West Dean Data Protection Policy & Procedures
1. Purpose & Scope
1.1 West Dean College (“West Dean”, “we”, “us” or “our”) has a wide range of functions as an organisation. We may collect, store, use or otherwise process Personal Data about individuals with whom we interact, including students, staff, contractors, applicants, alumni, supporters, visitors and other relevant third parties (collectively the “Data Subjects”) to operate effectively as an organisation.
1.2 We recognise that much of our work involves handling information about living individuals and protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. We recognise that the lawful and correct treatment of Personal Data is essential to maintaining trust and confidence in West Dean and for meeting legal requirements.
1.3 West Dean is obliged to fulfil Data Subjects’ reasonable expectations of privacy by complying with the UK General Data Protection Regulation (the “UK GDPR”), the Data Protection Act 2018 (the “DPA”), the UK Data Use and Access Act 2025 (the “DUAA”) and related legislation (collectively “the Data Protection Laws”).
1.4 This Data Protection Policy (the “Policy”) sets out how we will Process Personal Data in compliance with the Data Protection Laws and applies to all Personal Data we Process regardless of the Data Subject and the medium on which that Personal Data is stored. All staff and others Processing Personal Data on West Dean’s behalf must read and understand it. A failure to comply with this Policy may result in disciplinary action.
1.5 Please refer to the glossary at the end of this Policy for definitions of the main terms used in this Policy
2. Data Protection Principles
2.1 We adhere to the principles relating to Processing of Personal Data set out in the Data Protection Laws. These laws set out strict requirements for how Personal Data must be collected, used, stored and disposed of, as follows:
a) Lawfulness, Fairness and Transparency
Personal Data must be Processed lawfully, fairly, and in a transparent manner. Individuals must be informed about how their data is used, and processing must have a valid legal basis.
b) Purpose Limitation
Personal Data must only be collected for specified, explicit, and legitimate purposes. It must not be further Processed in a way that is incompatible with those purposes.
c) Data Minimisation
Only the minimum Personal Data necessary for the intended purpose should be collected and Processed. Data must be adequate, relevant, and limited to what is required.
d) Accuracy
Personal Data must be accurate and kept up to date. Any inaccurate or incomplete data must be corrected or erased without delay.
e) Storage Limitation
Personal Data must not be kept for longer than is necessary for the purposes for which it was collected.
f) Integrity and Confidentiality (Security)
Personal Data must be handled securely. Appropriate technical and organisational measures must be in place to protect data against unauthorised access, unlawful processing, accidental loss, destruction, or damage.
g) Transfer Limitation
Personal Data must not be transferred to another country without appropriate safeguards in place.
h) Data Subject’s Rights and Requests
Personal Data must be made available to Data Subjects and allow Data Subjects to exercise certain rights in relation to their Personal Data.
2.2 West Dean is responsible for demonstrating compliance with all data protection principles listed above. This includes maintaining appropriate documentation, completing data protection impact assessments where required, and ensuring staff are trained in data protection responsibilities.
3. Types of Personal Data Held
3.1 West Dean maintains a variety of Personal Data about its community, including staff, students, applicants, contractors, alumni, supporters, visitors and other relevant individuals. This information is recorded in personnel or student files, and managed via secure electronic systems (e.g., HR systems, enrolment tools, attendance monitoring and access control systems). The Personal Data we hold can be broadly grouped into the following types:
a) Personal and Identifying Information
We collect basic personal details such as names, addresses, telephone numbers, email addresses, photographs, and other identifiers. This includes Personal Data submitted during recruitment or application processes, such as CVs, cover letters, references, employment history, and educational background.
b) Employment-related Data (for Staff)
For employees, we hold information related to their role, pay, and employment status. This includes job titles and descriptions, salary, contractual terms, National Insurance numbers, tax codes, bank account details, and records of holiday, sickness, performance appraisals, disciplinary or grievance proceedings, and training undertaken.
c) Security and Access Data
To ensure the security and safety of our premises and systems, we process data such as CCTV images, card access logs, and records of interaction with IT (for instance, login activity, email, and Wi-Fi usage). This data helps us maintain security, prevent misuse, investigate incidents, and manage access.
d) Special Categories of Personal Data
We also collect and Process what the UK GDPR calls special categories of personal data, because it is particularly sensitive and requires additional protection. Under the UK GDPR, this includes: racial or ethnic origin, political or religious beliefs, trade union membership, genetic or biometric data (where used for identification), health data (including disabilities) and data concerning sexual orientation.
e) Criminal Convictions Data
In certain circumstances, we process data relating to relevant criminal convictions or offences.
