Register trainee teachers data sharing agreement

This agreement was last updated on 22 June 2022.

Data sharing details

This data sharing agreement (DSA) applies to personal data shared between the Department for Education (DfE) and (‘the provider’) as part of the Register trainee teachers (Register) service.

The parties to the data sharing agreement

  1. Department for Education (DfE)
  2. Any designated provider in the Teacher Service Programme

Each ‘a party‘ and together ‘the parties’.

The aims and benefits of the data sharing agreement

The aim of this data sharing agreement is to enable the parties to understand how data is collected, processed and managed in Register.

This data sharing agreement sets out your roles, responsibilities, and accountability as Data Controller for the different processing of the personal data that is stored and processed in Register.

Register has replaced the existing Database of Trainee Teachers and Providers (DTTP). The DTTP service existed to support the exchange of data on trainee teachers in England between accredited Initial Teacher Training (ITT) Providers and the DfE. Trainee teacher data is a critical business requirement with accredited providers entering data into the DTTP, and that data being used by internal downstream users.

The agreed purposes

This collection and processing of this data is vital to DfE for a variety of purposes including (but not limited to):

  • collection of data for statistics and publications
  • assessing the impact of teacher recruitment campaigns
  • calculation and allocation of funding for bursaries, scholarships and grants
  • auditing of third party teaching suppliers
  • awarding of teacher status at the end of a trainee’s teacher training
  • creating a trainee’s teacher record once they qualify, which is used throughout their teaching career

This data provides the DfE with past, current, and future foresight of new teachers entering the workforce.

The personal data and Special Category personal data being shared

The following types of personal data will be shared between the parties for the purposes of this agreement:

  • full name
  • date of birth
  • sex (female, male, other or not provided)
  • nationalities
  • disabilities
  • ethnicity

The following types of Special Category personal data shall be shared between the parties for the purposes of this agreement:

  • nationalities
  • sex
  • ethnicity
  • disabilities

Nationality

We collect this to inform funding, policy and statistics, and is included in aggregate tables that are included in annual ITT publications reported by the Teacher analysis division (TAD).

Sex, ethnicity and disability

We collect these as part of a section in the service called ‘Personal details’. This information can also be collected from the Apply for teacher training (Apply) service, and comes into Register through an integration between the 2 services. Sex, ethnicity and disability information is included in aggregate tables that are included in annual ITT publications reported by TAD. The user can choose to provide this information.

Identifiable data of providers

There are various combinations of identifiable data which may be collected about a provider (depending on route), these extend to:

  • lead school ID
  • employing school ID
  • unique reference number (URN)
  • organisation name
  • address

At the point of data collection, the DfE and the providers are Independent Data Controllers for the trainee’s data. It is the provider’s responsibility as an Independent Data Controller to ensure compliance with the appropriate requirements of data protection legislation.

Register trainee teachers privacy notice

In situations where a trainee did not use Apply for teacher training (Apply), the accredited provider should inform their trainees of Register’s privacy notice which describes to trainees how their data will be used. This privacy notice will include the email address they can use to contact the Register support team, and can be found at www.register-trainee-teachers.education.gov.uk/privacy-notice

What the provider can use personal data for that’s shared with them by the DfE

Part of the data that the DfE collects for each trainee includes sensitive data, as described above. Where trainee data comes in through Apply the accredited provider is responsible for correcting and updating the data in Register on behalf of the trainee.

When data is directly entered into Register, the accredited provider collects this information from the trainee and enters it into Register manually and keeps it up to date. The accredited providers remain Data Controllers as they need this data for their student records.

When lead schools import Register’s data they have an obligation to ensure the data is used in accordance with the rules stated in the Third party section of this document.

What the DfE can use personal data shared with the DfE for

Register receives the data outlined in this section from Apply (internal to the DfE) or the accredited providers. This data is used to allocate a Teacher reference number (TRN) and Qualified teacher status (QTS) or Early years teacher status (EYTS) to the trainee by the DfE, and for the purposes of preventing duplication in the allocation process.

Additionally, statistical analysis is done by the DfE to understand demographic trends in and performance of teacher recruitment. Once a TRN is allocated for the trainee and a QTS or EYTS is awarded, these are passed onto the providers for their student records. The data is also included in the trainee’s teacher record throughout their career.

