Data Protection Policy

The School must process personal information to fulfil its teaching, operational, and statutory obligations, including reporting to the Office for Students (OfS) and the Higher Education Statistics Agency (HESA). This information includes data on applicants, students, employees, alumni, and other stakeholders. The School is committed to transparency and adhering to the Data Protection Act 2018 (DPA) to ensure data security and legal compliance. This policy aims to minimise risks such as breaches, reputational damage, financial penalties, and investigations by the Information Commissioner. A glossary of terms is available in Appendix 1.

The School, as the data controller, is responsible for ensuring compliance with data protection principles under the Data Protection Act (DPA) and must demonstrate this compliance. In collaborative arrangements, data controller responsibilities may be shared as per the agreement. Data Owners (as defined in the Information Governance Policy) are accountable for the purposes, lawful basis mapping, transparency expectations, data quality and appropriate use of personal data within their domains, and for ensuring evidence is retained in the School’s governance and assurance repository (AGS) where required. Day-to-day privacy operations (RoPA, DPIAs, DSAR coordination, breach documentation and lessons learned) are coordinated by the Internal Data Protection Lead, with information security and systems controls operated by the Director of Technology, in line with the Information Governance Policy. Direct any queries to the Internal Data Protection Lead (privacy coordination) or the Director of Technology (information security and systems controls), as appropriate.

The School maintains up-to-date notification of its data processing activities with the Information Commissioner’s Office (ICO). The registration number is Z5395727. The School is registered as a Data Controller at:

• Institution Name: London School of Innovation (LSI)
• Registration Number: 11942630
• Address: 6 Sutton Park Road, Sutton, Greater London, United Kingdom, SM1 2GD
• Data Controller: London School of Innovation (LSI)
• Data Protection Lead: Internal Data Protection Lead
• Contact Information:
  • Email: dataprotection@lsi-ac.uk
  • Phone: +44 (0)203 507 0033

When the School engages third parties (Data Processors) requiring access to personal data, such as IT suppliers or specialist service providers, a written agreement must be established. This agreement ensures the processor complies with data protection legislation. Document these agreements in the School’s governed registers and repositories (including the supplier/processor register and relevant contract records) and have them reviewed by the Internal Data Protection Lead (privacy and governance coordination), with information security assurance from the Director of Technology where required.

All staff must process personal data, including special category and criminal record data, in line with the data protection principles outlined in Article 5 of the UK GDPR. This includes:

• Ensuring data is processed lawfully, fairly, and transparently.
• Collecting data for specified, legitimate purposes and not processing it further in ways incompatible with these purposes. Further processing for archiving, research, or statistical purposes is permissible.
• Ensuring data is adequate, relevant, and limited to what is necessary for its intended purpose.
• Keeping data accurate and up to date, and rectifying or erasing inaccuracies promptly.
• Storing data in a form that allows identification of individuals only as long as necessary, or for longer periods if for public interest, research, or statistical purposes, with appropriate safeguards.
• Protecting data with adequate security measures against unauthorised processing, accidental loss, destruction, or damage.

Refer to staff central pages, the relevant Privacy Notice, and the School’s Data Retention Schedule (as explained in the Information Governance Policy) for details on retention and disposal requirements

The School, as a data controller, must implement appropriate technical and organisational measures to uphold data protection principles, including:

• Adopting and enforcing data protection policies.
• Embedding data protection by design and by default.
• Establishing data sharing agreements with third parties as needed.
• Maintaining comprehensive documentation of processing activities.
• Recording and reporting personal data breaches to the Information Commissioner’s Office (ICO) as required.
• Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
• Fostering a culture that prioritises privacy.
• Ensuring staff receive data protection training and understand their responsibilities.

Data protection compliance is overseen through the School’s governance structure in line with the Information Governance Policy: Data Owners are accountable for lawful basis, transparency, appropriate use and data quality within their domains; operational oversight is provided through the Executive Committee, supported by the Information Governance Lead (Director of Technology) and coordinated privacy operations by the Internal Data Protection Lead; independent scrutiny and assurance is provided through QCAC, with escalation to the Board of Governors where material.

