ATU-CPAC Confidentiality and Data Protection Policy
Arab Trainers Union Council for Professional Accreditation and Certification
Version 1/2026
Effective Date: 1 June 2026
Controlled Policy Document
1. Document Control
Document Title: ATU-CPAC Confidentiality and Data
Protection Policy
Document Owner: ATU-CPAC Digital Verification and Registry Committee
Issuing Authority: Arab Trainers Union
Policy Authority: ATU-CPAC Governing Council
Approval Authority: Arab Trainers Union Board of Directors, where
required
Effective Date: 1 June 2026
Review Date: Every three years, or earlier where required
Applicability: ATU-CPAC, Arab Trainers Union, approved providers,
accredited providers, authorized assessment centers, certified professionals,
candidates, learners, trainers, assessors, IQAs, EQAs, reviewers, committee
members, partners, contractors, registry users, and all persons handling
ATU-CPAC-governed information
2. Introduction
The Arab Trainers Union Council
for Professional Accreditation and Certification, referred to as ATU-CPAC, is a
specialized council operating within the Arab Trainers Union.
ATU-CPAC regulates, monitors,
quality assures, and verifies professional accreditation, professional
certification, assessment, quality assurance, registry, and compliance
activities under the authority of the Arab Trainers Union.
Confidentiality and data
protection are essential to safeguarding personal data, assessment records,
certification decisions, provider records, registry information, partner data,
and institutional trust.
All certificates, professional
certifications, accreditation certificates, assessed certificates, registry
confirmations, and verification records governed by ATU-CPAC are issued in the
name and under the authority of the Arab Trainers Union.
3. Purpose
This policy sets out how ATU-CPAC
shall collect, process, store, use, share, protect, retain, correct, disclose,
and dispose of confidential information and personal data.
The policy aims to:
- Protect
the privacy and rights of candidates, learners, certified professionals,
providers, trainers, assessors, partners, and stakeholders.
- Ensure
confidential information is accessed only by authorized persons.
- Support
compliance with applicable data protection laws and ATU requirements.
- Protect
the credibility of ATU-issued credentials.
- Prevent
unauthorized disclosure, alteration, misuse, loss, or destruction of
records.
- Ensure
registry and verification information is accurate, secure, and controlled.
- Define
responsibilities for data protection, confidentiality, breach reporting,
and corrective action.
4. Scope
This policy applies to all information handled in relation
to:
- Provider
accreditation.
- Professional
certification.
- Assessed
training certificates.
- Certificates
of achievement.
- Assessment
and examination records.
- IQA
and EQA records.
- Complaints
and appeals.
- Malpractice
and misconduct investigations.
- Registry
and verification records.
- Digital
badges and QR verification.
- Partner-endorsed
or jointly supported credentials.
- ATU-CPAC
governance and committee records.
- Online
platforms, learning management systems, email, cloud storage, databases,
and paper records.
This policy applies to information in physical, digital,
verbal, visual, recorded, printed, or electronic form.
5. Policy Principles
ATU-CPAC confidentiality and data protection shall be guided
by the following principles.
5.1 Lawfulness
Personal data shall be collected and processed only where
there is a lawful and legitimate purpose.
5.2 Purpose Limitation
Data shall be used only for the purpose for which it was
collected or another approved and lawful purpose.
5.3 Data Minimization
Only data necessary for accreditation, certification,
assessment, verification, quality assurance, compliance, or administration
shall be collected.
5.4 Accuracy
Personal data and registry records shall be accurate,
complete, current, and corrected where errors are identified.
5.5 Confidentiality
Confidential information shall be protected and shared only
with authorized persons who have a legitimate need to know.
5.6 Security
Appropriate administrative, technical, and physical controls
shall be used to protect data from unauthorized access, loss, misuse,
alteration, or disclosure.
5.7 Accountability
ATU-CPAC, providers, partners, and authorized users shall be
accountable for the data they collect, use, store, share, and protect.
5.8 Transparency
Individuals shall be informed, where appropriate, about how
their data is used, stored, shared, retained, and verified.
5.9 Retention Control
Records shall be retained only for approved periods and
securely disposed of when no longer required.
