From 25 May 2018, the new EU General Data Protection Regulation (GDPR) will be coming into effect. In order to comply with the new requirements of this law, NSAR has updated its Privacy Policy which provides detailed information on how we use and protect your personal information, and your rights in relation to this.


This Privacy Policy explains what we do with your personal data, whether we are in the process of helping recruiting you, continuing our relationship with you as an employee, or a member, providing you with a service, receiving a service from you, or you are visiting our website. It describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. 


Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights. This Privacy Policy applies to the personal data of our Candidates, Employees, Members, Suppliers, and other people whom we may need to contact. 

It also applies to the emergency contacts of our Staff.For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), the company responsible for your personal data (“NSAR” or “us”) can be found here.


NSAR reserves the right to amend this Privacy Policy from time to time in line with legislative changes. If you are dissatisfied with any aspect of our Privacy Policy, you may have legal rights and, where relevant, we have described these as well.


You are required to supply your Data in order to register for our membership, newsletters, access to applications and services or where you have asked us to send you further information.

What kind of personal data do we collect?

Candidate Data 

In order to recruit effectively we need to process certain information about you. We only ask for details that will genuinely help us to help you, such as your name, contact details, education details, employment history and financial information (where we need to carry out financial background checks). Where appropriate and in accordance with local laws and requirements, we may also collect information related to your health, diversity information or details of any criminal convictions. 

Employee Data 

Organisations are required by law to hold certain personal data for their workforce such as records of workers joining them, their job title, contact details, pay and benefits and so on. NSAR collects as a minimum personal data relating to contact details, previous work history, proof of right to work in the UK, bank details, and terms & conditions of employment.

Member Data

If you are active NSAR Member, we need to collect and maintain information about you and organisation. We will would ask that you submit any changes to these details once they are apparent. Lapsed members records will be held for a period of 6 months where beyond this period they will be eliminated from our records.

Supplier Data

We need a small amount of information from our Suppliers to ensure that things run smoothly. We need contact details of relevant individuals at your organisation so that we can communicate with you. We also need other information such as your bank details so that we can pay for the services you provide (if this is part of the contractual arrangements between us).

People whose data we receive from staff, such as referees and Emergency Contacts

In order to provide candidates with suitable employment opportunities safely and securely and to provide for every eventuality for them and our employees, we need some basic background information. We only ask for very basic contact details, so that we can get in touch with you either for a reference or because you’ve been listed as an emergency contact for one of our employees.

How do we use your personal data?

Your data will solely be used for the purpose specified at the time of collection and unless specified, will not be passed on or sold to any third parties unless you have indicated your consent to at the time of your registration or following further communications from us.

Client Data

The main reason for using information about Clients is to ensure that the contractual arrangements between us can properly be implemented so that the relationship can run smoothly. The more information we have, the more bespoke we can make our service.

Supplier Data

The main reasons for using Supplier data are to ensure that the contractual arrangements between us can properly be implemented so that the relationship can run smoothly, and to comply with legal requirements.

Employee Data

Employee records are necessary for the formulation and implementation of employment policies and procedures for recruitment, training, promotion, dismissal etc. Some of these are required by law and others enable personnel to monitor other processes.  Accurate records help ensure that employees receive their correct pay, annual leave, pension and other entitlements and benefits. They can be used to monitor fair and consistent treatment of staff.

People whose data we receive from staff, such as referees and Emergency Contacts

We use referees’ personal data to help verify our Employee’s details and qualifications on commencement of employment. We use the personal details of an Employee’s emergency contacts in the case of an accident or emergency affecting that individual.

How can you access, amend or take back the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.Right to withdraw consent: Where we have obtained your consent to process your personal data or consent to market to you, you may withdraw your consent at any time.Data Subject Access Requests: You have the right to ask us to confirm what information we hold about you at any time, and you may ask us to modify, update or Delete such information. At this point we may comply with your request or, additionally do one of the following:

  • we may ask you to verify your identity, or ask for more information about your request; and
  • where we are legally permitted to do so, we may decline your request, but we will explain why if we do so.

Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will Delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with your local supervisory authority or the Information Commissioners Office.

Children and Privacy

Our Website does not target and is not intended to attract children under the age of 14. We do not knowingly solicit personal information from children under the age of 14 or send them requests for personal information.

What are cookies and how do we use them?

A cookie is a text-only string of information that a website transfers to the cookie file of the browser on your computer’s hard disk so that the website can remember who you are. A cookie will typically contain the name of the domain from which the cookie has come, the “lifetime” of the cookie, and a value, usually a randomly generated unique number.

We use cookies in the following ways:


  • to help us recognise you as a unique visitor (just a number) when you return to our Website and to allow us to tailor content or advertisements to match your preferred interests; and
  • to track user traffic patterns to see how effective our navigational structure is in helping users reach that information and to help us ensure that its structure is workable; and
  • to compile anonymous, aggregated statistics that allow us to determine the usefulness of our Website information. 

More information about cookies, including how to block them and/or delete them, can be found at 

You do not need to have cookies turned on to use or navigate through many parts of our Website, however this may limit some of the functions available on the Website and you may not be able to use all the interactive features.

Security – How do we safeguard your data?

