1. Document Control
Policy Owner: Principal / Director
Responsible Committee: Management Committee (with Academic Board oversight where academic delivery is affected)
Approval Authority: Principal / Director
Effective From: 15/12/2025
Version: 1.0
Applies To: All third-party providers, subcontractors, agents and partner organisations engaged by Equra College London to support delivery, operations or student services.
2. Purpose
Equra College London is committed to maintaining quality, integrity and compliance when working with third parties. This policy sets out how the College selects, contracts with, monitors and manages third-party providers and subcontractors to ensure:
a. Delivery and services meet required standards.
b. Risks are assessed and controlled.
c. Roles and responsibilities are clear.
d. Students are protected and treated fairly.
e. Partner due diligence expectations are satisfied.
3. Scope
This policy applies to third parties involved in:
a. Teaching delivery or module support
b. Student recruitment support (where applicable)
c. Student support services (where outsourced)
d. IT systems, learning platforms and data processing
e. Facilities and premises services
f. Assessment services (where permitted)
g. Marketing, events and external engagement services
h. Any subcontracted activity that affects student experience, academic standards or compliance
This policy applies regardless of whether the third party is paid, voluntary, short-term or long-term, where they represent or impact College operations.
4. Principles
The College’s approach is based on:
a. Clear contractual accountability
b. Quality assurance and evidence-based monitoring
c. Protection of academic standards and assessment integrity
d. Safeguarding and student protection
e. Data protection and information security compliance
f. Transparency for students about delivery and responsibility
g. Proportionate risk management
5. Definitions
Third-party provider: Any external organisation or individual providing services or functions for the College.
Subcontracting: Delegating delivery or services (including academic delivery or student-facing services) to another party.
Data processor: A third party that processes personal data on behalf of the College.
6. When Third Parties May Be Used
Third-party provision may be used where it supports College capability and student outcomes, including for:
a. Specialist expertise or guest teaching
b. IT platforms and digital delivery tools
c. Facilities and safety services
d. Professional services (legal, accounting, HR advice)
e. Events and conferencing support
f. Additional learning support services where appropriate
The College will not subcontract academic standards responsibilities. Ultimate responsibility for academic standards and student outcomes remains with Equra College London.
7. Due Diligence and Selection
Before appointing a third party, the College will apply proportionate due diligence, which may include:
a. Verification of legal status and relevant registrations
b. Review of experience and capability
c. References and performance evidence where appropriate
d. Safeguarding capability where the third party works with students
e. Health and safety compliance where premises or physical delivery is involved
f. Data protection and information security checks where personal data is involved
g. Financial and operational stability assessment where relevant
h. Review of conflicts of interest
8. Contracting Requirements
All third-party arrangements must be documented in writing and must include:
a. Scope of service and standards expected
b. Roles, responsibilities and reporting lines
c. Quality monitoring and performance expectations
d. Compliance requirements (safeguarding, EDI, H&S, academic integrity as applicable)
e. Data protection clauses and confidentiality requirements
f. Incident reporting and escalation routes
g. Termination rights and exit planning
h. Intellectual property ownership and permitted use where relevant
i. Requirements to co-operate with partner audits or College reviews where applicable
Where a third party processes personal data, appropriate data processing terms must be in place.
9. Quality Assurance and Monitoring
The College will monitor third-party performance through proportionate controls, which may include:
a. Service reviews and KPI monitoring
b. Student feedback and complaints themes
c. Teaching observation or sampling (where academic delivery is involved)
d. Moderation and assessment integrity checks (where relevant)
e. Regular reporting meetings
f. Audit or site visits where appropriate
g. Review of incidents, safeguarding reports and data protection issues
Where performance concerns arise, improvement actions must be agreed and monitored.
10. Safeguarding and Student Protection
Where a third party has contact with students or affects student wellbeing, the third party must:
a. Comply with the College’s Safeguarding Policy and Procedure
b. Follow reporting and escalation routes for safeguarding concerns
c. Ensure appropriate staff vetting and training where required
d. Maintain professional boundaries and appropriate conduct
11. Data Protection and Information Security
Where a third party handles personal data or College systems, the third party must:
a. Comply with the College’s Data Protection Policy and Information Security Policy
b. Follow secure handling practices
c. Report data breaches immediately in line with the Data Breach Incident Response Procedure
d. Only use personal data for the agreed purpose and not retain it longer than necessary
e. Support the College in responding to SARs and regulatory requirements where relevant
12. Transparency to Students
Where delivery or services are provided by a third party, the College will ensure transparency, including:
a. Clear communication to students about who provides the service
b. Clear routes for complaints and escalation
c. Assurance that academic responsibility remains with the College
13. Termination and Exit Management
The College will maintain appropriate exit planning for critical services, including:
a. Transition arrangements to minimise disruption
b. Return or secure deletion of data
c. Return of College materials and access removal
d. Documentation of outcomes and lessons learned
14. Reporting Concerns
Concerns about third-party performance, misconduct, safeguarding, fraud or data breaches must be reported promptly using appropriate routes, including whistleblowing routes where applicable.
15. Monitoring and Review
This policy will be reviewed annually and following any significant third-party incident or partner audit feedback.
16. Related Policies and Documents
a. Quality Assurance, Enhancement and Programme Management Policy
b. Academic Governance and Quality Assurance Policy
c. Safeguarding Policy and Procedure
d. Equality, Diversity and Inclusion (EDI) Policy
e. Health and Safety Policy
f. Risk Assessment Policy and Template
g. Business Continuity and Disaster Recovery Policy
h. Data Protection Policy
i. Information Security Policy
j. Data Breach Incident Response Procedure
k. Data Retention and Records Management Policy
l. Intellectual Property Policy
m. Whistleblowing, Public Interest Disclosure and Ethical Reporting Policy
n. Student Protection Plan