Privacy Policy


1.   Introduction

a.        ELCAS fully understands the importance of protecting information that comes into its possession whether from customers, suppliers, contractors or staff.

b.        ELCAS is also committed to complying with all Data Protection legislation including the General Data Protection Regulation (Regulation (EU) 2016/679) and the Data Protection Act 2018 and to ensuring the appropriate safeguarding and processing of Personal Data.

c.        This Privacy Policy explains what and how Personal Data may be processed, retained and protected as a result of our ongoing, or potential, day-to-day business, including individuals visiting our website.

d.        This Policy complies with the General Data Protection Regulation (Regulation (EU) 2016/679) and the Data Protection Act 2018.

2.   Your data and information

a.        In the course of our business, we collect information from individuals we deal with on behalf of the Ministry of Defence (MOD) in relation to the provision of the MOD’s Enhanced Learning Credits Scheme (ELC). In this context, we are the Data Processor and the MOD are the Data Controller.

b.        An “individual” might be any person including an actual (or potential) service leaver, service person, learning provider, customer, supplier or subcontractor or could be a visitor to our website. In the context of the GDPR, an identified or identifiable person is known as a “Data Subject”.

c.        Some of the information we gather can be Personal Data. “Personal Data” is information that relates to a Data Subject who can be identified from that data on its own, or when taken together with other information that comes into our possession. It can include any expression of opinion or indication of intention in respect of that person but does not include anonymised data.

3.   What do we need?

a.        The typical information collected through provision of our standard products and services includes;

i.      some Personal Data such as: VAT number, Companies House details, DUNS number, name, rank, position, date of birth, service number, gender, ethnic group, working location and contact details; it may also include spouse details.

ii.     contractual information such as: commercial contracts, technical information and site access information; and

iii.    relevant business information such as: meeting notes, related documents, complaints and informal letters.

b.        From our website, we may collect;

i.      individual browser information such as: internet protocol (IP) address, computer operating system and browser type; and

ii.     website information such as: general traffic patterns, address of any referring website, website areas visited most frequently and website services accessed the most.

4.   Why do we need it and what do we do with it?

a.        We only gather and process information (including Personal Data) that we need in order to conduct our day-to-day business. We do so under two of the lawful purposes specified in the GDPR:

i.      Performance of a contract. For example, we process Personal Data to engage in contractual negotiations, undertake operational delivery of customer products and services and correspond with our suppliers

ii.     Legal obligation. For example, we process Personal Data to undertake operational delivery of the Enhanced Learning Credit Scheme in line with JSP822 and The Armed Forces (Enhanced Learning Credit Scheme and Further and Higher Education Commitment Scheme) Order 2012, S.I 2012/1796 (as amended, most recently by S.I 2021/226)

b.        Personal Data processed as part of the provision of our standard products and services is stored in the UK.

5.   What don’t we do with it?

a.        ELCAS will not process Personal Data for purposes other than identified above without first informing the individual of the legal basis on which the processing will occur and gaining their consent.

b.        We do not take automated decisions about individuals using Personal Data or profiling.

c.        In certain circumstances, we will share Personal Data with other persons or companies where this is required in order to carry out a contract or where there is a legitimate interest. In all cases, we require Personal Data to be kept confidential, secure and to be protected in accordance with the law.

6.   How do we protect it?

a.        ELCAS has robust measures in place to ensure the security of Personal Data. Where reasonably practicable this includes:

i.      staff training and data processing guidelines;

ii.     the anonymisation and/or encryption of Personal Data; In-built resiliency to restore and access Personal Data in a timely manner in the event of a physical or technical incident

 7.  How long do we keep it? 

a.        Retention periods for Personal Data are determined by its nature and purpose and in accordance with the requirements of the GDPR. Data held for the purposes of performing a contract will be held for the period required by the contract or for as long as commercial relations remain between the parties.

b.        Personal Data processed for other legitimate interests will be retained for as long as it remains appropriate and relevant. Regardless of purpose, the continued relevance and accuracy of Personal Data will be reviewed and validated on a regular basis.

8.   What are your rights?

a.        Under the GDPR, you are entitled to a copy of any information we hold about you which can be obtained through a Subject Access Request (SAR). The request must be made in writing to us at

b.        You can request correction of inaccuracies in Personal Data; if you believe we hold incorrect or incomplete data please contact us so that we may take all reasonable steps to check and correct where possible or signpost you to the source of the data provision.

c.        You have the right to request we restrict the processing of your data (conditions in respect of JSP822 will apply).

d.        You have the right to request erasure (also referred to as the right to be forgotten) and can request that we no longer process your data and erase all information about you. This is not an absolute right and there may be legal, regulatory or contractual reasons why data cannot be erased at the time of the request.

e.        ELCAS will normally respond to a SAR within one month unless the request is complex or numerous in which case the period in which we must respond can be extended by a further two months.

f.         In circumstances where a SAR is manifestly unfounded or excessive, ELCAS may legally charge a reasonable administrative fee or may legally or contractually refuse to act on the SAR.

9.   Who can you contact?

a.        If you have any questions about this Privacy Policy or the information we hold about you, please contact us by email at or by post at ELCAS, E1 Suites 3-6 Green Lane Business Park, Green Lane, Tewkesbury, Gloucestershire, GL20 8SJ. Where necessary the matter can be escalated to the Ministry of Defence DPO on or by post at MOD Data Protection Officer, Ground floor, zone D, Main Building, Whitehall, London, SW1A 2HB.

b.        You can also obtain additional information about the GDPR and your rights under it on the Information Commissioner’s Office website here. You can also make a formal complaint to the ICO in the event that you feel we have not resolved any query to your satisfaction.

10.  Policy changes

 ELCAS will review this Policy periodically and reserves the right to update it as required. In any case the Policy will be reviewed at such times as organisational or legislative changes impact upon its content.

Please do not send any correspondence via post until further notice

Privacy Policy 

Contact us:
0330 0564202
09:00 – 16:00 Mon to Fri

Copyright © 1989 - 2024 ELCAS. All rights reserved.

Scroll To Top