Data Protection Policy

1.     Statement
2.     Aims
3.     Related policies, legislation and guidance
4.     Definitions and Data Protection Principles
5.     Roles and responsibilities
6.     Procedures and requirements for data processing
7.     Sharing personal data
8.     Subject Access Requests (SARs)
9.     CCTV
10.   Photos, videos and marketing materials
11.   Artificial Intelligence (AI)
12.   Data Protection by design and default
13.   Data security, storage, retention and disposal
14.   Personal data breaches
15.   Training and monitoring

Appendix 1: Key staff
Appendix 2: Subject Access Requests process
Appendix 3: Data breach procedure
Appendix 4: Data retention and disposal schedule

1. Statement
The College collects and processes personal data about employees, job applicants, students, parents and carers, agents, suppliers and other individuals for a variety of business purposes.

(Back to menu)

2. Aims
The aim of this policy is to set out how the College seeks to protect personal data collected and ensure that staff understand and comply with data protection law in the processing of personal data to which they have access in the course of their work. In particular, this policy requires staff to consult the Compliance Officer before any significant new data processing activity is initiated to ensure that it meets regulations.

3. Related policies, legislation and guidance
3.1 Related polices

• Artificial Intelligence (AI) Policy
• Child Protection and Safeguarding Policy and Procedures
• Complaints Policy
• e-Safety Policy and Acceptable Use of ICT Agreements
• Equal Opportunities Policy
• Staff Code of Conduct
• Whistleblowing Policy

3.2 Legislation and guidance
This policy has been developed in accordance with relevant government statutory guidance and legislation including: the Data (Use and Access) Act, Data Protection Act and the UK General Data Protection Act Regulations (GDPR); the Freedom of Information Act; the Information Commissioner’s Office (ICO) guidance on GDPR and Surveillance; and the Department for Education (DfE) guidance on Generative artificial intelligence in education.

(Back to menu)

4. Data protection definitions and principles
4.1 Definitions

4.2 Data protection principles
The College must comply with the core data protection principles, as set out by the ICO, that underpin the UK GDPR. These principles state that personal data must be:

• processed lawfully, fairly and in a transparent manner
• used only for the specified, explicit and legitimate reasons it was collected
• appropriate, relevant and limited to fulfil the purpose it has been collected; no more information than is absolutely necessary
• accurate and kept up to date
• kept only only for as long as it is relevant and required; otherwise it should be securely destroyed or deleted
• processed and stored securely to maintain its integrity and confidentiality.

It is further required to ensure appropriate measures are in place and records kept to demonstrate data protection compliance.

(Back to menu)

5. Roles and responsibilities
5.1 Data controller
Ashbourne processes personal data relating to staff, students, parents, carers and other individuals and is therefore a data controller. The College is registered as a data controller with the ICO which it renews according to legal requirements.

5.2 Compliance Officer
The Compliance Officer (CO) is responsible for overseeing the implementation of this policy and monitoring compliance with respect to data protection law. The CO is the first point of contact for anyone whose data is processed by the College, as well as the ICO, and for all members of staff processing personal data.

The CO’s responsibilities include:

• Keeping up to date with data protection responsibilities, risks and issues
• Reviewing all data protection procedures and policies on a regular basis
• Arranging data protection training and advice for all staff members
• Responding to data protection questions from staff and other relevant persons
• Responding to individuals such as parents and guardians, students and employees who wish to know which data is being held about them by the College
• Handling Subject Access Requests
• Checking and approving with third parties that handle the company’s data and any contracts or agreements regarding data processing.

5.3 IT and Facilities Manager
Responsibilities of the IT and Facilities Manager, as delegated by the CO, are to:

• Ensure all systems, services, software and equipment meet acceptable security standards
• Check and scan security hardware and software regularly to ensure it is functioning properly
• Keeping up to date with how third-party services, such as Google Classroom and cloud services, process and store data on behalf of the College
• Carrying out Data Protection Impact Assessments where appropriate.

5.4 Marketing Manager and staff
Responsibilities of the Marketing Manager, as delegated by the CO, and other staff involved in marketing are to:

• Ensure all permissions have been received before using personal data in marketing materials
• Assess and query the appropriateness of using any personal data in marketing material
• Approve data protection statements attached to emails and other marketing copy
• Address data protection queries from parents and guardians, students, prospective employees, target audiences and/or media outlets
• Coordinate with the CO to ensure all marketing initiatives adhere to data protection laws and this Data Protection Policy.

