Skip Content

Privacy notice & cookies notice

Last updated – 10th October 2023

This privacy notice explains how we, Construction Skills Certification Scheme Limited (“CSCS”/“We”/“Us”/”our“), process your personal data when you use our services, including our website, card, app, content, or otherwise engage with us online or offline.

Please read the following carefully and contact us if you have any questions by email to [email protected] or by using the details set out in section 15 below. You may find it helpful to click on the headings below to expand on each topic covered in this notice.

CSCS privacy notice and cookies notice

  • CSCS is the “controller” under data protection law in respect of the data processing described in this privacy notice.
  • CSCS is a not-for-profit limited company registered in England and Wales under registered number 03024675. The address of our registered office is Floor 8, 71 Queen Victoria Street, London, England, EC4V 4AY.
  • CSCS is registered as a data controller with the UK Information Commissioner’s Office (“ICO“) under registration number Z8156332.
  • CSCS is the leading skills certification scheme within the UK construction industry. A key aspect of the Scheme is the provision of the CSCS card which is a voluntary system that provides validation that our cardholders working on construction sites have the required occupational training and qualifications for the type of work that they carry out and enables the matching of cardholder details for identity verification.

This notice applies to you if you act in your personal capacity, for example, as our customer, and if you act in your professional capacity, for example, as an employee or agent of our supplier.

Specifically, CSCS may process personal data relating to:

  • an applicant or cardholder who applied for a CSCS card or holds one;
  • a user of our services such as our website, app or content;
  • third party agent such as employer or training provider who makes an application for a CSCS card on behalf of their employee or another individual;
  • a supplier or business partner;
  • a corporate service user and their IT partners purchase a licence to use our services; and
  • anyone else who interacts with us, when you call, email or visit us or otherwise interact with us.

We may collect, use, transfer or otherwise process different kinds of personal data, including the following main groups of personal data:

  • Identity and Contact Data: including your name, title, date of birth, national insurance number, home and/or business address (postal and email), proof of name change (if relevant), telephone number, photograph.
  • Qualification Data: qualification certificates and details and training history.
  • Transaction Data: details of your purchases and other transactions and details of payments made through our payment processor.
  • Technical and Usage Data: including internet protocol (IP) addresses, the type of browser used while visiting the website, the numbers of users who visit the website, details of your visits to the website including, but not limited to, usage session dates and duration, page views, and how you use the website and our services, traffic data, location data, weblogs and the resources that you access.
  • Marketing Data: including your preferences in receiving marketing from us and your communication preferences.
  • General Data: information relating to your general enquiries or complaints and all other personal data.

Please do not provide personal data about other individuals unless they have read this privacy notice and provided their consent.

We collect data from and about you in various situations including as set out below.

Applicants, cardholders and users Direct Interactions. You may give us your Identity and Contact Data, Qualification, Transaction Data, Marketing Data and General Data when you:

·            sign up to our newsletter;

·            communicate with us by telephone, post, email, via your online account or the Webchat function;

·            meet our representatives in person;

·            make an application to CSCS to become a cardholder;

·            complete the Scheme application formalities including filling in applicable forms and providing us with copy documents and certificates showing and/or information relating to your occupational, qualifications and/or training;

·            become a CSCS cardholder;

·            make enquiries about CSCS, the Scheme or its members and/or cardholders;

·            are a user of CSCS services;

·            use a CSCS card reader;

·            use the CSCS Smart Check App;

·            report a problem with the website;

·            complete our voluntary surveys;

·            respond to a request via our marketing materials; or

·            in other circumstances.

Information from third parties. We may also receive your Identity and Contact Data, Qualification Data, Transaction Data from your employer, training provider or third party if they have made an application for a CSCS Card on your behalf, and your Qualification Data from Awarding Organisations when we verify your qualification and training information. We may also receive your Identity and Contact Data if our corporate service user verifies your identity by using services licensed from us. We may also receive your information from social media if you interact with our content, from third party databases engaged to verify your details or detect and prevent crime and in other situations envisaged in this notice.

