Introduction

This privacy policy is based on General Data Protection Regulation (GDPR) [EU 2016/679] and the Data Protection Act 2018 to help you understand how and why we collect personal information and what we do with that information. It also explains the decisions that you can make about your personal information.

If you have any questions about this notice please contact dataprotection@iconcollege.ac.uk

Definitions

GDPR regulates the processing of personal data. The following definitions are used:

• Personal Data are data which can identify you as an individual and relates to you. As well as images, names and contact details, it can also include next of kin and financial information. CCTV, photos and video recordings of you are also personal information.

GDPR Article 4.1: “personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

• Special Category Data are personal data about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation, biometric data and genetic data.

• Data Subject is the individual who is the subject of personal data.

• Data Controller determines the purposes and means processing personal data.

GDPR Article 4.7: “controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”

• Data Processor is responsible for processing personal data on behalf of a controller

GDPR Article 4.8: “processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”

Scope

ICON College of Technology and Management’s Privacy Policy outlines the ways in which we collect, process and disseminate personal data, and covers the personal data of candidates, students, website users, staff, tutors, suppliers and third-party contacts. Your privacy is important to us and we are fully committed to protecting and safeguarding your data privacy rights.

ICON College of Technology and Management (company no. 04903429), of Unit 21, 1-13 Adler Street, London, E1 1EG is the data controller and is responsible for your personal data.

ICON College of Technology and Management (ICTM, or The College) is a registered data controller with the Information Commissioner’s Office (registration no. Z1729933). ICTM’s data protection representative can be contacted at dataprotection@iconcollege.ac.uk. Should you have any concerns in relation to your personal data, we would appreciate the opportunity to address them in the first instance. However, you have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

Responsibility for Data Protection

The College has a designated Data Protection Officer (DPO) who will deal with all your requests and enquiries concerning the use of your personal data and endeavour to ensure that all personal data is processed in compliance with this policy and GDPR [EU 2016/679] and the Data Protection Act 2018.

Please contact dataprotection@iconcollege.ac.uk

Principles

The College is required to process personal data according to the following key 7 principles that guide GDPR:

GDPR Principles

The context for the College

Legality, Transparency and Fairness

The College explains to its students and staff how to process personal data in accordance with the rules and guidance of GDPR

Purpose limitation

The College only uses the personal data collected for specified, legitimate and explicit purpose

Data Minimisation

The College only collects personal data relevant, adequate and limited to what it is necessary in relation to the purpose.

Accuracy

The College ensures that the data is correct, up to date and able to be rectify any mistakes quickly

Storage Limitation

The College will retain personal data no longer than it is needed

Integrity and Confidentiality

The College protects its personal data against unlawful access, loss or destruction by a range of security measures

Accountability

The College ensures that both the controller and processor comply with all GDPR principles

 

Personal data ICTM collects

ICTM processes personal information about our students, employees, current, past and prospective employers, professional advisers, consultants, business contacts, welfare and pastoral professionals, complainants, enquirers, persons who may be the subject of an enquiry, suppliers and service providers, individuals captured by CCTV images.

ICTM will only ever request, use, store, transfer and process personal information for education, employment and other service we are providing to the data subjects. The collection includes but is not limited to your personal details, family details, lifestyle and social circumstances, financial details, education and employment details, student records, visual images, personal appearance and behaviour, information held in order to publish the College magazine, goods or services provided.

Special Category: In addition, the College may carry out financial or criminal background checks, verify their identity using their passports or provide them with diversity information, so there may be additional personal data we need to collect to facilitate these procedures. Diversity information includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, information about your health and genetic and biometric data For suppliers, there are certain details that we need to collect, use, store, transfer and process such as contact details of individuals who work within the organisation and bank details so that we can pay you. We may collect information about individuals from a candidate or member of staff for referencing or emergency contact purposes including name, address and contact number.

Personal Data Collection Purpose

We process personal data to enable us to provide education, support and general advice services for our students and facilities to our clients, to promote the College and our services, to publish the College magazine, to maintain our own accounts and to support and manage our staff. ICTM may also use the personal information collected from our students to send targeted and relevant course information which we think will be of interest to you, in accordance with local laws and requirements.

Our processing also includes the use of CCTV to maintain the security of the premises and for preventing and investigating crime.

Who the information may be shared with

We sometimes need to share the personal information we process with a third-party and also with other organisations. Where this is necessary we are required to comply with all aspects of the GDPR.

