Required policies and plans for training providers and assessment venues

As part of the AAT centre approval process and to maintain approval, you are required to have these policies and plans in place, covering the details specified here.

This applies to all potential and approved AAT organisations:

  • training providers
  • assessment venues
  • End Point Assessment (EPA) centres.

If any of these policies or plans don't apply to your organisation and:

Self-assessment reporting

You'll be asked to provide your first self-assessment report within 12 months of approval, and then once every 12–18 months thereafter.

Use the AAT Approved Organisation self-assessment report form (doc).

You can find more details about self-assessment reporting in the AAT Guidance for training providers document (PDF).

Appeals

An appeals policy must outline:

  • the procedure a student should follow if they want to appeal a recognition of prior learning (RPL) assessment
  • how they contact AAT if they want to appeal any other type of assessment, quoting the details on the Assessment enquiries and appeals page.

It must cover at least: 

  • how the student goes about appealing
  • the timeframes involved at each stage
  • details of the teams and job titles involved at each stage
  • details of how any second stage appeal is dealt with independently. 

Assessment and internal verification (if offering recognition of prior learning)

An assessment and internal verification policy must be in place where you're offering internal assessment, like recognition of prior learning (RPL).

It must cover at least:

  • the process for recording assessment and internal verification decisions
  • how records are maintained
  • what performance management systems are in place to monitor and evaluate the effectiveness of the process and those involved
  • how and when standardisation takes place
  • the process for ensuring assessors and internal verifiers keep their continuing professional development (CPD) up to date.

Business continuity plan

A business continuity plan must outline procedures and instructions for your staff members in the event of a disaster.

The plan must specify how you would maintain service continuity when faced with a disruptive event and cover at least:

  • business processes
  • a business impact assessment to determine the requirements that apply in adverse situations
  • incident response procedures to prepare for, mitigate and respond to a disruptive event
  • who is responsible for what
  • escalation procedures and management structure
  • emergency contact details
  • external notifications, legal and contractual requirements
  • controls to protect against external and environmental threats, including back-up power/failover server and data centre arrangements
  • mechanisms to review and test the validity and effectiveness of these plans.

Complaints

A complaints policy must outline the process a student should follow if they're not satisfied with the service they've received from your organisation.

It must cover at least:

  • where the student should send their complaint
  • details of the different stages of the process
  • the timeframes involved at each stage
  • details of the teams and job titles involved at each stage
  • reference to the student's right to refer the matter to AAT if they're unsatisfied with the outcome of their original complaint (after fully exhausting your complaints process).

Conflicts of interest

A conflicts of interest policy must outline details of how the organisation identifies and manages potential conflicts of interest.

It must cover at least:

  • how conflicts of interest are identified, logged and reported
  • who is involved in dealing with conflicts of interest
  • how conflicts of interest are managed and how mitigation is used to reduce risk.

Data protection and confidentiality

A data protection policy will help you comply with GDPR requirements by setting out the procedures your staff must follow when handling personal data and how requests from data subjects are dealt with.

It must cover at least:

  • your general approach to data protection
  • how you'll ensure lawful processing is carried out
  • how the core data protection principles will be met, including data minimisation, transparency and accountability
  • governance of data protection and responsibility for oversight, including monitoring and audit
  • how the rights of data subjects are protected
  • technical and organisational measures to ensure systems security
  • how staff will be trained and supervised in handling personal data
  • where data processors are to be used and how they are selected
  • staff obligations to integrity and confidentiality.

Disaster recovery plan

A disaster recovery plan must state clearly how your centre will restore normal operations in the event of unplanned incidents.

It must cover at least:

  • the locations, systems and services it covers
  • incident response, and what would trigger it
  • disaster recovery and restore procedures
  • alternative work locations if your normal site is unusable
  • back-up routines, schedules, validation and testing, including online and offline back-ups
  • site recovery or fall-back servers/data centres
  • external and internal contacts you'll need to inform
  • insurance: details of policies, numbers and emergency contacts
  • plan review procedure: how often you'll review and test this plan.

Equal opportunities and access

An equal opportunities and access policy must outline how your organisation commits to fair working practices, and how you eliminate and prevent unfair treatment.

It must cover at least:

  • information around responsibilities within your organisation
  • details and examples of types of discrimination
  • details of access to assessments, comprising a list of procedures you have in place to support learners with disabilities
  • how the policy is implemented.