 

Information about your device. We may process details of your interactions with our services including our website, communications or content and of the fulfilment of any of your requests; and/or information that is otherwise collected in the normal course of the provision of our services and the operation of our Scheme.

 

Public information. We may process information about you that is drawn from publicly-available sources.

 
Employers, training providers, third parties Direct Interactions. You may give us your Identity and Contact Data and General Data when you correspond with us or make applications on behalf of third parties.

 

Information from third parties. We may receive your Identity and Contact Data from third parties such as your employer or from publicly available sources.
Suppliers, corporate users and similar parties We collect your Identity and Contact Data, Transaction Data and General Data when we correspond with you about our services, and from publicly available sources such as Companies House.
Users As you interact with us and our services such as our website, we may automatically collect Technical and Usage Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, traffic logs and other similar technologies. Please see our Cookies Notice for further information.

 

We have set out below, in a table format, a description of the ways in which we may use your personal data, and which formal legal basis we rely on to do so. Personal data is only used for the specific purpose intended and we only use/store sufficient personal data to meet that purpose.

Data subject Purpose/Activity Category of Data Lawful basis for processing, including basis of legitimate interest
All To assist with your enquiries.

 

 General Necessary for our legitimate interest in responding to enquiries, complying with the law and best practices or, as the case may be, necessary for taking steps prior to entering into a contract or the performance of our contract with you.
Applicants, cardholders, and our service users To provide our services to you, such as our website, app, user portal, content, CSCS card which can be presented or scanned by a device on-site to share your qualification status, name, image and other details. Identity and Contact

Qualification Technical and Usage

General

User details

 Necessary for our legitimate interest in providing our services to the public, our users and customers and complying with our legal obligations or, as the case may be, necessary for the performance of our contract with you as a CSCS cardholder.
Applicants and cardholders To process your application for a CSCS Card and to provide you with the benefits of the Scheme.

 

 Identity and Contact

Qualification

Transaction

General

 

 To take steps to enter into a contract with you, and to perform our contract with you.
Applicants and cardholders To validate with the awarding organisation and other stakeholders the correctness of Qualification Data and other information you, your employer, training provider or third party has provided in respect of your application. Qualification

General

 Necessary for our legitimate interests in ensuring the correctness of application information, preventing fraudulent applications and preserving the integrity of our Scheme.
Applicants and cardholders To record our calls with you for compliance, transaction records and crime prevention purposes.

 

 General Necessary for our legitimate interest in documenting enquiries and business transactions for compliance, governance and crime prevention purposes.
Applicants and cardholders To verify the correctness of your Qualification Data and other information provided by you, your employer, training provider, third party or obtained from the public domain as part of our investigations, which may involve appointing an external investigator to make enquiries with you and other stakeholders face-to-face or otherwise, carry out research from publicly available sources and share data with relevant stakeholders for verification and investigation purposes. To share information about your CSCS status with the awarding organisation and other stakeholders, for example, when your card is revoked. Identity and Contact

Qualification

General

 Necessary for our legitimate interests in detecting and preventing crime, fraudulent applications, credit risk reduction, preserving the integrity of our Scheme and providing the Services in compliance with our legal obligations.
Applicants, cardholders, and our service users To manage our relationship with you, including to:

·       Administer our contract with you

·       Provide the CSCS cards

·       Send communications to you such as information, news or surveys about the Scheme

·       Manage and record our relationship with you, and to deal with any complaints that you may have about it

·       Monitor and improve the effectiveness of our services

·       Notify you about changes to our services, including contacting you by email, telephone or post

