Data Protection (UK GDPR)
The internal governance framework for how The Data and AI School of London, as an NCFE-approved centre, processes all personal data under UK GDPR and the Data Protection Act 2018.
| Policy Owner | Head of Centre and Data Protection Officer (Ali Fraz Khan FHEA) |
|---|---|
| Approved By | Head of Centre |
| Date Effective | 30 June 2026 |
| Review Cycle | Annual |
| Next Review | 30 June 2027 |
| Related Documents | DAIS-PRIV-001 Privacy Notice, DAIS-POL-011 Safeguarding, DAIS-SD-011 Data Breach Incident Report, DAIS-SD-013 Complaints Register |
| Legal Reference | UK GDPR, Data Protection Act 2018, Privacy and Electronic Communications Regulations 2003 |
| ICO Registration | ZC086597 |
1. Purpose and Scope
The purpose of this policy is to set out the framework through which The Data and AI School of London (referred to in this policy as "the school", "the centre", "we", "us", or "our") processes personal data lawfully, fairly, and transparently across all of its operations as an NCFE-approved centre delivering qualifications wholly online.
This policy applies to all personal data processed by the centre, in any format and on any platform, including the personal data of prospective learners, enrolled learners, staff and associate tutors, Business Partners, and any other individual whose data we process. It applies to all members of staff, contractors, and third parties who process personal data on our behalf.
This is our internal governance policy. It sits alongside our public-facing Privacy Notice (DAIS-PRIV-001), which explains our data processing to website visitors, prospective learners, and applicants. Where the two documents overlap, this policy governs the centre's internal obligations and controls.
2. Definitions
| Personal data | Any information relating to an identified or identifiable living individual. |
|---|---|
| Special category data | Personal data revealing racial or ethnic origin, health, religious beliefs, and similar sensitive categories, which require additional protection. |
| Data subject | The living individual to whom the personal data relates. |
| Controller | The party that determines the purposes and means of processing personal data. The centre is the controller for the data it processes. |
| Processor | A party that processes personal data on behalf of the controller, such as a cloud platform provider. |
| Processing | Any operation performed on personal data, including collection, storage, use, disclosure, and deletion. |
| Personal data breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. |
| DPO | Data Protection Officer, the person responsible for overseeing data protection within the centre. |
| ICO | The Information Commissioner's Office, the United Kingdom's independent supervisory authority for data protection. |
| SAR | Subject Access Request, a request by a data subject to access the personal data we hold about them. |
3. Roles and Responsibilities
3.1 Data Protection Officer
The Data Protection Officer (DPO) is responsible for overseeing the centre's compliance with data protection law. The DPO advises the centre on its obligations, monitors compliance, acts as the point of contact for data subjects and for the ICO, and handles Subject Access Requests, data protection complaints, and data breaches. The current DPO is the Head of Centre, contactable at [email protected].
3.2 Head of Centre
The Head of Centre holds ultimate accountability for data protection within the centre. The Head of Centre approves this policy, ensures that adequate resources are in place to meet the centre's obligations, and promotes a culture of data protection across all operations.
3.3 All staff
All members of staff are responsible for handling personal data in accordance with this policy. This includes completing data protection training, accessing only the personal data required to perform their role, keeping personal data secure, and reporting any actual or suspected personal data breach to the DPO without delay.
4. Legal Framework
The centre processes personal data in accordance with the following legislation:
| Legislation | Relevance |
|---|---|
| UK General Data Protection Regulation (UK GDPR) | The primary legislation governing the processing of personal data in the United Kingdom. |
| Data Protection Act 2018 | Supplements UK GDPR and sets out the United Kingdom's national provisions for data protection. |
| Privacy and Electronic Communications Regulations 2003 (PECR) | Governs electronic marketing, cookies, and electronic communications. |
The centre is registered with the ICO under registration number ZC086597.
