POLICY: Information Technology - Website Privacy Policy
POLICY URL: https://lsi-ac.uk/policy/da662e6a-4fae-45ce-bc1c-6539f5f94915

POLICY STATEMENT:
The School is committed to safeguarding the privacy of users visiting our website. Our Website Privacy Policy ensures that personal data is collected, stored, and used in compliance with UK data protection laws. We implement robust security measures and provide clear information about data handling practices to protect user privacy and maintain trust.

POLICY PRINCIPLES:
------------------
- Data Collection Transparency: Clearly inform users about the types of personal data collected and the purposes for which it is used;
- Data Minimisation: Collect only the data that is necessary for the specified purposes and avoid excessive data gathering;
- User Consent: Obtain explicit consent from users before collecting or processing their personal data, and provide options to withdraw consent;
- Data Accuracy: Ensure that personal data is accurate, complete, and up-to-date, and provide users with the means to correct inaccuracies;
- Data Security: Implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss, or damage;
- Access Control: Limit access to personal data to authorised personnel only, and ensure that data is handled confidentially;
- Retention Policy: Retain personal data only for as long as necessary to fulfil the intended purpose, and securely delete or anonymise data when it is no longer needed;
- User Rights: Respect and facilitate users’ rights to access, correct, and request deletion of their personal data, and provide clear procedures for exercising these rights.

REGULATORY CONTEXT:
------------------
This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following:
R1. UK Government: Data Protection Act 2018 - Legislation aimed at controlling the processing of personal data, laying down principles with respect to the processing of personal data, and the rights of data subjects
R2. Quality Assurance Agency (QAA): Advice - Learning and Teaching -
R3. Quality Assurance Agency (QAA): The Quality Code - This code represents a shared understanding of quality practice across the UK higher education sector, protecting public and student interests and championing the UK's reputation for quality.
R4. Information Commissioner's Office (ICO): Guide for higher education institutions - Provides guidance for higher education providers on their obligations under data protection law.
R5. Office for Students (OfS): Regulatory Notices and Advice - Regulatory notices are additional information about OfS' regulatory requirements and are part of the regulatory framework. Regulatory advice helps providers understand and meet OfS requirements.
R6. JISC (Joint Information Systems Committee): Digital Infrastructure Guidelines - Guidelines for universities and colleges in the UK on how to manage their digital infrastructure.

METRICS AND KPIS:
------------------
The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations:
M1. Compliance Audit Frequency: Conduct internal privacy compliance audits at least once every six months. Regular checks ensure ongoing compliance with data protection regulations and identify areas for improvement.
M2. Cookie Consent Management: Implement cookie consent management with a compliance rate of 100%, ensuring users can easily manage their cookie preferences. Aligns with legal requirements and gives users control over their data preferences.
M3. Data Breach Response Time: Respond to and address any data breaches within 24 hours of discovery. Minimises potential harm and demonstrates prompt action in safeguarding user data.
M4. Data Retention Policy Adherence: Ensure 100% adherence to the data retention policy, with all personal data deleted or anonymised as per the policy. Prevents unnecessary storage of data and reduces risk of non-compliance.
M5. User Access Requests Fulfilment Rate: Fulfil 100% of user requests to access or correct their personal data within 30 days. Ensures users' rights are upheld and data accuracy is maintained.

SECTION 1: 1. Introduction
------------------
1.1. Text: Welcome to the London School of Innovation (LSI). We are committed to safeguarding your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you interact with our website and services. By using our website, you consent to our practices described in this policy. For processing activities that require explicit consent (such as marketing and non-essential cookies), we will obtain your consent separately through appropriate mechanisms.

SECTION 2: 2. Who We Are
------------------
2.1. Text:
- Institution Name: London School of Innovation (LSI)
- Registration Number: 11942630
- Address: 6 Sutton Park Road, Sutton, Greater London, United Kingdom, SM1 2GD
- Data Controller: London School of Innovation (LSI)
- Data Protection Officer (DPO): Director of Technology
- Contact Information:
  - Email: privacy@lsi-ac.uk
  - Phone: +44 (0)203 507 0033