Where necessary or required we share information with:

• family, associates and representatives of the person whose personal data we are processing

• professional advisers • current, past or prospective employers

• educators and examining bodies

• trade, employer and professional organisations

• UCAS

• trade unions and staff associations

• voluntary and charitable organisations

• healthcare, social and welfare organisations

• suppliers

• financial organisations

• survey and research organisations

• persons making an enquiry or complaint

• careers service

• press and the media

• local and central government

• security organisations

• police forces, prison and probation services, courts and tribunals

• service providers

We may also share information with a third-party service provider who perform functions on our behalf (e.g., in carrying out a financial or criminal background checks, our accountants, payroll service providers and HM Revenue & Customs, regulators and other authorities acting as processors in the United Kingdom.)

For website users we will share your personal information with web analytic services, to help us analyse and improve the functionality of the website.

Personal Data Security

Keeping your personal data secure is extremely important to us at ICTM, and we have put measures in place to prevent the misuse of your data and unauthorised access to it. ICTM holds personal data relating to our students, employees, clients and suppliers in a variety of places, including within our internal ICT systems, saved on the computers of ICTM employees, within Microsoft applications, in emails, and within paper files.

Third Country Transfer

In nearly all instances, your personal information will be stored securely and backed up within the UK. However, in some rare instances the data we collect may be transferred to, processed and stored at a destination outside of, the European Economic Area (EEA). If this were to occur, we would gain your explicit consent beforehand.

Data Retention

The College will keep your personal data securely and only in line with how long it is necessary to keep for a legitimate and lawful reason. Typically, the College keeps students’ assessments and internal verification records up to 5 years following completion of the course. However, incident reports and safeguarding files will need to be kept much longer, in accordance with specific legal requirements. The College also can keep information about you for a longer period of time if the College needs this for historical, research or statistical purposes.

The College will usually keep data for the following durations:

  • Prospective students (not enrolled) - 1 year
  • Students (enrolled but course not completed) - 5 years
  • Student data (completed course) - 5 years
  • Supplier data (placed) - 5 years
  • Prospective employee (staff/tutor) -1 year
  • Employee data (left/retire) – 5 years

If you have any specific question please contact us on dataprotection@iconcollege.ac.uk

Data Subject Rights

Right to be informed

In accordance with the GDPR (Regulation (EU) 2016/679), you have the right to be informed about the collection and use of your personal data. If you would like to get in touch with us about the data that we hold for you, please contact us on dataprotection@iconcollege.ac.uk and we will respond to your request promptly and in any event within a month of receiving your request (unless the type of personal data request is exempt from the right of subject access).

Right to Access

You have the right to access your personal data and supplementary information. This can include confirmation that your data is processed, access to your personal data, and other supplementary information. If you would like to access your data, please contact us on dataprotection@iconcollege.ac.uk and we will respond to your request promptly and in any event within one month of receipt. Any access request will usually be free of charge. We will endeavour to provide information in a format requested, but we may charge you a reasonable fee for additional copies.

Right to Rectification

You have the right to rectify your personal data if you believe any of it to be incorrect or incomplete. Please contact us on dataprotection@iconcollege.ac.uk if you believe this to be the case and we will respond to your request promptly and in any event within one month of receipt.

Right to erasure

You have the right to erasure if you would like us to delete the personal data we have for you including if we no longer need it for the purpose we collected it, or you withdraw your consent. Please let us know if you would like us to erase any of the personal data we hold for you and we will respond to your request promptly and in any event within one month of receipt. Following such a request we will erase your personal data without undue delay unless continued retention is necessary and permitted by law. If we made the personal data public, we will take reasonable steps to inform other data controllers processing your personal data about your erasure request.

Right to Restrict Processing

You have the right to restrict processing of your personal data in certain circumstances. In this instance we would only store your data but will not carry out any further processing activities. This right could apply if you dispute the accuracy of the data we are processing about you, where you object to the processing of your data for our legitimate interests, where our processing of your data is unlawful but you would prefer that we cease to process it rather than erase it, or where we have no further need to process your personal data but you require the data in order to assist with legal claims. Please contact us on dataprotection@iconcollege.ac.uk if you would like to exercise your right to restrict processing and we will respond to your request promptly and in any event within one month of receipt.

Right to withdraw consent

You have the right to withdraw consent, whereby you may withdraw a previously given consent and we will cease to carry out that activity any longer unless we consider there is a legitimate reason for us to continue processing your data for this purpose. Please contact us on dataprotection@iconcollege.ac.uk if you would like to withdraw your consent and will respond to your request promptly and in any event within one month of receipt. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Right to data Portability

You have the right of data portability, should you wish to transfer the data that we have for to another data controller. In this instance we will provide you with the personal data required in a commonly read format that is password encrypted. Please contact us on dataprotection@iconcollege.ac.uk to discuss this requirement and we will respond to your request promptly and in any event within one month of receipt.

