Privacy, Cookies and Data Protection

The Edward James Foundation Limited (collectively referred to as “West Dean College”), is committed to protecting your personal data.
These Privacy Statements together with our Cookie Policy explain how we collect, use and protect your personal information and inform you of your privacy rights under data protection law. 

We keep our Privacy Statements, Cookie Policy and Data Protection Policy under regular review.  Any changes to these can be found on this page.

Contact the Data Protection Team

If you have any questions about how we use your personal data, or if you would like to exercise any of your data protection rights, you can contact us via

Email address: [email protected]

Postal address: Attn: Data Controller, The Edward James Foundation Limited, Estate Office, West Dean, Chichester, West Sussex, PO18 0QZ.

Privacy Statements

Alumni & Supporters Privacy Statement

Introduction

West Dean College respects your privacy and is committed to protecting your personal data. This privacy statement applies to all Alumni and Supporters. This privacy statement will inform you as to how we look after your personal data as an Alumnus or Supporter and tell you about your privacy rights and how the law protects you.

1. Important information and who we are

Purpose of this privacy statement

This privacy statement aims to give you information on how we collect and process your personal data once you leave our institution and become a member of our “Alumni” or when you donate or volunteer to support our programmes as a “Supporter”.

Other privacy statements and notices will apply depending on your relationship with us, i.e. if you are a student or member of staff. Those privacy statements should be considered separately so when we are collecting or processing your personal data, you are fully aware of how and why we are using your data. This privacy statement supplements other privacy notices and statements and is not intended to override them.

When we collect, use and are responsible for certain personal data about you, we are subject to the UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018 (“DPA 2018”).

Controller and contact information

The Edward James Foundation Limited is the controller and responsible for your personal data (collectively referred to as “West Dean College”, “we”, “us”, or “our” in this privacy statement).

If you have any questions about this privacy statement or our privacy practices, please contact us in the following ways:

Full name of legal entity: The Edward James Foundation Limited

Email address: [email protected]

Postal address: Attn: Data Controller, The Edward James Foundation Limited, Estate Office, West Dean, Chichester, West Sussex, PO18 0QZ.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this privacy statement and your duty to inform us of changes

We keep our privacy statement under regular review. The current version of all of our privacy statements can be found online at Privacy and we encourage you to check online for the most recent version.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

2. The data we collect about you

Personal data, or personal information, is any information about an individual from which that person can be identified either directly or indirectly. For example, personal data may include names, addresses, email addresses and telephone numbers; it may also include images in photographs or films and recorded telephone conversations. It does not include data where your identity, or potential to be identified, has been removed (anonymised data).

The types of personal information we hold

We may collect, hold and process the following types of personal information about you:

Biographical

  • Name, address, telephone number, email address;
  • Date of birth;
  • Gender;
  • Marital status;
  • Student ID number;
  • Computing and email information, including login details and network access;
  • Links to your public social media presence and social media handles; and
  • Current interests, activities and accolades.

Financial

  • Bank details and/or payment card details (collected and used for donations and event registrations); and
  • Gift Aid Declarations and tax status.

Educational

  • Course details and attainment record;
  • Dates of attendance, award and graduation;
  • Involvement in clubs and societies whilst at West Dean College;
  • Use of and engagement with West Dean College services, activities and events (e.g. employability); and
  • Scholarship, bursary and other funding information.

Professional

  • Current and past professional titles;
  • Employment status and employer details, including work contact details;
  • Job title, income, income band;
  • Curriculum vitae;
  • Academic/professional memberships and publications;
  • Company/business profile;
  • Press/media, such as press releases or broadcast appearances; and
  • Affiliations with other organisations (e.g. board memberships, directorships or trusteeships).

Data relating to interactions with West Dean College

  • Communications relating to decisions we make;
  • Records of your interactions with us (e.g. correspondence, notes, enquiries), including your communication preferences;
  • Event registration and attendance;
  • Fundraising responses (including donations);
  • Engagement with West Dean College services since finishing your course (e.g. employability);
  • How you may be able to support us, for example our estimate of your capacity to volunteer or donate, which may include details of your estimated or actual financial worth and internal classifications of your engagements with West Dean College and/or potential for supporting us (e.g. through future donations, etc); and
  • Your support for West Dean College (donations, volunteering, advocacy, etc).

Images and photographs

  • Photographs we have taken, for example at events you attend or to accompany published interviews; and
  • Images or photographs which are in the public domain.

We may also collect and hold personal information derived from publicly available sources (either directly or through internet search functions). These public sources may include LinkedIn, Twitter, Companies House and other business-related resources including company websites, The Queen’s Honours lists, Royal Mail National Change of Address service, reliable news and press reports, and rich lists.

Special category personal data

In some circumstances, we also collect, store and use “special categories” of more sensitive personal data, which may include:

  • Health information – We may use health information to help us make reasonable adjustments. This information is stored and processed solely for the facilitation of event access.
  • Criminal convictions data – We may use publicly available information relating to convictions, offences or allegations, including on money laundering or bribery offences, to carry out  diligence on donors or prospective donors before accepting gifts.
  • Race or ethnicity – We may use this information to support monitoring purposes and to help ensure activities reflect the makeup of our Alumni and student community.
  • We do not seek to obtain sexual orientation, religious beliefs or political opinions, but this data may sometimes be collected or inferred from other publicly available sources about you, such as through activities or event attendance, memberships, relationships, donations to specific causes, reliable press releases and interviews, etc.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel the service you have with us but we will notify you if this is the case at the time.

3. How your personal data is collected

We collect personal information in the following ways:

  • Directly from you during your ongoing relationship with West Dean College, which includes personal information held on your student record which forms the basis of your Alumni record which is managed by the academic registry team after you complete your course.
  • From publicly available sources, such as online and print media, social media, company and organisation websites, Companies House, the Charity Commission website, rich lists, honours lists, etc.
  • Wealth screening and prospect research activities carried out in house using publicly available information to assess potential inclination to provide financial or  non-financial support.
  • From third parties providing us with services or acting on our behalf (e.g. from WorldPay, SagePay and Donr and Donorfy when making donations).

4. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform a contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal obligation.

We have set out below, in a table format, a description of the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose/Activity

Lawful basis for processing

Creating (which will include importing data from your West Dean College student record), administering and maintaining your record in our Alumni and Supporters relationship management systems.

Our legitimate interests in pursuing fundraising in support of our charitable mission, contractual necessity.

Identifying opportunities, products and services that may be of interest to you, and inviting you (via post, email, telephone, text message, etc depending on your communication preferences) to get involved with activities including events, fundraising campaigns, mentoring, guest speaking and research. This may include disclosing personal data to trusted third parties, such as appointed service providers (e.g. Donorfy, MailChimp, Eventbrite).

Our legitimate interests in maintaining strong relationships with our Alumni and Supports and in promoting our services to you and to the public. We will offer you an opportunity to refuse marketing when your details are first collected and in subsequent communications to you.

To process payments (e.g. ticket sales, merchandise or donations).

Contractual necessity and our legitimate interests to recover debts due to us.

Event registration and management.

Contractual necessity.

Volunteer registration and management.

Our legitimate interests in facilitating volunteer opportunities in support of our charitable mission.

Conducting due diligence on prospective major donors.

Compliance with legal obligations (e.g. money laundering rules) and our legitimate interests in pursuing fundraising in support of our charitable mission.

Processing gifts.

Contractual necessity.

Processing Gift Aid claims, including sharing information with HMRC for this purpose.

Compliance with legal obligations (e.g. Gift Aid requirements).

Making legacy estimates/valuations.

Our legitimate interests in fundraising in support of our charitable mission.

To analyse the progression of Alumni from graduation into employment and, where appropriate, follow your career beyond West Dean College. This may include desk-based research drawing on publicly available information (e.g. company websites, media and press releases, or publicly accessible social media platforms).

Our legitimate interests in maintaining strong relationships with our Alumni and in assessing the success of our programmes.

 

Where special categories of personal data (as set out in paragraph 2 above) are processed, in addition to one of the lawful bases set out above, we will rely on one of the conditions of Article 9 of the UK GDPR:

  • Explicit consent;
  • The personal data has been manifestly made public by you;
  • The establishment, exercise or defence of legal claims;
  • For archiving, statistical and research purposes;
  • Processing is necessary to protect vital interests.