·       To maintain business records

 Identity and Contact

Qualification

Transaction

Marketing

General

 To perform our contract with you. Necessary for our legitimate interests to keep our records updated, to review how customers use our services and develop them and to ensure the proper administration of our business.
Applicants and cardholders To share anonymised data on a statistical basis with government and industry representatives, construction card scheme members of the CSCS Alliance group, other third parties and the general public to gain and share useful data insights into the construction industry Anonymised data as is necessary and proportionate Necessary for our legitimate interests in sharing data with third parties to analyse and understand the state of the construction industry and to support workers in the industry
Cardholders To share data for the interoperability of solutions, apps and technologies operated by third parties such as your employer, site manager, security contractor, etc. including, for example, ID verification solutions such as biometric facial recognition. Identity and Contact

Qualification

General

 Necessary for our legitimate interests in enabling the use of our Cards for legitimate  secondary use cases such as ID verification carried on by such third parties.
Employers, training providers and third parties ·       To enable you to make applications for CSCS cards on behalf of individuals

·       To take payments from you

·       To provide you with information about our services

·       To notify you about changes to our services

·       To maintain business records

 Identity and Contact

Transaction

Marketing

 Necessary for our legitimate interests in fulfilling our contractual obligations to your employer, for record keeping purposes and to ensure the proper administration of our business.
Suppliers, corporate users and similar parties To carry out our contractual obligations owed to our suppliers, including to manage our payments to you. Identity and Contact

Transaction

 Necessary for our legitimate interests in receiving products and services from our suppliers to ensure our business is run efficiently.
Service users To understand our audiences and customer profiles for product and service development, research, market intelligence, marketing, advertising, content personalisation and business administration. Depending on purpose, we use your profile information in anonymised or pseudonymised or, when it comes to marketing by say email, identifiable form, e.g. your email address. In some cases, this will include information observed or inferred from your activity or other information about you.

 

 Anonymised or pseudonymised data as is necessary and proportionate Necessary for our legitimate interest in understanding our typical customer profiles for service development, research, market intelligence, marketing, advertising, content personalisation and business administration.

 

Where required by law, we rely on your consent to deploy cookies or similar technologies on your device or to read information on your device except where necessary for essential services (please see our cookies notice).

 
Service users To send you relevant marketing communications about our existing and new products and services by email, text, push, post or other channels if you sign up for a newsletter or if you are our existing customer.

 

 Marketing  Data We rely on your consent if you sign up or on soft opt-in (presumed consent) if you are our existing customer. You can unsubscribe at any time.

 

Where required by law, we rely on your consent to deploy cookies or similar technologies on your device or to read information on your device except where necessary for essential services (please see our cookies notice).

 
Service users To engage our third party service providers who may process your personal data on our behalf or otherwise, to facilitate the provision of our services and the fulfilment of essential service functions such as troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data. Identity and Contact

Technical and Usage

 Necessary for our legitimate interests in providing administration and IT services, to ensure our business is run efficiently, to study how customers use our services and to develop them, to grow our organisation.
Service users To deliver personalised services to you based on information about you from different sources. Pseudonymised data Necessary for our legitimate interest in providing relevant services.

 
Applicants, cardholders, and our service users To use data analytics and tools to improve the website, our services, marketing, customer relationships and experiences, to use data for product development, the training of algorithms and other service improvements and to share data with third parties for these purposes. Anonymised or pseudonymised data as is necessary and proportionate Necessary for our legitimate interests in providing relevant products and services, to develop them and to grow our organisation.
All To monitor interactions and operations for fraud prevention and crime detection purposes, and share and receive information from law enforcement authorities, awarding organisations and other stakeholders to enable investigations.

 

 All information as is lawful, necessary and proportionate Necessary for our legitimate interest in detecting and preventing fraud and illegal conduct, upholding the integrity of services and necessary for compliance with a legal obligation to which we are subject.
All To ensure the safety of people, security of our premises, the security of our systems and online services.

 

 All information as is lawful, necessary and proportionate Necessary for our legitimate interest in ensuring the security of our organisation, people and services and necessary for compliance with our legal obligations.
All To ensure health and safety at our premises.

