Data Protection and Information Security

TLM is committed to protecting the personal data it processes in connection with qualification delivery, assessment, awarding, and certification. We apply appropriate technical and organisational measures designed to safeguard personal data against unauthorised access, loss, misuse, alteration, or disclosure.

Our approach to data protection is guided by applicable UK data protection law, including the UK GDPR and the Data Protection Act 2018. We process personal data only where necessary for legitimate awarding organisation functions and seek to ensure that the information we collect is adequate, relevant, and limited to what is required for those purposes.

Technical and Organisational Security Measures

We maintain a range of technical and organisational controls to support the security of personal data. These include:

access controls designed to ensure that personal data is available only to authorised individuals
role-based permissions to limit access according to job responsibilities
secure hosting and server management arrangements
controlled handling of learner and centre data
internal procedures for managing incidents and data breaches
ongoing review of security arrangements to ensure they remain appropriate to the nature of the data processed

We also work to ensure that the personal data we process is limited to what is necessary for qualification administration, certification, regulatory requirements, and associated operational purposes.

Policies and Procedures

TLM maintains policies and procedures relating to data protection, privacy, information security, access management, retention, and incident handling. These are designed to support compliance and promote the secure and responsible handling of personal data across our operations.

Our Privacy Notice provides further information on how personal data is collected, used, stored, and shared:

TLM Privacy Notice

System Security

We take system security seriously and apply appropriate measures to protect the platforms and services we use in qualification delivery. Our arrangements include managed security controls, secure server management, and operational processes intended to reduce risk and maintain the integrity of our systems.

Access to personal data is restricted according to business need, and our systems and controls are reviewed periodically as part of our wider compliance and security management processes.

Cyber Essentials

TLM holds Cyber Essentials certification in relation to its server management arrangements. This supports our ongoing commitment to maintaining appropriate cyber security controls within our operational environment.

Information Security Accreditation

TLM currently holds Cyber Essentials certification. We do not currently hold ISO 27001 accreditation, although this remains under consideration as part of our ongoing development of information security governance.

Children’s Data and Age-Appropriate Design

TLM recognises the importance of protecting children’s personal data where our services may be accessed by learners under the age of 18. We consider applicable UK data protection requirements, including age-appropriate design considerations where relevant to the nature of the service provided.

Our platforms are used for defined educational and awarding purposes, such as qualification delivery, assessment, and certification. They are not designed as open social or consumer-facing platforms, and personal data is processed only for specific educational, operational, and regulatory purposes in line with our legal obligations.

Data Sharing

Where required, TLM may share limited data with relevant regulatory or public bodies in connection with qualification delivery, certification, funding, or other lawful obligations. Any such sharing is carried out in line with applicable legal and regulatory requirements and is limited to what is necessary for the relevant purpose.

Further Information

We are committed to transparency in how we manage and protect personal data. Where appropriate, additional information can be provided on areas such as data retention, access controls, incident handling, and data sharing arrangements.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_46896377_4	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	16 years 3 months 16 days 11 hours 3 minutes	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.