ATU-CPAC Confidentiality and Data Protection Policy

ATU-CPAC Confidentiality and Data Protection Policy

Arab Trainers Union Council for Professional Accreditation and Certification

Version 1/2026

Effective Date: 1 June 2026

Controlled Policy Document

1. Document Control

Document Title: ATU-CPAC Confidentiality and Data Protection Policy
Document Owner: ATU-CPAC Digital Verification and Registry Committee
Issuing Authority: Arab Trainers Union
Policy Authority: ATU-CPAC Governing Council
Approval Authority: Arab Trainers Union Board of Directors, where required
Effective Date: 1 June 2026
Review Date: Every three years, or earlier where required
Applicability: ATU-CPAC, Arab Trainers Union, approved providers, accredited providers, authorized assessment centers, certified professionals, candidates, learners, trainers, assessors, IQAs, EQAs, reviewers, committee members, partners, contractors, registry users, and all persons handling ATU-CPAC-governed information

2. Introduction

The Arab Trainers Union Council for Professional Accreditation and Certification, referred to as ATU-CPAC, is a specialized council operating within the Arab Trainers Union.

ATU-CPAC regulates, monitors, quality assures, and verifies professional accreditation, professional certification, assessment, quality assurance, registry, and compliance activities under the authority of the Arab Trainers Union.

Confidentiality and data protection are essential to safeguarding personal data, assessment records, certification decisions, provider records, registry information, partner data, and institutional trust.

All certificates, professional certifications, accreditation certificates, assessed certificates, registry confirmations, and verification records governed by ATU-CPAC are issued in the name and under the authority of the Arab Trainers Union.

3. Purpose

This policy sets out how ATU-CPAC shall collect, process, store, use, share, protect, retain, correct, disclose, and dispose of confidential information and personal data.

The policy aims to:

  1. Protect the privacy and rights of candidates, learners, certified professionals, providers, trainers, assessors, partners, and stakeholders.
  2. Ensure confidential information is accessed only by authorized persons.
  3. Support compliance with applicable data protection laws and ATU requirements.
  4. Protect the credibility of ATU-issued credentials.
  5. Prevent unauthorized disclosure, alteration, misuse, loss, or destruction of records.
  6. Ensure registry and verification information is accurate, secure, and controlled.
  7. Define responsibilities for data protection, confidentiality, breach reporting, and corrective action.

4. Scope

This policy applies to all information handled in relation to:

  1. Provider accreditation.
  2. Professional certification.
  3. Assessed training certificates.
  4. Certificates of achievement.
  5. Assessment and examination records.
  6. IQA and EQA records.
  7. Complaints and appeals.
  8. Malpractice and misconduct investigations.
  9. Registry and verification records.
  10. Digital badges and QR verification.
  11. Partner-endorsed or jointly supported credentials.
  12. ATU-CPAC governance and committee records.
  13. Online platforms, learning management systems, email, cloud storage, databases, and paper records.

This policy applies to information in physical, digital, verbal, visual, recorded, printed, or electronic form.

5. Policy Principles

ATU-CPAC confidentiality and data protection shall be guided by the following principles.

5.1 Lawfulness

Personal data shall be collected and processed only where there is a lawful and legitimate purpose.

5.2 Purpose Limitation

Data shall be used only for the purpose for which it was collected or another approved and lawful purpose.

5.3 Data Minimization

Only data necessary for accreditation, certification, assessment, verification, quality assurance, compliance, or administration shall be collected.

5.4 Accuracy

Personal data and registry records shall be accurate, complete, current, and corrected where errors are identified.

5.5 Confidentiality

Confidential information shall be protected and shared only with authorized persons who have a legitimate need to know.

5.6 Security

Appropriate administrative, technical, and physical controls shall be used to protect data from unauthorized access, loss, misuse, alteration, or disclosure.

5.7 Accountability

ATU-CPAC, providers, partners, and authorized users shall be accountable for the data they collect, use, store, share, and protect.

5.8 Transparency

Individuals shall be informed, where appropriate, about how their data is used, stored, shared, retained, and verified.

5.9 Retention Control

Records shall be retained only for approved periods and securely disposed of when no longer required.

5.10 Public Trust

Data protection and confidentiality controls shall protect the reputation of ATU, ATU-CPAC, providers, certified professionals, and valid credential holders.