 

 All information as is lawful, necessary and proportionate Necessary for our legitimate interest in ensuring the health and safety of our staff and others, to comply with best practice or necessary for compliance with our legal obligations or activities in the substantial public interest.

 
All To process and share information as is required for our compliance with the law or to establish, exercise or defend legal claims.

 

To process and share information with other third parties where required by law, such as regulators, law enforcement agencies or where mandatory under a court order.

 All information as is lawful, necessary and proportionate Where processing or sharing your data is necessary for compliance with a legal obligation to which we are subject, to establish, exercise or defend legal claims, or, where necessary and proportionate, in order to satisfy our legitimate interest in complying with best practice or applicable laws.

We will update you about any new purposes of processing of your personal data from time to time, and we will obtain your prior consent for such new purposes where we are required to do so at law.

  • The Scheme’s digital self-service application system is managed by Icreon UK Limited (Company Number 04771967) and the Scheme’s telephone-based application system and customer service call centre is operated by Teleperformance Limited (Company Number 02060289).
  • Our payment processing is managed by Fiserve Clover (Company Number 02012925), who handles all payments and transactions on our behalf.
  • Our suppliers who administer the Scheme in order to provide you with the relevant CSCS Card on our behalf.
  • Our investigators, who may carry out interviews with you at your home in order to investigate and verify your identity and the accuracy of your Qualification Data.
  • Other suppliers who provide services or advise us.
  • Our marketing, advertising and analytics providers and partners.
  • With awarding organisations and other stakeholders to validate the Qualification Data and other information about you, and to investigate suspicious information.
  • With the Construction Industry Training Board (CITB), to enable CITB to manage the Construction Training Register.
  • A person such as your employer, staffing agency or other party presented with your CSCS card or cardholder details for verification will access your name, image, registration number, occupational qualifications, expiry date and other data. Verification can occur by automated or manual means, for example, thought a card-reader, smartphone (with near-field communications (NFC) or other capability) or similar device, by calling CSCS or interrogating a database or otherwise.
  • Our corporate users and their IT providers who licence from us our service and technology to integrate it in their processes and equipment, such as site access control devices;
  • To third parties:
    • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation;
    • in order to establish, exercise or defend legal claims including to enforce or apply our terms of useand other agreements;
    • to protect the rights, property, integrity or safety of CSCS, our clients, our members, or others (this includes exchanging information with other organisations and law enforcement for the purposes of detection and prevention of crime, fraud protection and credit risk reduction);
    • with whom you request us to share your personal data such as your employer;
    • to help CSCS or our affiliates analyse and/or improve our communication or relationship with you; and/or
    • in the event that all or substantially all of our business or assets are or are intended to be sold or otherwise assigned to another entity.
  • If you have provided consent.

We use a variety of technological, physical and organisational protections and procedures to help protect your personal data from unauthorised access, use, or disclosure, such as encryption, passwords, physical security, etc.

In addition, we limit access to your personal data to those employees, agents, contractors and suppliers who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

While we strive to protect your personal data, no website, product, device, online application or transmission of data, computer system or wireless connection is completely secure, and CSCS cannot ensure or warrant that the personal data or private communications you transmit to us will always remain private, and you do so at your own risk.

If a password is used to help protect your accounts and personal data, it is your responsibility to keep your password confidential. Do not share this information with anyone. If you are sharing a computer with anyone you should always log out before leaving the website to protect access to your information from subsequent users.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Our digital system holding your personal data is hosted by Amazon Web Services in a data centre located in the UK.

Some of our suppliers and partners may hold your personal data outside of the UK. We will only transfer your personal data to countries outside the UK (which may not provide the same level of data protection as within it) in accordance with applicable laws.

CSCS wants to help you keep your personal data accurate and current.

You have the right to access information we hold about you. Please keep us informed if your personal data changes during your relationship with us. To review, verify or correct your personal data, please contact our customer service department detailed in section 15.

