UK GDPR Policy
For the attention of: All Staff
Approved by: Board of Governors
Date of publication: June 2022 Date of review: June 2025
UK Policy Contents
- Overview………………………………………………………………………………………. 4
- About This Policy………………………………………………………………………….. 4
- Definitions…………………………………………………………………………………….. 4
- College Personnel’s General Obligations………………………………………. 5
- Data Protection Principles…………………………………………………………….. 6
- Lawful Use of Personal Data………………………………………………………….. 6
- Transparent Processing – Privacy Notices…………………………………….. 6
- Data Quality………………………………………………………………………………….. 7
- Personal Data Must Not Be Kept For Longer Than Needed…………….. 2
- Data Security………………………………………………………………………………. 5
- Data Breach………………………………………………………………………………… 5
- Appointing Contractors Who Access The College’s Personal Data. 4
- Individuals’ Rights………………………………………………………………………. 4
- Marketing & Consent…………………………………………………………………… 4
- Automated Decision Making and Profiling……………………………………. 5
- Data Protection Impact Assesments (DPIA)…………………………………. 6
- Transferring Personal Data to a Country Outside the EEA……………. 6
- Scope & Limitations…………………………………………………………………….. 6
- Responsibilities…………………………………………………………………………… 7
- Privacy Notice & Website…………………………………………………………….. 2
- Complaints Management Process……………………………………………….. 5
- Data Sharing Agreements……………………………………………………………. 5
- Records Management Policy……………………………………………………….. 7
- Monitoring & Review……………………………………………………………………. 2
- Supporting Documents……………………………………………………………….. 5
1.Overview
- The College’s reputation and future growth are dependent on the way the College manages and protects Personal Data. Protecting the confidentiality and integrity of Personal Data is a key responsibility of everyone within the College.
- As an organisation that collects, uses and stores Personal Data about its employees, employers, suppliers (sole traders, partnerships or individuals within companies), students, governors, parents and visitors, the College recognises that having controls around the collection, use, retention and destruction of Personal Data is important in order to comply with the College’s obligations under Data Protection Laws and in particular its obligations under Article 5 of UK GDPR.
- The College has implemented this Data Protection Policy to ensure all College Personnel are aware of what they must do to ensure the correct and lawful treatment of Personal This will maintain confidence in the College and will provide for a successful working and learning environment for all.
- College Personnel will receive a copy of this Policy when they start and may receive periodic revisions of this Policy. This Policy does not form part of any member of the College Personnel’s contract of employment and the College reserves the right to change this Policy at any time. All members of College Personnel are obliged to comply with this Policy at all
- If you have any queries concerning this Policy, please contact our Data Protection Officer, who
is responsible for ensuring the College’s compliance with this Policy.
2. About This Policy
- This Policy (and the other policies and documents referred to in it) sets out the basis on which the College will collect and use Personal Data either where the College collects it from individuals itself, or where it is provided to the College by third parties. It also sets out rules on how the College handles uses, transfers and stores Personal Data.
- It applies to all Personal Data stored electronically, in paper form, or
3.Definitions
- College – Oxbridge International College UK
- College Personnel – Any College employee, worker or contractor who accesses any of the College’s Personal Data and will include employees, consultants, contractors, and temporary personnel hired to work on behalf of the College.
- Controller – Any entity (e.g. company, organisation or person) that makes its own decisions about how it is going to collect and use Personal Data.
- Data Protection Laws – The (UK GDPR) Data Protection Act 2018, subsequent Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and all applicable laws relating to the collection and use of Personal Data and privacy and any applicable codes of practice issued by a regulator including in the UK.
- Data Protection Officer – Our Data Protection Officer is Kelechi Rofe, and can be contacted at: +442034797945 or by email at data.protection@oxbridgeic.co.uk
- EEA – Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
- ICO – the Information Commissioner’s Office, the UK’s data protection
- Individuals – Living individuals who can be identified, directly or indirectly, from information that the College has. For example, an individual could be identified directly by name, or indirectly by gender, job role and office location if you can use this information to work out who they are. Individuals include employees, students, parents, visitors and potential students. Individuals also include partnerships and sole traders.
- Personal Data – Any information about an Individual (see definition above) which identifies them or allows them to be identified in conjunction with other information that is held. It includes information of this type, even if used in a business context.
