Serac is the UK’s leading provider
of sector specific vocational
qualifications and training courses

View our Open
Course Calendar

Privacy Policy

How will your personal data be used? 

SERAC UK will use the personal data collected during the course of your training, assessment or qualification to:

  • Deliver and verify your training, assessment or qualification and produce a certificate
  • Create training records
  • Provide your company with a complete and accurate record of your training history

Your data will be securely stored by the Company and shared only with those who legitimately require the information such as the relevant accrediting bodies, regulatory bodies or government organisations (for example the Education Skills Funding Agency) or as required by law.

Data will be held for as long as is required to provide your company with a complete and accurate record of your training history. For more information on how your data is handled and stored see below for our full GDPR policy. 


For South East Regional Assessment Centre (Serac) to provide training, assessments and qualifications to its customers and clients, promote its services, maintain its own accounts and records and support and manage its employees and subcontractors, it gathers and uses certain information about individuals and companies directly and legitimately associated to the Serac’s business. Serac is registered as a Data Controller (no. ZA112946) with the Information Commissioners Office (ICO), see Appendix A for contact details.

Personal Data Held and Reasons for Processing

In order to conduct its business, Serac is required to hold electronic data to:

  • Accurately contact individuals responsible for arranging training or assessment for their workforce on their sites
  • Allow for delivery of training to those individuals who have been nominated by their employer to complete a course or those individuals who have arranged their own training
  • Produce a certificate for an individual who has completed a course/qualification or pass the information on to the recognised accrediting body who produce the individual’s certificate, for example MPQC or WAMITAB
  • Produce ‘training reports’ when requested by a company who require visibility of their workforce training/qualification completions – this will include details of their employees who have been on courses/qualifications arranged by Serac
  • Share the individual’s details with the appropriate accrediting body for the type of training/qualification undertaken
  • Share the individual’s details with Serac trainers/assessors and approved sub-contractor providers who are responsible for ensuring the right individuals receive scheduled training/assessment
  • Process sales invoices to companies or individuals for services or training materials provided by Serac
  • Process purchase invoices for services or materials provided to Serac

Serac holds electronic data on individuals in the CRM (Customer Relationship Management) system, accounting package, Office 365, e-portfolio system, iAuditor, Class Marker and within the file structure on the server.

Serac records and stores data on paper forms required to:

  • Carry out its business service – to train and assess individuals who require training or qualifications
  • To produce a certificate for an individual who has completed a course or qualification
  • To maintain a record of the individuals’ training/qualifications
  • To share proof of training/assessment with the relevant accrediting bodies to allow them to produce a certificate of training in line with their standards

The information held on Serac’s systems includes the collection and storage of:

  • The company and company contacts with whom the Sales Teams and other departments communicate
  • The individual contacts, employed by these companies, who undertake a training course or qualification
  • Individuals who have booked to attend a training course or qualification with Serac
  • Associate trainers/assessors and approved subcontractor providers who carry out work on behalf of Serac

Data Collection and Storage

Data held on Serac’s systems includes:

  • Company Contacts
    • The company whom Serac has been requested to deliver training/ qualifications on the behalf of
    • Company contact’s forename and surname
    • Contact’s job title and role within the company
    • Contact’s phone numbers
    • Contact’s company email address
    • Company address
    • Opt-in/opt-out of which type of marketing communications
  • Individual’s Data
    • Company whom the individual is employed by
    • Forename and surname
    • Employee number
    • National Insurance Number*
    • Home address*
    • Date of birth*
    • Course/qualification dates
    • Course/qualification details
    • Scores
    • Passed/failed
    • Photograph

*National Insurance Numbers, dates of birth and home address are mandated as unique identifiers by some of the accrediting bodies/awarding organisations with whom Serac is approved.

  • Tracking Online Activity

Serac track activity on their website and engagement with their online marketing via cookies and marketing analysis tools, for example Google Analytics. Data retention controls are in place to periodically remove user data over time

Individuals’ data is collected through the completion of electronic and hardcopy forms such as test sheets, registration forms, visit activity reports, candidate achievement records and evaluation forms. These forms are completed by the individual on the course and by a trainer/assessor who is authorised as a sub-processor by Serac. Data may also be provided in advance via email or telephone to allow registration on the training course or qualification.

The forms include a statement explaining why the data is being collected and with whom Serac share it.

Data collected is used to create a certificate for the individual (candidate) which is then either sent via standard postage or recorded delivery to the contact at the individual’s workplace or a central contact, dependent upon the terms agreed in the contract between the company and Serac, it is also stored on the e-portfolio system. In some instances, certification is produced in an electronic format and saved on to a shared filing system that is accessed by the training department of the customer that arranged the training/qualification.