We will collect, store and process your personal data in accordance with your rights under any applicable data protection laws. Under certain circumstances, you will or may have the following rights in relation to your personal data:

  • Right to information about matters set out in this notice. You may also contact us for further details about our data retention policy and international data transfers.
  • Subject access: the right to request details of the personal data which we hold about you and copies thereof.
  • Right to withdraw consent: (where you have consented to our processing of your personal data), the right to withdraw such consent at any time. If you wish to withdraw your consent to processing, please contact us using the details provided in section 15.
  • Data portability: the right to request us to port (i.e. transmit) your personal data directly to another organisation.
  • Rectification: the right to require us to rectify or update any incorrect or inaccurate personal data about you.
  • Erasure (‘right to be forgotten’): the right to have your personal data ‘erased’ in certain specified situations.
  • Restriction of processing: the right in certain specified situations to require us to stop processing your personal data.
  • Object to processing: the right to object to specific types of processing of your personal data, such as where we are processing your personal data for the purposes of direct marketing.
  • Prevent automated decision-taking: the right not to be subject to decisions being taken solely on the basis of automated processing.

If you wish to exercise any of the above rights under applicable data protection laws, please contact us by using the details set out in section 15. We will respond to your request without undue delay and by no later than one month from receipt of any such request, unless a longer period is permitted by applicable data protection laws, and, if permitted to do so by applicable data protection laws we may charge a reasonable fee for dealing with your request which we will notify to you.

If you are concerned that we have not complied with your legal rights under applicable data protection laws, you may contact the ICO (www.ico.org.uk) which is the data protection regulator in the UK. Alternatively, if you are based outside the UK, you may contact your local data protection supervisory authority. We would, however, appreciate the chance to deal with your concerns before you approach the ICO (or other data protection supervisory authority) so please contact us in the first instance.

We retain personal data for as long as necessary to fulfil the purposes for which they have been collected as outlined in this privacy notice unless a longer retention period is required by law.

We reserve the right to keep records of former Scheme members for the purposes of operating the Scheme, fielding enquiries and compliance purposes. Generally, we retain some details of our former Scheme members’ for 10 years from expiry or cancellation of their CSCS card as is necessary for our purposes.

When your personal data are no longer required for the said purposes or as required by applicable law, they will be deleted and/or returned to you in accordance with applicable law or anonymised and used for research and statistical purposes.

This website may from time to time include links to third-party websites, plug-ins and applications.

Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit or to which you may provide your personal data.

When you use our online services, essential cookies and similar technologies which are required to provide our services will be automatically set on your device.

Others will also be set if you accept cookies and similar technologies by selecting your choices in the cookie panel. As some cookies are provided by third parties, your acceptance of cookies will extend to such third parties. A ‘cookie’ is a name for a small text file, usually of letters and numbers, which, if you agree to them, are downloaded onto your computer, mobile phone, tablet or other device when you visit a website. This notice also covers similar technologies such as pixels, tags, URL tracking, local storage and digital fingerprints. Cookies and these technologies contain information that is transferred to your device’s hard drive or are otherwise stored and are used to distinguish you from other website users.

Like most organisations with online presence, we use cookies and similar technologies to:

  • provide our services which is not possible without certain essential cookies;
  • remember your settings and preferences to improve your experience, speed up your searches, recognise you when you return to our service or track the pages that you visit on the website and to ensure that you do not see the same information repeatedly through functional cookies; and
  • understand the number of website visits and tracking patterns of page viewing, to monitor the performance of the website and make improvements to it, use navigational data for system administration and to report aggregate information to our partners or other stakeholders through performance cookies.

To accomplish this, we will, in certain cases, also link information from cookies and similar technologies with personal data held about you.

We will deploy cookies and similar technologies ourselves. However, our services may also include cookies and similar technologies deployed by third parties. For example, third party cookies will enable our analytics providers to find out how you used our services. Personalisation and analytics is only possible because of a certain level of profiling carried out with information collected through cookies and similar technologies. This may include your preferences, characteristics and behaviour.

