DATA PROTECTION POLICY
Purpose
This policy outlines how the College of Contract Management United Kingdom Ltd (‘the College’) complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
The College is committed to ensuring the lawful, fair, and transparent processing of personal data while safeguarding individuals’ rights and freedoms. It implements appropriate security measures to protect personal data. This policy applies to all employees, contractors, students, and stakeholders who handle personal data on behalf of the College.
The Act applies to the College as the Data Controller and to anyone who holds personal information in a structured way that allows for easy retrieval. The College is dedicated to upholding both the letter and spirit of the law, maintaining the highest standards of conduct. This policy serves to inform staff of their responsibilities under the Act and outlines the College’s expectations regarding personal data processing and safeguarding individuals’ rights.
Scope and Responsibilities
All staff members are expected to familiarise themselves with and comply with data protection regulations. They must read and understand this policy, ensure compliance throughout the data lifecycle, and respect individuals’ rights under the Act. Staff should be aware of what constitutes ‘sensitive personal data’ and how to handle it appropriately. If there is any uncertainty, the Data Protection Officer (DPO) should be consulted to avoid jeopardising individuals’ rights or violating the law.
Data Protection Officer (DPO):
The Data Protection Officer is responsible for overseeing compliance and providing guidance on data protection issues. The designated contact person is: Mrs Elise de Carteret
Key Principles of Data Protection
The College adheres to the following principles when processing personal data:
- Personal data shall be processed fairly and lawfully.
- Data shall only be collected for specified and legitimate purposes and not further processed in an incompatible manner.
- Data shall be relevant, adequate, and not excessive for the intended purpose.
- Personal data shall be accurate and kept up to date.
- Data shall not be retained longer than necessary.
- Processing shall be carried out in accordance with individuals’ rights.
- Appropriate security measures shall be implemented to prevent unauthorised access, loss, or damage.
- Personal data shall not be transferred outside the European Economic Area unless adequate protections exist.
Best-Practice Guidelines for the Data Lifecycle
Acquisition of Personal Data:
When collecting personal data, staff must comply with the DPO’s guidelines. Individuals must be informed of the purpose of data collection, and explicit consent must be obtained, particularly for sensitive data. Only the necessary data should be collected.
Holding, Safeguarding, and Disposal:
Personal data must not be retained longer than necessary and should be periodically reviewed for accuracy. The College follows records management policies to determine appropriate retention periods. Data security measures should be proportional to the sensitivity of the data, ensuring protection against unauthorised access or accidental loss.
Processing of Personal Data:
Personal data should only be processed for the purposes it was originally collected for. If processing is required for a new purpose, consent must be obtained unless an exemption applies.
Disclosures and Transfers:
The College exercises discretion when disclosing personal data. Staff are not permitted to share information about applicants, students, or employees unless they have explicit authorisation. Caution must be taken when posting personal data online. References may only be provided with the individual’s consent. Personal data must not be disclosed to authorities such as the police unless authorised by the Data Protection Officer. Transfers outside the College or beyond the EEA require appropriate safeguards or explicit consent.
Destruction of Personal Data:
When data is no longer needed, it must be securely destroyed to prevent reconstruction or misuse.
Data Breach Reporting
In the event of a data breach, immediate action must be taken to mitigate risks and report the incident. All breaches, whether accidental or deliberate, must be reported to the Data Protection Officer without delay. The DPO will assess the severity of the breach, take remedial action, and determine whether notification to the Information Commissioner’s Office (ICO) or affected individuals is required. Serious breaches must be reported to the ICO within 72 hours of discovery. Staff must cooperate fully in breach investigations and follow the College’s data breach response procedures.
Individual Rights Requests
Individuals have the right to access their personal data, request rectification, erasure, or restriction of processing, and object to data usage. They also have the right to data portability. Requests should be submitted in writing to the Data Protection Officer, who will respond within one month. Where requests are complex or numerous, an extension of two months may be applied, with the requester being informed of the delay. If a request is refused, the individual will be provided with a reason and informed of their right to lodge a complaint with the ICO.
Review and Compliance
This policy will be reviewed periodically to ensure compliance with changes in legislation and ICO guidance. Staff are expected to stay informed about data protection requirements and attend training as necessary.
Data Protection Contacts
For general enquiries or to make a formal data access request, contact:
College of Contract Management United Kingdom
5 St Georges Yard
Farnham
Surrey
GU9 7LW
Telephone: 01420 481681
Email: enquiries@theccm.co.uk
Disciplinary Consequences
Unlawful access, disclosure, or transfer of personal data in violation of this policy will be taken seriously and may result in disciplinary action, including dismissal or expulsion.
Updated on: 1st February 2024