Personal data is defined broadly and covers things such as name, address, email address (including in a business context, email addresses of Individuals in companies such as firstname.surname@organisation.com), IP address and also more sensitive types of data such as trade union membership, genetic data and religious beliefs. These more sensitive types of data are called “Special Categories of Personal Data” and are defined below.
Special Categories of Personal Data are given extra protection by Data Protection Laws.
- Processor – Any entity (e.g. company, organisation or person) which accesses or uses Personal Data on the instruction of a Controller.
A Processor is a third party that processes Personal Data on behalf of a Controller. This is usually as a result of the outsourcing of a service by the Controller or the provision of services by the Processor which involve access to or use of Personal Data. Examples include: where software support for a system, which contains Personal Data, is provided by someone outside the business; cloud arrangements; and mail fulfilment services.
- Special Categories of Personal Data – Personal Data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data (i.e. information about their inherited or acquired genetic characteristics), biometric data (i.e. information about their physical, physiological or behavioural characteristics such as facial images and fingerprints), physical or mental health, sexual life or sexual orientation and criminal Special Categories of Personal Data are subject to additional controls in comparison to ordinary Personal Data.
4.College Personnel’s General Obligations
- All College Personnel must comply with this
- College Personnel must ensure that they keep confidential all Personal Data that they collect, store, use and come into contact with during the performance of their duties.
- College Personnel must not release or disclose any Personal Data:
- inside the college; to College Personnel not authorised to access the Personal Data, without specific authorisation from their manager or the Data Protection Officer; this includes by phone calls or in emails.
- College Personnel must take all steps to ensure there is no unauthorised access to Personal Data whether by other College Personnel who are not authorised to see such Personal Data or by people outside the College
5.Data Protection Principles
- When using Personal Data, Data Protection Laws require that the College complies with the following principles. These principles require Personal Data to be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary for the purposes for which it is being processed;
- accurate and kept up to date, meaning that every reasonable step must be taken to ensure that Personal Data that is inaccurate is erased or rectified as soon as possible;
- kept for no longer than is necessary for the purposes for which it is being processed; and
- processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- These principles are considered in more detail in the remainder of this
- In addition to complying with the above requirements the College also has to demonstrate in writing that it complies with them. The College has a number of policies and procedures in place, including this Policy and the documentation referred to in it, to ensure that the College can demonstrate its compliance.
6.Lawful use of Personal Data
- The College has carefully assessed how it uses Personal Data and how it complies with the obligations set out in paragraphs 1 and 6.1.
- In most cases the legal grounds for the College processing Personal Data is because
- the processing is necessary for the College to perform its contract with an Individual or
- the processing is necessary for the College to comply with a legal obligation; or
- the processing is necessary for the performance of a task carried out in the public
- the processing is necessary for the health / safety of the Individual and thus processed under vital interest.
- otherwise we will seek the Individual’s consent to process their Personal Data for a
particular purpose.
- The College sets out the legal grounds for processing in the privacy notices on its website and in the enrolment form for students.
- If the College changes how it uses Personal Data, the College needs to update this record and may also need to notify Individuals about the change. If College Personnel therefore intend to change how they use Personal Data at any point, they must notify the Data Protection Officer who will decide whether their intended use requires amendments to be made and any other controls which need to apply
7.Transparent Processing – Privacy Notices
- Where the College collects Personal Data directly from Individuals, the College will inform them about how the College uses their Personal Data. This is in a privacy notice. The College has adopted the following privacy notices: General Privacy Notice, Privacy Notice for Students, Privacy Notice for Staff, Privacy notice for Govenors.
- If the College receives Personal Data about an Individual from other sources, the College will provide the Individual with a privacy notice about how the College will use their Personal This will be provided as soon as reasonably possible and in any event within one month.
- If the College changes how it uses Personal Data, the College may need to notify Individuals about the change. If College Personnel therefore intend to change how they use Personal Data please notify the Data Protection Officer who will decide whether the College Personnel’s intended use requires amendments to be made to the privacy notices and any other controls which need to apply
8.Data Quality – ensuring the use of accurate, up to date and relevant personal data
- Data Protection Laws require that the College only collects and processes Personal Data to the extent that it is required for the specific purpose(s) notified to the Individual in a privacy notice (see paragraph Error! Reference source not found. above) and as set out in the College’s record of how it uses Personal Data. The College is also required to ensure that the Personal Data the College holds is accurate and kept up to date.