Sharing of Data

Serac only shares data with those who legitimately require the information to complete the purchase contact with the individual themselves or their employer. Training companies are required to share data of individuals who have been trained/assessed with the appropriate accrediting body/awarding organisation.

Individuals' data is shared to the following people/organisations:

  • With the company that ordered the training/qualification in the form of a certificate and/or badge. This information will only include:
    • Name
    • Employee number
    • Company name
    • Equipment and course title
    • Dates of training
    • Name and registration number of the trainer/assessor that carried out the training/assessment
  • The individual’s data is shared with the appropriate accrediting/awarding body as required to provide a certificate or record of competence. This will include:
    • Name
    • Date of birth*
    • National Insurance Number*
    • Home address*
    • Course/qualification start date
    • Course/qualification end date
    • Length of course/qualification
    • Duration of course/qualification
    • Test/assessment date
    • Trainer/assessor name and registration number
    • Course/qualification type
    • Equipment/environment type
    • Photograph

*National Insurance Numbers, dates of birth and home address are mandated as unique identifiers by some of the accrediting/awarding bodies with whom Serac is approved.

  • Some individuals’ and companies’ data is shared with the approved trainer/assessor as required to deliver the training. This will include:
    • Company name and address
    • Site contact name
    • Candidate name
    • Candidate employee number
    • Course/qualification start date
    • Course/qualification end date
    • Length of course/qualification
    • Course/qualification type
    • Equipment/environment type

All of the data that Serac holds on individuals who have undertaken courses is classed as low risk except for home addresses which are required by some of the Awarding Organisation. We do not hold information on financial records.

Accuracy of Data

Collection of New Contacts and Accuracy of Data

Serac endeavours to accurately collect the data it needs and provides clear and transparent justification for doing so, referenced at the point of collection, including a privacy statement that is accessible via the website, e-portfolio systems or the App (once developed).

New contacts and sales leads must be constantly brought in to Serac to ensure survival and growth.

Although this is not an exhaustive list, Serac aim to bring in new contacts through the following ways:

  • Website
  • Cold calling
  • Visits
  • Leads across company groups
  • Leads through trade union groups
  • Marketing – online and trade magazines
  • Trade shows

Serac will only market to/contact companies where we believe content will be of legitimate interest to the company/individual but will always provide them with the opportunity to opt out. Serac does not use purchased leads to build up its contact database.

Data Security and Data Breaches

Serac protects itself to the best of its ability against data breaches through staff training and by keeping its IT systems up to date with the latest anti-virus, ransomware and firewall protection and by complying with the latest best practice for data storage and protection. Serac’s website is tested against hackers ensuring that there is no ‘backdoor’ entry to gain access to the IT system and individuals’ data.

If Serac do suffer a personal data breach, the Data Protection Leader will notify the ICO and the affected parties within 72 hours of the breach. Serac consider a breach to be an occurrence involving a loss of data which presents a risk to the rights and freedom of any individuals involved and could result in:

  • Discrimination
  • Damage to reputation
  • Financial loss
  • Loss of confidentiality
  • Any other significant economic or social disadvantage

 Disclosing Data for Other Reasons

In certain circumstances, GDPR allows personal data to be disclosed to law enforcement agencies without consent of the data subject. Under these circumstances, Serac will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the Board and from the Serac’s legal advisers where necessary.

Providing Information

Serac aims to ensure that individuals are aware that their data is being processed and that they understand:

  • How the data is being used
  • How to exercise their rights

To these ends, Serac has a privacy statement setting out how data relating to individuals is used – this is available on request. A version of this statement is also available on Serac’s website.

Right to be Forgotten

Due to the nature of the industry in which Serac operates, we believe in the Right to be Forgotten:

  • Attendees of a course/qualification: if an individual employed by a company requests the right to be forgotten, Serac will first check with the company to ensure that they approve of this data removal from their training records. Once approved, the data can be removed from the CRM
  • CRM Contact: if a contact no longer wishes to be contacted then we can remove that individual’s data from the CRM. If we have provided training/qualifications for their company then we cannot delete their company record from our CRM as individual training records will be associated to it
  • Tracked online activity: anyone who would like records of their online activity removed can request to do so by emailing the Data Controller

Deleting Data

If a contract ends between Serac and the customer, Serac can provide all the personal data that they hold about the customer and the individuals within the organisation, if requested.

Serac will not delete the associated training/qualification records as this data may be requested as evidence of training or assessment if, for example, an individual has an accident.

Personal data for people who have attended one of our courses/qualifications must be stored and recorded to meet standards set by the Health and Safety Executive. The industry standard for keeping this data is a minimum of 7 years. After 7 years all paper copies of the personal data collected will be shredded on-site by an approved secure shredding company. Electronic data is stored back to 2007. Our customers use this data to prove compliance to the standards set by the accrediting bodies, legislation and HSE guidance