SECTION 3: 3. Information We Collect
------------------
3.1. Text:
A. Technical Data:
- IP Address: Identifies your device and location. We use IP addresses to enhance security and to ensure that our website functions properly.
- Device Information: Details about the device you use, including hardware and software. This helps us ensure compatibility and optimise the website’s performance for different devices.
- Referral Data: Information about how you found our website. This assists us in understanding and improving our marketing strategies.
- Pages Visited: URLs of pages you visit on our site. We use this data to track user interests and to improve the content we offer.
- Time Spent: Duration of your visit on specific pages. This helps us gauge the effectiveness of our content and user engagement.
- Clickstream Data: Your interactions with our website, such as links clicked and navigational paths. This data helps us enhance user experience by improving website navigation.
- Form Submissions: Data entered into forms on our site. We use this information to process your requests and provide the services you need.
- Search Queries: Terms you search for on our website. This helps us understand user needs and improve our content and search functionality.
- Content Downloads: Files or content you download from our site. This helps us monitor the popularity of our content and improve our offerings.
- Cookies and Tracking Technologies: Used to enhance your browsing experience and track your preferences. Cookies are used in accordance with the Privacy and Electronic Communications Regulations (PECR), and we inform you about their use through our Cookie Policy.
- JavaScript and Page Errors: Errors encountered during your visit to improve website performance. This helps us fix bugs and enhance the functionality of our website.
B. Personal Data:
- Contact Details: Your name, email address, phone number, and other contact information may be collected. We collect this information to communicate with you and provide the services you request. Legal basis: Consent and contractual necessity.
- User Surveys: Feedback provided through surveys and questionnaires. This helps us understand user satisfaction and improve our services. Legal basis: Consent.
- Registration Data: Information, in particular, provided during registration for events or services. This allows us to manage your participation and provide relevant information. Legal basis: Contractual necessity.
- Login Attempts: Details of attempts to access secure areas of our website. This is used to maintain security and prevent unauthorised access. Legal basis: Legitimate interest.
- Security Logs: Records of activities to monitor for security purposes. This helps us detect and respond to potential security threats. Legal basis: Legitimate interest.
- Geolocation: Information about your location for personalisation and service improvements. We use this data to offer location-specific content and services. Legal basis: Consent.
- Consent Tracking: Records of your consent for data processing activities. We keep track of your consent to comply with GDPR requirements and to manage your preferences. Legal basis: Legal obligation.

SECTION 4: 4. How We Use Your Information
------------------
4.1. Text: We use your personal data for various purposes, including:
A. Providing Services:
- Prospective Students: To provide information on courses and programmes and facilitate requests for information. This may be necessary to fulfil our contractual obligations and to provide information you have requested. Legal basis: Contractual necessity.
- General Visitors and Researchers: To provide information about research activities, events, and community outreach. This helps us engage with our community and provide relevant updates. Legal basis: Legitimate interest.
B. Improving Our Website:
- All Users: To analyse website performance and user behaviour, helping us enhance your browsing experience, identify and fix technical issues, and improve website functionality. Legal basis: Legitimate interest.
C. Marketing and Communications:
- Prospective Students: To provide updates about new courses, events, and offerings that may be of interest. We rely on your consent or our legitimate interests to send marketing communications.
- General Visitors: To keep you informed about relevant activities and updates. Legal basis: Consent or legitimate interests.

Users can withdraw their consent at any time by following the unsubscribe instructions included in each marketing communication or by contacting us directly.

SECTION 5: 5. Cookies and Tracking Technologies
------------------
5.1. Text: Cookies are small data files stored on your device to help us enhance your browsing experience. We use the following types of cookies:
A. Functional Cookies:
- User Log Cookies: To remember your login status and preferences. These cookies are essential for providing a seamless user experience.
- Preferred Language Settings Cookies: To set and remember your language preferences. This ensures the website is presented in your preferred language.
- Saved User Video Player Cookies: To retain video player settings. This allows you to continue watching videos from where you left off.
B. Analytical Cookies:
- Google Analytics Tracking Cookies: To collect data on how you use our website, helping us analyse performance and improve user experience. These cookies are used under our legitimate interests to monitor and enhance website performance. Consent will be obtained for these cookies.
- Google Analytics Tracking for User Engagement Cookies: To track user engagement metrics, such as time spent on pages. This helps us understand which content is most engaging. Consent will be obtained for these cookies.
C. Security Cookies:
- Bot Management and Security Cookies: To protect against malicious activity and ensure secure user sessions. These cookies are essential for maintaining the security of our website.
- Trusted Web Traffic Cookies: To ensure legitimate web traffic and prevent fraud. These cookies help us distinguish between genuine users and malicious traffic.
- Protection from Malicious Bots Cookies: To detect and block automated bots and harmful scripts. This is important for protecting our site from security threats.
D. Cookie Consent:
- Cookie Consent Preferences Cookies: To remember your choices regarding cookie usage on our site. We use these cookies to ensure we comply with your preferences and legal requirements.

You can manage your cookie preferences through your browser settings or via our cookie management tool, which allows you to opt in or opt out of non-essential cookies. For detailed information on how cookies are used, please refer to our Cookie Policy.

