Data Protection Policy


  1. Purpose
    1. During the course of the Company’s activities we will collect, store and process Personal Data about our customers, employees, contractors, suppliers and other third parties, and we recognise that the correct and lawful treatment of this data will maintain confidence in the organisation, reduce risks to both the data subjects and the Company, and will provide for successful business operations.
    2. The General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA) replaced the Data Protection Act 1998 on 25 May 2018. In addition, the Privacy and Electronic Communications Regulations (PECR) sit alongside the GDPR and give people specific privacy rights in relation to electronic communications. This Policy specifies how the Company governs and manages personal data within a wider Information Governance and Security framework and in accordance with this legislation.
    3. Definitions for all capitalised terms used in this Policy can be found at Annex A.
  2. Scope
    This Policy applies to:
    1. All Personal Data held and Processed by the Company. This includes expressions of opinions about individuals and of the intentions of the Company in respect of that individual. It includes data held in any system or format, whether electronic or manual;
    2. All members of staff, as well as individuals conducting work at or for the Company and who have access to Personal Data (“you”, “your”). This includes temporary, honorary, visiting, casual, voluntary and agency workers, students employed by the Company and suppliers, as well as students Processing Personal Data as part of their studies (including research). Note this list is not intended to be exhaustive; and
    3. All locations from which Personal Data is Processed – including off-site. Each area of the Company has responsibility, in relation to its own area, for:
      • ensuring Company personnel comply with this Policy; and
      • implementing appropriate practices, processes, controls and training to ensure such compliance.
    4. The governance framework detailed in the Information Governance Framework applies to this Policy.


  1. Personal data protection principles
    1. The Company adheres to the principles relating to Processing of Personal Data set out in the GDPR which require Personal Data to be:
      • processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency);
      • collected only for specified, explicit and legitimate purposes (Purpose Limitation);
      • adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation);
      • accurate and where necessary kept up to date (Accuracy);
      • not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation); and
      • Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality) in accordance with the Company’s Information Security Policy and related guidance.
    2. The Company is responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability).
    3. Full details of the data protection principles and how these should be complied with are contained in the Privacy Guidance.
  2. Transfer limitation
    1. The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.
    2. You may transfer Personal Data outside the EEA only if specific conditions apply. You must comply with the Privacy Guidelines on cross border data transfers.
  3. Data Subject's rights and requests
    1. Data Subjects have rights with regard to how the Company handles their Personal Data. These include rights to:
      • withdraw Consent to Processing at any time;
      • receive certain information about the Company’s Processing activities;
      • request access to their Personal Data that we hold;
      • prevent our use of their Personal Data for direct marketing purposes;
      • ask to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
      • restrict Processing in specific circumstances;
      • challenge Processing which has been justified on the basis of our legitimate interests or in the public interest;
      • request a copy of an agreement under which Personal data is transferred outside of the EEA;
      • object to decisions based solely on Automated Processing, including profiling (ADM);
      • prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
      • be notified of a Personal Data Breach which is likely to result in a high risk to their rights and freedoms;
      • make a complaint to the supervisory authority; and
      • in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine readable format.
    2. You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation).
    3. You must immediately forward any Data Subject request you receive into the Company's Data Subject response process and comply with that process (see the Privacy Guidance).
  4. Reporting a Personal Data Breach
    1. The GDPR requires Data Controllers to notify any Personal Data Breach to the applicable regulator (the Information Commissioner in the UK) and, in certain instances, the Data Subject. If a Data Breach is reportable the Company must make that report to the ICO and/or the Data Subjects within 72 hours of becoming aware of the breach.
    2. We have put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.
    3. If you know or suspect that a Personal Data Breach has occurred, follow the internal notification procedure without delay.
    4. Full details on the Breach Reporting procedure can be found in the Privacy Guidance.
  5. Sharing Personal Data
    1. Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
    2. You may only share the Personal Data we hold with another employee if the recipient has a job-related need to know the information and the transfer complies with any applicable cross border transfer restrictions.
    3. You may only share the Personal Data we hold with third parties, such as our service providers if:
      • they have a need to know the information for the purposes of providing the contracted services;
      • sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject's Consent has been obtained;
      • the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
      • the transfer complies with any applicable cross border transfer restrictions; and
      • a fully executed written contract that contains GDPR-approved third party clauses has been obtained.
    4. You must comply with the Company's guidelines on sharing data with third parties (see the Privacy Guidance).
    5. All other ad-hoc requests for access to Personal Data from third parties (i.e. not from the Data Subject themselves) – including the Police – should be referred to the Company’s Directors.
  6. Accountability
    1. We will implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. The Company is responsible for, and must be able to demonstrate, compliance with the data protection principles.
    2. The Company must have adequate resources and controls in place to ensure and to document GDPR compliance including:
      • appointing a suitably qualified Data Protection Officer (DPO) and an executive accountable for data privacy (the SIRO);
      • implementing Privacy by Design when Processing Personal Data and completing DPIAs where Processing presents a high risk to rights and freedoms of Data Subjects;
      • integrating data protection into internal documents including this Policy, Related Policies, Privacy Guidance, Privacy Notices;
      • regularly training Company personnel on the GDPR, this Policy, Related Policies and Privacy Guidance and data protection matters including, for example, Data Subjects’ rights, Consent, legal basis, DPIAs and Personal Data Breaches. The Company must maintain a record of training attendance by Company personnel; and
      • regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
  7. Record keeping
    1. The GDPR requires us to keep full and accurate records of all our data Processing activities.
    2. You must keep and maintain accurate corporate records reflecting our Processing including records of Data Subjects' Consents and procedures for obtaining Consents in accordance with the Company's record keeping guidance.
    3. These records should include, as a minimum, the name and contact details of the Data Controller and the DPO, clear descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the retention period for keeping Personal Data and a description of the security measures in place. In order to create such records, asset registers and data maps should be created and maintained.
  8. Training and audit
    1. We are required to ensure all Company personnel have undergone adequate training to enable them to comply with data privacy laws. We must also regularly test our systems and processes to assess compliance.
    2. You must undergo all mandatory data privacy related training applicable to your areas of activity and ensure your team undergoes similar mandatory training in accordance with the Company's mandatory training guidelines.
    3. You must regularly review all the systems and processes under your control to ensure they comply with this Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.
  9. Privacy By Design and Data Protection Impact Assessments (DPIAs)
    1. We are required to implement Privacy by Design measures when Processing Personal Data by implementing appropriate technical and organisational measures (like Pseudonymisation) in an effective manner, to ensure compliance with data privacy principles.
    2. We must also conduct DPIAs in respect of high risk Processing.
    3. You should conduct a DPIA (and discuss your findings with the DPO) when implementing any high risk projects involving the Processing of Personal Data including:
      • use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
      • Automated Processing including profiling and Automated Decision Making (ADM);
      • large scale Processing of Sensitive Data;
      • large scale, systematic monitoring of a publicly accessible area; and
      • any other projects (including research) where there may be significant privacy concerns.
    4. You must comply with the Privacy Guidance on DPIAs and Privacy by Design.
  10. Marketing
    1. Where we undertake any electronic or telephone direct marketing activities we will ensure that we comply with both the GDPR and the Privacy and Electronic Communications Regulations (PECR).
    2. PECR restrict unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies.
    3. You will often need specific consent to send unsolicited direct marketing. The best way to obtain valid consent is to ask recipients to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you.
  11. Cookies and similar technologies
    1. Where we employ the use of website cookies or other similar technologies, such as Local Shared Objects, we will comply with both the GDPR and PECR (Regulation 6).
    2. We will ensure that we give clear and comprehensive information about the purposes for which we will use these technologies and we will, where required, seek and record consent to do so.