- All College Personnel that collect and record Personal Data shall ensure that the Personal Data is recorded accurately, is kept up to date and shall also ensure that they limit the collection and recording of Personal Data to that which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used.
- All College Personnel that obtain Personal Data from sources outside the College shall take reasonable steps to ensure that the Personal Data is recorded accurately, is up to date and
limited to that which is adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used. This does not require College Personnel to independently check the Personal Data obtained.
- In order to maintain the quality of Personal Data, all College Personnel that access Personal Data shall ensure that they review, maintain and update it to ensure that it remains accurate, up to date, adequate, relevant and limited to what is necessary in relation to the purpose for which it is collected and used. Please note that this does not apply to Personal Data which the College must keep in its original form (e.g. for legal reasons or that which is relevant to an investigation).
- The College recognises the importance of ensuring that Personal Data is amended, rectified, erased or its use restricted where this is appropriate under Data Protection Laws. The College has a Rights of Individuals Policy and a Rights of Individuals Procedure which set out how the College responds to requests relating to these issues. Any request from an individual for the amendment, rectification, erasure or restriction of the use of their Personal Data should be dealt with in accordance with those documents
9.Personal Data Must Not Be Kept For Longer Than Needed
- Data Protection Laws require that the College does not keep Personal Data longer than is necessary for the purpose or purposes for which the College collected it.
- The College has assessed the types of Personal Data that it holds and the purposes it uses it for and has set retention periods for the different types of Personal Data processed by the College, the reasons for those retention periods and how the College securely deletes Personal Data at the end of those periods. These are set out in the Data Retention Policy.
- If College Personnel feel that a particular item of Personal Data needs to be kept for more or less time than the retention period set out in the Data Retention Policy, for example because there is a requirement of law, or if College Personnel have any questions about this Policy or the College’s Personal Data retention practices, they should contact the Data Protection Officer for guidance.
10.Data Security
- The College takes information security very seriously and the College has security measures against unlawful or unauthorised processing of Personal Data and against the accidental loss of, or damage to, Personal The College has in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.
11. Data Breach
- Whilst the College takes information security very seriously, unfortunately, in today’s environment, it is possible that a security breach could happen which may result in the unauthorised loss of, access to, deletion of or alteration of Personal If this happens there will be a Personal Data breach and College Personnel must comply with the College’s Data Breach Notification Policy. Please see paragraphs Error! Reference source not found. and 0 for examples of what can be a Personal Data breach. Please familiarise yourself with it as it contains important obligations which College Personnel need to comply with in the event of Personal Data breaches.
- Personal Data breach is defined very broadly and is effectively any failure to keep Personal Data secure, which leads to the accidental or unlawful loss (including loss of access to), destruction, alteration or unauthorised disclosure of Personal Whilst most Personal Data breaches happen as a result of action taken by a third party, they can also occur as a result of something someone internal does.
- There are three main types of Personal Data breach which are as follows:
- Confidentiality breach – where there is an unauthorised or accidental disclosure of, or access to, Personal Data e.g. hacking, accessing internal systems that a College Personnel is not authorised to access, accessing Personal Data stored on a lost laptop, phone or other device, people “blagging” access to Personal Data they have no right to access, putting the wrong letter in the wrong envelope, sending an email to the wrong student, or disclosing information over the phone to the wrong person;
- Availability breach – where there is an accidental or unauthorised loss of access to, or destruction of, Personal Data g. loss of a memory stick, laptop or device, denial of service attack, infection of systems by ransom ware, deleting Personal Data in error, loss of access to Personal Data stored on systems, inability to restore access to Personal Data from back up, or loss of an encryption key; and
- Integrity breach – where there is an unauthorised or accidental alteration of Personal
12.Appointing Contractors Who Access The College’s Personal Data
- If the College appoints a contractor who is a Processor of the College’s Personal Data, Data Protection Laws require that the College only appoints them where the College has carried out sufficient due diligence and only where the College has appropriate contracts in place.
