Blog

GDPR and trainee data: what programme directors should know

8 April 2026 · [Author Name]

This article provides a practical overview of GDPR and UK DPA 2018 as they relate to teaching programme management. For specific legal questions, consult your organisation’s data protection officer or legal team.

Why it matters

Teaching programmes handle personal data: trainee names, email addresses, attendance records, performance data, and sometimes sensitive information related to pastoral support. Under GDPR and the UK Data Protection Act 2018, this data must be handled lawfully, fairly, and transparently.

Key principles for programme leads

1. Lawful basis

You need a lawful basis for processing trainee data. For most teaching programme activities, this is likely:

  • Legitimate interest: Managing the training programme and meeting regulatory requirements
  • Contract: Where a formal agreement exists between the trainee and the institution
  • Legal obligation: Where data processing is required to comply with GMC or HEE requirements

2. Data minimisation

Only collect the data you actually need. If you don’t need a trainee’s home address for attendance tracking, don’t ask for it.

3. Storage and security

Trainee data should be stored securely, with appropriate access controls. Shared spreadsheets on personal Google accounts don’t meet this standard. Purpose-built platforms with role-based access control and encryption are the expectation.

4. Data subject rights

Trainees have the right to access their data, request corrections, and in some cases request deletion. Your programme should have a process for handling these requests within 30 days.

5. Data sharing

If you’re sharing trainee data between organisations (e.g. between a hospital and a training programme body), ensure there’s a Data Processing Agreement in place. Exogi provides DPAs on request.

What Exogi does

Exogi is designed with GDPR and UK DPA 2018 compliance built in:

  • Encryption in transit (TLS) and bcrypt password hashing
  • Role-based access control — users only see data they’re authorised to access
  • Data isolation — each organisation operates in a completely separate environment
  • Subject access requests, data export, and full erasure — supported at any time
  • Data Processing Agreement available on request

Data protection isn’t an afterthought. It’s a core design principle.