5.10 Public Trust
Data protection and confidentiality controls shall protect
the reputation of ATU, ATU-CPAC, providers, certified professionals, and valid
credential holders.
6. Types of
Protected Information
Protected information may include:
- Candidate
and learner personal data.
- Identity
documents.
- Contact
details.
- Education
and qualification records.
- Professional
experience records.
- Assessment
submissions.
- Examination
papers and answers.
- Marking
schemes and rubrics.
- Assessment
results and feedback.
- IQA
and EQA reports.
- Provider
accreditation files.
- Trainer,
assessor, IQA, and EQA records.
- Complaints
and appeals files.
- Malpractice
and investigation records.
- Committee
minutes and decisions.
- Registry
and verification records.
- Certificate
numbers and QR codes.
- Digital
badge records.
- Partner
agreements and restricted materials.
- Financial
and payment records where applicable.
- Internal
ATU and ATU-CPAC correspondence.
7. Sensitive and
High-Risk Data
ATU-CPAC shall apply additional care when handling sensitive
or high-risk data.
Sensitive or high-risk data may include:
- Identity
documents.
- Financial
information.
- Health
or disability information submitted for reasonable adjustment.
- Special
consideration evidence.
- Investigation
records.
- Disciplinary
records.
- Complaint
and appeal evidence.
- Biometric
or proctoring data where applicable.
- Data
relating to minors or vulnerable learners where applicable.
- Partner-restricted
confidential information.
Such data shall be accessed only by authorized persons and
used only for approved purposes.
8. Data Collection
ATU-CPAC and approved providers may collect personal data
for legitimate operational purposes, including:
- Application
processing.
- Candidate
registration.
- Eligibility
review.
- Assessment
administration.
- Professional
certification.
- Provider
accreditation.
- Quality
assurance.
- Registry
and verification.
- Complaints
and appeals.
- Malpractice
investigation.
- Renewal
and CPD monitoring.
- Partner
reporting where approved.
- Legal,
financial, or compliance obligations.
Data collection forms shall clearly request only necessary
information and shall avoid excessive or irrelevant data.
9. Consent and Data
Use
Where consent is required, it shall be clear, informed,
specific, and recorded.
Consent may be required for:
- Public
registry listing.
- Digital
badge publication.
- Sharing
data with approved partners.
- Publishing
professional profile information.
- Using
photos, testimonials, or public success stories.
- Processing
sensitive information where required.
- Communication
for non-essential purposes.
Consent may be withdrawn where legally and operationally
possible, but withdrawal may affect the ability to provide certification,
registry, verification, or related services.
10. Data Subject
Rights
Individuals may request, according to approved procedures
and applicable law:
- Confirmation
that their data is being processed.
- Access
to their personal data.
- Correction
of inaccurate data.
- Update
of outdated data.
- Restriction
of processing where applicable.
- Withdrawal
of consent where applicable.
- Review
of registry information.
- Correction
of certificate or verification data.
- Deletion
of data where legally and operationally permitted.
Requests shall be reviewed fairly and within a reasonable
timeframe.
11. Confidentiality
Obligations
All persons handling ATU-CPAC information shall maintain
confidentiality.
Confidentiality obligations apply to:
- ATU-CPAC
staff and officers.
- Governing
Council members.
- Committee
members.
- Trainers.
- Assessors.
- IQAs.
- EQAs.
- Providers.
- Partners.
- Contractors.
- Consultants.
- Technical
experts.
- Registry
administrators.
- Appeal
and investigation panel members.
Confidential information must not be disclosed, copied,
discussed, published, transferred, or used for personal, commercial, or
unauthorized purposes.
12. Confidentiality
Declarations
ATU-CPAC may require confidentiality declarations from
persons involved in:
- Governance
meetings.
- Accreditation
reviews.
- Assessment
design.
- Examination
administration.
- Marking
and moderation.
- IQA
and EQA.
- Registry
management.
- Complaints
and appeals.
- Investigations.
- Partner
projects.
- Technical
platform administration.
Failure to sign or comply with confidentiality requirements
may result in removal from the activity, suspension of approval, or other
action.
13. Access Control
Access to confidential information and personal data shall
be based on role, authority, and operational need.
Access controls shall include:
- Named
user accounts.
