Equra College London
Version: 1.0
Approved by: Governing Body / Academic Board (as applicable)
Effective from: 15/01/2026
Review date: 25/12/2025
Owner: Data Protection Lead / Governing Body
1. Purpose
Equra College London (“Equra”) is committed to protecting personal data and handling it lawfully, fairly and transparently. This policy sets out how Equra manages personal data across its operations, learning delivery, student services, staffing, marketing and governance.
2. Scope
This policy applies to all personal data processed by Equra relating to:
- Students, applicants, alumni (where relevant), visitors, and event attendees
- Staff, contractors, volunteers, guest speakers and suppliers
- Delivery on-site, online, off-site, and at partner venues where Equra is involved
3. Data protection principles
Equra processes personal data in line with the UK GDPR principles, including:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
4. Roles and responsibilities
4.1 Governing Body
- Holds overall accountability for compliance, oversight and policy review.
4.2 Data Protection Lead (DPL)
- Oversees day-to-day compliance, advice, training, records, and incident response.
- Maintains the record of processing activities and supports lawful processing decisions.
4.3 All staff, contractors and volunteers
- Must follow this policy, complete required training, and report data incidents promptly.
5. Personal data and special category data
5.1 Personal data includes any information relating to an identifiable person (e.g., name, contact details, student ID, assessments, communications, CCTV where applicable).
5.2 Special category data may include health data, disability information, and safeguarding-related information. Equra treats this information with higher protection, restricted access and additional controls.
6. Lawful basis and transparency
6.1 Equra will identify and document a lawful basis for processing personal data and will explain how it uses personal data through a clear Privacy Notice and related notices where appropriate.
6.2 Equra will ensure processing purposes are specific and aligned with reasonable expectations of individuals.
7. Data minimisation and accuracy
7.1 Equra will only collect personal data that is relevant and necessary for stated purposes.
7.2 Equra will take reasonable steps to keep personal data accurate and up to date, and will correct inaccuracies where appropriate.
8. Storage limitation and retention
Equra will keep personal data only for as long as necessary for the purposes collected, including legal, regulatory, safeguarding and audit needs. Retention periods will be set out in Equra’s Data Retention Schedule.
9. Security and access control
Equra will implement appropriate organisational and technical measures to protect personal data, which may include:
- Role-based access controls and least-privilege access
- Secure storage, encryption where appropriate, and secure disposal
- Strong password and account management practices
- Secure handling of emails and attachments
- Controlled access to physical records and devices
- Secure remote working practices and device protection
Equra will limit access to personal data to those with a legitimate need to know.
10. Sharing personal data and confidentiality
10.1 Equra shares personal data only where there is a lawful basis and a clear purpose, for example with:
- Awarding bodies, assessment services or learning platforms
- Partner institutions (where applicable and communicated clearly)
- Professional advisers (where necessary)
- Public authorities where legally required
10.2 Equra will ensure that disclosures are proportionate, documented, and shared securely.
11. Processors and third-party suppliers
Where Equra uses third-party suppliers to process personal data (e.g., learning platforms, email systems, payment providers), Equra will ensure appropriate contractual terms are in place, including confidentiality, security requirements and clear processing instructions.
12. International transfers
Where personal data is transferred outside the UK, Equra will ensure appropriate safeguards are in place and that individuals are informed through the Privacy Notice where required.
13. Individual rights requests
Equra recognises individual rights under data protection law and will respond to valid requests within required timeframes.
13.1 Subject access (SAR)
Equra will respond to subject access requests without undue delay and at the latest within one month of receipt. The response time may be extended by up to a further two months where requests are complex or numerous, and Equra will explain the reasons for any extension.
13.2 Identity verification
Equra may request reasonable proof of identity before disclosing personal data, to protect confidentiality.
13.3 Exemptions and restrictions
Equra will apply exemptions only where there is a valid legal basis and will explain its decisions as appropriate.
14. Data Protection Impact Assessments (DPIAs)
Equra will assess privacy risks for new or significantly changed processing activities, and will complete DPIAs where appropriate to identify and reduce risks to individuals.
15. Personal data breaches and incident management
15.1 All suspected or confirmed personal data breaches must be reported immediately to the Data Protection Lead.
15.2 Equra will:
- Contain and assess the incident quickly
- Record the facts, effects and remedial actions
- Notify the ICO where the breach is notifiable, without undue delay and where feasible within 72 hours of becoming aware of it
- Notify affected individuals where required due to high risk
16. Training and awareness
Equra will provide induction and ongoing training for staff and relevant contractors to ensure secure and lawful handling of personal data, including breach awareness and secure communications.
17. Monitoring, audit and compliance records
Equra will maintain appropriate records to demonstrate compliance, including:
- Processing records and purpose documentation
- Supplier and platform assurance checks (where appropriate)
- Breach logs and incident learning
- Training completion records
18. Non-compliance
Failure to comply with this policy may result in investigation and appropriate action under relevant Equra procedures, and may include restrictions on system access or disciplinary action where applicable.
19. Review
This policy will be reviewed annually or sooner where required due to regulatory changes, incidents, new systems, or partner requirements.