4. Lawfulness, Fairness and Transparency
4.1 We may only Process Personal Data fairly, lawfully, transparently and for specified purposes. These restrictions are not intended to prevent Processing, but to ensure that we Process Personal Data for legitimate purposes without prejudicing the rights and freedoms of Data Subjects.
4.2 In order to be justified, West Dean may only Process Personal Data if the Processing in question is based on one (or more) of the legal bases set out below. Section 6 below deals with justifying the Processing of Special Categories of Personal Data.
4.3 The legal bases for Processing non-sensitive Personal Data are as follows:
a) the Data Subject has given their Consent to the Processing;
b) the Processing is necessary for the performance of a contract with the Data Subject (e.g. monitoring academic performance to provide the relevant qualification for which the student has enrolled or for payment of salary to staff);
c) the Processing is necessary for compliance with our legal obligations;
d) the Processing is necessary to protect the Data Subject’s vital interests;
e) the Processing is necessary for the performance of a task carried out in the public interest;
f) the Processing is necessary to pursue our legitimate interests for purposes where they are not overridden because the Processing prejudices the interests or fundamental rights and freedoms of Data Subjects. The specific legitimate interest or interests that West Dean is pursuing when Processing Personal Data are set out in relevant Privacy Notices.
4.4 The legal basis which is being relied on for each Processing activity will be identified and documented in the relevant Privacy Notices provided to Data Subjects.
5. Consent
5.1 A Data Subject consents to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Silence, pre-ticked boxes or inactivity will not be sufficient to indicate consent. If Consent is given in a document that deals with other matters, you must ensure that the Consent is separate and distinct from those other matters.
5.2 Data Subjects must be able to withdraw Consent to Processing easily at any time. Withdrawal of Consent must be promptly honoured. Consent may need to be renewed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented, or if the Consent is historic.
5.3 You should only obtain a Data Subject’s Consent if there is no other legal basis for the Processing. Consent requires genuine choice and genuine control. You will need to ensure that you have evidence of Consent and you should keep a record of all Consents obtained so that we can demonstrate compliance.
5.4 Consent is required for some electronic marketing and some research purposes.
6. Legal bases for Processing Special Category Personal Data and Criminal Convictions Data
6.1 Special Categories of Personal Data include:
a) racial or ethnic origin;
b) political opinions;
c) religious or philosophical beliefs; or
d) trade union membership.
e) genetic data;
f) biometric data for the purpose of uniquely identifying a natural person;
g) data concerning health; or
h) data concerning a natural person’s sex life or sexual orientation
i) children
6.2 The Processing of Special Categories of Personal Data by West Dean must be based on one of the following (together with one of the legal bases for Processing non-sensitive Personal Data listed under paragraph 4):
a) the Data Subject has given explicit consent (requiring a clear statement, not merely an action);
b) If the Data Subject is under 18 then the parents/legal guardians have given explicit consent (requiring a clear statement, not merely an action);
c) the Processing is necessary for complying with employment law (subject to the provisions of the Data Protection Act 2018);
d) the Processing is necessary to protect the vital interests of the Data Subject or another person where the Data Subject is physically or legally incapable of giving consent;
e) the Processing relates to Personal Data which are manifestly made public by the Data Subject;
f) the Processing is necessary for the establishment, exercise or defence of legal claims;
g) the Processing is necessary for reasons of substantial public interest (provided it is proportionate to the particular aim pursued and takes into account the privacy rights of the Data Subject);
h) the Processing is necessary for the purposes of preventive or occupational medicine, etc. provided that it is subject to professional confidentiality;
i) the Processing is necessary for reasons of public interest in the area of public health, provided it is subject to professional confidentiality; and
j) the Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if it is subject to certain safeguards (i.e. Pseudonymisation or anonymisation where possible, the research is not carried out for the purposes of making decisions about particular individuals (unless it is approved medical research) and it must not be likely to cause substantial damage/distress to an individual and is in the public interest).