Each department must maintain records of personal data processing and assets in the School’s governed registers and repositories, and must ensure personal data is captured and maintained in the School’s systems-of-record (as defined in the Information Governance Policy) rather than unmanaged local copies or ‘shadow’ datasets. Evidence must be stored/linked in the governance evidence repository (AGS) where required. Data Owners (as defined in the Information Governance Policy) are accountable for completeness and accuracy of records in their domains, coordinated by the Internal Data Protection Lead, with systems support from the Director of Technology.

The School must establish a lawful basis for processing personal data. The possible bases are:

• Contract: Processing is required to fulfil a contract or to take steps before entering one.
• Legal Obligation: Processing is necessary to comply with legal requirements.
• Vital Interests: Processing is essential to protect someone's life.
• Public Task: Processing is required to perform a public task or official function with a legal basis.
• Legitimate Interests: Processing is necessary for legitimate interests unless these are overridden by the need to protect the individual's data. This does not apply to public tasks.
• Consent: Processing is based on explicit consent given by the individual for a specific purpose.

The lawful basis for processing must be determined before handling data and will be documented in Privacy Notices and the School’s governed registers and repositories (including RoPA documentation where applicable). For each processing activity, the relevant Data Owner (as defined in the Information Governance Policy) is accountable for confirming and maintaining the lawful basis and purpose within their domain, with coordination of RoPA maintenance and assurance evidence by the Internal Data Protection Lead.

For special category data and criminal records data, which involve higher risks, additional protections are required. Processing of this data must comply with Articles 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018. Relevant policies must be in place, and a Data Protection Impact Assessment (DPIA) must be completed and coordinated by the Internal Data Protection Lead, with approval recorded through the School’s governance arrangements and stored in the governance evidence repository.  Research involving such data must include data protection safeguards in the ethics application process.

All staff, students, and users have the following rights concerning their personal data:

• Information: Be informed about how their data is collected and used.
• Access: Obtain a copy of their data upon request (subject access request).
• Rectification: Request corrections to inaccurate or incomplete data.
• Erasure: Demand deletion or cessation of data processing if it is no longer needed.
• Objection: Object to processing, particularly if based on legitimate interests or for direct marketing.
• Restriction: Request a temporary halt on processing if data is inaccurate or if there is a dispute regarding processing grounds.
• Portability: Where processing is based on consent or contract, request data portability.
• Automated Decisions: Have rights concerning automated decision-making and profiling.

Any requests or queries about data processing or access should be directed to the Internal Data Protection Lead at dataprotection@lsi-ac.uk, who coordinates DSAR logging, identity verification, retrieval from systems-of-record (as defined in the Information Governance Policy), and response within statutory timescales. Data Owners and relevant service teams must support timely retrieval and decision-making on records within their domains. DSAR handling must follow the School’s governed DSAR process and evidence expectations (including logging and records of decision-making) as set out in the Information Governance Policy. Not all rights apply in every situation.

If a data subject is dissatisfied with how their personal data is processed or has questions or concerns, they should first contact the Internal Data Protection Lead at dataprotection@lsi-ac.uk. If the issue remains unresolved, they have the right to escalate their complaint to the Information Commissioner’s Office (ICO).

The Executive Committee (EC) must oversee implementation of data protection controls. Data Owners (as defined in the Information Governance Policy) are accountable for compliant processing, data quality, and appropriate use within their domains. The EC is supported by the Information Governance Lead (Director of Technology) and coordinated privacy operations by the Internal Data Protection Lead.

The Senior Information Risk Owner (SIRO), a member of the Executive Committee (Director of Technology), oversees information risk management and information security assurance, ensuring information risks are identified, managed and escalated through the governance routes set out in the Information Governance Policy. They ensure that information assets and risks are managed effectively and escalated to the Executive Committee when necessary.