- Strong
passwords.
- Role-based
permissions.
- Limited
access to sensitive files.
- Secure
storage locations.
- Controlled
sharing links.
- Access
logs where available.
- Removal
of access when a role ends.
- Additional
restrictions for assessment materials and investigation files.
Shared accounts should not be used for confidential ATU-CPAC
systems.
14. Data Security
ATU-CPAC and approved providers shall apply appropriate
security controls.
Security controls may include:
- Password
protection.
- Multi-factor
authentication where available.
- Secure
email and file sharing.
- Encryption
where appropriate.
- Regular
backups.
- Secure
cloud storage.
- Antivirus
and device protection.
- Locked
storage for paper records.
- Controlled
printing and scanning.
- Secure
disposal of records.
- Restricted
access to examination materials.
- Monitoring
of unauthorized access or misuse.
15. Assessment and
Examination Confidentiality
Assessment materials shall be treated as highly
confidential.
Protected assessment materials include:
- Examination
papers.
- Question
banks.
- Assignments
before release.
- Marking
schemes.
- Model
answers.
- Rubrics
before authorized publication.
- Candidate
submissions.
- Assessment
results.
- Proctoring
records.
- IQA
and EQA assessment samples.
Assessment materials must not be shared with unauthorized
persons or used outside the approved assessment process.
16. Registry and
Verification Data
Registry and verification information shall be accurate,
controlled, and disclosed only according to approved rules.
Public verification may confirm:
- Certificate
holder or provider name.
- Credential
or accreditation title.
- Certificate
or approval number.
- Issue
date.
- Expiry
date where applicable.
- Status.
- Scope
or specialization.
- Verification
link or QR code.
Internal records such as scores, assessment evidence,
complaints, appeals, investigation findings, and identity documents shall not
be publicly disclosed unless legally required or formally approved.
17. Data Sharing
ATU-CPAC may share data only where there is an approved and
lawful purpose.
Data may be shared with:
- Arab
Trainers Union authorized officers.
- ATU-CPAC
committees.
- Approved
providers.
- Authorized
assessment centers.
- IQAs
and EQAs.
- Approved
partners.
- Registry
and verification service providers.
- Legal,
financial, or audit advisors.
- Competent
authorities where legally required.
- Individuals
requesting verification of their own records.
Data sharing shall be limited to the minimum necessary
information and shall be documented where appropriate.
18. International
and Partner Data Transfer
Because ATU-CPAC may operate across Arab countries and with
international partners, data may need to be transferred or accessed across
borders.
International or partner data transfer shall require:
- Approved
purpose.
- Legal
and policy review where required.
- Data
minimization.
- Secure
transfer method.
- Confidentiality
obligations.
- Partner
agreement or data sharing arrangement.
- Clear
responsibility for data protection.
- Restrictions
on further disclosure.
- Retention
and disposal requirements.
- Compliance
with applicable laws in relevant jurisdictions.
No partner may use ATU-CPAC data for purposes outside the
approved agreement.
19. Provider and
Partner Responsibilities
Approved providers, accredited providers, authorized
assessment centers, and partners shall:
- Protect
learner, candidate, provider, assessment, and certificate data.
- Collect
only necessary information.
- Use
data only for approved ATU-CPAC purposes.
- Maintain
secure records.
- Restrict
access to authorized staff.
- Protect
assessment materials.
- Report
data breaches or suspected breaches.
- Submit
accurate certificate and registry data.
- Correct
errors promptly.
- Follow
retention and disposal requirements.
- Avoid
unauthorized disclosure to third parties.
- Comply
with ATU-CPAC and partner data requirements.
Failure to protect data may result in corrective action,
monitoring, suspension, withdrawal, revocation, or referral to ATU leadership.
20. Data Accuracy
and Correction
ATU-CPAC shall take reasonable steps to ensure data
accuracy.
Accuracy checks may include:
- Candidate
name verification.
- Identity
verification.
- Certificate
number verification.
- Provider
status verification.
- Program
title verification.
- Assessment
result confirmation.
- Registry
status review.
- Expiry
date check.
- Partner
statement review.
- QR-code
or verification link testing.
Where an error is identified, ATU-CPAC shall correct the
record through an approved and traceable process.