5.5 Staff
In the conduct of their roles, all operations and teaching staff are responsible for:

• Ensuring they collect, store and process personal data in accordance with this policy
• Updating the College with respect to any changes in their own personal data that is processed
• Following data protection procedures with respect to preparing material for and during the official examinations process
• Contacting the CO with specific concerns relating any aspect of processing personal data, for example:
  • Queries about data protection law and regulations, retaining or securing personal data;
  • Checking whether there is a lawful basis for using personal data in a particular circumstance;
  • Verifying whether they can initiate a new data processing activity and how it may affect privacy rights;
  • Consultation and confirmation regarding consent and privacy notices;
  • Referring SARs;
  • Transferring personal data outside of the College and the UK
  • Advice on agreeing contracts or sharing personal data with third parties
  • Raising concerns if this policy is not being followed
  • Reporting a personal data breach.

(Back to menu)

6. Procedures and requirements for data processing
6.1 The processing of all data
Ashbourne will only process personal data where it has a lawful basis to do so under data protection law, for example to provide information to the Department of Education. The College will ensure that the processing of data has no adverse effect on any individual and, where appropriate, will be transparent in how data is processed, for example through the consent and privacy notices.

The processing of all data must be necessary to:

• Fulfil contracts agreed with individuals and to deliver services
• Comply with legal obligations
• Meet the legitimate interests of the College, or associated third parties, without unduly prejudicing the individual’s privacy
• Ensure the vital interests of the individual, i.e. protection of those in the College’s care.

6.2 Special category (sensitive) personal data
The College will only process sensitive personal data under conditions prescribed by data protection law.

Where the College processes sensitive personal data it will require the data subject’s explicit consent to do so, unless exceptional circumstances apply or the College is required to do this by law. Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

It is sometimes necessary to process information about a person’s criminal convictions, race, gender and family details. This may be to ensure that the College is a safe place for everyone and/or to meet legal requirements pertaining to equal opportunities, child protection and safeguarding.

The College will also ask for information about particular physical and mental health needs including allergies, conditions or disabilities. The College will only use the information for the protection of the health and safety of the individual, but will need consent to process this information, for example in the event of a medical emergency. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the College to do this. Offers of employment or places to study at the College may be withdrawn if an individual refuses to consent to this without good reason.

6.3 Privacy Notice
Ashbourne’s terms of business contains a Privacy Notice to students, staff, contractors and all other individuals dealing with the College on data protection. These notices are typically provided on registration or at start of employment.

The notices:

• Set out the purposes for which we hold personal data on students  and employees
• Highlight that the work may require the College to give information to third parties such as professional advisers and external agencies
• Provide that students and staff have a right of access to the personal data that the College holds about them.

6.4 Conditions for processing personal data
Before data may be processed one of the following conditions must be met:

1. The individual (data subject) has given their consent.
2. The processing is necessary in relation to a contract.
3. The processing is necessary because of a legal obligation.
4. The processing is necessary to protect the individual’s vital interests.
5. The processing is necessary for the administration of justice or other statutory functions.
6. Any other legitimate interest.

6.5 Conditions for processing sensitive personal data
Because such information might be used in a discriminatory way, these are more stringent and must include one of the following conditions:

1. The individual has given consent.
2. The processing is required by employment law.
3. The processing is necessary to protect the vital interests of the individual or third party.
4. The individual has made the information public.
5. The processing is necessary for statutory reasons.
6. The processing is carried out with a third party who is bound by a professional code of conduct (a doctor for example).
7. The processing is required to monitor equal opportunities.
8. The processing is necessary to prevent crime or protect the public.

6.6 Accuracy and relevance
Ashbourne will ensure that any personal data it processes is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. The College will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that the College correct inaccurate personal data relating to them. If it is believed that information is inaccurate it should be recorded and brought to the attention of the CO.

(Back to menu)

7. Sharing personal data
Generally all personal data collected and processed by the College will be subject to the Data Protection Act. There are some circumstances, however, when it may be exempted.

7.1 Exemptions include:
References – the College may be asked for references (a confidential reference given by the College to a third party regarding education, employment/training, appointment to a public office, a service being provided by the data subject) that will remain confidential.

References the College has received and kept on file are not exempt. The College must, however, ensure that the rights of the referee are considered. Information about the individual referee should not be disclosed without explicit consent (anonymising the information is acceptable). The College cannot refuse to disclose confidential references without providing reasons.

Vital interests – personal data may be released if it is in the vital interests of the individual e.g. a medical emergency.