We take reasonable precautions to keep your Data secure. Such information is subject to restricted access to prevent unauthorised or unlawful access, modification or use and accidental loss, destruction, or damage. We will ensure any third parties to whom we send your data for processing on our behalf are obliged to comply with our own standards of security and to act only upon our instructions.  

System Data

NSAR and your employer are committed to protecting and respecting your privacy.


This policy sets out the basis on which any personal data we store on the web based system will be processed by us. This includes your trainer / assessor account, if applicable, and your individual record on the system (called ‘Skills ID’). Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. Please note that this policy only relates to personal data stored on the NSAR system; your employer also has a policy for other personal data collected by it or not held on the NSAR system.


For the purpose of GDPR, NSAR and your employer are joint data controllers. NSAR is registered in England and Wales under company number 07484465 and data controller number Z2646486.

Information we collect from you

We will collect and process the following data about you:

  • Information that you provide which is necessary to allow you to register on the NSAR SkillsBackbone™ system (as well as any changes to this information). This is your name, gender, date of birth (trainers/assessors), year of birth (SkillsID holders), National Insurance number, your current employer and an e-mail address.
  • B. An e-mail address will be required as the NSAR system uses password automation for instances of an individual requiring a password reminder. In addition, a helpdesk will be provided should any problems be encountered with this process.
  • Information that you/your employers provide which, at your option, may be recorded on your NSAR account(s) (as well as any changes to this information). This may include your job title and functional area.

Where we store your personal data

Once your information is stored on the NSAR system, we will use strict procedures and security measures to prevent unauthorised access. For example, when your NSAR account is accessed over the internet by either us or your employer the delivery of information is executed using secure transport mechanisms. When not in transmission, all information you provide to us is stored on secure servers.


If you would like further information regarding the security of the NSAR system, please contact the nominated data control representative in your organisation or NSAR’s helpdesk.

Retention of data

Once your information has been uploaded onto the NSAR system, it will remain accessible while you are employed by your employer or whilst you remain an active Trainer/Assessor.‘Archiving’ means that your NSAR account(s) has been removed to a separate area on the NSAR system and is not accessible to anyone except NSAR. Your Trainer/Assessor account will be archived if you cease to be sponsored by any approved Sentinel training/assessment provider or if your employing training/assessment organisation withdraws from the NSAR scheme.

Your system account will be archived in the two circumstances:


  • where there has been no change or access to it within 5 years; or
  • where you cease to be employed by your employer 

After archiving, one of three things will happen to your account:


  • where an account is not ‘unarchived’ within 5 years, it will be stored on a disc in accordance with current legislation in this area; or
  • on obtaining a job with a new employer, your account will be reactivated by them if they subscribe to SkillsID. Your account will be unarchived, with your training and qualification records being transferred to your new employer
  • trainer/assessor accounts will be reactivated by NSAR when you begin training/assessing with a new employer or sponsor. However, NSAR may require you to reapply for approval depending on how long you were inactive for. 

Uses made of this information

We use information held about you in the following ways:


  • to process and approve your application to become an NSAR approved Trainer/Assessor
  • to manage your approved trainer / assessor status including monitoring your CPD
  • to allow you (via your employer and approved training providers) to record that you have completed training and qualifications
  • to allow you and your employer to benchmark your training and qualifications against industry standard job roles to assist with your career pathway
  • to use the Competency system to assess against agreed industry descriptors, recorded on the system and available to employers by reporting
  • to allow new employers (after you commence employment with them) to confirm your training and qualifications by reviewing your Skills ID records. 

If NSAR needs to contact you it will use the email information provided on your account.

Access to information

The GDPR gives you the right to access information held about you. Your right of access can be exercised in accordance with the GDPR. Please address any requests to NSAR Data Protection Controller at NSAR’s head office address.


Trainers/Assessors are able to access information held about them via their Trainer /Assessor account. As a SkillsID holder you will be able to access some of this information yourself (i.e. your training and qualification records), unless your account has been archived. If you are not able to access your account, then you can also ask your employer for assistance in accessing your SkillsID.

Changes to the Privacy Policy

Any changes we may make to this privacy policy in the future will be notified to you by post or by e-mail unless:


  1. your Trainer/Assessor account has been permanently deleted (after being archived)
  2. your Skills ID has been permanently deleted (after being archived); or
  3. you have moved to a new employer (and this privacy policy has been superseded with one provided to you by your new employer).

Unsubscribing you wish to unsubscribe from NSAR communications follow the unsubscribe link sent with all NSAR electronic communications or alternatively by email your request to unsubscribe request to

Data Protection

We are registered as a data controller with the Information Commissioner. If you have any further questions or concerns about our collection, use, or disclosure of your personal information, please write to the Data Protection Officer, the National Skill Academy for Railway Ltd, 11 Carteret Street, London SW1H 9DJ.


We use our reasonable endeavours to make sure information on this Website is accurate and up to date but before you rely on anything please contact us or double check the information from another source.


This Website also contains links to external Internet websites. We have included such links for your ease of reference but please note that we have no control over the contents of these websites and do not endorse their content and cannot accept responsibility for them. You access such websites at your own risk.

© 2019 Copyright National Skills Academy for Rail