6.3 Special Categories of Personal Data Processed by West Dean will include the following:
a) health data for the purposes for assessing eligibility to undertake relevant professional programmes, assessing fitness to study or to engage in college activities or for assessing fitness to work/occupational health;
b) details of disability for the purposes of assessing and implementing reasonable adjustments to West Dean’s policies, criteria or practices; and
c) details of racial/ethnic origin, sexual orientation, religion/belief for the purposes of equality monitoring.
6.4 Criminal Convictions Data is Personal Data relating to criminal convictions and offences including the alleged commission of offences or proceedings for offences or alleged offences.
6.5 Criminal Convictions Data is only Processed under the strict conditions of Article 10 of the UK GDPR and the corresponding provisions of the Data Protection Act 2018.
6.6 Criminal Convictions Data Processed by West Dean will include the following:
a) details of relevant unspent convictions for the purposes of assessing eligibility to enrol on academic programmes;
b) details of relevant unspent convictions for the purposes of recruiting relevant staff;
c) checks conducted by the Disclosure and Barring Service for the purposes of assessing eligibility of staff or students to engage in work with children and vulnerable adults, as permitted by legislation relating to the rehabilitation of offenders or for determining fitness to practise in relevant professions;
d) unspent convictions or allegations of sexual misconduct for staff and student disciplinary purposes;
7. Transparency (Notifying Data Subjects)
7.1 The UK GDPR requires West Dean to provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. That information must be provided through appropriate Privacy Notices which must be concise, transparent, intelligible, easily accessible, and in clear and plain language so that a Data Subject can easily understand them.
7.2 Whenever we collect Personal Data directly from Data Subjects, including for recruitment of staff and recruitment of students, we must provide the Data Subject with all the prescribed information, which includes West Dean’s details, contact details of the Data Protection Officer (“DPO”), and how and why we will use, Process, disclose, protect and retain that Personal Data through a Privacy Notice which must be presented at the time of collection.
7.3 When Personal Data is collected indirectly (for example, from a third party or publicly available source), you must also provide information about the categories of Personal Data and any information on the source. The Data Subject must be provided with all the information required by the UK GDPR as soon as possible after collecting/receiving the data. You must also check that the Personal Data was collected by the third party in accordance with the UK GDPR and on a basis which contemplates our proposed Processing of that Personal Data.
8. Purpose Limitation
8.1 Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.
8.2 You cannot use Personal Data for new, different or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes and they have provided their Consent where necessary.
8.3 If you want to use Personal Data for a new or different purpose from that for which it was obtained, you must first contact the DPO for advice on how to do this in compliance with both the law and this Policy.
9. Data Minimisation
9.1 Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
9.2 You may only Process Personal Data when performing your job duties requires it. You cannot Process Personal Data for any reason unrelated to your job duties.
9.3 You may only collect Personal Data that you require for your job duties: do not collect excessive data. Ensure any Personal Data collected is adequate and relevant for the intended purposes.
9.4 You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised.
10. Accuracy
10.1 Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
10.2 You must ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards. You must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
11. Storage Limitation
11.1 Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed. We will maintain a Retention Schedule and procedures to ensure Personal Data is deleted after an appropriate time, unless a law requires that data to be kept for a minimum time.
11.2 You must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purposes or other purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.
11.3 You will take all reasonable steps to destroy or erase from our systems all Personal Data that we no longer require in accordance with West Dean’s Retention Schedule. This includes requiring third parties to delete that data where applicable.
11.4 You will ensure Data Subjects are provided with information about the period for which their Personal Data is stored and how that period is determined in any applicable Privacy Notice.
