Data Protection Policy
How we handle personal data in compliance with UK GDPR
Overview
Enterprise Skills Ltd provides the Enterprise Skills platform, including Skills Hub for schools (free) and Skills Hub Workforce and the Employer Skills Audit for employers (paid). The platform measures the 8 capabilities AI cannot replace, producing individual, team, organisation and cohort-level Human Skills Index (HSI) scores.
This policy sets out how we handle personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Last updated April 2026. Next review April 2027.
Data Controller and Processor Roles
When a school, college or employer contracts with Enterprise Skills Ltd, that institution or organisation is the Data Controller. The controller determines the purposes and means of processing student or employee personal data and retains full control over which users are enrolled on the platform.
Enterprise Skills Ltd is the Data Processor. We process personal data solely on the instructions of the controller, for the purpose of delivering the service. We do not determine the purposes of processing and we do not use identifiable personal data for any purpose other than service delivery.
For anonymised, aggregated data contributed by schools to the Human Skills Index dataset, Enterprise Skills Ltd acts as an independent controller. This contribution is the non-monetary consideration for free school access and is governed by a clause in the school licence agreement.
Lawful Basis for Processing
Processing is carried out under GDPR Article 6(1)(b), contractual necessity, as the processing of personal data is necessary for the performance of the service contract between Enterprise Skills Ltd and the controller.
Schools may additionally rely on Article 6(1)(e), public task, or Article 6(1)(f), legitimate interests, specifically the legitimate interest in providing students with measurable career readiness development. Employers may rely on Article 6(1)(f), legitimate interests, specifically workforce planning and capability development.
No special category data (as defined in Article 9) is collected or processed. HSI scores are never used to make automated decisions about individuals.
Personal Data We Process
We apply strict data minimisation. The following table sets out the personal data fields we process, their source, and their purpose.
| Data Field | Source | Purpose |
|---|---|---|
| First initial | CSV upload or SSO | Identify user in educator dashboard (e.g. "C. Simmance") |
| Surname | CSV upload or SSO | Identify user in educator dashboard |
| Email address | CSV upload or SSO | Authentication and account creation. Removable on request or licence expiry. |
| User ID (optional) | CSV upload | Cross-reference with institutional MIS or HR system |
| Job title, role, department (workforce only) | CSV upload or SSO | Team and role-level reporting in Employer Skills Audit dashboards |
| Simulation scores | Platform-generated | Human Skills Index measurement (0-100 across 8 capabilities) |
| Session data | Platform-generated | Progress tracking and controller reporting |
| Portfolio entries (schools only) | User-created | Career portfolio building; educator-approved before publication |
Data We Do Not Collect
We do not collect or process any of the following:
- Home address
- Date of birth
- Medical information
- Special educational needs (SEN) data
- Free school meals status
- Ethnicity
- Religion
- Sexual orientation
- Biometric data
- Photographs
- Any other sensitive personal data
We do not store full first names. Only the first initial is retained alongside the surname.
Data Minimisation and Email Removal
User records, whether for students or employees, are stored as first initial and surname only, not full first names. This significantly reduces the identifiability of stored records.
Email addresses are used solely for authentication. When a school or employer licence lapses or expires, we remove email addresses from all associated records within 30 days. After removal, the remaining data consists of a first initial, surname, organisation name, capability scores and, for workforce records, job title and department.
This residual data is retained to preserve the verifiability of any certificates issued and the integrity of longitudinal HSI benchmarks, while rendering the records effectively pseudonymised.
Users or their controller may request email removal at any time, regardless of licence status.
Third-Party Data Sharing
Personal data is not:
- Shared with any third parties
- Used for marketing
- Sold
- Used for profiling or automated decision-making
- Transferred to any advertising networks or analytics platforms
Data is shared only with the subprocessors listed in the section below, solely for the purpose of operating the platform infrastructure.
Data Retention
Personal data is retained for the duration of the active licence. For schools, this is the free auto-renewing licence under the School Licence Agreement. For employers, this is the contracted term of the Employer Skills Audit or Skills Hub Workforce subscription.
On termination or expiry of the licence, email addresses are removed from all associated records within 30 days. The controller may request full deletion of all identifiable data, which will be completed within 90 days of the request.
If no deletion request is made, residual pseudonymised records (initial, surname, organisation, scores and, for workforce records, job title and department) are retained to support certificate verification and longitudinal benchmarking.
Anonymised, aggregated data contributed to the Human Skills Index dataset is retained indefinitely under the terms of the school licence agreement and workforce data processing agreement.
Data Subject Rights
Students, parents, guardians and employees can exercise their data subject rights through their school or employer, which acts as the Data Controller. Enterprise Skills Ltd will support the controller in responding to requests, including:
- Right of access (Article 15) - obtain confirmation of what data is held and receive a copy
- Right to rectification (Article 16) - have inaccurate data corrected without undue delay
- Right to erasure (Article 17) - request deletion of personal data where processing is no longer necessary
- Right to restriction of processing (Article 18) - request that processing is limited in certain circumstances
- Right to data portability (Article 20) - receive data in a structured, machine-readable format
Data Storage and Subprocessors
All personal data is stored within the United Kingdom. Our database infrastructure is hosted by Supabase on AWS eu-west-2 (London). No personal data, whether for students or employees, is transferred outside the UK.
| Subprocessor | Service | Data Processed | Location |
|---|---|---|---|
| Supabase (via AWS) | Database and authentication | All personal data and scores | UK (eu-west-2, London) |
| Netlify | Application hosting and CDN | No personal data stored; serves application code only | Global CDN |
| Cloudflare | DNS, SSL/TLS, DDoS protection, WAF | No personal data stored; traffic passes through in transit only | Global CDN |
Security Measures
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is controlled by role-based permissions with institutional data isolation enforced at the database level via Row Level Security.
Authentication is via Microsoft SSO or Google SSO with institutional 2FA passthrough. Full details are available in our Information Security Policy.
Data Breach Notification
In the event of a personal data breach, Enterprise Skills Ltd will notify the affected controller (school or employer) without undue delay and in any event within 72 hours of becoming aware of the breach.
The notification will include:
- The nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences
- The measures taken or proposed to address the breach
Contact
For data protection enquiries or to exercise your rights, contact us at: