Data Protection and GDPR Policy

London College of International Education Ltd

Document Reference: LCIE-POL-
Version: 1
Date: August 2025
Following Review: August 2026
Approved by: Managing Director & CEO
Responsible Officer: Operations Manager
Data Protection Officer: Operations Manager

1. Introduction and Purpose

London College of International Education Ltd (LCIE) is committed to protecting the privacy and personal data of all individuals who interact with the college, including learners, staff, applicants, and other stakeholders. This Data Protection and GDPR Policy establishes the framework for lawful, fair, and transparent processing of personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other relevant data protection legislation.

The purpose of this policy is to ensure that all personal data processed by LCIE is handled in accordance with legal requirements and best practices, protecting individuals’ privacy rights while enabling the college to fulfil its educational mission and operational requirements. This policy applies to all personal data processing activities undertaken by the college, regardless of the format in which data is stored or the method by which it is processed.

LCIE recognises that trust is fundamental to its relationships with learners, staff, and other stakeholders, and that protecting personal data is essential to maintaining this trust. The college is committed to implementing appropriate technical and organisational measures to ensure data security and to providing individuals with clear information about how their personal data is used.

This policy covers all personal data processing activities conducted by LCIE, including data collected directly from individuals, data received from third parties, and data generated through the college’s operations. It applies to all staff members, contractors, and third parties who process personal data on behalf of the college.

2. Legal Framework and Compliance

LCIE’s data protection practices are governed by comprehensive legal requirements that establish individuals’ rights and organisations’ obligations regarding personal data processing. Understanding and compliance with this legal framework is fundamental to the college’s approach.

The UK GDPR provides the primary legal framework for data protection in the UK, establishing principles for lawful data processing, individuals’ rights regarding their personal data, and organisations’ obligations.

The Data Protection Act 2018 supplements the UK GDPR and provides additional provisions, including for the education sector, law enforcement processing, and national security exemptions. It also establishes the role and powers of the Information Commissioner’s Office (ICO).

Sector-specific regulations may also apply, including education-specific requirements, professional body regulations, and international transfer obligations.

OTHM requirements for data protection ensure that approved centres maintain appropriate standards for protecting learner data and personal information processed in connection with OTHM qualifications.

International considerations apply where LCIE processes data of individuals located outside the UK or transfers personal data internationally.

Regulatory oversight is provided by the ICO, which can investigate compliance, issue enforcement notices, and impose penalties. LCIE maintains registration with the ICO and cooperates fully with investigations.

3. Data Protection Principles

LCIE’s approach is founded on the principles of data protection law:

• Lawfulness, fairness, and transparency – processing only with a valid legal basis, fair to individuals, and clearly explained.
• Purpose limitation – collected for specific, explicit purposes, not used incompatibly.
• Data minimisation – only necessary data is collected and processed.
• Accuracy – data must be accurate and kept up to date.
• Storage limitation – data is retained no longer than necessary.
• Integrity and confidentiality – appropriate security against loss, destruction, or unauthorised access.
• Accountability – LCIE must demonstrate compliance, including maintaining records and applying data protection by design and by default.

4. Types of Personal Data Processed

Categories include:

• Learner data – contact details, academic history, assessments, attendance, finances, correspondence.
• Prospective learner data – application details, supporting documents.
• Staff data – employment records, payroll, performance, qualifications.
• Applicant data – for job or volunteer roles.
• Visitor data – purpose of visit, contact, and security details.
• Third-party data – e.g., emergency contacts, referees, family.
• Special category data – health, disabilities, ethnicity, religion, processed only with safeguards.

5. Legal Bases for Processing

Processing is carried out under:

• Contract performance – e.g., delivering courses, staff employment.
• Legal obligation – compliance with statutory duties.
• Vital interests – emergencies protecting life/health.
• Public task – activities in the public interest.
• Legitimate interests – balanced against individuals’ rights.
• Consent – freely given, informed, specific consent where other bases do not apply.
• Special category processing – requires additional grounds such as explicit consent or substantial public interest.