Right to Object

You have the right to object to us processing your personal data where we do so based on our legitimate interests or the performance of a task in the public interest or exercise of official authority, in the case of direct marketing (including profiling), or for the purpose of research and statistics. If your objection relates to the processing of personal data where we do so based on our legitimate interests or the performance of a task in the public interest or exercise of official authority and you feel it impacts your fundamental rights and freedoms, we will stop processing your personal data unless specific exemptions apply. If your objection relates to the processing of personal data for direct marketing purposes, we will stop processing your data for direct marketing purposes immediately. Please contact us on dataprotection@iconcollege.ac.uk if you would like to object to us processing your data for any of these purposes.

Lawful Processing Basis

We have set out below, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the Tables 1- 4 below.

Purpose/Activity Type of data Lawful basis for processing

To Access application

a. identifying information including name, username or similar identifier (‘Identity Data’) and

b. Contact information including address, email address and telephone number (‘Contact Details’).

Performance of contract or for entering into the contract

To Enroll student

a. identifying information including name, username or similar identifier (‘Identity Data’) and

b. Contact information including address, email address and telephone number (‘Contact Details’).

c. Identity document (i.e. Passport)

d. Academic Certificates

e. Employment Details f. Special categories Data

g. Financial Details

a. Necessary for our legitimate interest to provide our education services to you

b. Legal obligation to check the immigration status

c. Fulfil the contractual obligation

d. Legal Obligation

To provide agreed services

a) Registering student to Certificate awarding body

b) Contacting you to inform about your course status, enrolment status and any information related to your course

a. Identity Data

b. Contact Data

c. Attendance Record

d. Progress Report

a. Necessary for contractual obligation (to provide you with agreed certificate)

b. Necessary for our legitimate interests (to keep our records updated and to ensure

To administer and protect our business (including troubleshooting, data analysis, monitoring, system maintenance, support, reporting and hosting of data)

a. Identity Data

b. Contact Data

c. Technical data including IP address, log in data, browser type and version, browser plug-in types and versions, operating system and platform and other technology on the devices you connect to the college Wi-Fi facility

a. Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

b. Necessary to comply with a legal obligation

For employment purpose

a. Identity Data

b. Contact Data

c. Profile Data

d. bank account and payment card details (‘Financial Data’)

e. Next of Kin/Emergency Contact data

f. employment related data including employment history, salary, skills and attributes, education details, qualifications and national insurance number and

g. in some circumstances we may require diversity information including details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data (‘Diversity Information’)

a. All Employment related personal data will be processed either on contract or legitimate interest.

b. For any processing with legitimate interest, LIA will be completed.

c. Conducted on the basis of your explicit consent

To carry out financial or criminal background checks

a. Identity Data

b. Contact Data and

c. Financial Data

a. On the basis of your explicit consent

b. Necessary to comply with a legal obligation

c. Employment exemption (necessary in connection with employment)

To carry out payroll or invoicing activities

a. Identity Data

b. Contact Data

c. Financial Data

d. Transaction Data

a. Performance of a contract with your employer (please review your employment relationship for information on data processing)

b. Necessary for our legitimate interests (to recover fees and debts due to us)

Table 1: How the College may use student/staff/tutors’ personal data

 

 

Purpose/Activity Type of data Lawful basis for processing

To obtain your services and perform and manage a contract with you.

a. Contact Data and

b. Identity Data

a. Performance of a contract with you.

To carry out invoicing activities

a. Identity Data

b. Contact Data

c. Financial Data

d. Transaction Data

a. Performance of a contract with you

Table 2: How the College may use suppliers’ personal data

 

 

Purpose/Activity Type of data Lawful basis for processing

To obtain a reference for a candidate.

a. Contact Data and
b. Identity Data

a. Necessary for our legitimate interests (to confirm the information given by a candidate is correct

to enable us to consider a candidate’s suitability for a role applied for

Table 3: How the College may use individual referees’ personal data

 

 

Purpose/Activity Type of data Lawful basis for processing

To hold emergency contact details for candidates.

a.Contact Data

b.Identity Data

a. Necessary for our legitimate interests (in cases of accidents or emergency)

Table 4: How the College may use individual emergency contacts’ personal data

ICTM use cookies

Cookies are used by nearly all websites and are small files which are stored on a user’s computer. ICTM uses them to track your activity whilst browsing our website and help us to ensure we can deliver the best experience whilst using our site. We also use cookies to analyse traffic and ultimately improve the functionality of the website.

Changes to Privacy Policy

ICTM’s privacy policy may be altered or updated by the College at any time

Download Privacy Policy in PDF

Download PDF