- One requirement of UK GDPR is that a Controller must only use Processors who meet the requirements of the UK GDPR and protect the rights of individuals. This means that data protection due diligence should be undertaken on both new and existing suppliers. Once a Processor is appointed they should be audited periodically to ensure that they are meeting the requirements of their contract in relation to Data Protection.
- Any contract where an organisation appoints a Processor must be in
- You are considered as having appointed a Processor where you engage someone to perform a service for you and as part of it they may get access to your Personal Data. Where you appoint a Processor you, as Controller remain responsible for what happens to the Personal
- GDPR requires the contract with a Processor to contain the following obligations as a minimum:
- to only act on the written instructions of the Controller;
- to not export Personal Data without the Controller’s instruction;
- to ensure staff are subject to confidentiality obligations;
- to take appropriate security measures;
- to only engage sub-processors with the prior consent (specific or general) of the Controller and under a written contract;
- to keep the Personal Data secure and assist the Controller to do so;
- to assist with the notification of Data Breaches and Data Protection Impact Assessments;
- to assist with subject access/individuals rights;
- to delete/return all Personal Data as requested at the end of the contract;
- to submit to audits and provide information about the processing; and
- to tell the Controller if any instruction is in breach of the UK GDPR or member state data protection law.
- In addition the contract should set out:
- The subject-matter and duration of the processing;
- the nature and purpose of the processing;
- the type of Personal Data and categories of individuals; and
- the obligations and rights of the Controller
13.Individuals’ Rights
- UK GDPR gives individuals more control about how their data is collected and stored and what is done with it. Some existing rights of individuals have been expanded upon and some new rights have been introduced. It is extremely important that Colleges plan how they will handle these requests under UK GDPR.
- The different types of rights of individuals are reflected in this
13.3Subject Access Requests
- Individuals have the right under the UK GDPR to ask a College to confirm what Personal Data they hold in relation to them and provide them with the data. This is not a new right but additional information has to be provided and the timescale for providing it has been reduced from 40 days to one month (with a possible extension if it is a complex request). In addition, you will no longer be able to charge a fee for complying with the request.
- Subject Access Requests are becoming more and more common and are often made in the context of a dispute which means that it is crucial that they are handled appropriately to avoid a complaint being made to the ICO.
13.4 Right of Erasure (Right to be Forgotten)
- This is a limited right for individuals to request the erasure of Personal Data concerning them where:
- the use of the Personal Data is no longer necessary;
- their consent is withdrawn and there is no other legal ground for the processing;
- the individual objects to the processing and there are no overriding legitimate grounds for the processing;
- the Personal Data has been unlawfully processed; and
- the Personal Data has to be erased for compliance with a legal
- In a marketing context, where Personal Data is collected and processed for direct marketing purposes, the individual has a right to object to processing at any time. Where the individual objects, the Personal Data must not be processed for such purposes.
13.5 Right of Data Portability
- An individual has the right to request that data concerning them is provided to them in a structured, commonly used and machine readable format where:
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means
- This right isn’t the same as subject access and is intended to give individuals a subset of their
data.
13.6 The Right of Rectification and Restriction
- Finally, individuals are also given the right to request that any Personal Data is rectified if inaccurate and to have use of their Personal Data restricted to particular purposes in certain
- The College will use all Personal Data in accordance with the rights given to Individuals’ under Data Protection Laws, and will ensure that it allows Individuals to exercise their rights in accordance with the College’s Rights of Individuals Policy and Rights of Individuals Procedure. Please familiarise yourself with these documents as they contain important obligations which College Personnel need to comply with in relation to the rights of Individuals over their Personal Data
14.Marketing and Consent
- The College will sometimes contact Individuals to send them marketing or to promote the College. Where the College carries out any marketing, Data Protection Laws require that this is only done in a legally compliant manner.
- Marketing consists of any advertising or marketing communication that is directed to particular When the College undertake any direct marketing it will ensure that:
- It provides appropriate detail to individuals in our privacy notices, including for example whether profiling takes place; and
- it will operate on an ‘opt-in’ basis when seeking consent to continue receiving direct
marketing communications.
- Colleges also need to be aware of the Privacy and Electronic Communications Regulations (PECR) that sit alongside data protection.
