Privacy Policy

Welcome to Bookmark – The Protocol Group!

‘We’ are committed to protecting and respecting the privacy and security of your personal information.

About us

In this Privacy Notice, references to ‘we’ ‘us’ or “our” means Protocol National Limited, (t/a Protocol, Bookmark and eSafeguarding), a company incorporated in England and Wales (registered number 3007851).

“our websites” means;;;

What is covered in this document?

This document explains how we collect and use personal information about you. For the purposes of this document “you” refers to:

  • Individual work seekers who are seeking or who have been found work by us on either a temporary, interim or permanent basis (referred to in this document as “candidates”)
  • Visitors to any of our group websites
  • Private individuals who are or were formerly working for our current or former clients, as

    further explained below under “Who we are and what we do” below.

  • Private individuals who work for or have worked for suppliers or prospective suppliers of services to us
  • Students

This notice together with our Cookie Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a new regulation which replaces the Data Protection Regulation (Directive 95/46/EC). Even though the UK left the EU in March 2019, the GDPR became applicable in the UK on 25th May 2018. GDPR will continue in UK law post Brexit and the Government has also introduced a Data Protection Bill to replace the outgoing Data Protection Act in due course.

Your new rights under the GDPR are set out in this notice.

Please read the following, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using your personal information.

For the purposes of data protection legislation in force from time to time the data controller is Protocol National Limited of The Point, Welbeck Road, West Bridgford, Nottingham, NG2 7QW.

Version June 2023

If you have any questions about your personal information, please click on

Who we are and what we do

We are an employment agency and employment business as defined in the Employment Agencies and Employment Businesses Regulations 2003 (our business).

Our core business is the introduction of candidates and recruitment services to our clients who may include:

  • general further education and sixth form colleges
  • employment business owned by colleges of further education
  • HM Prison Service via client colleges and training providers
  • Schools
  • third party recruitment businesses who hold “master vendor” contracts under which we operate as second tier suppliers.
  • Local Authorities, Charities, Private Training Providers,
  • End Point Assessment providers, Awarding bodies and other relevant prospective

    employers in the FE, HE & Third Sector

    (the “Core Business”)

    In support of our Core Businesses we may also provide the following services behaviour profiling/psychometric testing, IT system services, payroll services, online DBS processing (via eSafeguarding), outsourcing, consultancy and training and assessment services (the “Ancillary Services”).

    We collect information about you to carry out our Core Business and Ancillary Services.

    The personal information we collect, store and use

    Information that you give to us

    This is information about you that you give us by filling in forms on any of our websites or by communicating with us by phone, e-mail, text, post or otherwise.

    It includes information you provide when you register to use any of our websites, to enter our database, to subscribe to our services, to attend our events, to participate in discussion boards or other social media functions on our websites, enter a competition, promotion or survey, and when you report a problem with any of our websites.

    Depending on the nature of our relationship with you the information you give us or we collect about you may include your name; address; private and corporate e-mail address; phone number(s); financial information such as bank account details, PAYE code and records of payments owed/paid to you; compliance documentation (including health and criminal convictions checks); age/date of birth; gender/gender identity; emergency contact details (next of kin); references verifying your qualifications and experience; documents verifying your legal right to work in the United Kingdom; curriculum vitae; photograph; records of current and completed work assignments contracted with us or with clients; data on workplace observations/performance feedback; CPD/training records; links to your professional profiles available in the public domain e.g. LinkedIn, Twitter, business Facebook or corporate website and general correspondence.

Information we collect about you when you visit any of our websites

As well as any information you give to us by filling in forms on our websites, on each of your visits to any one of our websites we will automatically collect the following information:

  • technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information if applicable, browser type and version, browser plug-in types and versions, operating system and platform;
  • information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for’ page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call the company.

    Information we obtain from other sources

    We may obtain personal information about you from other sources such as online CV libraries, social media, corporate websites, job board websites, your business card, personal recommendations, event attendance lists, third party referrals and other public sources. When we collect this information in relation to job enquiries / opportunities we will inform you, by sending you this privacy notice, within a maximum of 30 days of collecting the data of the fact we hold personal data about you, the source the personal data originates from and whether it came from publicly accessible sources, and for what purpose we intend to retain and process your personal data. There is an option to opt out of correspondence should you wish.

    We are working closely with third parties including companies within our Group, business partners, sub-contractors in technical, professional, payment and other services, advertising networks, analytics providers, search information providers, credit reference agencies, professional advisors and college owned recruitment agencies or other recruitment businesses working as a main contractor on behalf of a college. We may receive information about you from them for the purposes of our Core Business and Ancillary Services.

