
Privacy Policy

1. Policy Statement

Legends Learning Centre is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We ensure that the personal data we process is handled with care, is kept secure, and that individuals’ rights are protected.

 

2. Purpose

The purpose of this policy is to outline our approach to data protection and to inform employees, learners, partners, and stakeholders of their responsibilities in ensuring compliance with applicable data protection laws.

 

3. Scope

This policy applies to:

  • All employees, contractors, and volunteers of Legends Learning Centre,

  • All personal data processed by the organisation,

  • All systems and processes involving personal data,

  • All third-party processors acting on behalf of the organisation.

 

 

4. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.

  • Processing: Any operation or set of operations performed on personal data.

  • Data Subject: The individual to whom personal data relates.

  • Data Controller: The person or organisation that determines the purposes and means of processing.

  • Data Processor: A person or organisation that processes data on behalf of the controller.

  • DPO: Data Protection Officer, the designated individual responsible for overseeing data protection strategy and implementation.

 

5. Principles of Data Protection

Legends Learning Centre adheres to the principles of data protection as set out in the UK GDPR:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability

 

 

6. Legal Bases for Processing

We only process personal data where there is a lawful basis under the UK GDPR. These include:

  • Consent

  • Contractual necessity

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

 

 

7. Rights of the Data Subject

 

  1. Right to be Informed

Individuals have the right to be informed about the collection and use of their personal data. This includes information about the purposes for processing, retention periods, and who it will be shared with. This is typically provided through a privacy notice or policy.

 

  2. Right of Access

Also known as a Subject Access Request (SAR), this right allows individuals to obtain a copy of their personal data, as well as other supplementary information. It helps individuals understand how and why you are using their data, and check if it is being done lawfully.

 

  3. Right to Rectification

Individuals have the right to have inaccurate personal data corrected or completed if it is incomplete. Organisations must respond within one calendar month to a rectification request.

 

  4. Right to Erasure

Also known as ‘the right to be forgotten’, this right enables individuals to request the deletion or removal of personal data where there is no compelling reason for its continued processing. This is not an absolute right and applies in specific circumstances.

 

  5. Right to Restrict Processing

Individuals have the right to request the restriction or suppression of their personal data. This means the data can be stored but not used. It typically applies when the individual contests the accuracy of the data or has objected to its use.

 

  6. Right to Data Portability

This right allows individuals to obtain and reuse their personal data for their own purposes across different services. It enables them to move, copy or transfer personal data easily in a structured, commonly used, and machine-readable format.

 

  7. Right to Object

Individuals have the right to object to the processing of their personal data in certain circumstances, such as for direct marketing, profiling, or where processing is based on legitimate interests or public tasks.

 

  8. Rights Related to Automated Decision Making and Profiling

Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal or similarly significant effects. Safeguards must be put in place to allow human intervention and review.

 

8. Data Subject Access Requests (DSARs)

Data subjects have the right to request access to their personal data. Requests must be submitted in writing to the DPO. [Organisation Name] will respond within one month, as required by law, and will not charge a fee unless the request is manifestly unfounded or excessive.

 

9. Data Security

We employ appropriate technical and organisational measures to ensure the security of personal data, including:

  • Password protection and access controls

  • Encryption of sensitive data

  • Regular security audits and updates

  • Staff training and awareness

  • Secure disposal of personal data

 

 

10. Data Breaches

All data breaches must be reported immediately to the DPO. The DPO will assess the risk and determine whether the breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours and/or to affected individuals.

 

11. Data Retention

We retain personal data only as long as necessary for the purposes it was collected. Retention periods are outlined in our Data Retention Schedule. Data that is no longer required is securely deleted or destroyed.

 

12. Third Parties and Data Sharing

Any third-party service provider processing data on our behalf must have appropriate data protection safeguards in place. We ensure data sharing is governed by written agreements and data sharing protocols.

 

13. Training and Awareness

All staff receive mandatory training on data protection, with annual refreshers and ad hoc updates when laws or policies change. Awareness campaigns ensure data protection is embedded in the organisation’s culture.

 

14. Roles and Responsibilities

  • Board/Governors: Provide strategic oversight of data protection.

  • DPO: Monitors compliance, advises on obligations, and is the point of contact for data subjects and the ICO.

  • All Staff: Must comply with this policy and report any concerns or breaches to the DPO.

 

15. Monitoring and Review

This policy is reviewed annually or in response to changes in legislation or regulatory guidance. Compliance is monitored through internal audits and incident reporting mechanisms.

 

16. Linked Policies

  • Information Security Policy

  • Data Retention Schedule

  • Safeguarding and Child Protection Policy

  • IT and Acceptable Use Policy

  • Confidentiality Policy