- Alternatively, the College may be able to market using a “soft opt in” if the following
conditions were met:
- contact details have been obtained in the course of a sale (or negotiations for a sale);
- the College are marketing its own similar services; and
- the College gives the individual a simple opportunity to refuse to opt out of the marketing, both when first collecting the details and in every message after
15.Automated Decision Making and Profiling
- Under Data Protection Laws there are controls around profiling and automated decision making in relation to Individuals.
Automated Decision Making happens where the College makes a decision about an Individual solely by automated means without any human involvement and the decision has legal or other significant effects; and
Profiling happens where the College automatically uses Personal Data to evaluate certain things about an Individual.
- Any Automated Decision Making or Profiling which the College carries out can only be done once the College is confident that it is complying with Data Protection Laws. If College Personnel therefore wish to carry out any Automated Decision Making or Profiling College Personnel must inform the Data Protection Officer.
- College Personnel must not carry out Automated Decision Making or Profiling without the approval of the Data Protection Officer.
- The College does not carry out Automated Decision Making or Profiling in relation to its employees
16.Data Protection Impact Assessment (DPIA)
- The GDPR introduce a new requirement to carry out a risk assessment in relation to the use of Personal Data for a new service, product or process. This must be done prior to the processing via a Data Protection Impact Assessment (“DPIA”). A DPIA should be started as early as practically possible in the design of a new product/service/process. The process is designed to:
- describe the collection and use of Personal Data;
- assess its necessity and its proportionality in relation to the purposes;
- assess the risks to the rights and freedoms of individuals; and
- the measures to address the
- A DPIA must be completed where the use of Personal Data is likely to result in a high risk to the rights and freedoms of individuals. The ICO’s standard DPIA template is available from ico.org.uk.
- Where a DPIA reveals risks which are not appropriately mitigated the ICO will be
- Where the College is launching or proposing to adopt a new process, product or service which involves Personal Data, the College needs to consider whether it needs to carry out a DPIA as part of the project initiation process. The College needs to carry out a DPIA at an early stage in the process so that the College can identify and fix problems with its proposed new process, product or service at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.
- Situations where the College may have to carry out a Data Protection Impact Assessment include the following (please note that this list is not exhaustive):
- large scale and systematic use of Personal Data for the purposes of Automated Decision Making or Profiling (see definitions above) where legal or similarly significant decisions are made;
- large scale use of Special Categories of Personal Data, or Personal Data relating to criminal convictions and offences e.g. the use of high volumes of health data; or
- systematic monitoring of public areas on a large scale g. CCTV cameras.
- All DPIAs must be reviewed and approved by the Data Protection Officer
17.Transferring Personal Data to a Country Outside the UK
- Data Protection Laws impose strict controls on Personal Data being transferred outside the UK. Transfer includes sending Personal Data outside the UK but also includes storage of Personal Data or access to it outside the UK. It needs to be thought about whenever the College appoints a supplier outside the UK or the College appoints a supplier with group companies outside the UK which may give access to the Personal Data to staff outside the
- So that the College can ensure it is compliant with Data Protection Laws College Personnel must not export Personal Data unless it has been approved by the Data Protection Officer.
- College Personnel must not export any Personal Data outside the UK without the approval of the Data Protection Officer
18. Scope and Limitations
- The policy covers all aspects of personal data that is
18.2 Retention of Records
- The College has a legal requirement to hold data for a range of reasons and is a requirement of certain legal bodies including but not limited Government Funding Organisations and the
- The Data Retention Policy states what data the College holds and how long each different type of data will be kept for.
- At the end of the retention period the data will be disposed of securely following the College
18.3 CCTV
- CCTV is recorded for safeguarding and security requirements on all College sites. Notices are clearly displayed on the entrance to all sites. Data is kept for a maximum of 31 days, unless the data has been requested for an on-going incident or accident, in which case it will be kept until 6 months after the case is closed.
- CCTV can only be accessed by certain
- Further details can be found in the CCTV
18.4 Photography
- Photography for any other purpose other than ID badges or Staff posters will require explicit consent from an individual.
- Consent will be obtained during the enrolment process and stored on the College MIS
- The marketing team and associated contractors will get explicit consent for any marketing
- Staff undertaking trips or visits will obtain a list from the MIS system listing students who have consented to having their photo taken. Students who have opted out will get an additional form signed if they intend to use an image of that individual.
