Last updated May 2026

Introduction

The City and Guilds of London Institute (“CGLI”), operating under the working name City & Guilds Foundation, administers a bursary programme that provides financial support to individuals undertaking vocational and technical education and training. CGLI is committed to data security and the fair and transparent processing of personal data.

This privacy notice (“Notice”) sets out how CGLI processes the personal data of individuals who enquire about, apply for, or receive a bursary award, in compliance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”). Where we process personal data of individuals located in the European Economic Area, EU GDPR may also apply.

Please read this Notice carefully before submitting your details or application.

Who We Are

The City and Guilds of London Institute is a charity incorporated by Royal Charter, with registered charity number 312832 (England and Wales) and SC039576 (Scotland). Our registered address is Giltspur House, 5–6 Giltspur Street, London EC1A 9DE. City & Guilds Foundation is the working name of The City and Guilds of London Institute.

For the purposes of UK GDPR and the DPA 2018, CGLI is the data controller for personal data processed in connection with the bursary programme.

Contact us: If you have any queries about this Notice or wish to exercise your rights, please contact us at info@cityandguildsfoundation.org or write to: Data Protection, The City and Guilds of London Institute, Giltspur House, 5–6 Giltspur Street, London EC1A 9DE.

Your Application Journey and How We Use Your Data at Each Stage

The bursary application process has several stages. We process different personal data at each stage and on different legal bases. The sections below explain this.

Stage 1 – Eligibility check

When you first register your interest, you will be asked a series of eligibility questions via our online registration form (hosted on Alchemer). These questions are used to determine whether you meet the basic criteria for a bursary award.

This stage involves automated processing: your responses are assessed automatically and, if you meet the eligibility criteria, you will automatically receive an email inviting you to submit a full application. If your responses indicate that you do not meet the eligibility criteria, you will not be invited to proceed at this stage.

⚠️  Your right to request human review: If you are not invited to proceed following the eligibility check and you believe this is incorrect — for example, if you answered a question incorrectly — you have the right to request a human review of your eligibility. To do so, please contact us at bursaries@cityandguildsfoundation.org. A member of the Foundation team will review your registration and respond to you. In our experience, most review requests are resolved quickly, often because an eligibility question was misunderstood or answered incorrectly.

Stage 2 – Full application

If you are invited to apply, you will be sent a full application form (also hosted on Alchemer). This form collects more detailed personal information to allow us to assess your application fully. See section 4 for the full list of data collected at this stage.

Stage 3 – Shortlisting and assessment

Applications are reviewed and shortlisted by the Foundation team. We use approved AI tools (Microsoft Copilot and Claude) to assist with this review process. No personal data is entered into AI prompts: AI tools are used to support the team’s work but all shortlisting decisions involve human judgement and sign-off.

Stage 4 – Decision and award

Successful applicants are notified and the bursary award process begins. Unsuccessful applicants are also notified. Your data continues to be processed in connection with the ongoing grant relationship (for successful applicants) or is retained for a limited period before deletion (for unsuccessful applicants) — see section 7 for retention periods.

Personal Data We Collect

Registration and eligibility check

At the eligibility check stage we collect the minimum information needed to assess eligibility:

• Name and email address
• Course and centre name and location
• Qualification level
• Employment status
• Responses to eligibility questions

Full application

If invited to apply, we collect the following additional information through the full application form:

• Age range
• Postal address and telephone number
• Sex
• Information about your income, expenditure, debt, and savings
• Career interests, skills, and experience
• Your professional development goals
• Disability information, requests for reasonable adjustments, and information about learning difficulties
• Equal opportunities monitoring information (including racial or ethnic origin)

The disability and equal opportunities information listed above is special category personal data under UK GDPR. We explain how we use this data and the legal basis for doing so in section 5 below.

Website data

If you visit our website, we may also automatically collect technical and usage data including IP address, browser type, operating system, and information about your visit. Please see our Cookie Policy for full details at cityandguildsfoundation.org/cookie-policy

Data about other people

If you provide personal data about any person other than yourself, you must ensure that they understand how their information will be used and that they have given their permission for you to disclose it to us.

How and Why We Use Your Personal Data

We only process your personal data where we have a lawful basis for doing so. The table below sets out our main processing activities and the basis for each.