The SIRO represents information governance within the organisation, promoting a culture of effective information use and protection. 

• The President and directors must ensure that staff in their areas are informed about this policy and their data protection responsibilities, including completing mandatory training.
• They should foster and promote a culture of data protection compliance within their departments.
• They are accountable for the data processed in their areas and must collaborate with Data Owners (as defined in the Information Governance Policy) to identify, document, and manage data risks.

• All staff and third parties processing personal data on behalf of the School must comply with this policy and all related data protection, information security, and information management regulations, policies, processes, and procedures.
• Staff should understand their responsibilities, follow guidance, undertake necessary training relevant to their role, and seek advice as needed.
• Academic staff must handle personal data related to student work in line with this policy.
• All staff must report any personal data breaches immediately using the designated breach reporting process.
• Staff are responsible for ensuring their personal data provided to the School is accurate and up-to-date. They must inform the School of any changes or correct inaccuracies. The School is not liable for inaccuracies if the staff member has not provided correct information previously.

• Students must ensure that any personal information they provide to the School is accurate and up-to-date. They should promptly inform the School of any changes or correct inaccuracies.
• The School is not responsible for inaccuracies in student data if the student has not previously provided correct information.
• Students can usually update their records via the School’s systems-of-record, as set out in the Information Governance Policy. Students and staff must not create unmanaged ‘shadow’ datasets of personal data outside the School’s approved systems and governed repositories.
• Students processing personal data as part of their studies or employment with the School must follow the School's Data Protection Policy, relevant guidelines, and attend required training.
• Unless otherwise specified by a project’s funding or documentation, the School is the Data Controller for data processed by students in their studies. This includes data from various sources such as photographs, recordings, forms, surveys, and hosted websites. Students should consult with academic supervisors and the Internal Data Protection Lead for privacy compliance matters, and the Director of Technology for information security and systems controls, to ensure compliance.
• If students process data on behalf of another organisation, such as during a placement, they must adhere to that organisation’s Data Protection policies and provisions.

The School has appointed an Internal Data Protection Lead to coordinate privacy operations and compliance activity. The Internal Data Protection Lead will coordinate RoPA maintenance, DPIAs, DSARs, breach documentation and lessons learned, and support a culture of privacy across the School. They will:

• Enable compliance with data protection laws.
• Provide advice, assistance, and recommendations on data protection risks.
• Support and promote a data protection culture within the School.
• Assist in implementing key aspects of data protection legislation, including data processing principles, data subjects’ rights, data protection by design and by default, records of processing activities, and the security of processing. The Internal Data Protection Lead will coordinate notification and communication of data breaches in line with the School’s breach process and governance oversight.
• Coordinate communications with the Information Commissioner’s Office as required, with escalation and governance oversight through QCAC and, where material, the Board of Governors.

The Internal Data Protection Lead does not set the purposes or means of personal data processing. The Internal Data Protection Lead supports compliance by coordinating privacy operations, advising on risk and controls, and coordinating communications with the ICO where required, with escalation through QCAC and (where material) the Board of Governors.

Data protection by design and by default must be applied at all times. This requires:

• Implementing appropriate technical and organisational measures to uphold data protection principles and protect individual rights.
• Ensuring that data protection and privacy are considered by default and incorporated into the design and implementation of systems, services, products, and School practices from the outset and throughout their lifecycle.

The School will:

• Conduct a Data Protection Impact Assessment (DPIA) for high-risk activities. A DPIA must:
  • Describe the nature, scope, context, and purposes of data processing.
  • Identify and assess risks to individuals’ rights and freedoms.
  • Outline additional measures to mitigate these risks.
• Use the School's DPIA template to determine if a DPIA is necessary.
• Consult the Internal Data Protection Lead early in the planning phase to address risks and ensure compliance.
• DPIA completion and approval must be recorded in the governance evidence repository, with relevant stakeholders involved as needed.
• For research projects involving personal or special category data, seek approval through the Research Ethics Committee and consult the Internal Data Protection Lead to coordinate DPIA completion, recording and evidence.

This policy will be reviewed annually (or sooner after material change) under the School’s governance arrangements, coordinated by the Internal Data Protection Lead with operational input from the Director of Technology, and approved in line with delegated authority. Version control, archiving and evidence of what applied at any point in time will be maintained in the governance and assurance system-of-record (AGS) in line with the Information Governance Policy.

The School shall:

• Ensure a Clear Basis for Sharing Data: Confirm that there is a clear, objective, and lawful reason for sharing personal data.
• Verify Necessity: Ensure that sharing personal data is necessary to achieve the identified purpose(s). Use anonymised or pseudonymised data when identification is not required.
• Share Minimal Data: Only share the minimum amount of personal data needed to fulfil the objective(s).
• Provide Privacy Notices: Inform data subjects about who their data is shared with through privacy notices. Obtain consent if data subjects have the option to choose.
• Establish Agreements: Create Data Sharing Agreements or Contracts with third parties where systematic data sharing is involved.
• Handle Police Requests Properly: Direct all Police enquiries or requests for disclosure to the Internal Data Protection Lead, with operational support from the relevant service teams, and advice from the Director of Technology where technical/security factors apply.
• Maintain Records: Keep a record of all non-routine disclosures.

In some cases, the School may be asked to provide notices e.g. from the Higher Education Statistics Agency (HESA) on Collection notices, HESA Student Collection Notices, and HESA Staff Collection Notices.  

Personal data must be stored and shared securely within network conditions, with additional measures applied for special category data where necessary. Data Owners are responsible for ensuring that staff with permissions to access and edit data are trained appropriately on the relevant systems. It is crucial that staff use only School-approved tools for processing personal data, as these tools have been technically assessed and include the correct contractual terms. If there is any uncertainty about a tool's approval status, staff should consult servicedesk@lsi.ac.uk.

In general, freely available tools that do not have contractual agreements are unlikely to be approved or compliant and should not be used. This may include tools such as DropBox, Eventbrite, Mailchimp, and Zoom where they are not under an appropriate contract and not approved through the School’s governance and supplier controls. Staff must use only School-approved tools for processing personal data, as confirmed through the School’s governed registers and onboarding controls. Personal data must be captured and maintained in the School’s systems-of-record and governed repositories (as defined in the Information Governance Policy), and must not be duplicated into unmanaged local trackers or external tools.

Under Data Protection legislation, transferring personal data outside the UK is generally restricted unless specific conditions or safeguards are met. This ensures that data subjects receive an equivalent level of protection and that their rights are not compromised.

Data may be transferred if:

• It is shared with the EU/EEA, which the UK government considers to have 'adequacy'.
• It is shared with third countries deemed to have adequacy by the EU.
• It involves the use of EU Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), or other derogations as safeguards for international data sharing.

Colleagues must consult the Internal Data Protection Lead to determine the most suitable safeguard, and record the safeguard in contracts and/or data sharing agreements and in the governed registers. Additionally, data subjects must be informed as per the transparency principle.

For non-UK data transfers, a Data Protection Impact Assessment (DPIA) may be required, as such transfers are considered high risk.

Training is essential to meet Data Protection legislation and the Accountability principle. The School must not only establish appropriate policies and procedures but also demonstrate their implementation and provide comprehensive training at all levels.

Training must:

• Ensure that staff have the skills and knowledge to protect personal data effectively.
• Address data protection risks and reinforce data security.
• Promote a culture of good data protection and information security.
• Include mandatory reading and understanding of relevant policies by all staff.

The Director of Technology will oversee the implementation and effectiveness of these training systems.