- As part of open events and general photography, signs must be clearly visible and guidelines followed from the Digital Images Procedures.
18.5Financial Data
- Financial Data, particularly credit card payments will be taken securely to comply with the Payment Card Industry Security Standard (PCI).
18.6 Disclosing to Parents
- Data will not be disclosed to parents without explicit consent from the student. This will be given on the enrolment form or in the case of an online ILP system the student giving access to the parent.
- Exceptions to this are where the individual is not legally competent to understand their own data. Learners over the age of 13 will be appropriately assessed for competency in their understanding and the College will make a judgement accordingly
19.Responsibilities
- It is the responsibility of all staff to ensure that all data within the college is held in accordance with UK GPDR guidance.
- The Governing body and Senior Leadership Team are responsible for ensuring that there is the required policy and framework in place to ensure the college is compliant with UK
- The Data Protection Officer is responsible for developing the policies, ongoing monitoring of compliance with UK GDPR in college, recording any breaches and raising awareness across
the college to support compliance.
- There are specific areas of the college that hold a large amount of personal data and the responsibilities for each area and person responsible for ensuring compliance and control of data in each of these areas:-
- Human Resources (Staff Data)– Head of HR
- Student Information (Student Data) – Head of MIS
- Examinations (Student Data) – Exams Manager
- Finance (Staff and Student Data) – Head of Finance
- IT (Security of systems and Data for staff and students) – IT Services Manager
- Estates (Disposal of secure waste and CCTV) – Head of Estates
20.Privacy Notice and Website
- The College will publish and update via its website, the College’s Privacy notices and the Policies relating to data protection.
- Students and Staff when starting at the College will have seen the Colleges data protection statement and have the option of opting in or giving consent for any items not covered by a legal requirement to process
21.Complaints Management Process
- The complaints management process is that any individual can in the first instance complain to the DPO, by emailing protection@oxbridgeic.co.uk
- If they believe that the complaint has not been resolved successfully and wish to escalate the complaint then students and external bodies can use the College’s complaints procedure, which can be found on the College website. Staff will use the complaints procedure by contacting HR.
22. Information Asset Register
- The college’s information asset register lists all data that is held by the college, where it is stored and the area responsible. This list will continue to be updated as new software or data is stored and kept as an up-to-date list. This information is key when the college receives a Subject Access Request as it will identify all data held and where to access the data to ensure the college fully complies with any request
23. Data Sharing Agreements
- The college through contracts has a number of Data Sharing Agreements in These fall into 4 main categories:-
- Suppliers of systems and services
- Sub-contractors
- Awarding Bodies and HE institutions
- Other organisations we share data with
- UK GDPR and data sharing agreements will be written into all contracts and variations to contracts issues for existing contracts.
- The first 3 categories fall under business interests to share data. Any contracts issued under category 4 Other Organisations will require a Data Sharing Agreement.
- The process and approval of data sharing is set out in the Data Sharing Procedures document
24.Records Management Policy
- The Records management policy shows the responsibilities of staff and areas for the recording, usage, storage and disposal of personal data across the college. This is in conjunction with the Information Asset Register, which shows all data stored by area and the right for processing and owner.
25.Monitoring and Review
- The compliance of the policy and regular review will be undertaken in a number of ways to mitigate the risk of data breaches.
- Log of all data protection requests and breaches to be held by the Data Protection Officer
- Monthly checks on all staff that they have completed the annual data protection mandatory training by the data protection officer
- Termly internal audit reviews a year based on high risk areas within the college to be undertaken by the data protection officer and written feedback and changes to be given
- Termly reporting to SLT on UK GDPR update on training, current issues and risks from audits, contingency measures and any potential breaches from the data log
26.Supporting Documents
- Guidance for staff
- Breach Procedure
- Dealing with Subject Access request for data
- Disclosing to parents
- Disposal of Data
- Subject Access Request Form
- Subject Access Removal Form
- Privacy and Fair Processing Statements / Notices
- Data Sharing Log
- Encryption Policy
- Information Asset Register including Data Retention Schedule
- CCTV Policy
- Digital Images Procedures
- Data Privacy Impact Assessment Process (DPIA)
- In addition the College will maintain and update its contract with third parties to ensure that they reflect this policy