6. Types of Protected Information

Protected information may include:

  1. Candidate and learner personal data.
  2. Identity documents.
  3. Contact details.
  4. Education and qualification records.
  5. Professional experience records.
  6. Assessment submissions.
  7. Examination papers and answers.
  8. Marking schemes and rubrics.
  9. Assessment results and feedback.
  10. IQA and EQA reports.
  11. Provider accreditation files.
  12. Trainer, assessor, IQA, and EQA records.
  13. Complaints and appeals files.
  14. Malpractice and investigation records.
  15. Committee minutes and decisions.
  16. Registry and verification records.
  17. Certificate numbers and QR codes.
  18. Digital badge records.
  19. Partner agreements and restricted materials.
  20. Financial and payment records where applicable.
  21. Internal ATU and ATU-CPAC correspondence.

7. Sensitive and High-Risk Data

ATU-CPAC shall apply additional care when handling sensitive or high-risk data.

Sensitive or high-risk data may include:

  1. Identity documents.
  2. Financial information.
  3. Health or disability information submitted for reasonable adjustment.
  4. Special consideration evidence.
  5. Investigation records.
  6. Disciplinary records.
  7. Complaint and appeal evidence.
  8. Biometric or proctoring data where applicable.
  9. Data relating to minors or vulnerable learners where applicable.
  10. Partner-restricted confidential information.

Such data shall be accessed only by authorized persons and used only for approved purposes.

8. Data Collection

ATU-CPAC and approved providers may collect personal data for legitimate operational purposes, including:

  1. Application processing.
  2. Candidate registration.
  3. Eligibility review.
  4. Assessment administration.
  5. Professional certification.
  6. Provider accreditation.
  7. Quality assurance.
  8. Registry and verification.
  9. Complaints and appeals.
  10. Malpractice investigation.
  11. Renewal and CPD monitoring.
  12. Partner reporting where approved.
  13. Legal, financial, or compliance obligations.

Data collection forms shall clearly request only necessary information and shall avoid excessive or irrelevant data.

9. Consent and Data Use

Where consent is required, it shall be clear, informed, specific, and recorded.

Consent may be required for:

  1. Public registry listing.
  2. Digital badge publication.
  3. Sharing data with approved partners.
  4. Publishing professional profile information.
  5. Using photos, testimonials, or public success stories.
  6. Processing sensitive information where required.
  7. Communication for non-essential purposes.

Consent may be withdrawn where legally and operationally possible, but withdrawal may affect the ability to provide certification, registry, verification, or related services.

10. Data Subject Rights

Individuals may request, according to approved procedures and applicable law:

  1. Confirmation that their data is being processed.
  2. Access to their personal data.
  3. Correction of inaccurate data.
  4. Update of outdated data.
  5. Restriction of processing where applicable.
  6. Withdrawal of consent where applicable.
  7. Review of registry information.
  8. Correction of certificate or verification data.
  9. Deletion of data where legally and operationally permitted.

Requests shall be reviewed fairly and within a reasonable timeframe.

11. Confidentiality Obligations

All persons handling ATU-CPAC information shall maintain confidentiality.

Confidentiality obligations apply to:

  1. ATU-CPAC staff and officers.
  2. Governing Council members.
  3. Committee members.
  4. Trainers.
  5. Assessors.
  6. IQAs.
  7. EQAs.
  8. Providers.
  9. Partners.
  10. Contractors.
  11. Consultants.
  12. Technical experts.
  13. Registry administrators.
  14. Appeal and investigation panel members.

Confidential information must not be disclosed, copied, discussed, published, transferred, or used for personal, commercial, or unauthorized purposes.

12. Confidentiality Declarations

ATU-CPAC may require confidentiality declarations from persons involved in:

  1. Governance meetings.
  2. Accreditation reviews.
  3. Assessment design.
  4. Examination administration.
  5. Marking and moderation.
  6. IQA and EQA.
  7. Registry management.
  8. Complaints and appeals.
  9. Investigations.
  10. Partner projects.
  11. Technical platform administration.

Failure to sign or comply with confidentiality requirements may result in removal from the activity, suspension of approval, or other action.

13. Access Control

Access to confidential information and personal data shall be based on role, authority, and operational need.