Purpose	Lawful Basis	Notes
Automated eligibility screening via Alchemer registration form	Legitimate interests	Automated processing with human review available on request — see section 6
Administering the full application process via Alchemer	Contract / Legitimate interests	Core programme administration
Shortlisting and assessing applications (Foundation team, AI-assisted)	Legitimate interests	No personal data entered into AI prompts; all decisions involve human review
Notifying applicants of outcomes	Contract / Legitimate interests
Administering the bursary award and ongoing grant relationship (successful applicants)	Contract	For the duration of the grant relationship
Processing disability information and reasonable adjustment requests	Explicit consent / Legal obligation	Special category data — see below
Equal opportunities monitoring (racial/ethnic origin, sex, disability)	Explicit consent / Substantial public interest	Used in aggregate to monitor programme equity; not used in individual decisions
Sending post-programme evaluation forms and career progression surveys	Legitimate interests	You may opt out at any time
Inviting you to share your experience as a case study or speaker	Legitimate interests	Entirely voluntary; separate consent obtained before any publication
Communicating with you about queries, complaints, or disputes	Legitimate interests / Legal obligation
Sending newsletters or information about related programmes and events	Consent	You may withdraw consent at any time via the unsubscribe link
Complying with legal or regulatory obligations	Legal obligation	e.g. responding to requests from authorities
Improving and operating our website	Legitimate interests	Analytics and performance monitoring

 

Special category data

Disability and reasonable adjustment information is collected with your explicit consent and is used solely to ensure that adjustments can be made to the application process where needed. It is not used as a factor in assessing the merits of your application.

Equal opportunities monitoring data (including racial or ethnic origin and sex) is collected with your explicit consent and used only in aggregate to monitor whether our programme is reaching a diverse range of applicants. It is never used to make decisions about individual applications.

You may withdraw your consent to the processing of special category data at any time by contacting us at info@cityandguildsfoundation.org. Withdrawal of consent for equal opportunities monitoring data will not affect your application.

Automated Decision-Making

As described in section 3, the initial eligibility check involves automated processing. Your responses to the eligibility questions in the Alchemer registration form are assessed automatically. If your responses indicate that you do not meet the eligibility criteria, you will not automatically receive an invitation to complete the full application form.

This constitutes automated decision-making with significant effect under Article 22 of UK GDPR. We rely on our legitimate interests in operating an efficient and consistent initial screening process as the basis for this automated processing.

You have the right to:

• Request human review of the automated eligibility decision by contacting us at info@cityandguildsfoundation.org
• Express your point of view and provide additional information or clarification
• Contest the decision

 

Human review requests are handled by the Foundation team and are usually resolved quickly. In our experience, most cases involve an eligibility question that was misunderstood or answered incorrectly. If following human review you are found to be eligible, you will be invited to submit a full application.

The eligibility criteria used in the automated check are based on the published eligibility requirements for the bursary programme. If you would like to understand the specific logic applied to your registration, please contact us.

Platforms We Use and Who We Share Your Data With

Technology platforms

Your personal data is processed through the following platforms:

Platform	Role	Privacy information
Alchemer	Hosts registration and application forms; processes your responses	alchemer.com/privacy-policy
HubSpot	Automates eligibility check emails; manages applicant communications	legal.hubspot.com/privacy-notice
Microsoft 365 (Copilot)	Internal team use; AI-assisted shortlisting support (no PI in prompts)	microsoft.com/en-us/privacy
Claude (Anthropic)	Internal team use; AI-assisted shortlisting support (no PI in prompts)	anthropic.com/privacy
SurveyMonkey Apply	Grant management platform (successful applicants)	surveymonkey.com/mp/legal/privacy-policy

Other recipients

We may also share your personal data with:

• Foundation staff involved in reviewing and shortlisting applications
• Legal and professional advisers, where necessary
• Analytics and search engine providers in connection with website improvement
• Law enforcement or regulatory authorities, where required by applicable law

We require all third-party processors to have appropriate data processing agreements in place, including obligations on confidentiality, security, and lawful processing.