21. Records
Retention
Records shall be retained
according to ATU policy, ATU-CPAC requirements, applicable law, partner
requirements, and operational needs.
Retention periods shall be defined for:
- Provider
accreditation records.
- Candidate
registration records.
- Assessment
evidence.
- Assessment
results.
- Certificate
issuance records.
- Registry
records.
- IQA
and EQA records.
- Complaints
and appeals.
- Investigation
records.
- Partner
records.
- Financial
records.
- Committee
records.
Records shall not be destroyed
where an appeal, complaint, investigation, audit, legal matter, or quality
assurance review is ongoing.
22. Secure Disposal
Confidential information and personal data shall be securely
disposed of when no longer required.
Secure disposal may include:
- Shredding
paper records.
- Secure
deletion of digital files.
- Removal
of access permissions.
- Deletion
from shared folders.
- Destruction
of obsolete assessment materials.
- Deactivation
of invalid verification links where required.
- Recording
disposal where necessary.
Disposal shall be authorized and documented for high-risk or
sensitive records.
23. Data Breach
Management
A data breach may include unauthorized access, disclosure,
loss, alteration, destruction, theft, or misuse of personal data or
confidential information.
The breach response process shall include:
- Immediate
reporting.
- Initial
containment.
- Risk
assessment.
- Evidence
preservation.
- Notification
to responsible ATU-CPAC authority.
- Investigation.
- Corrective
action.
- Notification
to affected persons where required.
- Notification
to competent authority where legally required.
- Registry
or certificate protection action where required.
- Lessons
learned and prevention measures.
Serious breaches shall be escalated to ATU leadership.
24. Use of Digital
Platforms
Digital platforms used for ATU-CPAC activities shall be
managed securely.
This includes:
- Learning
management systems.
- Examination
platforms.
- Registry
systems.
- Verification
platforms.
- Cloud
storage.
- Email
systems.
- Video
meeting platforms.
- Digital
badge systems.
- Payment
systems where applicable.
Providers and partners using digital systems for ATU-CPAC
activities must ensure secure access, accurate records, data backup, user
permission control, and confidentiality.
25. Confidentiality
in Meetings and Committees
ATU-CPAC meetings and committee discussions are confidential
unless approved for publication.
Committee members shall not disclose:
- Deliberations.
- Votes
or individual opinions.
- Candidate
or provider details.
- Complaints
or appeals.
- Investigation
matters.
- Assessment
outcomes before official release.
- Partner-restricted
information.
- Internal
documents not approved for publication.
Meeting records shall be stored securely and accessed only
by authorized persons.
26. Public
Communication
Public communication shall not disclose confidential or
personal information unless approved.
Public statements must not include:
- Assessment
results of named individuals without consent or authorization.
- Complaint
or appeal details.
- Investigation
details.
- Personal
contact information.
- Identity
documents.
- Internal
committee decisions not approved for release.
- Provider
confidential documents.
- Partner-restricted
information.
Approved public communication may include registry status,
accreditation status, certificate verification status, and official statements
authorized by ATU or ATU-CPAC.
27. Monitoring and
Audit
ATU-CPAC may monitor and audit confidentiality and data
protection compliance.
Audit may include review of:
- Access
controls.
- Data
collection forms.
- Candidate
records.
- Provider
records.
- Assessment
security.
- Registry
accuracy.
- Data
sharing records.
- Breach
logs.
- Consent
records.
- Retention
and disposal records.
- Provider
and partner compliance.
- Digital
platform controls.
Findings may result in corrective
action, additional monitoring, suspension, withdrawal, revocation, or other
action according to ATU-CPAC policies.
28. Reporting
Concerns
Any person may report suspected
unauthorized disclosure, data breach, misuse of information, registry
manipulation, certificate data error, or confidentiality breach to ATU-CPAC.
Reports should include:
- Description
of the concern.
- Date
and time where known.
- Person
or organization involved.
- Type
of data affected.
- Evidence
or screenshots where available.
- Immediate
risk.
- Actions
already taken.
Reports shall be handled confidentially and reviewed
according to this policy and related complaints, ethics, or suspension
procedures.
29. Responsibilities
of ATU-CPAC
ATU-CPAC shall:
- Maintain
confidentiality and data protection procedures.
