London Institute of Business and Technology is committed to upholding the privacy of its learners and employees and conforming to the Data Protection Act (2018) of the Isle of Man. To achieve this commitment, information about our learners, employees and other clients, contacts and other stakeholders which may be collected shall be used fairly, stored safely and not unlawfully disclosed to any other person or third party. Information that is already in the public domain is exempt from this requirement.
Our policy is to make as much information public as possible and, in particular, the following information will be available to the public:
- Names of our Directors
- Photographs of key staff
- List of staff
- Learner performance data
Our Institute, staff and others who process or use any personal information shall ensure that they follow the data protection principles set out in the Data Protection Act (2018) of the Isle of Man. We shall ensure that the following principles are adhered to. Data shall:
- Be obtained and processed fairly and lawfully
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
- Be adequate, relevant and not excessive for those purposes
- Be accurate and kept up-to-date
- Not be kept longer than is necessary for that purpose
- Be processed in accordance with the data subject rights
- Be kept safe from unauthorised access, accidental loss or destruction
- Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data
The Institute will not release staff or learner data to third parties except to relevant statutory bodies upon request. In all other circumstances the Institute will obtain the consent of the individuals concerned before releasing any personal data.
The management is responsible for the oversight and implementation of this policy. It will be the responsibility of the management and senior staff to ensure compliance with the policy and for communicating the policy to all staff.
3.1 Staff Responsibilities
- All staff are responsible for ensuring that any personal data which they hold is kept securely and that personal information is not disclosed in any way to any unauthorised third party.
- All staff are responsible for ensuring any personal data provided to the Institute is accurate and up-to-date.
- Informing the Institute of any changes to information, which they have provided, i.e. change of address;
- Informing the Institute of any errors or changes. The Institute cannot be held responsible for any errors unless the staff member has informed us of them.
The policy applies to all staff who process and access data about individuals on a regular basis, i.e., when marking registers, writing reports or references, or as part of a pastoral or academic supervisory role. The information must be available only to relevant parties deemed fit by the Institute.
The Institute will ensure through procedures that all individuals give their consent to this type of processing. The information that staff deal with on a day-to-day basis will be ‘standard’ and will cover categories such as:
- General personal details such as name and address;
- Details about class attendance, course work marks and grades and associated comments;
- Notes of personal supervision, including matters about behaviour and discipline.
Information about an individual’s physical or mental health; sexual orientation; political or religious views; trade union membership or ethnicity or race is sensitive and can only be collected and processed with consent.
All staff have a duty to make sure that they comply with the data protection principles, which are set out in this policy. In particular, staff must ensure records are:
- Stored and disposed of safely, and responsibly.
The Director of Admissions / Administration will be responsible for ensuring that all personal data is kept securely. They must ensure personal data is:
- Put away in lockable storage;
- Not left on unattended desks or tables;
- Unattended ICT equipment should not be accessible to other users;
- ICT equipment used off-site must be password-protected;
- Data files on CD or floppy disk or memory stick or email attachments used off-site containing personal data must be password-protected;
- Shredded where appropriate
Staff must not:
- Disclose personal data to any individual, unless for normal academic or pastoral purposes, without authorisation or agreement from the Data Controller / Director, or in line with the Institute policy;
- Disclose personal data to any other staff member except with the written authorisation or agreement of the designated Data Controller / Director, or in line with the Institute policy.
Before processing, all staff should consider the following:
- Do you really need to record the information?
- Is the information ‘sensitive’?
- If it is sensitive, do you have the data subject’s express consent?
- Has the individual been told that this type of data will be processed?
- Are you authorised to collect / store / process the data?
- If yes, have you checked with the data subject that the data is accurate?
- Are you sure that the data is secure?
- If you do not have the data subject’s consent to process, are you satisfied that it is in the best interests of the individual or the safety of others to collect and retain the data?
3.2. Student Responsibilities
All learners are responsible for ensuring that all personal data provided to the Institute is accurate and up-to-date.
Compliance with the Data Protection Act (2018) of the Isle of Man is the responsibility of all members of the Institute. Any breach of the Data Protection Policy may lead to disciplinary action being taken, access to the Institute being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation of this policy should be referred to your line manager.
This policy and related procedures will be reviewed on an annual basis.
5. Rights of Access Information
Staff, individuals and other users of the Institute have the right to access any personal data that is being kept about them either on computer or in certain files. Any person who wishes to exercise this right should write to the Data Controller: firstname.lastname@example.org
The Institute will make a charge on each occasion that access is requested, although the Institute has discretion to waive this. This charge will be automatically waived for staff.
The Institute aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 21 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.
6. The Data Controller and the Designated Data Controllers
The Institute has a designated Data Controller who will deal with day-to-day matters.
The Institute’s designated and nominated Data Controller may be a Director / Administrator.
7. Retention of Data
We shall retain information in line with awarding organisation requirements, and learner personal data and assessment records will be shared with awarding organisations and their qualifications regulator/s. Below is an outline of typical information gathered and retained:
- Learner Information such as but not limited to learner full name; learner’s Unique Learner Number (if applicable); date of birth; contact address; contact email; date of enrolment and registration with the awarding organisation.
- Learner Assessment Records such as but not limited to induction records, including evidence of identity authentication; assessment plans; list of units achieved, date, name of assessor; assessor documentation for example mark-sheets; learner assessments.
- Internal Quality Assurance Records such as but not limited to IQA assessment documentation; sampling plans; internal quality assurer reports; standardisation meeting minutes; assessor and IQA certificates, CVs and CPD records; certification/achievement claims.
Record Retention Period
All records will be retained in accordance with awarding organisation requirements for qualifications, or for a maximum of  years.
After a period of 6 years, LIBT retains only the essential personal information required to verify the learner’s identity and confirm their enrolment at LIBT, as well as details of the awards and mark transcripts. All other personal data will be securely discarded.
Please see Appendix 1 for the guidelines for the retention of personal data.
Last updated on May 23, 2023 by LIBT Policy Committee
Approved by: Sesiri Pathirane – Board of Directors
Company Name: London Institute of Business & Technology Limited
Company Address: The Nunnery, Old Castletown Road, Douglas, IM2 1QB, Isle of Man, British Isles.
Date for the subsequent policy review: May 22, 2024