6. Individual Rights

Individuals have the following rights:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure (right to be forgotten)
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision-making and profiling

LCIE has clear procedures to facilitate these rights.

7. Privacy Notices and Transparency

LCIE provides privacy notices with:

• Identity of the controller
• Processing purposes and legal bases
• Categories of data
• Recipients
• Retention periods
• Rights of individuals
• Contact details

These are written in plain language, layered where appropriate, updated when practices change, and tailored to different groups (learners, staff, website users, children, etc.).

8. Data Security Measures

LCIE employees:

• Technical measures – access controls, authentication, encryption.
• Network measures – firewalls, intrusion detection, patching.
• Physical measures – secure premises, storage, clear desk/screen.
• Organisational measures – staff training, confidentiality agreements.
• Backups and recovery – tested restoration procedures.
• Incident response – reporting, containment, notification where required.
• Vendor controls – contracts and monitoring of processors.

9. Data Sharing and Third-Party Processing

Data is shared only where necessary, with safeguards in place.

• Internal sharing – on a need-to-know basis.
• Third-party processors – bound by contracts.
• OTHM data sharing – for registration, certification, QA.
• Regulatory reporting – where required by law.
• Emergency sharing – where vital interests demand.
• International transfers – with safeguards (adequacy decisions, SCCs, BCRs).

10. Data Retention and Disposal

• Clear retention schedules are regularly reviewed.
• Different retention periods for learner, staff, and assessment data.
• Secure disposal (shredding, incineration, secure deletion).
• Documentation of disposal activities.
• Regular audits to ensure compliance.

11. Data Protection Impact Assessments (DPIAs)

DPIAs are conducted for high-risk processing, including:

• Systematic monitoring
• Large-scale special category data
• New technologies
• Automated decision-making

The process includes risk identification, stakeholder consultation, mitigation measures, documentation, and ongoing monitoring.

12. Data Breach Management

Procedures include:

• Breach identification and reporting
• Containment and initial response
• Risk assessment
• Notification to ICO within 72 hours where required
• Notification to individuals if they are at high risk
• Remedial actions
• Documentation and analysis for improvement

13. Training and Awareness

• Induction training for all new staff.
• Ongoing updates and refresher training.
• Role-specific training for high-risk roles.
• Awareness campaigns across the college.
• Evaluation and monitoring of effectiveness.
• Training records maintained.
• External training for staff with specialist roles.

14. Monitoring and Compliance

• Regular audits and reviews
• Performance indicators (rights requests, breaches, training)
• Internal audits with reports to management
• External reviews (ICO, auditors, certification)
• Corrective actions tracked
• Reports to senior management
• Continuous improvement of activities

15. Governance and Accountability

• Senior management – ultimate responsibility.
• Data Protection Officer – Operations Manager, with independence and expertise.
• Governance structure – data protection champions, regular reporting.
• Policy framework – comprehensive coverage and support documents.
• Documentation and records – demonstrating compliance.
• Accountability – proactive compliance, regular reviews.
• Stakeholder engagement – transparent consultation and communication.

Document Control

Document History: Version 1 – Initial policy creation (August 2025)

Review Schedule:

• Annual review by Operations Manager (DPO)
• Major review every two years or after significant legal changes
• Ad hoc review following breaches or new guidance

Distribution:

• All staff (mandatory reading)
• College website (public sections)
• Student handbook
• New staff induction materials
• Contractor and third-party agreements

Related Documents:

• Privacy Notices (Learners, Staff, Website Users)
• Data Retention Schedule
• Data Breach Response Procedure
• Information Security Policy
• Records Management Policy

Contact Information:

• Data Protection Officer: Operations Manager
• Email: Info@lcie.ac.uk
• Phone: 07417504912
• Address: London College of International Education Ltd, First Floor Office, Devonshire Street North, Universal Square Business Centre, Manchester, England, M12 6JH