Access controls shall include:

  1. Named user accounts.
  2. Strong passwords.
  3. Role-based permissions.
  4. Limited access to sensitive files.
  5. Secure storage locations.
  6. Controlled sharing links.
  7. Access logs where available.
  8. Removal of access when a role ends.
  9. Additional restrictions for assessment materials and investigation files.

Shared accounts should not be used for confidential ATU-CPAC systems.

14. Data Security

ATU-CPAC and approved providers shall apply appropriate security controls.

Security controls may include:

  1. Password protection.
  2. Multi-factor authentication where available.
  3. Secure email and file sharing.
  4. Encryption where appropriate.
  5. Regular backups.
  6. Secure cloud storage.
  7. Antivirus and device protection.
  8. Locked storage for paper records.
  9. Controlled printing and scanning.
  10. Secure disposal of records.
  11. Restricted access to examination materials.
  12. Monitoring of unauthorized access or misuse.

15. Assessment and Examination Confidentiality

Assessment materials shall be treated as highly confidential.

Protected assessment materials include:

  1. Examination papers.
  2. Question banks.
  3. Assignments before release.
  4. Marking schemes.
  5. Model answers.
  6. Rubrics before authorized publication.
  7. Candidate submissions.
  8. Assessment results.
  9. Proctoring records.
  10. IQA and EQA assessment samples.

Assessment materials must not be shared with unauthorized persons or used outside the approved assessment process.

16. Registry and Verification Data

Registry and verification information shall be accurate, controlled, and disclosed only according to approved rules.

Public verification may confirm:

  1. Certificate holder or provider name.
  2. Credential or accreditation title.
  3. Certificate or approval number.
  4. Issue date.
  5. Expiry date where applicable.
  6. Status.
  7. Scope or specialization.
  8. Verification link or QR code.

Internal records such as scores, assessment evidence, complaints, appeals, investigation findings, and identity documents shall not be publicly disclosed unless legally required or formally approved.

17. Data Sharing

ATU-CPAC may share data only where there is an approved and lawful purpose.

Data may be shared with:

  1. Arab Trainers Union authorized officers.
  2. ATU-CPAC committees.
  3. Approved providers.
  4. Authorized assessment centers.
  5. IQAs and EQAs.
  6. Approved partners.
  7. Registry and verification service providers.
  8. Legal, financial, or audit advisors.
  9. Competent authorities where legally required.
  10. Individuals requesting verification of their own records.

Data sharing shall be limited to the minimum necessary information and shall be documented where appropriate.

18. International and Partner Data Transfer

Because ATU-CPAC may operate across Arab countries and with international partners, data may need to be transferred or accessed across borders.

International or partner data transfer shall require:

  1. Approved purpose.
  2. Legal and policy review where required.
  3. Data minimization.
  4. Secure transfer method.
  5. Confidentiality obligations.
  6. Partner agreement or data sharing arrangement.
  7. Clear responsibility for data protection.
  8. Restrictions on further disclosure.
  9. Retention and disposal requirements.
  10. Compliance with applicable laws in relevant jurisdictions.

No partner may use ATU-CPAC data for purposes outside the approved agreement.

19. Provider and Partner Responsibilities

Approved providers, accredited providers, authorized assessment centers, and partners shall:

  1. Protect learner, candidate, provider, assessment, and certificate data.
  2. Collect only necessary information.
  3. Use data only for approved ATU-CPAC purposes.
  4. Maintain secure records.
  5. Restrict access to authorized staff.
  6. Protect assessment materials.
  7. Report data breaches or suspected breaches.
  8. Submit accurate certificate and registry data.
  9. Correct errors promptly.
  10. Follow retention and disposal requirements.
  11. Avoid unauthorized disclosure to third parties.
  12. Comply with ATU-CPAC and partner data requirements.

Failure to protect data may result in corrective action, monitoring, suspension, withdrawal, revocation, or referral to ATU leadership.

20. Data Accuracy and Correction

ATU-CPAC shall take reasonable steps to ensure data accuracy.

Accuracy checks may include:

  1. Candidate name verification.
  2. Identity verification.
  3. Certificate number verification.
  4. Provider status verification.
  5. Program title verification.
  6. Assessment result confirmation.
  7. Registry status review.
  8. Expiry date check.
  9. Partner statement review.
  10. QR-code or verification link testing.

