Data Management Policy


Objective of the Policy

1. The purpose of this policy is to confirm that proper procedures are in place for the processing and management of personal data.

2. The DPO has specific responsibility for data protection compliance. All teaching and non-teaching staff understand their responsibility when processing personal data, and methods of handling that information are clearly understood.

3. A supportive environment and culture of best practice processing of personal data is provided for staff, and individuals should be fully aware of who to contact, where to submit the request, and the rights of other individuals as well.

4. Staff know that Subject Access Requests and other relevant requests need to be dealt with punctually and courteously. Individuals need to be sure that their personal data is processed in accordance with the data protection principles, that their data is secure at all times and safe from unauthorised access, alteration, use or loss, and that other organisations with whom personal data needs to be shared or transferred meet compliance requirements.

5. Any new systems being implemented are assessed (if necessary through a Data Protection Impact Assessment) to determine whether they will hold personal data, whether the system presents any privacy risks, damage or impact to individuals’ data, and that it meets this policy’s requirements.

The data protection principles and individual rights

6. The General Data Protection Regulation (GDPR) covers six “Data Protection Principles” set out in Article 5. These specify that personal data must be:

a) Processed lawfully, fairly and in a transparent manner in relation to individuals;

b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

c) Adequate, relevant and limited to what is necessary in relation to the purposes;

d) Kept in a form which permits identification of data subjects for no longer than is necessary;

e) Processed in a manner that ensures adequate security of the personal data using appropriate technical or organisational measures;

f) Accurate and, where necessary, kept up to date.

7. Article 5(2) also sets out an overarching accountability principle ‘the controller shall be responsible for, and be able to demonstrate, compliance with the principles.’

8. Individual rights are set out in a separate part of the GDPR. In brief, the GDPR provides the following rights for individuals:

a) The right to be informed
b) The right of access
c) The right to rectification
d) The right to erasure
e) The right to restrict processing
f) The right to data portability
g) The right to object
h) Rights in relation to automated decision making and profiling.

Scope of Policy

9. This policy has been written within relevant ICO guidelines.

10. Definitions and terms used in relation to the GDPR can be found at

11. This policy applies to all personal data and special categories of data (sensitive personal data) collected and processed by Mont Rose College of Management and Sciences during the conduct of its business, in electronic form, in any medium, and within paper filing.

12. This policy applies to all College employees, whether permanent, temporary, contractor, students, teaching staff, non-teaching staff, consultants and apprentices.


13. To fulfil the requirements of the data protection principles and individual rights set out in the GDPR, the College adheres to the following values when processing personal data:

Fair Collection and Processing

14. The particular conditions contained in Articles 6 and 9 of the GDPR regarding the fair collection and use of personal data will be complied with.

15. Individuals will be made aware that their information has been collected, and the intended use of the data specified either on collection or at the earliest opportunity following collection through relevant privacy notices

16. Personal data will be collected and processed only to the extent that it is needed to fulfil business needs or legal requirements

17. Personal data held will be kept up to date and accurate, where necessary

18. Retention of personal data will be valued and risk assessed to determine and meet business needs and legal requirements, with the appropriate retention schedules applied to that data

19. Personal data will be processed in accordance with the rights of the individuals about whom the personal data are held

20. It is important that you determine a lawful basis for processing any personal data and document this. This becomes more of an issue under the GDPR because the lawful basis for processing has an effect on individuals’ rights. A ‘cease processing request’ from an individual will be acknowledged within 3 working days, with the final response within 21 days. The final response will state whether the College intends to comply with the request and to what extent, or will state the reasons why it is felt the requestor’s notice is unjustified

21. Staff will advise the Data Protection Officer in the event of any intended new purposes for processing personal data. The DPO may then arrange for a Data Protection Impact Assessment to be conducted


22. Suitable technical, organisational and administrative security measures to safeguard personal data will be in place

23. This policy relates to hard copy material as well as electronic data

24. Hard copy data will be kept secure under lock and key

25. Staff will report any actual, near miss, or suspected data breaches to the DPO for investigation. Lessons learnt during investigation of breaches will be relayed to those processing information to enable necessary improvements to be made

26. A breaches policy is attached and the DPO will follow that policy in the event of a breach

27. Any unauthorised use of corporate email by staff, including sending of sensitive or personal data to unauthorised persons, or use that brings the College into disrepute, will be regarded as a breach of this policy.