Crime and taxation – personal data may have to be disclosed to government departments or the Police where legally required to do so. Data will only be released on the basis of properly drawn up requests.

Under 19 students – the College will normally release information about a student’s progress and attendance to parents or guardians of students under 19 years of age on the previous 31st August.

Safeguarding – information shared in good faith with an appropriate person or authority in order to safeguard (e.g. prevent harm, promote welfare, identify risk for prevention of harm) a child (up to 18 years old) does not breach UK data protection law.

7.2 Transferring data internationally
The CO must be consulted before any personal data is transferred internationally and any transfers will be done in accordance with UK law.  

(Back to menu)

8. Subject Access Requests (SARs)
Individuals are entitled to request access to information the College holds about them or someone they are legally responsible for, subject to certain exceptions. The procedure for making and dealing with SARs is set out in Appendix 2.

9. CCTV
Ashbourne uses CCTV in various locations at the College primarily for security and safety purposes. The College adopts, where applicable, the ICO’s code of practice for its use.

This section serves as a notice and a guide to data subjects (including students, staff, visitors and members of the public) regarding their rights in relation to personal data recorded via the CCTV system.

All fixed cameras are in plain sight on premises and Ashbourne does not routinely use CCTV for covert monitoring or monitoring of private property outside the College.

Data captured for the purposes below will not be used for any commercial purpose.
Objectives of the system:

• To protect students, staff, visitors and members of the public with regard to their personal safety
• To protect the College buildings and equipment, and the personal property of staff, visitors and members of the public
• To support the police in preventing and detecting crime, and assist in the identification and apprehension of offenders
• To monitor the security of the site
• To monitor staff and contractors when carrying out work duties
• To promote good behaviour of students.

Locations have been selected that the College reasonably believes require monitoring to address the stated objectives.

Warning signs are placed in prominent positions to inform anyone entering the area, such as students, staff, visitors and members of the public that they are entering a monitored area, identifying the College as the Data Controller and giving contact details for further information regarding the system.

No images will be captured from areas in which individuals would have a heightened expectation of privacy, including changing and washroom facilities.

Maintenance
The CCTV system will be operational 24 hours a day, every day of the year.
The System Manager (defined below) will check and confirm that the system is properly recording and that cameras are functioning correctly, on a regular basis.
The system will be checked and (to the extent necessary) serviced, annually.

Supervision of the system
Staff authorised by the College to conduct routine supervision of the system may include:
Images will be viewed and/or monitored in a suitable environment where it is unlikely they will be accessed or inadvertently viewed by unauthorised persons.

Storage of Data
The system is administered and managed by the College, who will act as the Data Controller. The day-to-day management of images will be the responsibility of the IT and Facilities Manager who will act as the System Manager, or such suitable person as the System Manager.

Images will be stored for two weeks, and automatically over-written unless the College considers it reasonably necessary for the pursuit of the objectives outlined above, or if lawfully required by an appropriate third party such as the police or local authority.

Where such data is retained, it will be retained in accordance with data protection laws. Information including the date, time and length of the recording, as well as the locations covered and groups or individuals recorded, will be recorded in the system log book.

Access to images
Access to stored CCTV images will only be given to authorised persons, under the supervision of the System Manager, in pursuance of the above objectives (or if there is some other overriding and lawful reason to grant such access).

The System Manager must satisfy themselves of the identity of any person wishing to view stored images or access the system and the legitimacy of the request. The following are examples when the System Manager may authorise access to CCTV images:

• Where required to do so by the Principal, the Police or some relevant statutory authority and in accordance with the law;
• To make a report regarding suspected criminal behaviour;
• To enable the Designated Safeguarding Lead or appointed deputy to examine behaviour which may give rise to any reasonable safeguarding concern;
• To assist the College in establishing facts in cases of unacceptable student behaviour, in which case the parents/guardian will be informed as part of the College’s management of a particular incident;
• To data subjects (or their legal representatives) pursuant to an access request under data protection law provided that the time, date and location of the recordings is furnished to the College appropriately;
• To the College’s insurance company where required in order to pursue a claim for damage done to insured property;
• In any other circumstances required under law or regulation.

Where images are disclosed a record will be made in the system log including the person viewing the images, the time of access, the reason for viewing the images, the details of images viewed and a crime incident number (if applicable).

Where images are provided to third parties, and wherever practicable, steps will be taken to obscure images of non-relevant individuals.

Other CCTV systems
The College may be provided by third parties with CCTV images and will manage these in accordance with this policy and the Student Behaviour and Exclusions Policy.