12. Security Integrity and Confidentiality
12.1 We are required to implement and maintain appropriate safeguards to protect Personal Data, taking into account the risks to Data Subjects presented by unauthorised or unlawful Processing or accidental loss, destruction of, or damage to their Personal Data.
12.2 Safeguarding will include the use of encryption and Pseudonymisation where appropriate. It also includes protecting the confidentiality (i.e. that only those who need to know and are authorised to use Personal Data have access to it), integrity and availability of the Personal Data. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our Processing of Personal Data.
12.3 You are responsible for protecting the Personal Data that you Process in the course of your duties. You must therefore handle Personal Data in a way that guards against accidental loss or disclosure or other unintended or unlawful Processing and in a way that maintains its confidentiality. You must exercise particular care in protecting Special Categories of Personal Data from loss and unauthorised access, use or disclosure.
12.4 You must comply with all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You may only transfer Personal Data to third-party service providers who agree to comply with the required policies and procedures and who agree to put adequate measures in place, as requested.
12.5 You must maintain data security by protection the confidentiality, integrity and availability of the Personal Data, defined as follows:
a) Confidentiality: only people who have a need to know and are authorised to use the Personal Data can access it;
b) Integrity: Personal Data is accurate and suitable for the purpose for which it is Processed; and
c) Availability: authorised users are able to access the Personal Data when they need it for authorised purposes.
12.6 You must comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the Data Protection Laws to protect Personal Data.
13. Reporting a Personal Data Breach
13.1 All staff and students must report any data breach or suspected breach immediately upon discovery. Reports must be made to the DPO. Delays in reporting may increase risks to individuals and West Dean and may impact our legal obligations.
13.2 Some types of Personal Data Breach must be reported to the Information Commissioner’s Office by the DPO within 72 hours. Staff and students must therefore report Personal Data Breaches or potential breaches as soon as possible, as the sooner action is taken, the greater the opportunity to limit any potential damage which might be caused by the incident.
13.3 The DPO will assess the breach and decide whether it is necessary to report the Personal Data Breach to either the Information Commissioner’s Office for the affected Data Subjects, or necessary third parties.
13.4 The DPO will record all breaches regardless of severity in our Data Breach Register and recommend steps to prevent recurrence.
14. Transfer Limitation
14.1 West Dean only transfers Personal Data when necessary. All sharing is secure and only for the purposes for which the Personal Data was collected.
14.2 The UK GDPR restricts data transfers to countries outside the UK and EEA in order to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined. Personal Data originating in one country is transferred across borders when you transmit or send that data to a different country or view/access it in a different country. International transfers outside the UK or EEA must occur only with appropriate safeguards and you must ensure compliance with this Policy.
14.3 You may only transfer Personal Data outside the UK if one of the following conditions applies:
a) the UK has issued regulations confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subject's rights and freedoms;
b) appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved for use in the UK, an International Data Transfer Agreement or other approved safeguards;
c) the Data Subject has provided explicit Consent to the proposed transfer after being informed of any potential risks; or
d) the transfer is necessary for one of the other reasons set out in the UK GDPR including:
- the performance of a contract between us and the Data Subject;
- reasons of public interest;
- to establish, exercise or defend legal claims;
- to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent; and
- in some limited cases, for our legitimate interest.
15. Training and Audit
15.1 It is our responsibility to ensure that all staff understand the UK GDPR principles, their role in handling Personal Data, and their legal responsibilities. To that end, all employees must read and understand this Policy.
15.2 All staff are also periodically required to attend mandatory training on confidentiality, data protection, and how to recognise and respond to potential Personal Data breaches. All staff must regularly review all the processes and systems under their control to ensure they always comply with this Policy.
15.3 We also ensure that individuals in key data protection roles (such as our DPO) receive additional, targeted training appropriate to their responsibilities.
16. Privacy by Design and Data Protection Impact Assessment (“DPIA”)
16.1 We are required to implement Privacy by Design measures when Processing Personal Data, by implementing appropriate technical and organisational measures (like Pseudonymisation) in an effective manner, to ensure compliance with data protection principles.
16.2 You must assess what Privacy by Design measures can be implemented on all programmes, systems or processes that Process Personal Data by taking into account the following:
a) the state of the art;
b) the cost of implementation;
c) the nature, scope, context and purposes of Processing; and
d) the risks of varying likelihood and severity for rights and freedoms of the Data Subject posed by the Processing.
16.3 West Dean must also conduct DPIA in respect of high-risk Processing before that Processing is undertaken.
16.4 You should conduct a DPIA (and discuss your findings with the DPO) in the following circumstances:
a) the use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
b) automated Processing including profiling and ADM;
c) large scale Processing of Special Categories of Personal Data; and
d) large scale, systematic monitoring of a publicly accessible area.
16.5 A DPIA must include:
a) a description of the Processing, its purposes and West Dean’s legitimate interests if appropriate;
b) an assessment of the necessity and proportionality of the Processing in relation to its purpose;
c) an assessment of the risk to individuals; and
d) the risk-mitigation measures in place and demonstration of compliance.
17. Data Subject’s Rights and Requests
17.1 Data Subjects have rights in relation to the way we handle their Personal Data. These include the following rights:
a) withdraw Consent to Processing at any time;
b) receive certain information about the Controller's Processing activities;
c) request access to their Personal Data that we hold (including receiving a copy of their Personal Data) – for further information about West Dean’s SAR Procedure, see Annex1;
d) prevent our use of their Personal Data for direct marketing purposes;
e) ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
f) restrict Processing in specific circumstances;
g) object to Processing which has been justified on the basis of our legitimate interests or in the public interest;
h) request a copy of an agreement under which Personal Data is transferred outside of the UK;
i) object to decisions based solely on Automated Processing, including profiling (ADM);
j) prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
k) be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
l) make a complaint to us and subsequently to the supervisory authority; and
m) in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
17.2 You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing Personal Data without proper authorisation) and report any requests to the DPO.
17.3 The DPO is responsible for logging the request, locating and reviewing relevant information, removing third-party data where necessary, and issuing the response securely. You must immediately forward any Data Subject request or complaint you receive to the DPO.
18. Accountability
18.1 West Dean must implement appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. West Dean is responsible for, and must be able to demonstrate compliance with, the data protection principles.
18.2 We must therefore apply adequate resources and controls to ensure and to document UK GDPR compliance including:
a) appointing a suitably qualified DPO;
b) implementing Privacy by Design when Processing Personal Data and completing Data Privacy Impact Assessment where Processing presents a high risk the privacy of Data Subjects;
c) integrating data protection into our policies, procedures, in the way Personal Data is handled by us and by producing required documentation such as Privacy Notices, records of processing, records of Personal Data Breaches;
d) training staff on compliance with Data Protection Laws and keeping a record accordingly; and
e) regularly testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using results of testing to demonstrate compliance improvement effort.
19. Record Keeping
19.1 The UK GDPR requires us to keep full and accurate records of all our data Processing activities.
19.2 You must keep and maintain accurate corporate records reflecting our Processing, including records of Data Subjects’ Consents and procedures for obtaining Consents.
19.3 These records should include, at a minimum:
a) the name and contact details of the Controller and the DPO; and
b) clear descriptions of:
i. the Personal Data types;
ii. the Data Subject types;
iii. the Processing activities;
iv. the Processing purposes;
v. the third-party recipients of the Personal Data;
vi. the Personal Data storage locations;
vii. the Personal Data transfers;
viii. the Personal Data's retention period; and
ix. the security measures in place.
20. Direct Marketing
20.1 We are subject to certain rules and privacy laws when engaging in direct marketing to our applicants, students, alumni and any other potential user of our services.
20.2 For example, a Data Subject’s prior consent is required for electronic direct marketing (for example, by email, text or automated calls). The limited exception for existing customers (e.g. current students) known as “soft opt in” allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar services, and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.
20.3 The right to object to direct marketing must be explicitly offered to the Data Subject in an intelligible manner so that it is clearly distinguishable from other information.
20.4 A Data Subject’s objection to direct marketing must be promptly honoured. If a Data Subject opts out of marketing at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.