There may be other processing in addition to the above, for example, when you access our website which uses cookies or when we take photos of our events and publish them. This is done on the basis of our policies and we will inform you about such processing at the time when the data is obtained or as soon as reasonably possible thereafter.

5. Who we share your data with

Within West Dean College, your data is shared only with those staff who need access for delivering our Alumni and Supporter activities. Supporter personal data is held securely on our Donorfy database and Alumni personal data is held securely on our Microsoft Azure Cloud Services and this data is restricted to nominated employees.

In order to provide our services, we may also need to share your personal data outside with external third parties, such as:

  • Contractors and suppliers: We use third party processors who provide elements of services for us, such as companies like Donorfy that provide our CRM system and MailChimp that provide email services.
  • Service providers acting as processors who provide IT and system administration services.
  • Payment processors to process credit and debit card payments and store payment information, such as SagePay, Merac and K3 Retail. 
  • Agencies and organisations to prevent and detect fraud (including fraudulent transactions).
  • HM Revenue & Customs, the Charity Commission, HESA and other regulators and authorities based in the United Kingdom.
  • Third parties such as analytics and search engine providers that help us improve and optimise this website, as well as advertising services, in order to deliver targeted and relevant ads.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. International transfers

Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

7. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Alumni personal data will be retained in support of your lifelong relationship with the University, or until there is no longer a legal basis for holding it (for example if you withdraw your consent).

Data retention periods are usually linked to legal limitation (statute of limitation) periods. Our records retention schedule is available

9. Your legal

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These rights include:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
     
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
     
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
     
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
     
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
    • If you want us to establish the data's accuracy.
    • Where our use of the data is unlawful but you do not want us to erase it.
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests to exercise a data protection right within one month. Occasionally it could take us longer than a month if you request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Applicants & Students Privacy Statement

Introduction

West Dean College respects your privacy and is committed to protecting your personal data. This privacy statement applies to all applicants to be a student, as well as current and former students. This privacy statement will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

1. Important information and who we are

Purpose of this privacy statement

This privacy statement aims to give you information on how we collect and process your personal data when you apply to one of our programmes and if you become a student at West Dean College.

Other privacy statements and notices will apply depending on your relationship with us, i.e. when you become an alumnus. Those privacy statements should be considered separately so when we are collecting or processing your personal data, you are fully aware of how and why we are using your data. This privacy statement supplements other privacy notices and statements and is not intended to override them.

When we collect, use and are responsible for certain personal data about you, we are subject to the UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018 (“DPA 2018”).

Controller and contact information

The Edward James Foundation Limited is the controller and responsible for your personal data (collectively referred to as “West Dean College”, “we”, “us”, or “our” in this privacy statement).

If you have any questions about this privacy statement or our privacy practices, please contact us in the following ways:

Full name of legal entity: The Edward James Foundation Limited

Email address: [email protected]

Postal address: Attn: Data Controller, The Edward James Foundation Limited, Estate Office, West Dean, Chichester, West Sussex, PO18 0QZ.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this privacy statement and your duty to inform us of changes

We keep our privacy statement under regular review. The current version of all of our privacy statements can be found online at Privacy and we encourage you to check online for the most recent version.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

2. The data we collect about you

Personal data, or personal information, is any information about an individual from which that person can be identified either directly or indirectly. For example, personal data may include names, addresses, email addresses and telephone numbers; it may also include images in photographs or films and recorded telephone conversations. It does not include data where your identity, or potential to be identified, has been removed (anonymised data).

The types of personal information we hold

We may collect, hold and process the following types of personal information about you:

Biographical

  • Name, address, telephone number, email address;
  • Date of birth;
  • Gender;
  • Marital status;
  • Student ID number;
  • Links to your public social media presence and social media handles;
  • Location and login data gathered through logging into our WIFI in campus buildings, including teaching and learning spaces and public areas;
  • your nationality and any other information about your ethnicity or immigration status; and
  • Your photograph and video recordings.
  • Next of kin/Emergency Contact

Financial

  • Bank details and/or payment card details (collected and used for paying fees and event registrations); and
  • Information relating to fees and funding, scholarships, bursaries and any sponsorships relevant to your studies.

Educational

  • Qualifications and other academic records;
  • Course details and attainment record;
  • Records of any appeals or submissions you make relating to extenuating circumstances;
  • If relevant, breaches of our policies (such as academic or other misconduct concerning West Dean College activities) or any complaints made by you or in which you are involved;
  • Involvement in clubs and societies whilst at West Dean College; and
  • Use of and engagement with West Dean College services, activities and events (e.g. employability).

Special category personal data

In some circumstances, we also collect, store and use “special categories” of more sensitive personal data, which may include:

  • Health information – We may use health information to help us make reasonable adjustments.
     
  • Criminal convictions data – We may ask you to disclose information relating to relevant criminal convictions or offences.
     
  • Religion or sexual orientation – We may use this information if it is disclosed by you.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel the service you have with us but we will notify you if this is the case at the time.

3. How your personal data is collected

We collect your personal information directly from you during your relationship with West Dean College.

4. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we have your consent.
  • Where we need to perform a contract we are about to enter into or have entered into with you.
  • Where it is necessary for the performance of a task carried out in the public interest.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal obligation.

We have set out below, in a table format, a description of the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose/Activity

Lawful basis for processing

Assessing eligibility to undertake our academic programmes.

Contractual necessity.

Provision of academic programmes and related services (including IT and library services). 

Contractual necessity, i.e. to provide your chosen academic programme.

Monitoring our networks to protect the security and integrity of our IT network and information and electronic communications systems.

Contractual necessity.

Assessment of academic progress and performance (including attendance).

Contractual necessity.

Immigration matters.

Necessary for us to comply with our legal obligations in relation to student visas.

Making reasonable adjustments for disabilities and providing relevant support to students with ill health.

Explicit consent.

Regulating our community (including dealing with misconduct under our procedures for academic and other misconduct).

Contractual necessity and the public interest in maintaining academic standards.

To fulfil statutory reporting requirements.

Necessary for us to comply with our legal obligations.

To monitor our responsibilities under equality legislation.

Public interest and substantial public interest.

To ensure the health and safety of students, including safeguarding, preventing and detecting crime.

Public interest and substantial public interest.

Obtaining payment of fees.

Contractual necessity.

Protecting our property and assets (e.g. dealing with misconduct).

Contractual necessity and our legitimate interest in safeguarding our property and assets.

Crediting students’ bank accounts with payments in respect of financial aid.

Contractual necessity.

CCTV, including body worn cameras.

Necessary for our legitimate interest in ensuring the safety of our community and our property and assets.

Providing appropriate IT and other infrastructure facilities, for example a virtual learning environment, as well as the development of new IT systems.

Contractual necessity

Communicating with you.

Contractual necessity and our legitimate interest in marketing West Dean College and where relevant for the purpose of student welfare.

For alumni relations.

Necessary for our legitimate interest in maintaining an alumni network.

Provision of residential accommodation.

Contractual necessity

Use of campus facilities, including libraries, sports facilities and other services.

Contractual necessity relating to the terms governing access to and use of the facilities and services.

 

Where special categories of personal data (as set out in paragraph 2 above) are processed, in addition to one of the lawful bases set out above, we will rely on one of the conditions of Article 9 of the UK GDPR:

Explicit consent;

  • The personal data has been manifestly made public by you;
  • The establishment, exercise or defence of legal claims;
  • For archiving, statistical and research purposes;
  • Processing is necessary to protect vital interests.

5. Who we share your data with

Within West Dean College, your data is shared only with administrative, support and academic staff in the course of your study with us and we pass certain aspects of your personal data to our alumni team when you graduate. Personal data is not normally voluntarily shared with anyone outside of West Dean College. This includes your spouse or partner, parents or other family members, unless you give us your permission to share it or because, in exceptional circumstances, we have reason to believe that your health or safety or the health and safety of a third party is at risk.

The following table gives examples of personal data that may be shared and with whom.

Who we share personal data with

Recipients

Personal data we may share with them

Our academic staff

Some Contact details, attendance and progression information, education and attainment data, and where necessary for the implementation of reasonable adjustments and/or the provision of other support and subject to your consent health information. Your contact details may also be used by these staff when recruiting to related extra-curricular activities, such as volunteering opportunities.