You do not have to accept cookies (apart from the essential ones), but without accepting them the functionality of our services will be reduced. If you do not want cookies sent to or stored on your system, you can choose to turn cookies off by setting your cookies preferences in the website cookies settings. These settings are accessed by clicking the button in the bottom left of the screen. If you choose to reject some of our cookies, then we will only store these essential or ‘strictly necessary’ cookies.

While we try to ensure that your choices are fully respected, this may not always be possible, particularly where third parties are involved. For example, if you do not agree to “functional cookies” but you still interact with our LinkedIn plugin in our online services, LinkedIn may set certain essential and non-essential cookies outside our control. As explained in our privacy notice, you should read the privacy notice of our third parties such as LinkedIn for more detail.

For this reason, aside from relying on our cookie settings, please also consider:

  • turning off the automatic download feature in your browser, as described at allaboutcookies.org;
  • opting out from third party services that deploy cookies and similar technologies, such as Google Analytics, by visiting www.google.com/settings/ads or by downloading the opt-out add-on at https://tools.google.com/dlpage/gaoptout.
  • In addition, most Internet browsers will allow you to delete or block cookies from your computer hard drive, prevent them from being stored or signal a warning before a cookie is stored. You should refer to your browser instructions or help screen to learn more about these functions.
Name Type Purpose
_cf_bm Essential Distinguishes between human users and bots.
_cfduid Essential Used by the content network, Cloudflare, to identify trusted web traffic.
_cfruid Essential Part of the services provided by Cloudflare including load-balancing, deliverance of website content and service DNS connection for website operators.
_zlcstore Essential Enables functioning of the web-chat service.
AWSALBCORS Essential Registers which server-cluster is serving the visitor. This issued in context with load-balancing.
CookieConsent Essential Stores the visitor’s cookie consent state for the current domain.
CookieControl Essential Determines whether the visitor has accepted the cookie consent box. This ensure that the cookie consent box will not be presented again upon re-entry to the website.
ZD-suid Essential Unique ID that identifies the user’s session.
ZD-store Preferences Registers whether the self-service-assistant Zendesk Answer Bot has been displayed to the website user.
_ga Statistics Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
_gat Statistics Used by Google Analytics to throttle request rate.
_gid Statistics Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
p.gif Statistics Keeps track of special fonts used on the website for internal analysis.
ZD-buid Statistics Unique ID that identifies the visitor on recurring visits.
ZD-currentTime Statistics Registers the date and time for the visitor’s latest visit to the website.
_zlcmid Marketing Preserves the visitor’s states across page requests.
Zte# Marketing Saves a Zopim Live Chat ID that recognises a device between visits during a chat session.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit allaboutcookies.org.

We may use your Identity and Contact Data and Marketing  Data (such as your contact details (e.g. name, address, email address, telephone number)) to send you marketing-related correspondence related to our Services by email. When we process your personal data for marketing purposes, we do so on the basis that it is in our legitimate interests to do so.

We may also use your personal data to personalise and to target more effectively our marketing and communications to ensure, to the extent possible, that any marketing-related correspondence is relevant to you.

To opt-out of receiving marketing-related correspondence specifically, please click “Unsubscribe” from any marketing or promotional email you receive from us, or contact us as explained in section 15 below.

Any changes we may make to our privacy notice in the future will be posted on this page and on Cardholders’ online profiles within the cscsonline.uk/com website. We encourage you to periodically review this privacy notice to be informed of how CSCS is processing your personal data.

If you have any questions about this privacy notice or the processing of your personal data, or if you wish to exercise any of your rights set out in this privacy notice, please contact us by email as set out above or in the following ways:

By post: Customer Services Team, The Construction Skills Certification Scheme Limited, Unit A2 and B, Mease Mill, Westminster Trading Estate, Measham, DE12 7DS

By telephone: 0344 994 4777