The School utilises the Automated Governance System (AGS) to support its strategy of innovation. The AGS facilitates various functions, including:

• The School uses its systems-of-record to manage operational and academic data, including admissions and student record management, as defined in the Information Governance Policy. The Automated Governance System (AGS) is the governance and assurance system-of-record, and supports governance processes, approvals, evidence capture, registers, issue logs, and assurance documentation in line with the Information Governance Policy.
• Managing programme and module approvals and modifications to ensure a high-quality academic experience.
• Coordinating monitoring and evaluation by collecting metrics for strategy and operations oversight.
• Supporting governance workflows relating to assessment and standards (for example, approvals, scrutiny, boards and decision recording), with the authoritative academic records retained in the School’s systems-of-record as defined in the Information Governance Policy.
• Managing misconduct and exclusion processes.
• Ensuring accurate information for consumer protection.
• Supporting student well-being and support.
• Ensuring good governance and compliance.
• Measuring performance effectively.

The AGS operates in line with the School’s regulations and policies, including the IT Regulations, Data Protection Policy, and AI Policy. It supports the School’s mission efficiently while adhering to additional requirements such as the Sustainability & Environmental Policy outlined in the Vision and Values Statement.

The Automated Governance System (AGS) supports the governance of the School by integrating and streamlining processes for Boards, Departments, and Committees. Each entity has a defined role in ensuring the effective operation of the School, as outlined in the School’s regulations and policies. The School acknowledges that a reliable and efficient online system is essential for robust governance.

The Automated Governance System (AGS) is vital for the School to fulfil its data protection obligations. The AGS integrates workflows to ensure data is processed and stored in line with the Data Protection Policy. This includes processing data lawfully, fairly, and transparently, and collecting it for legitimate purposes. The School maintains governed registers and evidence repositories to support accountability (including RoPA documentation, DPIAs, DSAR and breach logs, and assurance evidence) coordinated by the Internal Data Protection Lead and supported by the Director of Technology through appropriate systems. It ensures data is processed for lawful reasons, such as fulfilling contractual obligations, and upholds the rights of data subjects, including their right to access and obtain copies of their data. The Director of Technology, a member of the Executive Committee and the Senior Information Risk Owner (SIRO), oversees the AGS.

All members of the School are responsible for complying with the Data Protection Act (DPA). Any negligent or intentional breach of the data protection policy by employees or students may lead to disciplinary action following a proper investigation. If a supplier fails to adhere to the policy or related data protection conditions, it may result in termination of the contract and/or claims for compensation. Any questions or concerns regarding privacy compliance and interpretation of this policy should be directed to the Internal Data Protection Lead. Queries relating to information security and systems controls should be directed to the Director of Technology.

The School must promptly identify and report personal data breaches to the Internal Data Protection Lead using the designated reporting process. This includes all breaches, whether accidental, suspected, or confirmed. Breaches must be reported to the ICO within 72 hours where reportable, and the School must ensure all incidents are logged within 24 hours and triaged within 48 hours, in line with the incident logging and triage expectations set out in the Information Governance Policy.The Internal Data Protection Lead will coordinate risk assessment, containment and mitigation actions, notification decisions, and records of all breaches, with operational and technical support from the Director of Technology and relevant Data Owners for affected domains. Personal data breach handling must follow the School’s governed incident and breach process and evidence expectations (including escalation where material) as set out in the Information Governance Policy.

Staff must seek guidance from the Internal Data Protection Lead for privacy compliance matters, and from the Director of Technology for information security and systems controls.

The following definitions clarify key data protection terms within the context of the School:

• Data: Information processed automatically, recorded with the intention of being part of a relevant filing system, or recorded as part of such a system.

• Data Breach: A breach of security leading to the destruction, loss, alteration, unauthorised disclosure, or access to personal data.

• Data Controller: The individual or entity that determines the purposes and means of processing personal data. For the School, this is the institution itself.

• Data Processor: An individual or entity that processes personal data on behalf of the Data Controller, following their instructions. Data Processors have specific obligations under legislation.

• Data Protection Act 2018 (DPA): The UK legislation that sets the data protection framework, working alongside the UK GDPR.