Our administrative and support staff

Contact details, immigration details, attendance and progression information, education and attainment data, and where necessary for the implementation of reasonable adjustments and/or the provision of other support and subject to your consent health information. Your contact details may also be used by these staff when recruiting to related extra-curricular activities, such as volunteering opportunities.

Employment or study placement providers

Your CV as well as any accessibility and assistance requirements and related information.

Co-curricular and/or extracurricular excursion providers

Accessibility and assistance requirements and related information.

Future employers

Personal information relating to programme of study, conduct, performance and academic achievement, where we are asked for a reference.

League table compilers, for example The Economist, Financial Times and organisations compiling graduate destination data

Contact details and employment or further study destination data.

Official bodies to which we are obliged to report, for example HESA  and the Office for Students, or their agents

Information supplied as necessary to fulfil our reporting obligations to these bodies. This may include relevant special category data.

You can find HESA's Privacy Notices here: https://www.hesa.ac.uk/about/regulation/data-protection/notices

We supply contact information to the OfS for the purposes of inviting students to participate in the National Student Survey (NSS), and for auditing.

External examiners

Identification details and exam papers and assessment records.

UK Home Office

Passport details, programme details and fees, English Language proficiency and housing details.

Data processors (third parties who process personal data on our behalf, such as software providers)

Application details, attendance records, contact information and account credential where required for single sign-in.

Local Authority

Contact details.

Research partners

Contact details, attendance and progression information.

Funding bodies, scholarship and bursary providers

Contact details, attendance and progression information.

Government agencies, for example HMRC (only upon request and where there is a legal basis for doing so)

Contact details.

Police (only upon request and where there is a legal basis for doing so)

Information supplied as necessary in order to fulfil our legal obligations with respect to fire prevention and the detection of crime.

 

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. International transfers

Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

7. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Data retention periods are usually linked to legal limitation (statute of limitation) periods. Our records retention schedule is available

9. Your legal

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These rights include:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
     
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
     
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
     
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
     
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
    • If you want us to establish the data's accuracy.
    • Where our use of the data is unlawful but you do not want us to erase it.
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
     
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests to exercise a data protection right within one month. Occasionally it could take us longer than a month if you request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Job Applicants & Staff Privacy Statement

Introduction

West Dean College respects your privacy and is committed to protecting your personal data. This privacy statement applies to job applicants and current and former employees, workers and contractors. This privacy statement will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

1. Important information and who we are

Purpose of this privacy statement

This privacy statement aims to give you information on how we collect and process your personal data when you apply for a job at West Dean College or become a member of staff here.

When we collect, use and are responsible for certain personal data about you, we are subject to the UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018 (“DPA 2018”).

Controller and contact information

The Edward James Foundation Limited is the controller and responsible for your personal data (collectively referred to as “West Dean College”, “we”, “us”, or “our” in this privacy statement).

If you have any questions about this privacy statement or our privacy practices, please contact us in the following ways:

Full name of legal entity: The Edward James Foundation Limited

Email address: [email protected]

Postal address: Attn: Data Controller, The Edward James Foundation Limited, Estate Office, West Dean, Chichester, West Sussex, PO18 0QZ.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this privacy statement and your duty to inform us of changes

We keep our privacy statement under regular review. The current version of all of our privacy statements can be found online at Privacy and we encourage you to check online for the most recent version.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

2. The data we collect about you

Personal data, or personal information, is any information about an individual from which that person can be identified either directly or indirectly. For example, personal data may include names, addresses, email addresses and telephone numbers; it may also include images in photographs or films and recorded telephone conversations. It does not include data where your identity, or potential to be identified, has been removed (anonymised data).

The types of personal information we hold

We may collect, hold and process the following types of personal information about you:

Biographical

  • Name, address, telephone number, email address;
  • Date of birth;
  • Gender;
  • Marital status;
  • NHS number;
  • Links to your public social media presence and social media handles;
  • Languages spoken; and
  • Your photograph and video recordings.

Financial

  • National Insurance Number;
  • Bank account details, payroll details and tax status information; and
  • Salary, annual leave, pension and benefits information.

Recruitment information

  • Qualifications and other academic records;
  • Details of your skills and experience;
  • References;
  • Assessment and interview notes collected during the recruitment process;
  • Evidence of your right to work in the UK and information relating to your immigration status;
  • Any correspondence with you regarding your application;
  • Your CV and, depending on your role, your availability; and
  • Employment History and reasons for leaving current job.

Employment information

  • Performance information;
  • Disciplinary and grievance information;
  • CCTV footage and other information obtained through electronic means such as swipe card records;
  • Vehicle registration number;
  • Information about your use of our IT systems;
  • ID card image and photographs; and
  • Location data gathered through logging into WIFI in campus buildings, including teaching and learning spaces and public areas. Location data gathered through the use of logging in via staff cards.

Special category personal data

In some circumstances, we also collect, store and use “special categories” of more sensitive personal data, which may include:

  • Information about your race or ethnicity, disability, age, religious beliefs, gender reassignment, sexual orientation, political opinions, marriage and civil partnership and pregnancy and maternity;
  • Trade union membership;
  • Information about your health, including any medical condition, health and sickness records; and
  • Information about any criminal convictions, offences and barred list status.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel the service you have with us but we will notify you if this is the case at the time.

3. How your personal data is collected

We collect your personal information directly from you during your relationship with West Dean College. In some cases, we may collect some of your personal data from third parties providing us with services, such as recruitment agents.

4. How we use your personal data

We will only use your personal data when the law allows us to. We process your personal data to help us to effectively administer the employment relationship between you and us. We only process data for specified purposes and if it is justified in accordance with data protection law. 

Most of the processing of your personal data is justified on the basis of contractual necessity. In general this applies to personal data you provide to us at when you first start working for us and throughout the duration of your employment with us. We collect and process this data to manage the employment relationship and to monitor performance

Without this information we wouldn't be able to employ you and follow the law, assess your application, offer you work or make reasonable adjustments. Some personal data is also required to fulfil our legal obligations (for example, immigration or HMRC).

We may also use your personal data in the following circumstances:

  • Where we have your consent.
  • Where it is necessary for the performance of a task carried out in the public interest.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal obligation.

We have set out below, in a table format, a description of the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose/Activity

Lawful basis for processing

To assess and process your application.

Contractual necessity.

To carry out pre-employment checks.

Contractual necessity and legal obligation.

To determine the terms on which you work for us.

Necessary for the performance of the employment contract and to comply with Employment Law.

To allocate and manage work responsibilities.

Necessary for the performance of the employment contract and to comply with Employment Law.

To pay salary, tax and pension contributions and process associated benefits.

Necessary for the performance of the employment contract and to comply with Employment Law.

To manage performance and conduct.

Necessary for the performance of the employment contract and to comply with Employment Law.

To manage training and development needs and opportunities.

Necessary for the performance of the employment contract.

To monitor equality, diversity and inclusion.

Necessary for our legal obligation to promote an inclusive work environment and to comply with Employment Law and our other legal obligations including the Equality Act 2010.

To provide IT services, building access and library services.

Necessary for the performance of the employment contract.

For non-essential library users, the legal basis for this processing is Legitimate Interest.

To implement and ensure compliance with our policies.

Necessary for the performance of the employment contract and to comply with Employment Law and the ICO Code of Practice.

To carry out surveillance via CCTV including body-worn cameras for the prevention, reduction, detection and investigation of crime and other incidents; to ensure the safety of staff, students and visitors; to assist in the investigation of suspected breaches of our regulations by staff or students; and the monitoring and enforcement of traffic related matters.

We have a legitimate interest in ensuring that its campuses are safe places to work, live and study. We have a statutory duty of care to its staff and students to ensure a safe environment.

To carry out Automatic Number Plate Recognition (ANPR) in car parks on campus.

We have a legitimate interest in providing a safe and secure campus environment for all users and the prevention, reduction, investigation and prosecution of crimes and acts of anti-social behaviour or disorder.

To assess, monitor and manage fitness and capability to work and manage sickness absence.

Necessary for the performance of the employment contract and to comply with Employment Law.

To manage health and safety incidents including statutory reporting and medical referrals.

Compliance with a legal obligation, i.e. the Health and Safety At Work Acts.

To manage regarding and promotion processes.

Necessary for the performance of the employment contract and to comply with Employment Law.

Providing management information and testing functionality of HR system developments.

