AAA Eureka MBITT SKE - Data Processing for Subject Knowledge Enhancement (SKE) Programmes (Privacy Policy)


Version: 2.0


Prepared by: Eureka Online College


Introduction

MBITT’s responsibilities are defined under its contract with the DfE, and it subcontracts Eureka Online College to deliver SKE courses. MBITT remains responsible for compliance with the DfE’s data protection requirements and ensures that subcontracted partners also meet these standards.  MBITT and Eureka Online College work together for the purposes of delivering SKE under the trading name of AAA Eureka MBITT SKE.


Legal Basis, Roles and Contact Details

As a data processor, we process personal data only on the lawful basis determined by the DfE. This usually falls under:

  • Public task – for delivering government-funded educational programmes
  • Data Controller: Department for Education (DfE)
  • Principal Data Processor: MBITT
  • Sub-Processor: Eureka Online College


You may contact us at:


Email: EurekaMail@SKEonline.co.uk


Types of Data Processed

  • Full name, email, data of birth and contact details of applicants
  • Eligibility evidence (e.g. conditional ITT offer, qualifications)
  • Progress and completion data
  • Bank details (for bursary payments)
  • Trainee feedback and complaints where applicable
  • Signed consent forms and photo ID (in specific situations involving non-standard bank payment arrangements)


We also process limited data about website visitors, such as anonymised usage data, for website optimisation purposes.


Purpose of Processing

The personal data processed relates to individuals who enrol on DfE-funded SKE courses. The data is used for the following purposes:

  • Verifying applicant eligibility for SKE funding (including verifying data with the ITT provider)
  • Administering SKE bursary payments to eligible participants (MBITT)
  • Submitting funding claims and returns to the DfE
  • Supporting DfE with audits and assurance processes
  • To deliver the SKE course under the DfE programme
  • To provide access to online learning platforms and tutor support
  • To maintain training records and audit trails
  • To provide the ITT provider with monthly updates and final completion status
  • To report to the DfE and ITT as required


We do not use personal data for marketing purposes or sell personal data to any third party.


Data Retention and Deletion

We retain personal data only for as long as necessary to meet our contractual obligations with the DfE, and to comply with applicable audit and assurance requirements. Retention periods vary depending on the type of data, as summarised below:

  • Application and enrolment data – Retained for 7 years for audit purposes, even if the trainee withdraws early.
  • Eligibility documents (e.g. ID, degree certificates, ITT offer) – Retained for 7 years to evidence funding compliance.
  • Engagement and course records – Retained for 7 years to support audit and assurance requirements.
  • Email communication – Key communications (e.g. relating to complaints, safeguarding or funding) may be retained for up to 7 years; all other non-essential communication is reviewed and/or deleted when no longer required.
  • Moodle/VLE access data – Access is revoked upon withdrawal and deleted one year after completion (or up to 2 years for legacy cases).
  • Feedback, complaints, and course completion evidence: retained for 7 years
  • Moodle access and course access records: removed 1–2 years after course completion or immediately on withdrawal or if a trainee does not start and is removed
  • Bank statements and reconciliations: retained for 7 years, in accordance with HMRC and audit guidance
  • Bursary payment and funding claim records: retained for 7 years


Finance Data Controls

MBITT ensures that bursary payments are made directly to the enrolled participant’s bank account. Although DfE guidance (email dated 9 May 2025) indicates that payments to another individual may be allowed in exceptional cases with appropriate safeguards (e.g. signed letters and photo ID), MBITT has chosen not to permit such arrangements. All payments are made exclusively to the participant named on the SKE enrolment records.


MBITT also obtains signed bank detail forms from all SKE participants and confirms that international transfers may incur bank fees to be absorbed by the participant. Financial documents such as bursary payments, invoices, and audit records are retained securely for 7 years, in line with MBITT’s financial retention policy.


Technical and Organisational Measures

All personal data must be stored and transferred securely using encrypted systems. MBITT and Eureka Online College use the following controls:

  • Cloud storage providers with encryption (Google Drive, Dropbox)
  • Encrypted email systems (e.g. GalaxKey for communication with DfE)
  • Access controls and secure devices for staff and tutors


Sub-processors

MBITT and Eureka Online College ensures that all sub-processors and associated service providers (e.g. eLearn Design for Moodle hosting), are subject to appropriate agreements that uphold data protection requirements.


Subject Access Requests (SARs)

As the data controller, the DfE is responsible for responding to SARs. MBITT and Eureka Online College are not required to respond directly to such requests but will support the DfE if information is needed to fulfil a valid SAR.


Your Rights

If you wish to exercise any rights under UK GDPR (e.g. access, rectification, erasure), please contact the Department for Education directly at: SKE.INBOX@education.gov.uk


Review and Assurance

This policy section will be reviewed annually and updated as necessary to reflect any changes in the DfE’s service specification, audit requirements, or contractual terms.