For example, many pupils travel on coaches provided by third party contractors and a number of these coaches are equipped with CCTV systems. The College may use these in establishing facts in cases of unacceptable student behaviour, in which case the parents/guardian will be informed as part of the College’s management of a particular incident. Parents are informed of this as part of the Coach Service Registration document, to which they agree when registering their child service.

(Back to menu)

10. Photos, videos and marketing materials
10.1 Marketing and promotion
The College may take photos and video recordings involving students, parents and staff during college activities and for promotional interviews.

Uses may include:

• Internal newsletters and events fliers
• The College website and social media
• Promotional brochures and prospectus

The College will obtain written consent from students, parents and staff for photos and videos to be used for any marketing and/or promotional purposes.

The College will avoid accompanying photos and videos with any identifiable information for external promotional materials unless consent has been made.

Consent can be refused or withdrawn at any time. The College will remove and/or delete photographs and videos for further use and distribution, where possible.

The College will not send direct marketing materials to someone electronically (e.g. via email) unless there is an existing business relationship with them in relation to the services being marketed or an understanding that parties have given consent.

10.2 Non-College photos and videos
Any photos or videos taken by students, parents and staff at college events for their own personal use are not covered by data protection legislation. The College requests, however, that these are not shared publicly on social media for safeguarding reasons unless explicitly agreed by those involved.

10.3 Prohibited photography and video
10.3.1 ‘Smart’ glasses and other wearables
‘Smart’ glasses and other wearables that can record audio-visual information without consent are not permitted at the College. Wearables that record, and access information from the internet or other sources, pose data protection concerns and are a potential threat to academic integrity with respect to exams.

(Back to menu)

11. Artificial Intelligence (AI)
Generative AI tools, such as ChatGPT and Google Gemini, are now widely used and accessible. Whilst these tools offer many benefits for learning and working they also pose challenges and risks to data protection and may have wider safeguarding repercussions.

Generative AI tools are open systems and are not private. Any information uploaded to them will be used to train the tool in order to generate content for others to access and use. For more information please refer to the College’s Artificial Intelligence (AI) Policy.

To ensure that the personal and sensitive data processed by the College remains secure, staff are not permitted to enter this data into any generative AI tools or chatbots.

If personal or sensitive data is entered into an unauthorised generative AI tool, this will be treated as a personal data breach.

(Back to menu)

12. Data Protection by design and default

The College puts in place measures to integrate data protection in its processing of activities and business practices in order to ensure they are effective and safeguard individual rights, as required by UK GDPR. This includes, for example:

• ensuring that the CO has the necessary resources and expertise to carry out their duties; and that they are properly signposted as the main contact responsible for data protection at the College.
• providing clear and widely available information about how the College processes personal data and individuals’ rights, for example this policy, privacy notices, agreements and informational webinars
• only processing personal data that the College needs for its purposes, and only using that data for those purposes
• carrying out data protection impact assessments (DPIA) to assess and mitigate risks of activities involving data processing
• ensuring that personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals should not have to take any specific action to protect their privacy
• regularly training staff on data protection law and the practical implementation of this in their role; keeping records of such training
• auditing and reviewing data protection measures and practices to ensure compliance
• putting in place appropriate measures for transferring personal data within and outside the UK.

(Back to menu)

13. Data security, storage, retention and disposal
13.1 Data security and storage
All members of the Ashbourne community must keep personal data secure against unauthorised or unlawful processing, access and disclosure as well as accidental and unlawful loss, destruction or damage.

Measures to maintain data security and storage involve ensuring that all records that contain personal data are kept securely and away from general access when not in use. This includes, for example:

• not leaving paper records in classrooms, staff rooms, by photocopiers or on admin work desks
• locking filing cabinets
• never saving data directly to mobile devices, tablets or smartphones
• protecting digital devices and drives using encrypted software, firewalls and strong passwords; those using their own devices to store personal information are expected to comply with the same security procedures
• keeping and maintaining servers in a secure location and securing data with encrypted software and strong firewalls
• regularly backing up data
• being alert to phishing emails, scammers and hackers
• not sharing personal data with third parties without consultation with the CO*
• not uploading or revealing personal data when using AI tools
• reporting data breaches to the CO immediately.

*Where other organisations process personal data as a service on the College’s behalf, the CO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations. For example, payment of pensions and salaries are outsourced to third parties.

13.2 Data retention and disposal
13.2.1 Data retention
Staff records will be retained for 6 years after leaving unless there are ongoing allegations relating to criminal offences.