Health and safety

A health and safety policy must highlight your commitment and approach to maintaining a safe and healthy environment for staff and students.

It must cover at least:

  • a statement of intent that includes your commitment to managing health and safety
  • details of those responsible for health and safety
  • the practical arrangements you have in place and how these are met
  • the process for raising health and safety concerns.

Incident management and response plan

An incident response plan ensures that in the event of a security breach, the right personnel and procedures are in place to effectively deal with a threat and help return your system to normal operations.

It must cover at least:

  • the process for responding to threats or exploited vulnerabilities
  • containment or eradication strategies
  • recovery and post-incident management
  • roles and responsibilities including when external support is necessary
  • how incidents are triaged and their severity assessed
  • escalation procedures
  • relevant policy positions, for example ransomware payments
  • external notifications
  • root cause analysis and lessons learned
  • what mitigations can be put in place to prevent further threats and damage
  • how further threats are eradicated
  • preservation of audit trails and log data
  • how systems will be cleaned and restored
  • identifying the actions to be implemented to strengthen security and prevent future attacks.

IT security and cyber resilience

An IT security policy must outline the strategy your organisation has in place to ensure IT security is maintained.

It must cover at least:

  • principles to be observed by your staff
  • details of how IT security is implemented
  • what preventative measures are in place
  • how security measures will prevent malpractice.

There are a number of regulatory requirements on awarding organisations to work with centres to mitigate the risk of cyber-attacks and the associated downtime. They include:

  • promoting service continuity
  • encouraging organisations to implement appropriate controls
  • communicating and collaborating on the management of any cyber attacks
  • notifying Ofqual of any cyber incidents that lead to a potential or actual adverse effect on the development, delivery or award of our qualifications.

To meet these requirements, AAT has put in place controls to protect against cyber attacks and information security breaches. Further information can be found in the following documents.

  • Framework agreement/call-off contract: Section 25 "Data protection and cyber security" and Schedule 2 "Data security" place duties on both AAT and approved organisations to satisfy Ofqual requirements and wider legal responsibilities.
  • AAT guidance for training providers (PDF): there are requirements for potential new providers going through the approval process, the need to have cyber insurance in place, and requirements of ongoing data protection and cyber security.
  • Code of practice for AAT Approved organisations (PDF) – there is a data protection and information/cyber security section, along with sanctions (1r and 3L) in relation to data protection/cyber security.
  • AAT approved organisation self-assessment form (doc): requirements are listed for training providers to provide up-to-date information about their arrangements for information/cyber security, which have been embedded into the self-evaluation process.

The responses to the AAT approved organisation self-assessment form will be monitored through our standard external quality assurance monitoring activities, to ensure there's sufficient evidence and we're satisfied the necessary processes are in place to meet the new requirements.

Where the self-assessment form highlights that additional work is required, a timebound action plan will be put in place to ensure the new requirements are implemented and met within a reasonable timeframe.

For the avoidance of doubt, these requirements have not been introduced to satisfy GDPR Article 28 (the obligations that specifically relate to personal data and data processors). Their purpose is to assess cyber resilience and any impact on the development, delivery and award of qualifications.

As an awarding organisation AAT is required by qualifications regulators to obtain assurances from approved organisations relating to their cyber security controls.

Department for Education guidance: Meeting digital and technology standards in schools and colleges

We recommend you read and review the DfE's cyber security guidance, which is consistent with our own guidance as set out above.

Malpractice and maladministration

A malpractice and maladministration policy must outline the process for investigating malpractice and maladministration incidents.

It must cover at least:

  • definitions of malpractice and maladministration
  • examples of malpractice and maladministration
  • how your organisation prevents, identifies, investigates and handles potential cases (including reporting incidents to AAT)
  • details of those involved with dealing with potential incidents
  • the timeframes for dealing with potential incidents (including reporting to AAT)
  • details of what actions will be taken and sanctions imposed. 

Safeguarding

A safeguarding policy must outline the procedures for dealing with allegations or suspicions of abuse reported by staff, students, parents or other persons, and bringing these to AAT's attention in accordance with this policy.

It must cover at least:

  • principles to be observed by centre staff and representatives
  • identifying, recording and reporting allegations of abuse
  • the responsibilities of the Designated Safeguarding Officer (DSO)
  • details of all other safeguarding roles and responsibilities, such as the Deputy DSO or Safeguarding Lead.