help protect against the loss or misuse of any data under our control.

When the websites are accessed by users, data traffic is encrypted using up to date secure socket layer (SSL) technology so that it can only be accessed by the end user.

All sensitive information on the website, such as passwords, are encrypted by a proprietary encryption system. All personal data can only be accessed by the relevant end users by way of unique user names and passwords that must be entered when a user logs in to the systems.

Highfield are PCI DSS (Payment Card Information Data Security Standard) compliant. Credit card information is never stored on Highfield’s systems and is only used to authorise the specific transaction through Highfield’s card payment authority (Sage Pay) and then removed. Where credit card data is held (for speed of future payments), this is only held by Sage Pay. Under no circumstances will your credit card information be passed to any other third party.

Where we store data

All data in Highfield’s systems is stored on a secure set of servers hosted by our hosting provider. The servers reside in the United Kingdom. Data is frequently backed up and stored in the provider’s backup / disaster recovery facility, which is also in the UK.

This is in a secure server hosting facility with the necessary environmental, physical and technical controls in place to ensure unapproved access is prevented.

Highfield’s email data is stored with Microsoft located in EU data-centres and follows Microsoft standard security and backup processes.

Destruction of physical data

Highfield employees are trained to destroy all personal data securely. Highfield have contracts in place to have all paperwork containing personal data securely shredded on site. Certificates are provided to confirm secure shredding.

Data breach incidents

In line with our regulatory requirements, Highfield has a set of processes for issue and incident management, including data breaches. These processes include the required notifications to be sent to the Information Commissioners Office and to customers. This is reviewed annually and may be subject to change.

General Data Protection Regulation 2018

Highfield has adapted its policies and procedures to ensure it is compliant with the GDPR. This document has been produced to represent our current status and will be reviewed annually and updated as processes are developed.

Under GDPR, individuals have certain rights when it comes to the control of personal data:

The right to be informed. Each individual has the right to be given information about how their data is being processed and why. Highfield have provided this policy to show how we handle your data.

The right of access. Highfield have a duty to comply with the requirements of Subject Access Requests (SAR)

The right to rectification. The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.

The right to be forgotten. You have the right to ask Highfield to remove your data.

The right to restrict processing. You may restrict processing for a legitimate reason, we would still have the right to hold that information.

The right to data portability. You may be able to obtain the information we hold about you and use it for your own purposes. Conditions apply.

Should you wish to exercise any of your rights above, please email legal@highfieldabc.com stating the following information:

Contact details
Relationship to Subject
Full details of information relating to your request Reason for request and the right being exercised.

You will be asked to verify your identity if you are the subject alternatively you will be asked to provide consent from the subject if you are a representative.

Should we require further information we will contact you.

Your request will be dealt within one month of receipt of your request.

Under the GDPR you have further rights in relation to automated decision making and profiling. Highfield currently only use automated profiling for the purpose of Functional Skills and e Learning requirements, the purpose of this profiling is to determine appropriate skills levels. Should any further automated processes be implemented, the policy will be reviewed and updated.


Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website. It also allows us to improve our website.

 A 'Cookie' is a small piece of information that we store on your computer. Our system will issue cookies to your computer when you access the site. We use the following cookies

  1. Strictly necessary cookies; These are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.
  2. Analytical/performance cookies; These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
  3. Functional Cookies; These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

ASP.NET_SessionIdStores server-side, user-specific data relating to a current browsing session.
_utmaThese are first party cookies for Google analytics and track how many times a visitor has been to the site.
_utmb / _utmcb - c are a pair and work together to calculate how long a visit takes - b takes a time stamp of when a user enters a site - c takes a time stamp of when the user leaves - b expires at the end of the session - c waits 30mins and then expires.
_utmb / _utmcKeeps track of where the visitor came from - what search engine used - what link the user clicked - what key word the user used and where they are in the world.
  • Additional Cookies – used when registered Centres log to the websites
ABCUserIDStores a unique identifier to allow the site to remember a user’s identity.
HABCCartIdStores a unique identifier to allow the site to remember purchase details.
RoleIDStores a unique identifier of the current logged in user’s role to ensure that the correct information is presented to them.
CentreIDStores a unique identifier to allow the site to remember a centre’s identity.
CentreNumberStores the centre registration number to allow the site to remember a centre’s identity.
TutorNumberStores the tutor registration number to allow the site to remember a tutor’s identity.
InternalVerifierNumberStores the Internal Verifier registration number to allow the site to remember an Internal Verifier’s identity.
TutorIDStores the unique identifier to allow the site to remember a tutor’s identity.
 Stores the unique identifier to allow the site to remember an Internal Verifier’s identity.
RoleOptionStores the designated role of the current logged in user to ensure that the correct information is presented to them.
HABCLastProductsViewedStores details of the last products viewed by the user to allow relevant information to be presented.

This website uses tracking software to monitor its visitors to better understand how they use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to your computer’s hard drive in order to track and monitor your engagement and usage of the website, but will not store, save or collect personal information.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including “strictly necessary” cookies) you may not be able to access all or parts of our website. 

You can remove cookies from your computer at any time by going into the settings in your browser and deleting the browsing history and cookies stored. The exact location of this setting will depend on your browser of choice.