Student records will be retained for 6 years after leaving, unless there are ongoing safeguarding concerns, or when the student reaches 25 years old.

See Appendix 4 for a full schedule of retention.

13.2.2 Data disposal
Personal data that is no longer needed will be disposed of securely either by shredding for printed materials or irretrievably deleting digital material or wiping hardware.

(Back to menu)

14. Personal data breaches
The College takes every care to protect personal data and to avoid a data protection breach. In the unlikely event of data being lost or shared inappropriately the College will follow the procedures set out in Appendix 3 to minimise any associated risk as soon as possible. Where appropriate, breaches will be reported to the ICO within 72 hours.

Examples of potential breaches that may arise include:

• Loss or theft of a device holding personal data
• Unauthorised access by a third party
• Loss of availability of personal data due to unforeseen circumstances such as equipment failure, fire or flood
• Sending personal data to incorrect recipient (human error)
• Alteration of personal data without permission
• Deliberate or accidental action by the data processor or controller
• Disclosure of information as obtained by deception – ‘blagging’ offences
• Disclosure of information inadvertently (human judgement error)

Ashbourne will carry out certain activities to mitigate such circumstances, for example:

• creating a data recovery plan
• proper assessment of risks
• notifying all related parties such as the ICO, relevant data subjects, the police, banks
• instituting a proper procedure of evaluation and response
• regularly updating the protocol in relation to breach of security
• ensuring computer databases are password-protected.

(Back to menu)

15. Training and monitoring
15.1 Training
All staff undertake compulsory data protection training as part of their induction. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.

Training is provided through an in-house seminar and covers:

• Data protection law
• The College’s data protection and related policies and procedures.

This includes understanding what personal and sensitive data are, how they may be used, how to keep data secure and individuals’ rights relating to their data, as well as the repercussions and consequences of failing to comply with data protection law and possible internal disciplinary action.

15.2 Monitoring
The CO is responsible for monitoring and reviewing this policy.

Data Protection registration no.: Z1019160

(Back to menu)

 

 

Appendix 1: Key staff
Compliance Officer (C0) – Mike Kirby, Principal
IT and Facilities Manager – Fabio Carpene
Head of Administration – Hien Nguyen
Designated Safeguarding Lead – Fran Burns

Appendix 2: Subject Access Request process
A1. Subject Access Request (SAR) – individuals have the right to know what personal data is held about them, why, how it is used and to gain access to that information. This includes, for example:

• What type of personal data is processed
• Access to a copy of the data
• Purposes of the data processing
• How has the data been, or will be, shared
• How long will the data be stored and/or how this is determined
• How to correct, remove, restrict access to the data
• The source of the data
• How the data is being safeguarded

A2. Data subjects – SARs may come from students, anyone with parental responsibility for a child (either for themselves or on behalf of their child), employees, third parties representing or acting on behalf of another person, and anyone else whose personal data the College processes.

A3. Request formats – SARs should preferably be made in writing, however they may come in any format, including verbally.

A4. Required information – SARs should include:

• Name of the individual
• Address
• Contact number and email
• Details of the information requested

Clarification – where a SAR is non-specific about the information required the College may ask for clarification. As the College typically holds a large quantity of data this may help provide more accurate information for the requester and speed up the process.

A5. Responsibility for SARs – staff should refer SARs immediately to the CO.

A6. Available information – the College is able to provide access to data held digitally and/or on paper, where this exists. This does not include safeguarding notes and correspondence which must be requested separately and will be released at the discretion of the College.

The College does not collect information for SARs from GoogleChat content, which is automatically deleted every 24 hours. The College prohibits using this platform to discuss safeguarding issues, and so on this risk assessed basis the content is not stored for any longer than 24 hours.

A7. Data corrections – Students and staff should contact the CO if they would like to correct or request information that the College holds about them. There are also restrictions on the information to which individuals are entitled under applicable law.

A8. Timeframe – the College aims to respond to SARs as quickly as possible, but will ensure they are managed within one calendar month of receiving the request, unless there is good reason for delay such as redaction of information that relates to other parties. In such cases, the College will inform the data subject in writing of the cause of the delay.

A9. Students and SARs – the College understands that information about students belongs to them so any request for their personal data by a related or independent third party may only be granted with the consent of the student.
This provision is subject to:

• The student’s maturity
• The nature of the personal data
• Any court orders
• The College’s duty of confidence to the student
• The consequences of disclosing the information especially in cases of suspected abuse
• Any detriment to the student should the third party not have access to the information
• The views of the student

A request for information which involves others may be declined unless the College has the other’s consent.