- Protect
personal data and confidential information.
- Control
access to records.
- Maintain
accurate registry and verification data.
- Require
confidentiality declarations where needed.
- Monitor
provider and partner compliance.
- Respond
to data subject requests.
- Investigate
breaches and concerns.
- Apply
corrective action where required.
- Review
this policy and improve controls.
30. Responsibilities
of Providers
Providers shall:
- Protect
learner and candidate data.
- Protect
assessment and certificate records.
- Use
data only for approved purposes.
- Maintain
secure storage and access control.
- Train
relevant staff on confidentiality.
- Submit
accurate data to ATU-CPAC.
- Report
breaches immediately.
- Cooperate
with audits and investigations.
- Correct
errors promptly.
- Follow
retention and disposal rules.
31. Responsibilities
of Individuals
Candidates, learners, certified professionals, trainers,
assessors, IQAs, EQAs, committee members, and reviewers shall:
- Provide
accurate information.
- Protect
confidential information received through ATU-CPAC activities.
- Use
records only for approved purposes.
- Avoid
sharing assessment materials or personal data.
- Report
errors or breaches.
- Cooperate
with verification and correction processes.
- Respect
registry and certificate data rules.
- Comply
with confidentiality declarations.
32. Non-Compliance
Failure to comply with this policy may result in:
- Guidance
or warning.
- Required
corrective action.
- Removal
of system access.
- Certificate
hold.
- Registry
correction or restriction.
- Increased
monitoring.
- Suspension.
- Withdrawal.
- Revocation.
- Partner
notification.
- Referral
to ATU leadership.
- Legal
action where required.
Actions shall be proportionate to the seriousness, impact,
intent, recurrence, and risk of the breach.
33. Review of Policy
This policy shall be reviewed every three years or earlier
where required due to:
- ATU
Board decision.
- Legal
or regulatory change.
- Data
protection requirement changes.
- Registry
or verification incidents.
- Assessment
security incidents.
- Data
breach trends.
- Provider
or partner compliance findings.
- Complaints
or appeals trends.
- Technology
platform changes.
- Stakeholder
feedback.
- Operational
need.
34. Definitions
|
Term |
Meaning |
|
Arab Trainers
Union |
The issuing
authority for ATU certificates, professional certifications, accreditation
certificates, and related credentials. |
|
ATU-CPAC |
Arab Trainers
Union Council for Professional Accreditation and Certification, a specialized
council within ATU responsible for regulation, quality assurance, monitoring,
registry, and verification. |
|
Personal Data |
Any
information that identifies or may identify a natural person directly or
indirectly. |
|
Confidential
Information |
Information
that is not approved for public disclosure and must be protected from
unauthorized access or use. |
|
Data Subject |
The person
whose personal data is collected or processed. |
|
Processing |
Any operation
performed on data, including collection, storage, use, sharing, correction,
publication, retention, or deletion. |
|
Data
Controller |
The party
that determines the purpose and means of processing personal data. |
|
Data
Processor |
The party
that processes personal data on behalf of another authorized party. |
|
Data Breach |
Unauthorized
access, disclosure, loss, alteration, destruction, theft, or misuse of
personal data or confidential information. |
|
Registry |
The official
record used to verify provider, program, certificate, certification, or
professional status. |
|
Verification |
The process
of confirming the authenticity, validity, scope, and status of a credential
or approval. |
|
Sensitive
Data |
Data that
requires additional protection due to its nature, risk, or legal status. |
|
Data Sharing |
Disclosure or
transfer of data to another authorized party for an approved purpose. |
|
Secure
Disposal |
Approved
destruction or deletion of records so they cannot be accessed or
reconstructed. |
Final Policy
Statement
ATU-CPAC Confidentiality and Data Protection Policy exists
to protect privacy, confidentiality, data integrity, registry reliability,
assessment security, and public trust under the authority of the Arab Trainers
Union.
Through lawful collection, controlled access, secure
storage, accurate records, responsible sharing, breach response, and continuous
monitoring, ATU-CPAC ensures that confidential information and personal data
are protected across accreditation, certification, assessment, quality
assurance, registry, and verification activities.