Necessary for the performance of the employment contract, to comply with Employment Law and our legitimate interests to ensure HR systems operate securely and efficiently and, also, to inform management decisions.

To communicate with you during your employment

Necessary for the performance of the employment contract and to comply with Employment Law and our other legal obligations and our legitimate interest in consulting with staff and raising awareness of initiatives and opportunities.

To provide you with employment-related benefits.

Necessary for the performance of the employment contract.

To liaise with your pension provider.

Necessary for the performance of the employment contract and to comply with Employment Law.

To sponsor international staff to work in the UK.

Necessary for the performance of the employment contract and to comply with Employment Law and our other legal obligations.

To check right-to-work status and support visa applications.

Necessary for the performance of the employment contract and to comply with Employment Law and our other legal obligations.

To gather evidence for possible grievance or disciplinary hearings.

Necessary for the performance of the employment contract and to comply with Employment Law.

To make decisions about your continued employment or arrangements for the termination of our working relationship.

Necessary for the performance of the employment contract and to comply with Employment Law.

To provide references on request.

Necessary for the performance of the employment contract for applicants or where consent has been given.

Basic departmental contact details published internally and externally on staff lookup and/or team websites.

Contractual necessity.


Where special categories of personal data (as set out in paragraph 2 above) are processed, in addition to one of the lawful bases set out above, we will rely on one of the conditions of Article 9 of the UK GDPR:

  • Explicit consent - if we require your consent for any specific use of your personal data, we will collect it at the appropriate time, explaining why we are collecting the data and how we will use it, and your right to withdraw consent any time;
  • For West Dean College to carry out its legal obligations under Employment Law;
  • The personal data has been manifestly made public by you;
  • The establishment, exercise or defence of legal claims;
  • For archiving, statistical and research purposes;
  • Processing is necessary to protect vital interests.
  • The table below provides examples of what special category data may be processed and under which basis.

How we use special category personal data

Purpose/Activity

Lawful basis for processing

We use information relating to your health to make decisions regarding reasonable adjustments

Processing of health-related data is necessary so that we can meet our obligations under Employment Law

We use information about your race or ethnicity, religious beliefs, sexual orientation and political opinions to conduct equal opportunities monitoring

Necessary for our legal obligation to promote an inclusive work environment and to comply with Employment Law and our other legal obligations

We use trade union membership information to pay trade union premiums, register that status of a protected employee and to comply with employment law obligations

Processing is necessary so that we can meet our obligations in the field of Employment Law

We use information about your criminal convictions, reprimands and cautions to assess your suitability to carry out the work for which you are being engaged.

Processing is necessary in order to meet our obligations in the field of Employment Law and fulfil our duty of care to staff and students.


5. Who we share your data with

Within West Dean College, your data is shared only with staff who have received appropriate training and have a genuine reason for accessing this information.

We sometimes share data with companies processing data on our behalf (e.g. training providers). These companies are carefully vetted and appropriate agreements are put in place to ensure the security of your data.

In some circumstances, your personal data will be shared with third parties in compliance with our legal obligations (e.g. UKVI and HMRC).

The following table gives examples of personal data that may be shared and with whom.

Who we share personal data with

Recipients

Personal data we may share with them

Line managers

Some Contact details, employment details, attendance, planned workload, performance, conduct, training and development information for the performance of the employment contract and health information to fulfil our duty of care and where necessary for the implementation of reasonable adjustments and/or the provision of additional health information.

Our administrative and support staff

Some Contact details, employment details, planned workload, immigration details, attendance, training, and development and progression information. Health information only where necessary for the implementation of reasonable adjustments and/or the provision of other support.

Trade Unions

Information relating to an employment relations matter.

Investigation officers, hearing panel chairs and members, external solicitors, employment tribunals and ACAS

Personal information relating to conduct, performance and employment.

Third-party organisations who process personal data on our behalf, such as training providers, assessment providers and employment surveyors

Name, contact and employment details.

Third-party organisations to whom a potential TUPE transfer is being made

Employment contract terms and conditions and associated benefits (full employee liability information).

Official bodies to which the University is obliged to report, for example HESA and the Office for Students, or their agents

Information supplied as necessary to fulfil the University's reporting obligations to these bodies. This may include relevant special category data.

Future employers

Only the person’s nature of employment (job title) and dates of employment with West Dean are provided.

Government agencies such as UK Visa and Immigration Office and the Home Office

Contact details, passport details, salary and other employment basis details for example fixed term or permanent contract status.

University DBS providers (GBG plc)

Name and contact details.

Pension schemes

Personal information including contact details and salary and pension contribution details.

HMRC

Contact, pay and benefit details.

Information Systems department

All personal data held electronically (for back-ups and for the development of new systems).

Software hosts and cloud providers

Information will be shared with IT suppliers and providers in order to provide our services. This data may be subject to transfer outside of the EU, however, we ensure that there are contracts in place and carry out due diligence to ensure the safety of personal information.


We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. International transfers

Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

7. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Data retention periods are usually linked to legal limitation (statute of limitation) periods. Our records retention schedule is available

9. Your legal

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These rights include:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
     
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
     
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
     
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
     
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
    • If you want us to establish the data's accuracy.
    • Where our use of the data is unlawful but you do not want us to erase it.
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
     
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests to exercise a data protection right within one month. Occasionally it could take us longer than a month if you request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Visitors Privacy Statement

Introduction

West Dean College respects your privacy and is committed to protecting your personal data. This privacy statement applies to visitors to and those attending events at West Dean College. This includes visitors for the purposes of commercial stays in the college’s accommodation, evening meals in the gardens, commercial use of the facilities for conferences and weddings. This privacy statement will inform you as to how we look after your personal data as visitor and tell you about your privacy rights and how the law protects you.

1. Important information and who we are

Purpose of this privacy statement

This privacy statement aims to give you information on how we collect and process your personal data whilst you are a visitor.

Other privacy statements and notices will apply depending on your relationship with us, i.e. if you are also a student or member of staff too, those privacy statements will apply in the context of those relationships. Those privacy statements should be considered separately so when we are collecting or processing your personal data, you are fully aware of how and why we are using your data. This privacy statement supplements other privacy notices and statements and is not intended to override them.

When we collect, use and are responsible for certain personal data about you, we are subject to the UK General Data Protection Regulation (“UK GDPR”) and Data Protection Act 2018 (“DPA 2018”).

Controller and contact information

The Edward James Foundation Limited is the controller and responsible for your personal data (collectively referred to as “West Dean College”, “we”, “us”, or “our” in this privacy statement).

If you have any questions about this privacy statement or our privacy practices, please contact us in the following ways:

Full name of legal entity: The Edward James Foundation Limited

Email address: [email protected]

Postal address: Attn: Data Controller, The Edward James Foundation Limited, Estate Office, West Dean, Chichester, West Sussex, PO18 0QZ.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to this privacy statement and your duty to inform us of changes

We keep our privacy statement under regular review. The current version of all of our privacy statements can be found online at Privacy and we encourage you to check online for the most recent version.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

2. The data we collect about you

Personal data, or personal information, is any information about an individual from which that person can be identified either directly or indirectly. For example, personal data may include names, addresses, email addresses and telephone numbers; it may also include images in photographs or films and recorded telephone conversations. It does not include data where your identity, or potential to be identified, has been removed (anonymised data).

The types of personal information we hold

We may collect, hold and process the following types of personal information about you:

Biographical

  • Name, address, telephone number, email address;
  • Nationality and country of residence;
  • Company details; and
  • Vehicle registration details.

Financial

  • Bank details and/or payment card details (collected and used for event registrations).

Images and photographs

  • Photographs we have taken at events you attend; and
  • Images or photographs which are in the public domain.

Special category personal data

In some circumstances, we also collect, store and use “special categories” of more sensitive personal data, which may include:

  • Health information – We may use health information to help us make reasonable adjustments. This information is stored and processed solely for the facilitation of event access.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel the service you have with us but we will notify you if this is the case at the time.

3. How your personal data is collected

We usually collect personal information directly from you for the administration of your visit to West Dean College and for security and health and safety purposes.

4. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we have your consent.
  • Where we need to perform a contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We have set out below, in a table format, a description of the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Purpose/Activity

Lawful basis for processing

Event registration and management.

Contractual necessity.

CCTV, including body worn cameras.