Roles and Responsibilities

  1. The Company’s Board is responsible for approval of the Policy.
  2. The Board is responsible for strategic-level implementation of the Policy and for oversight of compliance with it.
  3. The Director of Operations holds local responsibility for data protection compliance in respect of Personal Data Processed within the operational teams.
  4. The Company’s Data Protection Officer (DPO) is primarily responsible for advising on and assessing the Company’s compliance with the DPA and GDPR and making recommendations to improve practice in this area. Further, the DPO acts as the Company’s primary point of contact for DPA and GDPR-related matters.
  5. The Executive Directors are responsible for providing advice, support and guidance in relation to day-to-day data protection matters.
  6. Staff
    1. As part of their responsibilities (including research) all staff, whether permanent, fixed-term or temporary workers, who Process Personal Data must comply with this Data Protection Policy and the Related Policies and Privacy Guidance.
    2. Staff who supervise students who will be Processing Personal Data as part of their studies (including research) should inform the DPO and the relevant Information Asset Manager(s) before any Processing is commenced.
  7. Others working for and on behalf of the Company
    1. Others working for and on behalf of the Company, such as contractors, consultants and agents, who will handle Personal Data of which the Company is the Data Controller should operate in accordance with the GDPR, and the details of any such Processing should be subject to a written agreement between the Company and the third party in accordance with the Privacy Guidance (Data Sharing). Such third parties include external supervisors, examiners, suppliers or customers.

Related Policies and Procedures

  1. This Policy supplements and should be read in conjunction with our other policies and procedures in force from time to time, including without limitation the:
    1. Information Governance Framework;
    2. Information Security Policy;
    3. Records Management Policy and Records Retention Schedule; and
    4. Freedom of Information Policy.

Review, Approval & Publication

  1. Review
    1. The Board will be responsible for reviewing this Policy on a periodic basis and at least every two years.
  2. Publication
    1. This Policy will be published on the website. The Company’s Information Governance web pages will maintain prominent links to the Policy as appropriate on both external and internal facing pages.