    Purposes of the processing and the legal basis for the processing
    We will only use your personal information when the law permits us to.

The majority of the processing of your data is performed by us for one of three reasons:

Necessary for contract

This means that we process your data in order to carry out our obligations arising from any contracts that we either intend to enter into or have entered into with you and to provide you with the information, products and services that you request from us or we think will be of interest to you because it is relevant to your career or to your organisation.

Legal obligations

Certain processing of your personal data is required to enable us to meet our legal obligations. For example, if you are a candidate we are obliged by law to provide HMRC with information about any money that you earn through contracts that you enter with us and to remit income tax and National Insurance that is due.

Legitimate interests

In certain cases we may process your personal data in order to further our legitimate business interests, or to help our clients to satisfy their legitimate interests. We will only do this when we have considered whether there is any other way to fulfil the relevant legitimate interest and balanced our legitimate interests against your right to privacy/the impact the processing has on your privacy.

An example of processing to fulfil a legitimate interest is our practice of recording all calls made to and by us. We state on our website and on calls that they are recorded. The recordings are held securely for a limited time and a very limited number of people have access to them. We use the recordings where there has been a complaint or dispute, to enable us to verify what was actually said. This is a mutual benefit to both you and us, as it helps facilitate fair resolution of any issues and helps to protect all parties from being subject to false accusations.


While the majority of our processing of data is covered by the three legal bases explained above, in some cases we will seek your express consent to processing. Examples of when consent may be the lawful basis for processing include permission to introduce you to a client (if you are a candidate).

The main instance in which we will seek your express consent are:

• where we would like to send you marketing materials to introduce you to other services that we or our Group can provide. We do not share your data with any third parties for the purpose of their own marketing efforts.

Should we want or need to rely on consent to lawfully process your data the way we request your consent will depend on what the data to be processed is. For example, if you are a candidate we make a contractual commitment to you to get your consent before sharing information (excluding special category/sensitive information) with a client. This may be done orally if we are in telephone contact with you and we will make a note of your response.

In other cases, we may request consent by email or by an online process for the specific activity we require consent for and record your response on our system. Where consent is the lawful basis for our processing you have the right to withdraw your consent to this particular processing at any time.

Vital interests

This is information collected to protect your vital interests. The only data that we collect that falls in this category is next of kin/emergency contact details for candidates. You do not have to provide us with this information if you do not want to.

Other Uses of your data:

  • to notify you about changes to our service;
  • to ensure that content from our site is presented in the most effective manner for you and

    for your computer.

    We will use this information:

  • to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • to improve our site to ensure that content is presented in the most effective manner for you and for your computer;
  • to allow you to participate in interactive features of our service, when you choose to do so;
  • as part of our efforts to keep our site safe and secure;
  • to measure or understand the effectiveness of advertising we serve to you and others,

    and to deliver relevant advertising to you;

  • to make suggestions and recommendations to you and other users of our site about goods or services that may interest you or them.

    Other information we collect

    Social buttons

    On many of the pages of Our websites you will see ‘social buttons’. These enable users to share or bookmark the web pages. There are buttons for: Twitter, Facebook and LinkedIn. In order to implement these buttons and connect them to the relevant social networks and external sites, there are scripts from domains outside of Our websites. You should be aware that these sites are likely to be collecting information about what you are doing all around the internet, including on our websites’. So, if you click on any of these buttons, these sites will be registering that action and may use that information. In some cases, these sites will be registering the fact that you are visiting Our websites, and the specific pages you are on, even if you don’t click on the button if you are logged into their services, like Google and Facebook. You should check the respective policies of each of these sites to see how exactly they use your information and to find out how to opt out, or delete, such information.

External web services

We use several external web services on the Our websites, mostly to display content within our web pages. For example, to display slideshows we sometimes use SlideShare; to show videos we use YouTube and Vimeo. This is not an exhaustive or complete list of the services we use, or might use in the future, when embedding content, but these are the most common. As with the social buttons we cannot prevent these sites, or external domains, from collecting information on your usage of this embedded content. If you are not logged in to these external services then they will not know who you are but are likely to gather anonymous usage information e.g. number of views, plays, loads etc.

Email tracking

Some emails that we send you have no tracking in at all, for example personal correspondence or emails with invoices attached. Other emails we send we put in tracking so that we can tell how much traffic those emails send to our site and we can track, at an individual level, whether the user has opened and clicked on the email. We rarely use the latter information at a personal level, rather we use it to understand open and click rates on our emails to try and improve them. Sometimes we do use the personal information e.g. to re-email people who didn’t click the first time. If you want to be sure that none of your email activity is tracked then you should unsubscribe from our email campaigns.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over the other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Automated decision making

We do not undertake automated decision making or profiling. We do use our computer systems to search and identify personal data in accordance with parameters set by a person and / or a client. A person will always be involved in the decision making process.


Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie notice.

Disclosure of your information inside and outside of the EEA

In the course of our Core Business and Ancillary Services we may share your personal information with:

Any member of our Group all of which are located within the EEA. Selected third parties including:

  • clients for the purpose of introducing candidates to them;
  • candidates for the purpose of arranging interviews and engagements with contacts atclient organisations;
  • clients, business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you; as well as for compliance with legal obligations that we or clients are required to meet, such as safeguarding of minors and vulnerable adults.
  • subcontractors including email marketing providers, payment and other financial service providers and where relevant payroll processors / providers and Umbrella bodies
  • advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we will provide them with aggregate information about how many candidates clicked on to their advert on our site.
  • analytics and search engine providers that assist us in the improvement and optimisation of our site;
  • in compliance with legal obligations we may also provide your details to the Disclosure and Barring Service/Disclosure Scotland when DBS or PVG checks are required.
  • at your request we may provide information to financial organisations to help establish your suitability for a mortgage or reference information to a prospective employer. Other circumstances in which we may disclose your personal information to third parties are:
  • In the event that the business or its assets were bought or sold or with a view to sale, we will disclose your personal data to the prospective seller or buyer of such business or assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our or terms and conditions of supply of services and other agreements; or to protect the rights, property, or safety of Protocol, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

    The lawful basis for the third-party processing will include:

    • their own legitimate business interests in processing your personal data, in most cases to fulfil their internal resourcing needs or legal obligations;
    • satisfaction of their contractual obligations to us as our data processor; for the purpose of a contract in place or in contemplation; to fulfil our legal obligations.

Whenever data is shared with third parties we require that the third party takes appropriate security measures to protect your personal information in line with our policies. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Where we store and process your personal data

The data that we collect from you is currently stored within the EEA. However in the future should your personal data be transferred outside the EEA or countries recognised by the European Commission as having an adequate data protection regime we will put in place appropriate measures to ensure that your personal information is held in those locations in a way that is consistent with and which respect the EU and UK laws on data protection, including one or more of the following binding corporate rules; use in contracts of standard data protection clauses approved by the European Commission i.e. EU-US Privacy Shield Framework.

Data security

All information you provide to us is stored on our secure servers. Further we limit access to your personal information to those employees, agents, contractors or other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Retention of your data

We understand our legal duty to retain accurate data and only to retain personal data for as long as we need it to fulfil the purposes we collected it for. Accordingly, we have a data retention policy and run data routines to remove data in line with the policy. To determine the appropriate retention period for personal data we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, as well as the applicable legal requirements.

We do the following to try to ensure our data is accurate:

  • our website enables you to manage your data and to review whether the details we hold about you are accurate
  • prior to making an introduction we check that we have accurate information about you we keep in touch with you so you can let us know of changes to your personal data.

We may archive part or all of your personal data or retain it on our financial systems only, deleting all or part of it from our main Customer Relationship Manager (CRM) system. We may pseudonymise parts of your data, particularly following a request for suppression or deletion of your data, to ensure that we do not re-enter your personal data on to our database, unless requested to do so.

For your information,
Our current retention policy is available upon request.

Direct marketing

You have the right to ask us not to process your personal data for marketing purposes. We will always aim to inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes and we will collect express consent from you if legally required prior to using your personal data for marketing purposes.

You can exercise your right to accept or prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at

Our site may, from time to time, contain links to and from the websites of our partner networks, /partner service providers, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

The GDPR provides you with the right to:

  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to
  • Pseudonymised Data is created by taking identifying fields within a database and replacing them with artificial identifiers, or pseudonyms, object or withdraw your consent where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party in certain formats, if practicable.
  • Make a complaint to a supervisory body which in the United Kingdom is the Information Commissioner’s Office. The ICO can be contacted through this link:

Access to information

The Data Protection Act 1998 and the GDPR give you the right to access information held about you. We also encourage you to contact us to ensure your data is accurate and complete.

Your right of access can be exercised in accordance with the Act (and the GDPR once it is in force). Prior to 25th May 2018 any access request under the Data Protection Act will be subject to a fee of £10 to meet our costs in providing you with details of the information we hold about you.

A subject access request should be submitted to No fee will apply once the GDPR comes into force.

Changes to our privacy notice

Any changes we make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy notice.


Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to

Get in Touch with Bookmark

Let's Connect and Take the Next Step Together

Ready to Take the Next Step? How Can We Assist You in Your Education Recruitment Journey?