Where an error is identified, ATU-CPAC shall correct the record through an approved and traceable process.

21. Records Retention

Records shall be retained according to ATU policy, ATU-CPAC requirements, applicable law, partner requirements, and operational needs.

Retention periods shall be defined for:

  1. Provider accreditation records.
  2. Candidate registration records.
  3. Assessment evidence.
  4. Assessment results.
  5. Certificate issuance records.
  6. Registry records.
  7. IQA and EQA records.
  8. Complaints and appeals.
  9. Investigation records.
  10. Partner records.
  11. Financial records.
  12. Committee records.

Records shall not be destroyed where an appeal, complaint, investigation, audit, legal matter, or quality assurance review is ongoing.

22. Secure Disposal

Confidential information and personal data shall be securely disposed of when no longer required.

Secure disposal may include:

  1. Shredding paper records.
  2. Secure deletion of digital files.
  3. Removal of access permissions.
  4. Deletion from shared folders.
  5. Destruction of obsolete assessment materials.
  6. Deactivation of invalid verification links where required.
  7. Recording disposal where necessary.

Disposal shall be authorized and documented for high-risk or sensitive records.

23. Data Breach Management

A data breach may include unauthorized access, disclosure, loss, alteration, destruction, theft, or misuse of personal data or confidential information.

The breach response process shall include:

  1. Immediate reporting.
  2. Initial containment.
  3. Risk assessment.
  4. Evidence preservation.
  5. Notification to responsible ATU-CPAC authority.
  6. Investigation.
  7. Corrective action.
  8. Notification to affected persons where required.
  9. Notification to competent authority where legally required.
  10. Registry or certificate protection action where required.
  11. Lessons learned and prevention measures.

Serious breaches shall be escalated to ATU leadership.

24. Use of Digital Platforms

Digital platforms used for ATU-CPAC activities shall be managed securely.

This includes:

  1. Learning management systems.
  2. Examination platforms.
  3. Registry systems.
  4. Verification platforms.
  5. Cloud storage.
  6. Email systems.
  7. Video meeting platforms.
  8. Digital badge systems.
  9. Payment systems where applicable.

Providers and partners using digital systems for ATU-CPAC activities must ensure secure access, accurate records, data backup, user permission control, and confidentiality.

25. Confidentiality in Meetings and Committees

ATU-CPAC meetings and committee discussions are confidential unless approved for publication.

Committee members shall not disclose:

  1. Deliberations.
  2. Votes or individual opinions.
  3. Candidate or provider details.
  4. Complaints or appeals.
  5. Investigation matters.
  6. Assessment outcomes before official release.
  7. Partner-restricted information.
  8. Internal documents not approved for publication.

Meeting records shall be stored securely and accessed only by authorized persons.

26. Public Communication

Public communication shall not disclose confidential or personal information unless approved.

Public statements must not include:

  1. Assessment results of named individuals without consent or authorization.
  2. Complaint or appeal details.
  3. Investigation details.
  4. Personal contact information.
  5. Identity documents.
  6. Internal committee decisions not approved for release.
  7. Provider confidential documents.
  8. Partner-restricted information.

Approved public communication may include registry status, accreditation status, certificate verification status, and official statements authorized by ATU or ATU-CPAC.

27. Monitoring and Audit

ATU-CPAC may monitor and audit confidentiality and data protection compliance.

Audit may include review of:

  1. Access controls.
  2. Data collection forms.
  3. Candidate records.
  4. Provider records.
  5. Assessment security.
  6. Registry accuracy.
  7. Data sharing records.
  8. Breach logs.
  9. Consent records.
  10. Retention and disposal records.
  11. Provider and partner compliance.
  12. Digital platform controls.

Findings may result in corrective action, additional monitoring, suspension, withdrawal, revocation, or other action according to ATU-CPAC policies.

28. Reporting Concerns

Any person may report suspected unauthorized disclosure, data breach, misuse of information, registry manipulation, certificate data error, or confidentiality breach to ATU-CPAC.

Reports should include:

  1. Description of the concern.
  2. Date and time where known.
  3. Person or organization involved.
  4. Type of data affected.
  5. Evidence or screenshots where available.
  6. Immediate risk.
  7. Actions already taken.