5. Lawful Basis for Processing
The centre identifies and records an appropriate lawful basis before processing personal data. The lawful basis relied on depends on the category of data subject and the purpose of processing:
| Category of processing | Lawful basis |
|---|---|
| Enrolling learners and delivering their qualifications | Performance of a contract, and compliance with a legal obligation for awarding-organisation registration and certification. |
| Registering learners with NCFE and issuing certificates | Compliance with a legal obligation and the centre's regulatory requirements. |
| Managing staff and associate tutors | Performance of a contract and compliance with legal obligations. |
| Responding to enquiries from prospective learners | Legitimate interests, or steps taken at the request of the individual prior to entering a contract. |
| Marketing communications | Consent, which can be withdrawn at any time. |
| Special category data (for example, to make reasonable adjustments) | Explicit consent, or another condition under Article 9 of UK GDPR and the Data Protection Act 2018. |
6. Data Processing Principles
The centre applies the principles set out in Article 5 of UK GDPR to all processing of personal data.
6.1 Lawfulness, fairness and transparency
We process personal data lawfully, fairly, and in a transparent manner. We identify a lawful basis before processing and inform data subjects, through our Privacy Notice and other means, of how their data is used.
6.2 Purpose limitation
We collect personal data only for specified, explicit, and legitimate purposes, and we do not process it in a manner incompatible with those purposes.
6.3 Data minimisation
We collect and process only the personal data that is adequate, relevant, and limited to what is necessary for the purpose concerned.
6.4 Accuracy
We take reasonable steps to keep personal data accurate and up to date, and to correct or erase inaccurate data without delay.
6.5 Storage limitation and retention
We keep personal data only for as long as is necessary for the purposes for which it is processed, including any period required by our awarding organisation, our regulatory obligations, or applicable law. Retention periods are recorded in the centre's retention schedule, and data is securely deleted or anonymised at the end of its retention period.
6.6 Integrity and confidentiality
We process personal data securely, using appropriate technical and organisational measures. These include access controls on a least-privilege basis, multi-factor authentication for staff accounts, encryption of data in transit and at rest where supported by our platforms, and regular review of user access.
6.7 Data Subject Rights
We uphold the rights of data subjects under UK GDPR. Individuals have the right of access (through a Subject Access Request), and the rights to rectification, erasure, restriction of processing, data portability, and to object to processing. Requests should be made to the DPO at [email protected]. We respond to a valid request without undue delay and within one calendar month, and we do not charge a fee for a request unless it is manifestly unfounded or excessive.
6.8 Data Breach Procedure
All staff must report any actual or suspected personal data breach to the DPO immediately on becoming aware of it. On receiving a report, the DPO takes steps to contain the breach, assesses the risk to the rights and freedoms of affected individuals, and records the breach in the Data Breach Incident Report (DAIS-SD-011).
- Where the breach is likely to result in a risk to the rights and freedoms of individuals, the DPO notifies the ICO within 72 hours of the centre becoming aware of the breach.
- Where the breach affects data connected to our NCFE provision, the DPO notifies NCFE within 24 hours, in line with Centre Agreement v2.1, Schedule 4.
- Where the breach is likely to result in a high risk to individuals, we notify the affected data subjects without undue delay.
Every breach, and the actions taken in response, is logged and reviewed so that lessons are learned and controls are improved.
6.9 Staff Responsibilities
Staff must complete data protection training, follow this policy and related procedures, keep personal data secure at all times, apply a clear-desk and clear-screen approach, and never disclose personal data to any person who is not authorised to receive it. Any concern about the handling of personal data must be raised with the DPO.
6.10 Data Protection Complaints
6.10.1 Scope of this section
This section sets out the process for raising and handling complaints about how the school processes personal data. A data protection complaint is distinct from a Data Subject Rights Request (covered in Section 6.7). A complaint is raised where a learner, member of staff, or other individual believes that their personal data has been mishandled, processed unlawfully, or that the school has failed to comply with its obligations under UK GDPR or the Data Protection Act 2018.