SECTION 6: 6. Third-Party Services
------------------
6.1. Text: We collaborate with several third-party providers to offer various services. These include:
- Stripe: For secure payment processing, including handling credit card transactions and financial data. Stripe complies with the Payment Card Industry Data Security Standard (PCI DSS) to protect your financial information. Legal basis: Contractual necessity.
- Vimeo: For hosting and streaming video content on our site. Vimeo has its own privacy policies that govern how your data is handled. Legal basis: Legitimate interest.
- Google Analytics: For analysing website usage and performance. Google Analytics uses cookies and other tracking technologies, and its data handling practices are governed by its privacy policy. Legal basis: Consent.
- WordPress: For managing and maintaining our website content. WordPress provides technical support and ensures the platform's security. Legal basis: Legitimate interest.
- CookieYes: For managing user consent regarding cookies. CookieYes helps us comply with legal requirements for cookie consent. Legal basis: Legal obligation.
- Social Media Platforms: Facebook, Twitter, LinkedIn, Instagram for social media integration and marketing. These platforms have their own privacy policies and practices. Legal basis: Consent or legitimate interest.

These third parties may have their own privacy policies. We encourage you to review them to understand how they handle your data. If any of these services involve international data transfers, appropriate safeguards will be implemented, such as Standard Contractual Clauses or other measures compliant with UK GDPR.

SECTION 7: 7. Data Protection and Security
------------------
7.1. Text: We are committed to ensuring the security of your personal data through:
- TLS/SSL Encryption: To secure data transmitted between your browser and our servers. This encryption helps protect data during transmission, complying with GDPR's requirement for appropriate technical measures.
- Database Encryption: To protect data stored within our systems from unauthorised access. This ensures that data is stored securely and cannot be accessed without proper authorisation.
- Regular Security Audits: To identify and address vulnerabilities. Regular audits help us maintain the highest level of data security and compliance.
- Data Access Controls: To ensure that only authorised personnel have access to your data. This includes role-based access controls and monitoring to prevent unauthorised access.
- Staff Training: To ensure that all staff are aware of data protection principles and responsibilities. Regular training helps us maintain a culture of data protection compliance.
- Incident Response Plan: To handle data breaches or security incidents effectively. We have a process in place for identifying, containing, and responding to breaches in accordance with GDPR requirements, including notifying the ICO and affected individuals when required.

SECTION 8: 8. Data Retention
------------------
8.1. Text: We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law:
- Financial Information: Retained for up to 6 years to comply with legal obligations, including accounting and tax purposes.
- Marketing Data: Retained until you withdraw your consent or unsubscribe. Users can opt out of marketing communications at any time.
- User Feedback and Surveys: Retained for 2 years for research and service improvement purposes.
- Registration and Contact Data: Retained for up to 6 years following the end of the user relationship to comply with legal and regulatory obligations.
- Technical Data and Security Logs: Retained for 1 year for security, auditing, and troubleshooting purposes.
- Event Participation Data: Retained for up to 6 years for event management and compliance purposes.

Exceptions may apply to these retention periods, such as when we need to comply with a legal obligation, protect our legal rights, or fulfil contractual requirements.

SECTION 9: 9. Your Rights
------------------
9.1. Text: As a data subject, you have the following rights under the UK GDPR:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request that we correct any inaccuracies in your personal data.
- Erasure: Request the deletion of your personal data, subject to legal and contractual limitations.
- Restriction of Processing: Request that we limit the processing of your data under certain conditions.
- Data Portability: Request to receive your personal data in a structured, commonly used, and machine-readable format, or to have it transferred directly to another data controller.
- Object to Processing: Object to the processing of your data based on our legitimate interests or for direct marketing purposes.
- Withdraw Consent: Withdraw your consent for processing activities at any time, where processing is based on consent.
- Complain to ICO: If you are not satisfied with our handling of your data, you can lodge a complaint with the Information Commissioner's Office (ICO) via their website: https://ico.org.uk/

To exercise your rights, please contact us at privacy@lsi-ac.uk. We may require verification of your identity before processing your request.

SECTION 10: 10. International Data Transfers
------------------
10.1. Text: We do not transfer personal data outside the European Economic Area (EEA) without appropriate safeguards. Where our third-party service providers may involve international data transfers, we will ensure that adequate protection is in place through mechanisms like Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or reliance on adequacy decisions by the European Commission.

SECTION 11: 11. Changes to This Policy
------------------
11.1. Text: We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Any changes will be posted on this page. We encourage you to review this policy periodically to stay informed about how we protect your data.

SECTION 12: 12. Contact Us
------------------
12.1. Text: If you have any questions, comments, or concerns about this Privacy Policy or our data practices, please contact us:
- Email: privacy@lsi-ac.uk
- Phone: +44 (0)203 507 0033
- Address: London School of Innovation (LSI), 6 Sutton Park Road, Sutton, Greater London, United Kingdom, SM1 2GD