Necessary for our legitimate interest in ensuring the safety of our community and our property and assets.

Carrying out Automatic Number Plate Recognition (ANPR) in car parks on campus.

Necessary for our legitimate interest in ensuring the safety of our community and our property and assets.

Assessing reasonable adjustments for events.

Explicit consent.

Communicating with you.

Contractual necessity and our legitimate interest in marketing West Dean College.

Managing access to our premises and facilities (e.g. the library and other buildings) and related services.

Contractual necessity and our legitimate interests in maintaining the safety and security of our property and assets and IT networks.

 

Where special categories of personal data (as set out in paragraph 2 above) are processed, in addition to one of the lawful bases set out above, we will rely on one of the conditions of Article 9 of the UK GDPR:

Explicit consent;

  • The personal data has been manifestly made public by you;
  • The establishment, exercise or defence of legal claims;
  • For archiving, statistical and research purposes;
  • Processing is necessary to protect vital interests.

There may be other processing in addition to the above, for example, when you access our website which uses cookies or when we take photos of our events and publish them. This is done on the basis of our policies and we will inform you about such processing at the time when the data is obtained or as soon as reasonably possible thereafter.

5. Who we share your data with

Within West Dean College, your data is shared only with those staff who need access for delivering events.

Recipients

Data which we may share with them

Our administrative and support staff

Personal and contact details and, where necessary for the implementation of reasonable adjustments and/or the provision of other support and subject to your consent, health information

Data processors (third parties who process personal data on our behalf)

Personal and contact details

Accommodation services who arrange accommodation

Personal details and dietary requirements

 

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. International transfers

Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
  • Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

7. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Data retention periods are usually linked to legal limitation (statute of limitation) periods. Our records retention schedule is available

9. Your legal

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These rights include:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
     
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
     
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
     
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
     
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
    • If you want us to establish the data's accuracy.
    • Where our use of the data is unlawful but you do not want us to erase it.
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
     
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests to exercise a data protection right within one month. Occasionally it could take us longer than a month if you request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

 

Website Privacy Statement

This statement (together with our Cookie Policy below) sets out how we will process any personal data we collect from you or that you provide to us. By visiting our website at www.westdean.ac.uk you are accepting and consenting to the practices described in this statement.

For the purpose of the General Data Protection Regulation (GDPR) the organisation is The Edward James Foundation Limited (charity number 1126084 and Company Number: 6689362) of Estate Office, West Dean, Chichester, West Sussex, PO18 0QZ. Our registration number with the Information Commissioner's Office is Z7402406.

1. Data we collect

We may collect and process the following data about you:

  • Data you give to us: you may give us personal data by completing forms or transactions on this website or by corresponding with us by telephone, e-mail or post. This includes data you provide when you request information from us or make other enquiries, apply for a course of study or register for an event that we are organising or hosting, subscribe to one or more of our newsletters, place an order on our website, make a donation to us or make a booking. The data you give us may include your name, address, e-mail address and telephone number, areas of interest, qualifications, financial and credit card information.

Data we collect about you: on each visit to this website we may automatically collect the following data:

  • technical data, including the internet protocol (IP) address used to connect your device to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • data about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from this website (including date and time); products and resources you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any telephone number used to contact us.
  • Data we receive from other sources: as some of our services are delivered by sub-contractors in technical, payment and delivery services, SagePay and Merac. We may receive data about you from search information providers Google Analytics, also social media analytics from Facebook, Twitter, Instagram, YouTube, Pinterest and LinkedIn. 

Read more in our Cookie policy

2. What we do with your data

We process data held about you in the following ways:

  • to carry out our contractual obligations arising from any agreements entered into between you and us and to provide you with the information, products and services that you request from us;
  • to provide you with information about other courses, events, products and services we offer that are similar to those that you have already applied or registered for or enquired about. This data is processed on the basis of legitimate interest.
  • to notify you about changes to our courses and events on the basis of legitimate interest.
  • to ensure that content from this website is presented in the most effective manner for you and for your device.
  • to provide you with details of fundraising appeals or campaigns that support our work, and to process any Gift Aid donations and reclaim appropriate tax reliefs, on the basis of legitimate interest

Data we collect about you: we will use this data:

  • to administer this website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • to improve this website to ensure that content is presented in the most effective manner for you and for your device;
  • to allow you to participate in interactive features of this website, when you choose to do so; and
  • as part of our efforts to keep this website safe and secure.

3. Disclosure of your data

Except as set out below and unless otherwise stated on the relevant form collecting your data, we will not disclose your data to third parties.

Your data may be disclosed to third parties:

  • where we are under a duty to disclose or share your personal data in order to comply with any legal obligation or are legally permitted to disclose or share it;
  • in order to enforce or apply any contractual agreements entered into between us or the terms of any student or staff policies;
  • to protect our rights, property, or safety, and those of our staff, students and other users of this website, or our services or resources or any other person (including but not limited to third parties who claim that you have infringed their intellectual property rights and/or privacy rights). This data sharing includes the legal basis for exchanging information with other companies and organisations for the purposes of fraud protection,
  • to any third parties who accredit our courses and/or provide part of their delivery and assessment, on the basis of legitimate interest;
  • to analytics and search engine providers that assist us in the improvement and optimisation of this website, on the basis of legitimate interest;
  • to subcontractors who assist us in the delivery and administration of this website and our courses, events, products and services, on the basis of legitimate interest;

4. Where we store your personal data

All data you provide to us is stored on our secure services in the UK or with our chosen system providers who are Privacy Shield Certified. Any payment transactions will be encrypted [using SSL technology]. Where we have given you (or where you have chosen) a password which enables you to access certain parts of this website, you are responsible for keeping this password confidential and not sharing it with anyone else.

We will do our best to protect your personal data, but we cannot guarantee the security of data transmitted to this website as transfer via the internet is not completely secure; any transmission is at your own risk. Once we have received your data, we will use strict procedures and security features to try to prevent unauthorised access.

5. Your rights: to withdraw consent, be informed, be forgotten, rectification

You have the right to withdraw your consent for processing of your data at any time by contacting us (details below).

The GDPR gives you the right to access data held about you. Your right of access can be exercised by contacting us. We will provide you with details of the data we hold about you within 30 days.

Right to be forgotten: An unsubscribe option is automatically included in the footer of every email newsletter you receive, should you wish to remove yourself from our eNewsletter list.

Upon request we will also permanently delete your record and all data associated with it.

Right to rectification: You may update your data at any time to correct information we hold about

Right to Object: if you have any concerns or objections then contact us at the email or address below.

Please direct any of the above requests to email: [email protected] Or Attn: Data Controller, The Edward James Foundation Limited, Estate Office, West Dean, Chichester, West Sussex, PO18 0QZ,

6. Data retention policy

We normally retain contact data for three years unless there is a legal/contractual requirement to retain beyond this.

Some student data is retained for the lifetime of the student to reflect the ongoing relationship with the College and some Alumni records are retained indefinitely as there is an expectation that Higher Education Colleges should retain a permanent core record of students and courses studied (see Data Protection Guidance for Students).

7. Changes to our privacy policy

Any changes we may make to our privacy statement in the future will be posted on this page and, where appropriate, notified to you by e-mail.

8. Links

This website may, from time to time, contain links to and from the websites of our partner organisations, affiliated bodies and other third parties. If you follow any of these links, please be aware that these websites have their own privacy policies and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

9. Contact

Questions, comments and requests regarding this privacy statement should be addressed to email: [email protected]k

Cookie Policy

Cookies are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the website.

Find out more about cookies used on our website and how to edit your preferences. 

Cookie policy

Data Protection and Governance

Data Protection Policy & Procedures

West Dean Data Protection Policy & Procedures


1. Purpose & Scope

1.1 West Dean College (“West Dean”, “we”, “us” or “our”) has a wide range of functions as an organisation. We may collect, store, use or otherwise process Personal Data about individuals with whom we interact, including students, staff, contractors, applicants, alumni, supporters, visitors and other relevant third parties (collectively the “Data Subjects”) to operate effectively as an organisation.

1.2 We recognise that much of our work involves handling information about living individuals and protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. We recognise that the lawful and correct treatment of Personal Data is essential to maintaining trust and confidence in West Dean and for meeting legal requirements.

