Data Protection Policy

Watney College is committed to protecting the privacy and security of personal data in compliance with the UK GDPR and the Data Protection Act 2018. This policy sets out the principles, rights and responsibilities governing all data processing at the College.

Principles and lawful basis for processing

The College recognises its responsibility in ensuring the confidentiality, integrity and security of personal data. This policy applies to all staff, students and third parties who process personal data on behalf of Watney College.

Personal data will be:
  • Processed lawfully, fairly and transparently
  • Collected for specific, legitimate purposes only
  • Adequate, relevant and limited to what is necessary
  • Kept accurate and up to date
  • Not retained longer than necessary
  • Processed in a secure manner

Lawful basis for processing

Consent · Contractual necessity (e.g. student enrolment or employment) · Legal obligation · Legitimate interests · Vital interests · Public task. Processing will only occur where a valid lawful basis exists under UK GDPR.

Types of data covered

Personally Identifiable Information (PII) including names, addresses and contact details · Special Category Data including health data and religious beliefs · Student academic records, enrolment details and performance data.

Your rights and data security

Under UK GDPR, individuals have the right to:
  • Access: request a copy of personal data held
  • Rectification: request corrections to inaccurate data
  • Erasure: request deletion, subject to conditions
  • Restrict processing: block further processing in certain circumstances
  • Data portability: receive data in a machine-readable format
  • Object: object to processing in certain situations

Data security measures

Secure physical and electronic storage · Strong access controls (staff access only what is necessary) · Regular staff training on data protection · Encryption of sensitive data where appropriate.

Third-party processors

Where personal data is shared with third parties such as awarding bodies, quality agencies or IT support providers, appropriate data processing agreements are in place to ensure GDPR compliance.

Data Protection Officer, breach reporting and responsibilities

Data Protection Officer (DPO)

The College has appointed a DPO responsible for overseeing data protection compliance and monitoring adherence to UK GDPR. Contact the DPO at: info@watneycollege.co.uk or +44 (0) 2080046463.

Breach reporting

Where a data breach could result in harm to individuals, the College will notify the relevant supervisory authority and affected individuals within 72 hours, as required under UK GDPR. All suspected breaches must be reported immediately to the DPO.

All staff and students who handle personal data must:
  • Be familiar with and follow this policy and relevant guidelines
  • Ensure personal data is stored securely and used appropriately
  • Report any suspected data breaches immediately to the DPO

Data will be retained in accordance with the College's data retention schedule and securely deleted or anonymised when no longer required.

Legal and regulatory framework

Legislation / guidance | Relevance
UK General Data Protection Regulation (UK GDPR) | Primary data protection framework
Data Protection Act 2018 | UK implementation of GDPR obligations
ICO Guide to the General Data Protection Regulation | Regulatory guidance on compliance
GDPR (EU) 2016/679 | EU origin regulation informing UK framework

Last reviewed: 5 November 2025  ·  Version: 1.2  ·  Next review: November 2026