Where any third party is located outside the UK or European Economic Area, we ensure the transfer is protected by appropriate safeguards such as UK International Data Transfer Agreements or Standard Contractual Clauses.

AI tools: Foundation staff use approved AI tools (Microsoft Copilot and Claude) to assist with application review and shortlisting. No personal data about applicants is entered into any AI prompt. AI tools support human decision-making but do not make or determine any decisions about applications.

How Long We Keep Your Personal Data

We retain personal data only for as long as necessary for the purpose for which it was collected, and in accordance with our legal and regulatory obligations.

Category	Lawful basis / purpose	Retention period
Registration data (disqualified at eligibility stage)	Legitimate interests	6 months from registration date, then deleted
Full application data (unsuccessful applicants)	Legitimate interests	2 years from notification of outcome, then deleted
Full application data (successful applicants)	Contract / Legitimate interests	6 years from end of grant relationship
Special category data (disability, equal opportunities)	Consent / Substantial public interest	As above; consent may be withdrawn at any time
Post-programme evaluation and case study data	Consent / Legitimate interests	3 years from collection, or until consent withdrawn
Marketing and newsletter preferences	Consent	Until consent withdrawn, then promptly deleted
Legal and compliance correspondence	Legal obligation	6 years from resolution

 

Your Rights

Under UK GDPR, you have the following rights. To exercise any of them, please contact us at info@cityandguildsfoundation.org.

Right of access

You have the right to request a copy of the personal data we hold about you. We will respond within one month. We may need to verify your identity before responding.

Right to rectification

You have the right to ask us to correct inaccurate or incomplete personal data we hold about you.

Right to erasure

You have the right to ask us to delete your personal data where, for example, it is no longer needed for the purpose for which it was collected, you have withdrawn consent, or it has been unlawfully processed. Please note this right is subject to exceptions where we are required to retain data by law.

Right to object

You have the right to object to processing based on legitimate interests, or to processing for direct marketing purposes. If you object to legitimate interests processing, we will cease unless we can demonstrate compelling grounds that override your interests.

Right to restrict processing

You have the right to ask us to restrict further processing in certain circumstances, for example where you have queried its accuracy or objected to processing pending our response.

Right to data portability

Where processing is based on consent or a contract and is carried out by automated means, you have the right to receive your data in a structured, machine-readable format and to have it transferred to another controller where feasible.

Right to human review of automated decisions

Where an automated eligibility decision has been made about you, you have the right to request human review, express your view, and contest the outcome. See section 6 for details.

Right to withdraw consent

Where processing is based on your consent (including for special category data), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

Data protection law provides for exceptions to these rights. Where we cannot comply with a request, we will explain why.

How We Protect Your Data

We take appropriate technical and organisational measures to protect your personal data. This includes staff training, limiting access to those with a genuine need, and ensuring our third-party processors maintain appropriate security standards.

We have procedures in place to detect and respond to suspected personal data breaches, and will notify you and the Information Commissioner’s Office (ICO) where legally required to do so.

Where you have a username or password to access any part of our systems, you are responsible for keeping those credentials confidential.

Cookies

Our website uses cookies and similar technologies. Please see our Cookie Policy (available at cityandguildsfoundation.org) for details of what cookies we use and how to manage your preferences.

International Data Transfers

Some of our service providers are based outside the UK or European Economic Area. Where we transfer personal data internationally, appropriate safeguards are in place, such as UK International Data Transfer Agreements or Standard Contractual Clauses. Please contact us if you would like further information about these safeguards.

Complaints

If you believe your data protection rights have been breached and we have been unable to resolve your concern, you have the right to lodge a complaint with a supervisory authority:

• UK residents: Information Commissioner’s Office (ICO) — ico.org.uk/concerns
• EEA residents: your local data protection supervisory authority

 

We would always encourage you to contact us first so we can try to resolve your concern directly at info@cityandguildsfoundation.org.

Changes to This Notice

We may update this Notice from time to time. The current version and effective date are shown at the top of this document and on our website. Where changes are material, we will notify you by email where we hold your contact details.

Contact: info@cityandguildsfoundation.org |  Data Protection, The City and Guilds of London Institute, Giltspur House, 5–6 Giltspur Street, London EC1A 9DE  |  Registered Charity 312832