Lawful basis

The data collected by Register provides the DfE with past, current, and future foresight of new teachers entering the workforce. This data collection and processing operates under the Secretary of State for Education’s ministerial common law powers. The DfE and providers commit to working together to limit the personal data shared and reduce this where possible. The following statutes underpinned the basis for processing this data.

The lawful basis for this processing is Public Interest, as outlined in the legislation:

  • Article 6(1)(e) of the UK General Data Protection Regulation (UK GDPR)
  • Section 8(d) of the Data Protection Act (DPA) 2018: UK DPA Legislation

The lawful basis for processing Special Category Data is Substantial Public Interest, as outlined in the legislation:

  • Article 9(2)(g) of the UK GDPR
  • Data Protection Act 2018 - Schedule 1: Part 2; UK DPA Legislation

The collection and processing of this data is vital to the DfE for a variety of purposes including (but not limited to):

  • the collection of data for statistics and publications
  • assessing the impact of teacher recruitment campaigns
  • calculation and allocation of funding for bursaries, scholarships and grants
  • auditing of third party teacher training providers
  • awarding of teacher status at the end of a trainee’s teacher training
  • creating a trainee’s teacher record once they qualify, which is used throughout their teaching career

Privacy notices

Refer to the Register privacy notice to see how Register handles data entered directly into the service.

In a situation where trainee records are entered directly into Register for non Apply trainees, the provider should inform their trainees of Register’s own privacy notice which describes to trainees how their data will be used. This privacy notice will include the email address they can use to contact the Register support team.

It is the responsibility of providers, as Data Controllers, to ensure that their respective privacy notices are sufficiently detailed to cover the data sharing activity specified in this DSA, including but not limited to the Purpose and the Lawful Basis for the sharing and processing.

By agreeing to this data sharing agreement, the DfE and the provider confirm that their respective privacy notices explain the data sharing activities outlined in this agreement.

Data handling

The DfE and the providers are Independent Data Controllers for the data collected through Register. The primary routes which data enters Register through are:

  • providers entering new records directly into Register using information from their own systems to populate Register
  • Register using an API to pull data where providers have managed the application process (with trainees submitting their data via the Apply service). Accredited providers may still need to add course details into these pre-populated records

The systems-based connection in which Register may share data:

  • Register connects to Apply to retrieve applicant information to populate its own records
  • Register retrieves course information from the Publish teacher training (Publish) service
  • organisations connect to Register to add, view or update their trainee data. Users can only access data connected to their organisation
  • Register reads and writes trainee record data to systems within the DfE for the purpose of allocating or retrieving a TRN for trainees and for registering their QTS or EYTS.
  • lead schools connect to Register to view their funding information and trainees’ information

The DfE uses Zendesk, a customer relationship management system, to handle queries from provider staff.

For data concerning trainees provided to the DfE by users through Zendesk, providers continue to be Data Controllers. The DfE will use this data for analytical purposes as well as for supporting providers with their queries and therefore will also become Data Controller at this point for this data.

The DfE and the provider may use some personal data such as names and date of birth for identification purposes through other channels, such as by phone or email for support and administration purposes.

Refer to the section on third party disclosure for more information on how the DfE shares data.

Accuracy of the shared data

The DfE undertakes measures to ensure that the data received by Register is accurate and reflects the information given to the DfE, though the format may be different.

The data shared by providers must be accurate, up-to-date and complete.

Assurance of compliance

The DfE’s personal information charter explains the standards expected of the DfE when holding personal information.

By consenting to this agreement, the provider confirms that:

  • their organisation is compliant, and will continue to comply, with the requirements of data protection legislation
  • data will be held in secure systems in line with data protection legislation and security requirements
  • they will treat data as Official-Sensitive and apply appropriate security measures to its handling

Third party disclosure

Where we are required to disclose personal data to comply with legal requirements, we will endeavour to notify the individual prior to disclosure as allowed by law.

For other data shared, each party will endeavour to inform the other of any requirements to share data with third parties. The DfE uses some third-party data processors, including Google Analytics, Google Workspace, Zendesk.