28. Relevant Data Protection Awareness Training will be provided to staff to keep them better informed of relevant legislation and guidance regarding the processing of personal information. Data protection training will also promote awareness of the College’s data protection and information security policies, procedures and processes. Staff are strongly encouraged to complete this training during induction and subsequently on an annual basis.

Sharing and disclosure of personal information

30. The College shall routinely make certain personal information publicly available. Examples include publication of degree results in graduation booklets, contact details on the website, etc. The College will undertake to cease such activity, where possible, for any data subject on the grounds of such disclosure causing damage and distress, on application to, and agreement by, the Data Protection Officer.

31. Regular information sharing with third parties, where there is a valid business reason for sharing information, shall be carried out under a written agreement setting out the scope and limits of sharing. Data Processing Agreements will be applied to all contracts and management agreements where the College is the data controller contracting out services and processing of personal data to third parties (data processors). These agreements will clearly outline the roles and responsibilities of both the data controller and the data processor. A log of data processing agreements will be kept in the attached format.

32. Data processors shall agree to adhere to this policy and the GDPR as far as possible, assure the College against any prosecution, claim, proceeding, action or payments of compensation or damages without limitation, and provide any personal information specified on request to the Data Protection Officer.

33. In all relevant privacy notices, the College will inform individuals of the identity of third parties with whom we may share information, or to whom we may disclose or be required to pass it on, while accounting for any exemptions which may apply under the GDPR and other relevant legislation.

34. Personal data will not be transferred outside the European Economic Area unless that country or territory can ensure a suitable level of protection for the rights and freedoms of the data subjects in relation to the processing of their personal data. The DPO shall be consulted before any data is sent outside of the EU.


35. Members of staff will have access to personal data only where it is required. Staff should also be aware that, in the event of a Subject Access Request being received, their emails may be searched and relevant content disclosed, whether marked as personal or not.

36. A relevant contact address will be made available on the internet for data subjects to use should they wish to submit a Subject Access Request, make a comment or complaint about how the College is processing their data, or about our handling of their request information. A log of Access Requests in the attached format will be kept

37. In the event of a Subject Access Request the attached procedure will be followed

38. Personal information will not be disclosed to a data subject until their identity has been verified.

39. Third party personal data will not be released by Mont Rose College of Management and Sciences when responding to a Subject Access Request or Freedom of Information request (unless consent is specifically obtained, the College is obliged to release it by law, or release is necessary in the substantial public interest).

40. All data subjects have a right of access to their own personal data. Advice will be provided to data subjects on how to request or access their personal data held by the College


41. Document templates are available at

Data Protection responsibilities

Who: College as a corporate body
What: Data Controller

Who: Board of Directors
What: Ultimately responsible for compliance with the GDPR.

Who: Data Protection Officer (Ahmar Adnan) with assistance from the Risk Assessment (Ali Fraz Khan)
What:

Nominated processor for all post sent to and within the College.

Compliance with data protection legislation and with the principles set out in this policy.

Who: All staff
What:

Be familiar with and comply with the policy.

Ensure that information provided in connection with employment is up-to-date and accurate.

Observe and comply with the data protection principles and individuals’ data protection rights.

Bring queries and issues around data protection to the attention of the Information Governance Officer.

Do not attempt to gain access to information that is not necessary to hold, know or process.

Report subject access and other requests to Information Governance staff.

Note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases. It may also result in a personal liability for the staff member as there is provision within the legislation to prosecute individuals for certain offences.

Who: All students
What:

Be familiar with the policy and comply where necessary.

Ensure that personal information provided is up-to-date and accurate.

Observe and comply with the data protection principles and individuals’ data protection rights.

Note that unauthorised disclosure of personal data will usually be a disciplinary matter.