1.3 West Dean is obliged to fulfil Data Subjects’ reasonable expectations of privacy by complying with the UK General Data Protection Regulation (the “UK GDPR”), the Data Protection Act 2018 (the “DPA”), the UK Data Use and Access Act 2025 (the “DUAA”) and related legislation (collectively “the Data Protection Laws”).

1.4 This Data Protection Policy (the “Policy”) sets out how we will Process Personal Data in compliance with the Data Protection Laws and applies to all Personal Data we Process regardless of the Data Subject and the medium on which that Personal Data is stored. All staff and others Processing Personal Data on West Dean’s behalf must read and understand it. A failure to comply with this Policy may result in disciplinary action.

1.5 Please refer to the glossary at the end of this Policy for definitions of the main terms used in this Policy

2. Data Protection Principles

2.1 We adhere to the principles relating to Processing of Personal Data set out in the Data Protection Laws. These laws set out strict requirements for how Personal Data must be collected, used, stored and disposed of, as follows:

a) Lawfulness, Fairness and Transparency
Personal Data must be Processed lawfully, fairly, and in a transparent manner. Individuals must be informed about how their data is used, and processing must have a valid legal basis.

b) Purpose Limitation
Personal Data must only be collected for specified, explicit, and legitimate purposes. It must not be further Processed in a way that is incompatible with those purposes.

c) Data Minimisation
Only the minimum Personal Data necessary for the intended purpose should be collected and Processed. Data must be adequate, relevant, and limited to what is required.

d) Accuracy
Personal Data must be accurate and kept up to date. Any inaccurate or incomplete data must be corrected or erased without delay.

e) Storage Limitation
Personal Data must not be kept for longer than is necessary for the purposes for which it was collected.

f) Integrity and Confidentiality (Security)
Personal Data must be handled securely. Appropriate technical and organisational measures must be in place to protect data against unauthorised access, unlawful processing, accidental loss, destruction, or damage.

g) Transfer Limitation
Personal Data must not be transferred to another country without appropriate safeguards in place.

h) Data Subject’s Rights and Requests
Personal Data must be made available to Data Subjects and allow Data Subjects to exercise certain rights in relation to their Personal Data.

2.2 West Dean is responsible for demonstrating compliance with all data protection principles listed above. This includes maintaining appropriate documentation, completing data protection impact assessments where required, and ensuring staff are trained in data protection responsibilities.

3. Types of Personal Data Held 

3.1 West Dean maintains a variety of Personal Data about its community, including staff, students, applicants, contractors, alumni, supporters, visitors and other relevant individuals. This information is recorded in personnel or student files, and managed via secure electronic systems (e.g., HR systems, enrolment tools, attendance monitoring and access control systems). The Personal Data we hold can be broadly grouped into the following types:

a) Personal and Identifying Information
We collect basic personal details such as names, addresses, telephone numbers, email addresses, photographs, and other identifiers. This includes Personal Data submitted during recruitment or application processes, such as CVs, cover letters, references, employment history, and educational background.

b) Employment-related Data (for Staff)
For employees, we hold information related to their role, pay, and employment status. This includes job titles and descriptions, salary, contractual terms, National Insurance numbers, tax codes, bank account details, and records of holiday, sickness, performance appraisals, disciplinary or grievance proceedings, and training undertaken.

c) Security and Access Data
To ensure the security and safety of our premises and systems, we process data such as CCTV images, card access logs, and records of interaction with IT (for instance, login activity, email, and Wi-Fi usage). This data helps us maintain security, prevent misuse, investigate incidents, and manage access.

d) Special Categories of Personal Data
We also collect and Process what the UK GDPR calls special categories of personal data, because it is particularly sensitive and requires additional protection. Under the UK GDPR, this includes: racial or ethnic origin, political or religious beliefs, trade union membership, genetic or biometric data (where used for identification), health data (including disabilities) and data concerning sexual orientation.

e) Criminal Convictions Data
In certain circumstances, we process data relating to relevant criminal convictions or offences.

4. Lawfulness, Fairness and Transparency

4.1 We may only Process Personal Data fairly, lawfully, transparently and for specified purposes. These restrictions are not intended to prevent Processing, but to ensure that we Process Personal Data for legitimate purposes without prejudicing the rights and freedoms of Data Subjects.

4.2 In order to be justified, West Dean may only Process Personal Data if the Processing in question is based on one (or more) of the legal bases set out below. Section 6 below deals with justifying the Processing of Special Categories of Personal Data.

4.3 The legal bases for Processing non-sensitive Personal Data are as follows:

a) the Data Subject has given their Consent to the Processing;
b) the Processing is necessary for the performance of a contract with the Data Subject (e.g. monitoring academic performance to provide the relevant qualification for which the student has enrolled or for payment of salary to staff);
c) the Processing is necessary for compliance with our legal obligations;
d) the Processing is necessary to protect the Data Subject’s vital interests;
e) the Processing is necessary for the performance of a task carried out in the public interest;
f) the Processing is necessary to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The specific legitimate interest or interests that West Dean is pursuing when Processing Personal Data are set out in relevant Privacy Notices. 

4.4 The legal basis which is being relied on for each Processing activity will be identified and documented in the relevant Privacy Notices provided to Data Subjects.

5. Consent

5.1 A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Silence, pre-ticked boxes or inactivity will not be sufficient to indicate consent. If Consent is given in a document that deals with other matters, you must ensure that the Consent is separate and distinct from those other matters.

5.2 Data Subjects must be able to withdraw Consent to Processing easily at any time. Withdrawal of Consent must be promptly honoured. Consent may need to be renewed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented, or if the Consent is historic.

5.3 You should only obtain a Data Subject’s Consent if there is no other legal basis for the Processing. Consent requires genuine choice and genuine control. You will need to ensure that you have evidence of Consent and you should keep a record of all Consents obtained so that we can demonstrate compliance.

5.4 Consent is required for some electronic marketing and some research purposes.

6. Legal bases for Processing Special Category Personal Data and Criminal Convictions Data

6.1 Special Categories of Personal Data include:

a) racial or ethnic origin;
b) political opinions;
c) religious or philosophical beliefs; or
d) trade union membership.
e) genetic data;
f) biometric data for the purpose of uniquely identifying a natural person;
g) data concerning health; or
h) data concerning a natural person’s sex life or sexual orientation
i) children

6.2 The Processing of Special Categories of Personal Data by West Dean must be based on one of the following (together with one of the legal bases for Processing non-sensitive Personal Data listed under paragraph 4):

a) the Data Subject has given explicit consent (requiring a clear statement, not merely an action);
b) If the Data Subject is under 18 then the parents/legal guardians have given explicit consent (requiring a clear statement, not merely an action);
c) the Processing is necessary for complying with employment law (subject to the provisions of the Data Protection Act 2018);
d) the Processing is necessary to protect the vital interests of the Data Subject or another person where the Data Subject is physically or legally incapable of giving consent;
e) the Processing relates to Personal Data which are manifestly made public by the Data Subject;
f) the Processing is necessary for the establishment, exercise or defence of legal claims;
g) the Processing is necessary for reasons of substantial public interest (provided it is proportionate to the particular aim pursued and takes into account the privacy rights of the Data Subject);
h) the Processing is necessary for the purposes of preventive or occupational medicine, etc. provided that it is subject to professional confidentiality;
i) the Processing is necessary for reasons of public interest in the area of public health, provided it is subject to professional confidentiality; and
j) the Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if it is subject to certain safeguards (i.e. Pseudonymisation or anonymisation where possible, the research is not carried out for the purposes of making decisions about particular individuals (unless it is approved medical research) and it must not be likely to cause substantial damage/distress to an individual and is in the public interest).

6.3 Special Categories of Personal Data Processed by West Dean will include the following:

a) health data for the purposes for assessing eligibility to undertake relevant professional programmes, assessing fitness to study or to engage in college activities or for assessing fitness to work/occupational health;
b) details of disability for the purposes of assessing and implementing reasonable adjustments to West Dean’s policies, criteria or practices; and
c) details of racial/ethnic origin, sexual orientation, religion/belief for the purposes of equality monitoring.

6.4 Criminal Convictions Data is Personal Data relating to criminal convictions and offences including the alleged commission of offences or proceedings for offences or alleged offences.

6.5 Criminal Convictions Data is only Processed under the strict conditions of Article 10 of the UK GDPR and the corresponding provisions of the Data Protection Act 2018.