21. Sharing Personal Data
21.1 We are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements are in place.
21.2 You may only share Personal Data we hold with another employee, agent or representative of our institution if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
21.3 Some bodies have a statutory power to obtain information (for example, external bodies such as Higher Education Statistics Agency, student loan company, local education authorities and other grant-awarding bodies)). You should refer such requests to the DPO.
21.4 You may only share the Personal Data we hold with third parties, such as our service providers, if:
a) they have a need to know the information for the purposes of providing the contracted services;
b) sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject's Consent has been obtained;
c) the third party has agreed to comply with the required data security standards, policies and procedures, and put adequate security measures in place;
d) the transfer complies with any applicable cross-border transfer restrictions; and
e) a fully executed written contract that contains UK GDPR-compliant third party clauses has been obtained.
22. AI- Personal Data
22.1 West Dean recognises that artificial intelligence (“AI”) tools can enhance efficiency, creativity, and administrative processes; however, their use must always comply with UK GDPR and this Policy. Employees must not input, upload, or disclose any Personal Data, confidential information, or commercially sensitive material into AI systems unless the tool has been formally approved by the DPO and an appropriate lawful basis and security assessment have been established. Public AI tools are not approved for Processing Personal Data, and any AI-generated content must be verified for accuracy before being used for our purposes.
22.2 Employees are responsible for ensuring that AI is used safely, ethically, and transparently, and must not rely on AI to make decisions that affect individuals’ rights or wellbeing without proper human oversight. Any concerns or incidents involving AI misuse, inaccurate outputs, or potential data protection risks must be reported immediately to the DPO.
23. Responsibilities under this Policy
23.1 Responsibilities of the Data Protection Officer (DPO):
a) monitoring compliance with data protection laws and internal policies;
b) providing advice and guidance to staff on data protection matters;
c) acting as the main contact for Data Subjects wishing to exercise their data rights;
d) advising on data protection impact assessments (DPIAs);
e) managing and advising on data breaches, including reporting to the Information Commissioner’s Office (“ICO”) when required; and
f) acting as the point of contact with the ICO.
You should contact the DPO if you have any questions about the operation of this Policy or the application of Data Protection Laws or if you have any concerns that this Policy is not being followed:
Name: DPO Officer
Email: [email protected]
23.2 Responsibilities of Individual Members of Staff:
1) All staff are required to ensure that any Personal Data they provide to West Dean, including employment information, is accurate and up to date. Updates can be made through the HR self-service system or other relevant channels and must notify us of any changes to, or errors in, the Personal Data held.
2) Staff must comply with this Policy and any other related policies as well as undertake core Information Governance training via the West Dean’s eLearning platform and refresh their knowledge at least every two years.
3) Any deliberate or negligent breach of this Policy or statutory UK GDPR obligations may result in disciplinary action.
4) All staff are expected to familiarise themselves with this Policy and uphold the principles at all times.
5) Staff whose work involves Processing Personal Data must ensure that they:
- collect only the minimum data necessary for the task (data minimisation).
- provide clear information to individuals on why their data is being processed.
- anonymise personal data wherever possible and appropriate.
- ensure that third-party processors are aware of their UK GDPR responsibilities and that these are captured in formal agreements.
- store personal data securely, using measures such as password protection, encryption, locked cabinets, access controls, and anonymisation where appropriate.
- do not disclose personal data to unauthorised third parties unless necessary to protect the data subject or others in an emergency, and then only share the minimum required.
- keep data accurate and up to date, retain it only as long as necessary, and destroy it confidentially when no longer required, in line with West Dean’s Retention Schedule.
- access only the Personal Data necessary for their role.
- maintain the same level of data security when working remotely, ensuring electronic data is stored on West Dean’s systems, not personal devices.
6) Managers have additional responsibilities to:
- ensure their teams are aware of the UK GDPR principles and understand how to process Personal Data correctly.
- confirm that staff have completed the mandatory Information Governance eLearning module as part of core training.
24. Changes to the Policy
24.1 We keep this Policy under regular review and reserve the right to amend this Policy at any time without notice to you, so please check regularly to obtain the latest copy.