Ravenscroft College — London, United Kingdom

Data Protection & GDPR Policy

Last Reviewed: March 2026  ·  Next Review: March 2027

Purpose

This Data Protection and GDPR Policy sets out how Ravenscroft College collects, processes, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all relevant UK data protection legislation. The College is committed to upholding the rights of all data subjects and to maintaining the highest standards of data protection practice.

Scope

This policy applies to all personal data processed by Ravenscroft College, whether in digital or physical form. It covers data relating to learners, applicants, staff, contractors, visitors, and any other individuals whose personal data the College holds. It applies to all departments, staff, and third-party processors acting on the College's behalf.

Data Controller

Ravenscroft College is the data controller for all personal data collected and processed in the course of its operations. The Director is ultimately responsible for data protection compliance. Day-to-day data protection matters are managed by the designated data protection lead.

Data Protection Principles

In accordance with UK GDPR, the College will ensure that personal data is:

  • Processed lawfully, fairly, and in a transparent manner.
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accurate and, where necessary, kept up to date.
  • Kept in a form which permits identification of data subjects for no longer than is necessary.
  • Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Lawful Basis for Processing

The College will identify and document a lawful basis for each processing activity before any personal data is processed. The lawful bases relied upon include:

  • Consent of the data subject.
  • Performance of a contract with the data subject.
  • Compliance with a legal obligation.
  • Vital interests of the data subject or another person.
  • Public interest or official authority.
  • Legitimate interests of the College, where these do not override the data subject's rights.

Where special category data is processed (e.g., health, ethnicity, religious beliefs), an additional condition under Article 9 UK GDPR will be identified and documented.

Data Subject Rights

The College recognises and upholds the following rights of data subjects under UK GDPR:

  • Right to be informed about how personal data is collected and used.
  • Right of access to personal data held by the College (Subject Access Request).
  • Right to rectification of inaccurate or incomplete data.
  • Right to erasure ('right to be forgotten') where there is no compelling reason to retain the data.
  • Right to restrict processing.
  • Right to data portability.
  • Right to object to processing, including processing for direct marketing.
  • Rights in relation to automated decision-making and profiling.

Requests to exercise any of these rights should be submitted in writing to info@ravenscroftcollege.co.uk. The College will respond within one calendar month, or within an extended timeframe of up to three months where the request is complex, with notification to the data subject.

Data Security

The College implements appropriate technical and organisational measures to protect personal data, including:

  • Encryption of personal data in transit and at rest where appropriate.
  • Access controls restricting personal data to authorised personnel only.
  • Regular security assessments and vulnerability testing.
  • Secure disposal of personal data at the end of the retention period.
  • Staff training on data protection responsibilities and best practice.
  • Documented procedures for responding to data breaches.

Data Breaches

In the event of a personal data breach, the College will follow its Data Breach Procedure. Where a breach is likely to result in a risk to the rights and freedoms of individuals, the College will notify the Information Commissioner's Office (ICO) within 72 hours. Where the breach is likely to result in a high risk to affected individuals, those individuals will be notified directly without undue delay.

Data Sharing and Third-Party Processors

The College may share personal data with third parties where necessary and lawful, including awarding bodies (such as OTHM Qualifications, Pearson, and others), regulatory bodies, IT service providers, and professional advisors. All third-party processors are required to enter into a Data Processing Agreement with the College that meets the requirements of UK GDPR.

International Transfers

Where personal data is transferred outside the United Kingdom, the College will ensure that appropriate safeguards are in place, including Standard Contractual Clauses, adequacy decisions, or other mechanisms approved under UK GDPR.

Data Retention

Personal data will be retained only for as long as is necessary for the purpose for which it was collected, or as required by law. The College maintains a Data Retention Schedule that specifies retention periods for different categories of data. At the end of the retention period, data will be securely deleted or anonymised.

Training and Awareness

All staff will receive data protection training at induction and refresher training at least annually. Staff with specific data protection responsibilities will receive enhanced training appropriate to their role.

Complaints

Any individual who believes that their personal data has been mishandled or that the College has breached its data protection obligations may raise a complaint through the College's Complaints Policy. They also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Review

This policy will be reviewed annually or following any data breach, significant change in legislation, or update to regulatory or awarding body expectations.