1. Introduction
Zone School of Business Studies London(“the School”, “we”, “our”, “us”) is committed to protecting the privacy and security of personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable privacy laws.
This policy outlines how the School collects, uses, stores, and shares personal information relating to students, staff, agents, partners, and other stakeholders. It also establishes our commitment to ensuring that personal data is handled responsibly, lawfully, and transparently.
2. Scope
This policy applies to:
– All staff, faculty, contractors, agents, and representatives of Zone School of Business Studies London.
– All personal data processed by the School in connection with its academic, administrative, and commercial operations.
– All systems, whether electronic or paper-based, used to store or process personal data.
This policy covers data collected directly by the School and data shared with or by third parties (e.g., recruitment agents, service providers, accrediting bodies).
3. Legal Framework
This policy has been developed in line with:
– The UK General Data Protection Regulation (UK GDPR)
– The Data Protection Act 2018
– Relevant guidance from the Information Commissioner’s Office (ICO)
4. Data Protection Principles
In accordance with the UK GDPR, the School adheres to the following key principles. Personal data shall be:
1. Processed lawfully, fairly, and transparently
2. Collected for specified, explicit, and legitimate purposes
3. Adequate, relevant, and limited to what is necessary
4. Accurate and kept up to date
5. Stored only as long as necessary for the purposes collected
6. Processed securely, protecting against unauthorised or unlawful processing, accidental loss, destruction, or damage
5. Lawful Basis for Processing
The School processes personal data under one or more lawful bases as defined in Article 6 of the UK GDPR, including:
– Consent
– Performance of a contract
– Compliance with a legal obligation
– Legitimate interests of the School or third parties
– Public task or official authority
Special category data (e.g., health or ethnicity) will only be processed in compliance with Article 9 of the UK GDPR.
6. Data Collection and Use
We may collect and process the following categories of personal data:
– Students: name, contact details, academic history, financial information, attendance, and academic performance.
– Staff: employment details, payroll data, professional qualifications, and background checks.
– Agents/Partners: business details, contact information, and contractual arrangements.
Data is used for purposes such as admissions, academic delivery, administration, student support, employment management, compliance, and institutional improvement.
7. Data Sharing and Third Parties
Personal data may be shared with third parties such as:
– Government agencies (e.g., UKVI, HMRC, Ofqual)
– Accrediting and awarding bodies
– Professional and regulatory authorities
– Recruitment and marketing agents
All third parties handling personal data on behalf of the School are required to comply with UK GDPR standards and enter into a Data Processing Agreement (DPA) where applicable.
8. Agent and Partner Confidentiality
All contracts and agreements shared with agents, representatives, or partners are strictly confidential.
These documents:
– Must not be disclosed, copied, or shared with any unauthorised third party.
– Are intended solely for the purpose of conducting official business on behalf of Zone School of Business StudiesLondon.
– Contain sensitive institutional and commercial information protected under confidentiality clauses and UK GDPR.
Any breach of this confidentiality obligation may result in immediate termination of contract and potential legal action.
9. Data Retention
Personal data will be retained only for as long as necessary to fulfil the purposes for which it was collected, in accordance with our Data Retention Schedule and legal obligations. After this period, data will be securely deleted or anonymised.
10. Data Security
We employ appropriate technical and organisational measures to safeguard personal data, including:
– Secure servers and password protection
– Restricted data access
– Encrypted transmission of sensitive data
– Regular staff training on data protection and confidentiality
11. Data Subject Rights
Individuals have the right to:
– Access their personal data
– Request rectification or erasure
– Restrict or object to processing
– Data portability
– Withdraw consent (where applicable)
– Lodge a complaint with the Information Commissioner’s Office (ICO)
12. Policy Review
This policy will be reviewed annually or as required by changes in legislation or operational requirements.