6.10.2 How to raise a data protection complaint
A complaint should be submitted in writing to the Data Protection Officer (DPO) at [email protected], with the subject line "Data Protection Complaint". Complaints should include: the name and contact details of the complainant; a clear description of the data protection concern; the date or period over which the concern arose; any supporting evidence; and a statement of the outcome sought. The current Data Protection Officer is the Head of Centre, who can also be contacted by post at Office LG06, 1 Quality Court, Chancery Lane, London, WC2A 1HR.
6.10.3 Internal handling process
- The DPO acknowledges receipt of the complaint in writing within 3 working days, confirming the date received and the timescale for response.
- The DPO investigates the complaint, which may include reviewing the school's Register of Processing Activities, examining platform logs, consulting with any third-party processor involved, and interviewing relevant staff.
- The DPO issues a written response within 30 calendar days of the original complaint, setting out the findings of the investigation, the action taken or planned, and the complainant's right of escalation.
- Where the complaint is complex or requires more time to investigate fully, the response period may be extended by up to a further 60 calendar days. In such cases, the complainant is informed in writing of the extension, the reason, and the new response deadline within the original 30-day window.
- Where the complaint involves the Data Protection Officer personally, the investigation is conducted by an independent third party agreed by the Head of Centre and the complainant.
6.10.4 Escalation to the Information Commissioner's Office
If the complainant is not satisfied with the school's response, or if no response has been received within the 30 calendar day period (or extended period notified to the complainant), they have the right to escalate the complaint to the Information Commissioner's Office (ICO).
The ICO is the United Kingdom's independent supervisory authority for data protection. The school will not penalise, retaliate against, or otherwise disadvantage any individual who chooses to escalate a complaint to the ICO.
- Telephone: 0303 123 1113 (Monday to Friday, 09:00 to 17:00)
- Website: ico.org.uk
- Email: [email protected]
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
6.10.5 Record keeping
All data protection complaints are logged in the Complaints Register (DAIS-SD-013), with the following recorded: the date of receipt; the nature of the complaint; the investigation steps taken; the outcome and response date; any onward escalation to the ICO; and any improvement actions arising. Records of data protection complaints are retained for a minimum of 3 years from the date of resolution, in line with the retention schedule in Section 6.5 of this policy.
7. Third-Party Data Processors and Data Processing Agreements
As an online centre, we rely on third-party cloud platforms and service providers to process personal data on our behalf, for example our virtual learning environment, email and communication tools, and payment provider. We carry out due diligence before engaging any processor and put in place a written Data Processing Agreement that meets the requirements of Article 28 of UK GDPR. Each agreement requires the processor to act only on our documented instructions, to apply appropriate security measures, to assist us in meeting our obligations, and to delete or return personal data at the end of the engagement.
One such processor is Anthropic PBC, based in the United States, which powers our AI chatbot ("Talk to my AI"). Only the chat message content a visitor types is transmitted to Anthropic for processing; no IP address, browser data, or tracking cookies are collected, and the chatbot loads only after the visitor accepts cookie consent. The transfer is made under our Data Processing Agreement with Anthropic and is safeguarded by Anthropic's participation in the EU-US Data Privacy Framework and equivalent UK arrangements. See also Section 8 (International Data Transfers).
8. International Data Transfers
Where personal data is transferred outside the United Kingdom, we ensure that an appropriate safeguard is in place. This means the transfer is made to a country covered by United Kingdom adequacy regulations, or is protected by an International Data Transfer Agreement or the United Kingdom Addendum to the Standard Contractual Clauses, together with a transfer risk assessment where required.
9. Training and Awareness
All staff complete data protection training as part of their induction and at least annually thereafter. Training covers this policy, the principles of UK GDPR, how to recognise and report a data breach, and the handling of Subject Access Requests and complaints. Records of training completion are retained by the centre.
10. Monitoring, Review and Continuous Improvement
The DPO monitors the centre's compliance with this policy and with data protection law. This policy is reviewed at least annually, and also whenever there is a material change to the personal data we process, the platforms we use, or the applicable law. Findings from data breaches, complaints, and Subject Access Requests are used to improve our controls and procedures on a continuous basis.