A10. Other rights

1. A right to object to the processing of information. Any such objection must be provided in proper written form and, depending on circumstances defined by the data protection law, may not always be granted.
2. In certain circumstances a right to have inaccurate information rectified, blocked, erased or destroyed.
3. Right to claim compensation.
4. Right not to participate in any marketing

(Back to menu)

Appendix 3: Data breach procedure
This procedure has been developed in accordance with guidance from the ICO.

A1. Identifying a personal data breach
The ICO broadly defines a personal data breach as ‘a security incident that has affected the confidentiality, integrity or availability of personal data’. This includes when personal data is:

• accidentally lost, destroyed, altered or disclosed
• someone accesses the data or shares it without proper authorisation
• made unavailable (for whatever reason) and this results in significant negative effects on individuals.

A2. Reporting a personal data breach
Suspected and/or actual personal data breaches must be reported to the CO immediately. Where a breach has occurred or is uncovered outside of normal working hours, the CO should be informed as soon as possible.

A3. Risk-assessing data breaches
The CO will investigate the report and determine whether a breach has occurred and the nature of that breach.

This includes whether the personal data has been accidentally or unlawfully lost, stolen, destroyed, altered, disclosed, shared inappropriately and/or made available to unauthorised third parties.

The CO should further examine the circumstances to consider the extent and potential negative consequences of any breach in order to establish what immediate measures or response is required and whether the ICO should be notified. This includes looking at:

• the type of personal data involved
• how sensitive the data is
• what existing protections are in place
• what has happened to the data
• whether the data could be put to any illegal or inappropriate use
• how many people are affected;
• who has been affected (e.g., students, staff members, parents) and whether there are wider consequences to the breach

A clear record should be made of the nature of the breach and the decisions and actions taken to manage and mitigate.

A4. Immediate containment and/or recovery
If a breach has occurred, or is likely to occur, the CO will make all reasonable efforts, with the support of other members of staff and/or other data processors, to resolve and/or minimise the impact of the breach, and seek external advice where appropriate.
This may involve, for example:

• restoring information using back-ups
• alerting relevant technicians or staff
• changing access, passwords and entry codes
• closing down an IT system
• contacting the police, local safeguarding partners and providers, such as banks, where serious breaches and illegal activity may have been involved.

Where a personal data breach involves sensitive data, such as safeguarding records or information, the CO should consult with the Designated Safeguarding Lead to discuss whether to inform relevant local safeguarding partners and further action required.

A5. Reporting a breach to the ICO
Not all personal data breaches lead to risks beyond possible inconvenience and may not need to be reported to the ICO. Other breaches may significantly affect those whose data has been compromised and will need to be reported to the ICO.

The CO will use the ICO’s self-assessment tool to ascertain whether or not the breach should be reported. This is based on the likelihood of risk to individuals’ rights and freedoms.

Serious breaches must be reported to the ICO within 72 hours either by using the report a breach tool or by phone (0303 123 1113).

The CO will include a full description of the personal data breach, where feasible, including the:

• type of data involved
• number of individuals affected
• potential negative consequences
• immediate measures being taken.

All breaches must be recorded and include reasons justifying the decisions made even when they are not reported to the ICO.

A5. Alerting those whose personal data has been affected
Where a breach is considered likely to result in a ‘high risk’ to individuals’ rights and freedoms, those individuals must be informed directly as soon as possible to mitigate further risk. The ICO must also be notified within 72 hours, if not already done so.

The information provided to individuals should clearly communicate the nature of the breach, its potential consequences, what measures are being taken to manage the breach and mitigate against further risk and how to get in contact with the CO. The individuals should be offered access to advice about how to protect themselves as well as the opportunity to make a formal complaint if they wish following the College’s Complaints Procedure.

A6. Review and Evaluation
Following a breach, the CO should review both the causes of the breach and effectiveness of the response and consult with the senior leadership team to evaluate what action is required or measures that need to be put into place going forward.

If a breach warrants disciplinary investigation, this will be conducted in line with the relevant policy and procedures, such as the Complaints Policy, Staff Code of Conduct, Staff Disciplinary and Dismissal Policy and the Student Behaviour and Exclusions Policy.

(Back to menu)

Appendix 4: Data retention and disposal schedule
1. Students

 

2. Staff

 

3. Finance

 

4. Health & Safety

 

(Back to menu)