GDPR and trainee data: what programme directors should know

8 April 2026 · [Author Name]

This article provides a practical overview of GDPR and UK DPA 2018 as they relate to teaching programme management. For specific legal questions, consult your organisation’s data protection officer or legal team.

Why it matters

Teaching programmes handle personal data: trainee names, email addresses, attendance records, performance data, and sometimes sensitive information related to pastoral support. Under GDPR and the UK Data Protection Act 2018, this data must be handled lawfully, fairly, and transparently.

Key principles for programme leads

1. Lawful basis

You need a lawful basis for processing trainee data. For most teaching programme activities, this is likely:

  • Legitimate interest: Managing the training programme and meeting regulatory requirements
  • Contract: Where a formal agreement exists between the trainee and the institution
  • Legal obligation: Where data processing is required to comply with GMC or HEE requirements

2. Data minimisation

Only collect the data you actually need. If you don’t need a trainee’s home address for attendance tracking, don’t ask for it.

3. Storage and security

Trainee data should be stored securely, with appropriate access controls. Shared spreadsheets on personal Google accounts don’t meet this standard. Purpose-built platforms with role-based access control and encryption are the expectation.

4. Data subject rights

Trainees have the right to access their data, request corrections, and in some cases request deletion. Your programme should have a process for handling these requests within 30 days.

5. Data sharing

If you’re sharing trainee data between organisations (e.g. between a hospital and a deanery), ensure there’s a data sharing agreement or Data Processing Agreement in place.

What Exogi does

Exogi is designed with GDPR and UK DPA 2018 compliance built in:

  • Encryption at rest and in transit
  • Role-based access control — users only see data they’re authorised to access
  • Data isolation — each deanery operates in a completely separate environment
  • Data export and deletion — available at any time
  • Data Processing Agreement available on request for organisations that require one

Data protection isn’t an afterthought. It’s a core design principle.