Privacy Policy

At The Challenge Network, we are committed to protecting and respecting your privacy.

This privacy policy explains the types of personal information we collect from you, why we collect it, how we will use it, who we may disclose it to and the choices available to you about that information.

This notice applies to current and former participants. This notice does not form a fixed part of your Step Forward application or any other contract, so we may update this notice at any time.

This policy sets out the basis on which any personal information we collect from you or that you provide to us, through this website or otherwise in relation to Step Forward will be processed by us. Please read the policy carefully to understand our practices regarding your personal information and how we will treat it.

For the purposes of data protection law, the “Data Controller” in respect of personal information collected through this website is the Education and Skills Funding Authority (ESFA). The Challenge Network act as their data processor.

You may wish to also refer to our Terms of Use policy, available here.

Our Privacy Policy aims to explain:

  • The information we collect and why we collect it.
  • How we will use and protect that information.
  • The options available for accessing and updating an individual’s personal information.

The Information We Collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are ‘special categories’ of more sensitive personal information which require a higher level of protection.

We may collect, store, and use the following categories of personal information and ‘special categories’ of personal information about you, including:

  • contact details;
  • diversity information (including ethnicity and religion);
  • gender;
  • date of birth;
  • medical and safeguarding information;
  • recruitment information (including CVs and references);
  • safeguarding information (including any criminal convictions and offences); and
  • photos, videos and testimonies.

How Is Your Personal Information Collected

We collect personal information about you through the application process, directly from you and, if you are under 19 years of age, your parents/guardians or other key workers.

We will also collect additional personal information through your participation in Step Forward.

How will we use personal information we hold about you?

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • where we need to perform the contract we have entered into with you;
  • where we need to comply with a legal obligation;
  • where it is necessary for our legitimate interest (or those of a third party); and
  • we may also use your personal information in the following situations, which are likely to be rare:
    1. where we need to protect your vital interests; and
    2. where it is needed in the public interest.

Situations in which we will use your personal information

We need all the categories of information in the list above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use your personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.

The situations in which we will process your information are listed below.

  • Assessing qualifications for a particular job or task.
  • Checking you are legally entitled to work in the UK.
  • To ensure you are safe and supported whilst on the programme and allow us to comply with our legal obligations to keep young people safe.
  • Administering the contract we have entered into with you.
  • Education, training and development requirements.
  • Dealing with legal disputes.
  • Complying with health and safety obligations.
  • To monitor your use of our information and communication systems to ensure compliance with our IT policies.
  • To ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution.
  • Equal opportunities monitoring.

Change of Purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

If you fail to provide information

If you fail to provide personal information when requested you may be unable to continue with the programme e.g. if we are prevented from complying with our legal obligations (such as to ensure the health and safety of the young people).

Please note that this list is not exhaustive.

How we use particularly sensitive information

“Special categories” of particularly sensitive personal information require higher levels of protection. We have in place an appropriate policy document and safeguards, which we are required by law to maintain when processing such data. We may process special categories of personal information in the following circumstances:

  1. In limited circumstances, with your explicit written consent.
  2. Where we need to carry out our legal obligations or exercise rights in connection with employment.
  3. Where it is needed in the public interest, such as for equal opportunities monitoring.

We may also process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public. We may also process such information about members or former members in the course of legitimate business activities with the appropriate safeguards.

We will use your particularly sensitive personal information in the following ways:

  • We will use information about your physical or mental health, or disability status, to ensure your health and safety in the classroom, and to provide appropriate classroom adjustments.
  • We will use information about your race or national or ethnic origin to ensure meaningful equal opportunity monitoring and reporting.

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

Information about criminal convictions

We may need to collect criminal convictions information during the application process to ensure your suitability to certain employers and/or industries.

We will use the information about criminal convictions, or contact with the criminal justice system, to ensure your safety, the safety of others and the integrity of the industry with which you are being matched, i.e. accounting and early years practitioners. We may also collect information about criminal convictions directly from you or from other key workers such as social workers, teachers and probation officers.


Who might we share your personal information with?

We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law. In limited circumstances, we may transfer your personal information outside the EEA. If we do, you can expect a similar degree of protection in respect of your personal information.

Why might we share your personal information with third parties?

We will share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

“Third parties” includes funders, partners, service providers, contractors and designated agents. The following third-parties may process personal information about you:

  • Education and Skills Funding Agency;
  • Lead Funders/Providers for your programme;
  • Awarding Bodies (such as AAT);
  • regulatory authorities;
  • IT service providers;
  • those who provide products or services to The Challenge (such as payroll administrators, activity centres, and Disclosure and Barring Service Providers); and
  • to a third party in the event of a business sale, restructure or reorganisation.

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal information for their own purposes. We only permit them to process your personal information for specified purposes and in accordance with our instructions.

We may share your personal information with other third parties, for example with a regulator or to otherwise comply with the law.

When will we delete the personal information?