• Data Protection Impact Assessment (DPIA): An assessment conducted by the Data Controller to evaluate the impact of proposed data processing on personal data protection.

• Internal Data Protection Lead: The role responsible for coordinating privacy compliance activity for the School, including RoPA, DPIAs, DSAR coordination, breach documentation and lessons learned, and supporting privacy by design. Contact at dataprotection@lsi-ac.uk

• Data Subject: An identifiable natural person, directly or indirectly identifiable by identifiers such as a name, identification number, or online identifier. This includes staff, students, visitors, research participants, mailing list subscribers, and applicants.

• Data Subject Access Request (DSAR): A request made by or on behalf of a Data Subject to access their personal data as granted under data protection legislation.

• General Data Protection Regulation 2018 (GDPR): Applies to organisations within the EU and those outside the EU that offer goods or services to EU individuals. From 1 January 2021, this is mirrored in the UK by the UK GDPR, alongside the DPA 2018.

• Inaccurate Data: Data that is incorrect or misleading as to a matter of fact.

• Notification: The entry on the public register maintained by the Information Commissioner’s Office detailing the types and range of information processed by the School. The School’s registration number is Z5395727.

• Personal Data: Any information relating to an identified or identifiable natural person, including identifiers such as names, contact details, or identification numbers. Personal data can be in various formats, including paper, electronic, emails, photos, or videos.

• Privacy Notice: A statement provided to data subjects explaining who the Data Controller is, how their information will be used, to whom it may be disclosed, and other necessary information to ensure fair processing, as outlined in Articles 13 and 14 of the UK GDPR.

• Processing: Any operation performed on personal data, including obtaining, recording, holding, organising, adapting, altering, disclosing, or deleting data.

• Protective Measures: Appropriate technical and organisational measures to safeguard personal data, such as pseudonymisation, encryption, ensuring system resilience, and regularly evaluating these measures.

• Special Category Data: Data related to:

  • Racial or ethnic origin
  • Political beliefs
  • Religious or similar beliefs
  • Trade union membership
  • Genetics
  • Biometrics (used for identification)
  • Physical or mental health or condition
  • Sex life or sexual orientation

  Note: Data protection rules for sensitive (special category) data do not apply to criminal allegations, proceedings, or convictions. Separate safeguards are outlined in Article 10.

For further details on key definitions, visit the ICO's guide: ICO Key Definitions

When using social media, do not publish colleagues' or students' personal information. Ensure that all processing aligns with the Data Protection Policy and the Data Protection Act 2018.

All uploads, storage, and communications must be lawful and fair. Before using a social media account, inform all parties about the type of information being shared, its purpose, and who will have access to it. Familiarise yourself with privacy settings and adjust them according to the content and intended audience. Obtain and document appropriate informed consent.

Ensure that passwords and access controls for School social media accounts are strong and secure. Avoid using the same password for School systems and social media sites. Change passwords regularly and never share them. Devices with stored social media login details should lock or log out automatically. If a device with login details is lost or stolen, change the passwords for all affected accounts and inform other account managers.

Be cautious with social media postings to avoid revealing personal information such as your location or contact details. Only accept invitations from known contacts and verify identities if unsure. Avoid clicking on unsolicited links to prevent installing malicious software.

Be aware that social media applications may share your profile data with third parties. Review privacy settings regularly. Adhere to the IT Regulations, including the Social Media Policy and Social Media Guidelines.

The School operates a CCTV monitoring system to detect and deter crime and assist the Police and civil authorities during major emergencies. This system will be managed to respect individuals’ privacy rights.

All CCTV footage is owned by the School, which holds the copyright. Cameras will be placed in public view with clear signage indicating their presence and purpose. Recorded footage will be retained according to the School's Records Retention Schedules. After the retention period, if the footage is not needed for evidence, it will be recycled. If the footage is required for legal proceedings, it will be kept for the duration necessary for the case.