Providers must comply with Article 28 in the GDPR, which sets out the roles and responsibilities of a Data Processor on appointing and using appropriate data processors.

By consenting to this agreement, the provider confirms that:

  • their data sharing practices comply with data protection legislation
  • their data sharing practices minimise the risk of individuals being identified by unauthorised parties, using appropriate safeguards to look after shared data
  • they will only share data for the purposes outlined in this agreement
  • they hold data in strict confidence and have appropriate safeguards in place to protect data against unlawful or unauthorised processing

Handling subject access requests (SARs)

The DfE will manage SARs regarding any information for which the DfE is a Data Controller.

The DfE and the provider will contact each other immediately if they get a request for:

  • rectification of information (Article 16 of GDPR)
  • erasure of information (Article 17 of GDPR)
  • restriction to process information (Article 18 of GDPR)

For other types of SARs, the provider must notify the DFE within 5 working days.

Data subjects wanting to make an SAR can email the DfE at becomingateacher@digital.education.gov.uk.

Handling freedom of information requests

The DfE is responsible for responding to freedom of information act requests regarding Register data processing and sharing practices.

The DfE will contact the provider if any support is needed to process a request.

Data access and storage

The provider must store shared data securely using technical and organisational measures.

Data should be encrypted at rest, using AES256 and in transit using TLS 1.2 and above, as minimum standards.

Access to data must be controlled and on a need-to-know basis. All access to data must be logged and reviewed periodically.

The data must be retained in a way that is compliant with EU data protection legislation.

By consenting to this agreement, the DfE and the provider agree to:

  • hold data in strict confidence
  • have appropriate safeguards in place to protect data against unlawful or unauthorised processing

Data retention and destruction schedule

Data retention

Personal data must be kept only as long as needed to carry out the activities outlined in this document.

The DfE will keep data for no longer than 7 years. The provider must set an appropriate time limit, in line with the General Data Protection Regulation (GDPR), for retaining data before erasure or review.

Data destruction

The provider must destroy the data when it is no longer needed, or when the retention schedule has expired.

The provider must follow the National Cyber Security Centre’s advice on secure sanitisation.

Security incidents

The DfE and the providers are responsible for notifying each other in writing in the event of loss or unauthorised disclosure of information within 24 hours of the event being discovered.

All communication should be sent by email to becomingateacher@digital.education.gov.uk.

The designated points of contact will discuss and agree the next steps relating to the incident, taking specialist advice where appropriate. Such arrangements will include (but will not be limited to):

  • containing the incident and mitigating any ongoing risk
  • recovering information
  • assessing whether the Information commissioner should be notified or whether data protection officers or data subjects need to be notified

The arrangements may vary in each case, depending on the sensitivity of the information and the nature of the loss or unauthorised disclosure. Where appropriate and if relevant to the incident, disciplinary misconduct action and criminal proceedings will be considered.

Consequences of security incidents

Any security incident that occurs will not impact the DfE’s ongoing cooperation with the provider.

In the event of a personal data breach (or where there is a reason to believe that an incident could arise) the DfE and the provider will pause further data sharing until the signatories of this agreement are satisfied that the cause or incident is resolved.

If the issue cannot be resolved or if it’s very serious, data sharing will not start again until DfE and the provider are satisfied that the cause or incident is resolved.

The DfE contact would raise the incident with the DfE departmental security team and complete formal procedures in the event of a personal data breach.

Termination of the agreement

When to terminate this agreement

Both participants to this DSA reserve the right to terminate this DSA with 3 months’ notice in the following circumstance:

  • finances, resources or other factors beyond the control of the DfE or the provider
  • if any change occurs which, in the opinion of the DfE and the provider, significantly impairs the value of the data sharing arrangement in meeting their objectives
  • in the event of a significant security breach or other serious breach of the terms of this DSA by either participant, the DSA will be terminated or suspended immediately without notice

A relevant person at your organisation who deals with initial teacher training (ITT) should consent to this DSA.

If you’re an accredited provider

To notify the DfE with your consent to the terms of this data sharing agreement, email becomingateacher@digital.education.gov.uk with confirmation.

If you’re a lead school

You will have received an email from us asking you to fill out a form where a relevant person from your organisation needs to consent to this data sharing agreement.