Unless there is a compelling safeguarding, health and safety, dispute or other legal reason to retain information for a longer period, we will normally delete:

| Subsection | Record Type | Retention Period and Deletion or Disposal Deadline |
|---|---|---|
| i. | Personally Identifiable Information – not direct delivery by TCN, subject to iii to vi | Return to prime provider and delete within 3 months of last payment in relation to that individual. |
| ii. | Personally Identifiable Information – direct delivery by TCN, subject to iii to vi | 6 years from date of last payment to TCN in relation to the individual. |
| iii. | Student Evidence and Assessment Records | 3 years from the date of certification. |
| iv. | Photos, video, voice recordings for marketing (not for programme logistics), subject to vi | 5 years from the date of creation. |
| v. | Any other Special Category Data not for programme logistics, subject to vi | |
| vi. | Incident Information and any Personal Identifiable Information or Special Category Data related to that Incident | 20 years from the date of the Incident or alleged Incident (whichever is the later). Incident levels are defined in our Major Incident Procedures and Crisis Comms Plan. |


Personally Identifiable Information means any information relating to a living individual (a “Data Subject”) where that Data Subject can be identified directly or indirectly, for example, by reference to an identifier such as a name, an identification number or address. It includes “Special Category Information”. This covers information which can be used to identify a ‘living individual’, e.g. name, address, email address, date of birth, home address, phone number, identification number, location data and online data, and includes Special Category Information.

Transferring information outside the EEA

We may from time to time need to use the services of an IT provider that stores or accesses your personal information outside the European Economic Area (EEA). However, we will only do so if there are appropriate safeguards to protect the information. For example, we will put in place European Commission model contractual clauses, ensure the supplier has binding corporate rules in place regarding data security and/or ensure the relevant country is recognised as having adequate data security by the European Commission. For details of such safeguards please email

Your rights in relation to your personal information

You are entitled to:

  • request copies of personal information that we hold about you;
  • require personal information to be corrected if it is inaccurate or incomplete; and
  • in some circumstances:
    • request that your personal information is erased, for example, if it is no longer necessary for the purpose we hold it for;
    • request that the use of your personal information is restricted, for example, where you have raised concerns as to the accuracy of the information;
    • object to our use of your personal information, for example, if the information is being used for one of our legitimate interests like collection for evidence, research, statistics;
    • withdraw consent to our use of your personal information going forward, for example, where you have requested support information but have changed your mind; and
    • have the personal information provided to us be transferred to another organisation.

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the ESFA’s Information Manager by sending mail to Chief Executive’s Office, Cheylesmore House, Quinton Road, Coventry, CV1 2WT. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Other Requests/Issues

We have appointed a Data Protection Officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact The Challenge Network’s DPO at , or if you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, or request that we transfer a copy of your personal information to another party please contact the ESFA’s Information Manager by sending mail to Chief Executive’s Office, Cheylesmore House, Quinton Road, Coventry, CV1 2WT. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

Links to Third Party Sites

Please note that this site may, from time to time, contain links to and from websites of third parties including our partners, advertisers or affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy notices and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.

Cookies Policy

Our website uses cookies to distinguish you from other users of our website.

Through the insight we gain into our visitors we are able to improve our site and focus the content to our viewers’ interests. By continuing to browse the Step Forward website (“Our Site”), you are agreeing to our use of cookies.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.

We use the following cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.
  • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

How Cookies are used on Our Site

We use a tool called Google Analytics to collect information about how you use Our Site. We do this to measure performance of Our Site, for example to find out the most visited pages of Our Site, and the most frequently asked questions, but also to help make sure the site is meeting the needs of its visitors and to help us make improvements.

Google Analytics stores information including but not limited to:

  • the pages you visit on our website;
  • the link you clicked on (or other way) to come to our website;
  • the amount of time you spend on each page of our website; and
  • what you click on while you’re visiting the site.

A cookie is logged on your computer the first time you visit Our Site.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

| Cookie | Expiration | Purpose | More information |
|---|---|---|---|
| __utma | 2 years from set/update. | Used to distinguish users and sessions. | The cookie is created when the JavaScript library executes and no existing __utma cookies exist. The cookie is updated every time data is sent to Google Analytics. |
| __utmb | 30 mins from set/update. | Used to determine new sessions/visits. | The cookie is created when the JavaScript library executes and no existing __utmb cookies exist. The cookie is updated every time data is sent to Google Analytics. |
| __utmc | End of browser session. | Not used in ga.js. Set for interoperability with urchin.js. | Historically, this cookie operated in conjunction with the __utmb cookie to determine whether the user was in a new session/visit. |
| __utmz | 6 months from set/update. | Stores the traffic source or campaign that explains how the user reached our site. | The cookie is created when the JavaScript library executes and is updated every time data is sent to Google Analytics. |
| _ga | 2 years. | Used to distinguish users. | |
| _gat | 10 minutes. | Used to throttle request rate. | |
| VISITOR_INFO1_LIVE | 9 months | Allows YouTube to count the views of embedded YouTube videos. | |
| PREF | | Used to remember your preferences/settings such as language, preferred resolution size. | |
| NID | | Used to remember your selections or preferences that you’ve already made when looking at information or using a service. | |


Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control.

Changing your cookie preference

Most web browsers allow some control of most cookies through the browser settings.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of Our Site.