6.6 Criminal Convictions Data Processed by West Dean will include the following:

a) details of relevant unspent convictions for the purposes of assessing eligibility to enrol on academic programmes;
b) details of relevant unspent convictions for the purposes of recruiting relevant staff;
c) checks conducted by the Disclosure and Barring Service for the purposes of assessing eligibility of staff or students to engage in work with children and vulnerable adults, as permitted by legislation relating to the rehabilitation of offenders or for determining fitness to practise in relevant professions; 
d) unspent convictions or allegations of sexual misconduct for staff and student disciplinary purposes;

7. Transparency (Notifying Data Subjects)  

7.1 The UK GDPR requires West Dean to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. That information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.

7.2 Whenever we collect Personal Data directly from Data Subjects, including for recruitment of staff and recruitment of students, we must provide the Data Subject with all the prescribed information, which includes West Dean’s details, contact details of the Data Protection Officer (“DPO”), and how and why we will use, Process, disclose, protect and retain that Personal Data through a Privacy Notice which must be presented at the time of collection.

7.3 When Personal Data is collected indirectly (for example, from a third party or publicly available source), you must also provide information about the categories of Personal Data and any information on the source. The Data Subject must be provided with all the information required by the UK GDPR as soon as possible after collecting/receiving the data. You must also check that the Personal Data was collected by the third party in accordance with the UK GDPR and on a basis which contemplates our proposed Processing of that Personal Data.

8. Purpose Limitation

8.1 Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.

8.2 You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have provided their Consent where necessary.

8.3 If you want to use Personal Data for a new or different purpose from that for which it was obtained, you must first contact the DPO for advice on how to do this in compliance with both the law and this Policy.

9. Data Minimisation

9.1 Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

9.2 You may only Process Personal Data when performing your job duties requires it. You cannot Process Personal Data for any reason unrelated to your job duties.

9.3 You may only collect Personal Data that you require for your job duties: do not collect excessive data. Ensure any Personal Data collected is adequate and relevant for the intended purposes.

9.4 You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised.

10. Accuracy

10.1 Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

10.2 You must ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.

11. Storage Limitation

11.1 Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. We will maintain a Retention Schedule and procedures to ensure Personal Data is deleted after an appropriate time, unless a law requires that data to be kept for a minimum time. 

11.2 You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purposes or other purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.

11.3 You will take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with West Dean’s Retention Schedule. This includes requiring third parties to delete that data where applicable.

11.4 You will ensure Data Subjects are provided with information about the period for which their Personal Data is stored and how that period is determined in any applicable Privacy Notice.

12. Security Integrity and Confidentiality

12.1 We are required to implement and maintain appropriate safeguards to protect Personal Data, taking into account the risks to Data Subjects presented by unauthorised or unlawful Processing or accidental loss, destruction of, or damage to their Personal Data.

12.2 Safeguarding will include the use of encryption and Pseudonymisation where appropriate. It also includes protecting the confidentiality (i.e. that only those who need to know and are authorised to use Personal Data have access to it), integrity and availability of the Personal Data.  We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.

12.3 You are responsible for protecting the Personal Data that you Process in the course of your duties. You must therefore handle Personal Data in a way that guards against accidental loss or disclosure or other unintended or unlawful Processing and in a way that maintains its confidentiality. You must exercise particular care in protecting Special Categories of Personal Data from loss and unauthorised access, use or disclosure.

12.4 You must comply with all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.

12.5 You must maintain data security by protection the confidentiality, integrity and availability of the Personal Data, defined as follows:

a) Confidentiality: only people who have a need to know and are authorised to use the Personal Data can access it;
b) Integrity: Personal Data is accurate and suitable for the purpose for which it is Processed; and
c) Availability: authorised users are able to access the Personal Data when they need it for authorised purposes.

12.6 You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the Data Protection Laws to protect Personal Data.

13. Reporting a Personal Data Breach

13.1 All staff and students must report any data breach or suspected breach immediately upon discovery. Reports must be made to the DPO. Delays in reporting may increase risks to individuals and West Dean and may impact our legal obligations.

13.2 Some types of Personal Data Breach must be reported to the Information Commissioner’s Office by the DPO within 72 hours. Staff and students must therefore report Personal Data Breaches or potential breaches as soon as possible, as the sooner action is taken, the greater the opportunity to limit any potential damage which might be caused by the incident.

13.3 The DPO will assess the breach and decide whether it is necessary to report the Personal Data Breach to either the Information Commissioner’s Office for the affected Data Subjects, or necessary third parties.

13.4 The DPO will record all breaches regardless of severity in our Data Breach Register and recommend steps to prevent recurrence.

14. Transfer Limitation

14.1 West Dean only transfers Personal Data when necessary. All sharing is secure and only for the purposes for which the Personal Data was collected.

14.2 The UK GDPR restricts data transfers to countries outside the UK and EEA in order to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined. Personal Data originating in one country is transferred across borders when you transmit or send that data to a different country or view/access it in a different country. International transfers outside the UK or EEA must occur only with appropriate safeguards and you must ensure compliance with this Policy.

14.3 You may only transfer Personal Data outside the UK if one of the following conditions applies:

a) the UK has issued regulations confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subject's rights and freedoms;
b) appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved for use in the UK, an International Data Transfer Agreement or other approved safeguards;
c) the Data Subject has provided explicit Consent to the proposed transfer after being informed of any potential risks; or
d) the transfer is necessary for one of the other reasons set out in the UK GDPR including:

  • the performance of a contract between us and the Data Subject;
  • reasons of public interest;
  • to establish, exercise or defend legal claims;
  • to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent; and
  • in some limited cases, for our legitimate interest.

15. Training and Audit

15.1 It is our responsibility to ensure that all staff understand the UK GDPR principles, their role in handling Personal Data, and their legal responsibilities. To that end, all employees must read and understand this Policy.

15.2 All staff are also periodically required to attend mandatory training on confidentiality, data protection, and how to recognise and respond to potential Personal Data breaches. All staff must regularly review all the processes and systems under their control to ensure they always comply with this Policy.

15.3 We also ensure that individuals in key data protection roles (such as our DPO) receive additional, targeted training appropriate to their responsibilities.

16. Privacy by Design and Data Protection Impact Assessment (“DPIA”)

16.1 We are required to implement Privacy by Design measures when Processing Personal Data, by implementing appropriate technical and organisational measures (like Pseudonymisation) in an effective manner, to ensure compliance with data protection principles.

16.2 You must assess what Privacy by Design measures can be implemented on all programmes, systems or processes that Process Personal Data by taking into account the following:

a) the state of the art;
b) the cost of implementation;
c) the nature, scope, context and purposes of Processing; and
d) the risks of varying likelihood and severity for rights and freedoms of the Data Subject posed by the Processing.

16.3 West Dean must also conduct DPIA in respect of high-risk Processing before that Processing is undertaken.

16.4 You should conduct a DPIA (and discuss your findings with the DPO) in the following circumstances:

a) the use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
b) automated Processing including profiling and ADM;
c) large scale Processing of Special Categories of Personal Data; and
d) large scale, systematic monitoring of a publicly accessible area.

16.5 A DPIA must include:

a) a description of the Processing, its purposes and West Dean’s legitimate interests if appropriate;
b) an assessment of the necessity and proportionality of the Processing in relation to its purpose;
c) an assessment of the risk to individuals; and
d) the risk-mitigation measures in place and demonstration of compliance.

17. Data Subject’s Rights and Requests

17.1 Data Subjects have rights in relation to the way we handle their Personal Data. These include the following rights:

a) withdraw Consent to Processing at any time;
b) receive certain information about the Controller's Processing activities;
c) request access to their Personal Data that we hold (including receiving a copy of their Personal Data) – for further information about West Dean’s SAR Procedure, see Annex1;
d) prevent our use of their Personal Data for direct marketing purposes;
e) ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
f) restrict Processing in specific circumstances;
g) object to Processing which has been justified on the basis of our legitimate interests or in the public interest;
h) request a copy of an agreement under which Personal Data is transferred outside of the UK;
i) object to decisions based solely on Automated Processing, including profiling (ADM);
j) prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
k) be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
l) make a complaint to us and subsequently to the supervisory authority; and
m) in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.