Reports shall be handled confidentially and reviewed according to this policy and related complaints, ethics, or suspension procedures.

29. Responsibilities of ATU-CPAC

ATU-CPAC shall:

  1. Maintain confidentiality and data protection procedures.
  2. Protect personal data and confidential information.
  3. Control access to records.
  4. Maintain accurate registry and verification data.
  5. Require confidentiality declarations where needed.
  6. Monitor provider and partner compliance.
  7. Respond to data subject requests.
  8. Investigate breaches and concerns.
  9. Apply corrective action where required.
  10. Review this policy and improve controls.

30. Responsibilities of Providers

Providers shall:

  1. Protect learner and candidate data.
  2. Protect assessment and certificate records.
  3. Use data only for approved purposes.
  4. Maintain secure storage and access control.
  5. Train relevant staff on confidentiality.
  6. Submit accurate data to ATU-CPAC.
  7. Report breaches immediately.
  8. Cooperate with audits and investigations.
  9. Correct errors promptly.
  10. Follow retention and disposal rules.

31. Responsibilities of Individuals

Candidates, learners, certified professionals, trainers, assessors, IQAs, EQAs, committee members, and reviewers shall:

  1. Provide accurate information.
  2. Protect confidential information received through ATU-CPAC activities.
  3. Use records only for approved purposes.
  4. Avoid sharing assessment materials or personal data.
  5. Report errors or breaches.
  6. Cooperate with verification and correction processes.
  7. Respect registry and certificate data rules.
  8. Comply with confidentiality declarations.

32. Non-Compliance

Failure to comply with this policy may result in:

  1. Guidance or warning.
  2. Required corrective action.
  3. Removal of system access.
  4. Certificate hold.
  5. Registry correction or restriction.
  6. Increased monitoring.
  7. Suspension.
  8. Withdrawal.
  9. Revocation.
  10. Partner notification.
  11. Referral to ATU leadership.
  12. Legal action where required.

Actions shall be proportionate to the seriousness, impact, intent, recurrence, and risk of the breach.

33. Review of Policy

This policy shall be reviewed every three years or earlier where required due to:

  1. ATU Board decision.
  2. Legal or regulatory change.
  3. Data protection requirement changes.
  4. Registry or verification incidents.
  5. Assessment security incidents.
  6. Data breach trends.
  7. Provider or partner compliance findings.
  8. Complaints or appeals trends.
  9. Technology platform changes.
  10. Stakeholder feedback.
  11. Operational need.

34. Definitions

Term

Meaning

Arab Trainers Union

The issuing authority for ATU certificates, professional certifications, accreditation certificates, and related credentials.

ATU-CPAC

Arab Trainers Union Council for Professional Accreditation and Certification, a specialized council within ATU responsible for regulation, quality assurance, monitoring, registry, and verification.

Personal Data

Any information that identifies or may identify a natural person directly or indirectly.

Confidential Information

Information that is not approved for public disclosure and must be protected from unauthorized access or use.

Data Subject

The person whose personal data is collected or processed.

Processing

Any operation performed on data, including collection, storage, use, sharing, correction, publication, retention, or deletion.

Data Controller

The party that determines the purpose and means of processing personal data.

Data Processor

The party that processes personal data on behalf of another authorized party.

Data Breach

Unauthorized access, disclosure, loss, alteration, destruction, theft, or misuse of personal data or confidential information.

Registry

The official record used to verify provider, program, certificate, certification, or professional status.

Verification

The process of confirming the authenticity, validity, scope, and status of a credential or approval.

Sensitive Data

Data that requires additional protection due to its nature, risk, or legal status.

Data Sharing

Disclosure or transfer of data to another authorized party for an approved purpose.

Secure Disposal

Approved destruction or deletion of records so they cannot be accessed or reconstructed.

Final Policy Statement

ATU-CPAC Confidentiality and Data Protection Policy exists to protect privacy, confidentiality, data integrity, registry reliability, assessment security, and public trust under the authority of the Arab Trainers Union.

Through lawful collection, controlled access, secure storage, accurate records, responsible sharing, breach response, and continuous monitoring, ATU-CPAC ensures that confidential information and personal data are protected across accreditation, certification, assessment, quality assurance, registry, and verification activities.