17.2 You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation) and report any requests to the DPO.

17.3 The DPO is responsible for logging the request, locating and reviewing relevant information, removing third-party data where necessary, and issuing the response securely. You must immediately forward any Data Subject request or complaint you receive to the DPO.

18. Accountability

18.1 West Dean must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. West Dean is responsible for, and must be able to demonstrate compliance with, the data protection principles.

18.2 We must therefore apply adequate resources and controls to ensure and to document UK GDPR compliance including:

a) appointing a suitably qualified DPO;
b) implementing Privacy by Design when Processing Personal Data and completing Data Privacy Impact Assessment where Processing presents a high risk the privacy of Data Subjects;
c) integrating data protection into our policies, procedures, in the way Personal Data is handled by us and by producing required documentation such as Privacy Notices, records of processing, records of Personal Data Breaches;
d) training staff on compliance with Data Protection Laws and keeping a record accordingly; and
e) regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.

19. Record Keeping

19.1 The UK GDPR requires us to keep full and accurate records of all our data Processing activities.

19.2 You must keep and maintain accurate corporate records reflecting our Processing, including records of Data Subjects’ Consents and procedures for obtaining Consents.

19.3 These records should include, at a minimum:

a) the name and contact details of the Controller and the DPO; and
b) clear descriptions of:

i. the Personal Data types;
ii. the Data Subject types;
iii. the Processing activities;
iv. the Processing purposes;
v. the third-party recipients of the Personal Data;
vi. the Personal Data storage locations;
vii. the Personal Data transfers;
viii. the Personal Data's retention period; and
ix. the security measures in place.

20. Direct Marketing

20.1 We are subject to certain rules and privacy laws when engaging in direct marketing to our applicants, students, alumni and any other potential user of our services.

20.2 For example, a Data Subject’s prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers (e.g. current students) known as “soft opt in” allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.

20.3 The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.

20.4 A Data Subject’s objection to direct marketing must be promptly honoured. If a Data Subject opts out of marketing at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

21. Sharing Personal Data

21.1 We are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements are in place.

21.2 You may only share Personal Data we hold with another employee, agent or representative of our institution if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.

21.3 Some bodies have a statutory power to obtain information (for example, external bodies such as Higher Education Statistics Agency, student loan company, local education authorities and other grant-awarding bodies)). You should refer such requests to the DPO.

21.4 You may only share the Personal Data we hold with third parties, such as our service providers, if:

a) they have a need to know the information for the purposes of providing the contracted services;
b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject's Consent has been obtained;
c) the third party has agreed to comply with the required data security standards, policies and procedures, and put adequate security measures in place;
d) the transfer complies with any applicable cross-border transfer restrictions; and
e) a fully executed written contract that contains UK GDPR-compliant third party clauses has been obtained.

22. AI- Personal Data

22.1 West Dean recognises that artificial intelligence (“AI”) tools can enhance efficiency, creativity, and administrative processes; however, their use must always comply with UK GDPR and this Policy. Employees must not input, upload, or disclose any Personal Data, confidential information, or commercially sensitive material into AI systems unless the tool has been formally approved by the DPO and an appropriate lawful basis and security assessment have been established. Public AI tools are not approved for Processing Personal Data, and any AI-generated content must be verified for accuracy before being used for our purposes.

22.2 Employees are responsible for ensuring that AI is used safely, ethically, and transparently, and must not rely on AI to make decisions that affect individuals’ rights or wellbeing without proper human oversight. Any concerns or incidents involving AI misuse, inaccurate outputs, or potential data protection risks must be reported immediately to the DPO.

23. Responsibilities under this Policy

23.1 Responsibilities of the Data Protection Officer (DPO):

a) monitoring compliance with data protection laws and internal policies;
b) providing advice and guidance to staff on data protection matters;
c) acting as the main contact for Data Subjects wishing to exercise their data rights;
d) advising on data protection impact assessments (DPIAs);
e) managing and advising on data breaches, including reporting to the Information Commissioner’s Office (“ICO”) when required; and
f) acting as the point of contact with the ICO.

You should contact the DPO if you have any questions about the operation of this Policy or the application of Data Protection Laws or if you have any concerns that this Policy is not being followed:

Name: DPO Officer
Email: [email protected]

23.2 Responsibilities of Individual Members of Staff:

1) All staff are required to ensure that any Personal Data they provide to West Dean, including employment information, is accurate and up to date. Updates can be made through the HR self-service system or other relevant channels and must notify us of any changes to, or errors in, the Personal Data held.
2) Staff must comply with this Policy and any other related policies as well as undertake core Information Governance training via the West Dean’s eLearning platform and refresh their knowledge at least every two years.
3) Any deliberate or negligent breach of this Policy or statutory UK GDPR obligations may result in disciplinary action.
4) All staff are expected to familiarise themselves with this Policy and uphold the principles at all times.
5) Staff whose work involves Processing Personal Data must ensure that they:

  • collect only the minimum data necessary for the task (data minimisation).
  • provide clear information to individuals on why their data is being processed.
  • anonymise personal data wherever possible and appropriate.
  • ensure that third-party processors are aware of their UK GDPR responsibilities and that these are captured in formal agreements.
  • store personal data securely, using measures such as password protection, encryption, locked cabinets, access controls, and anonymisation where appropriate.
  • do not disclose personal data to unauthorised third parties unless necessary to protect the data subject or others in an emergency, and then only share the minimum required.
  • keep data accurate and up to date, retain it only as long as necessary, and destroy it confidentially when no longer required, in line with West Dean’s Retention Schedule.
  • access only the Personal Data necessary for their role.
  • maintain the same level of data security when working remotely, ensuring electronic data is stored on West Dean’s systems, not personal devices.

6) Managers have additional responsibilities to:

  • ensure their teams are aware of the UK GDPR principles and understand how to process Personal Data correctly.
  • confirm that staff have completed the mandatory Information Governance eLearning module as part of core training.

24. Changes to the Policy

24.1 We keep this Policy under regular review and reserve the right to amend this Policy at any time without notice to you, so please check regularly to obtain the latest copy.

Glossary of Terms

Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The UK GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.

Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing, as are many uses of artificial intelligence (AI) where they involve the processing of Personal Data.

Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the Processing of Personal Data relating to them.

Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR. West Dean is the Controller of all Personal Data relating to and used in our business for our own commercial purposes.

Criminal Convictions Data: personal data relating to criminal convictions and offences, including personal data relating to criminal allegations and proceedings.

Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in accordance with the UK GDPR. We are the Data Controller of all Personal Data relating to West Dean and used in delivering education and training, conducting research and all other purposes connected with it, including business purposes.

Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.

Data Protection Officer (DPO): the person required to be appointed in specific circumstances under the UK GDPR. 

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories of Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the UK GDPR.

Privacy Notices: separate notices setting out information that may be provided to Data Subjects when West Dean collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee, student or donor privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose.

Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

Special Categories Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

Annex 1 - West Dean SAR Procedure

1) A Subject Access Request can be made:

  • in writing (email or letter);
  • verbally; or
  • through any staff member (who must pass it on immediately).

2) All SARs must be forwarded without delay to the DPO for logging and action. If in doubt, you should consult the DPO for further advice.

3) To help West Dean process the request efficiently, the requester may be asked to:

  • confirm their identity;
  • clarify what information they are seeking; and/ or
  • specify time periods, departments, or systems involved

4) West Dean will respond to all valid SARs within one month of receipt. Where a request is complex or involves a large volume of data, this period may be extended by up to two additional months. The requester will be informed within the first month if an extension is required.

5) Once a SAR is received, the DPO will:

  • log the request in the SAR register;
  • verify the identity of the requester, where necessary;
  • locate relevant data across systems, files, email accounts, and archives;
  • review the data for accuracy, relevance, and lawful disclosure;
  • remove or redact information that relates to other individuals (unless consent has been obtained or it is reasonable to disclose); and
  • provide the response securely, along with required explanations under the Data Protection Laws (e.g. processing purposes, data retention periods).

6) Data will be provided free of charge except where requests are excessive or repeated.

7) West Dean may refuse or partially restrict access where a request is:

  • manifestly unfounded (e.g., malicious intent);
  • manifestly excessive (beyond what is reasonable); and/ or
  • repetitive, with no new information likely to be revealed.

Where a SAR is refused, the requester will receive a written explanation and information on their right to complain to the ICO.