Data Protection

Updated 20.07.2024

Data Protection Policy

This policy outlines Stonebridge University's commitment to privacy and data security. It establishes strict protocols to safeguard the confidentiality, integrity, and lawful processing of all personal information across the institution.

1. Introduction

Stonebridge University is committed to protecting the privacy, confidentiality, and integrity of personal data. As an online higher education institution, the university processes significant volumes of personal and sensitive information relating to students, staff, applicants, partners, and other stakeholders.

This Data Protection Policy establishes the principles and procedures governing the collection, processing, storage, sharing, and protection of personal data. The university ensures compliance with applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Purpose and Scope
2.1 Purpose

The purpose of this policy is to:

  • Ensure lawful, fair, and transparent processing of personal data.
  • Protect the rights and freedoms of individuals.
  • Safeguard personal data against unauthorised access, disclosure, alteration, or destruction.
  • Establish clear responsibilities for data protection across the university.
  • Promote a culture of data protection awareness and accountability.

2.2 Scope

This policy applies to:

  • All employees, academic staff, contractors, and consultants.
  • Students and applicants.
  • Third-party service providers processing data on behalf of the university.
  • All systems, platforms, and digital services used by the university, including virtual learning environments (VLE), admissions systems, HR systems, and cloud-based services.

It applies to all personal data processed by the university in both digital and physical formats.

3. Definitions
3.1 Personal Data

Any information relating to an identified or identifiable individual, including names, contact details, identification numbers, academic records, financial information, IP addresses, and online identifiers.

3.2 Special Category Data

Sensitive personal data requiring enhanced protection, including data relating to health, ethnicity, religious beliefs, biometric data, or criminal convictions.

3.3 Processing

Any operation performed on personal data, including collection, recording, storage, organisation, retrieval, use, disclosure, or deletion.

4. Data Protection Principles

Stonebridge University adheres to the following principles under UK GDPR:

4.1 Lawfulness, Fairness, and Transparency

Personal data shall be processed lawfully, fairly, and in a transparent manner.

4.2 Purpose Limitation

Data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

4.3 Data Minimisation

Only data that is adequate, relevant, and necessary for the intended purpose shall be collected.

4.4 Accuracy

Personal data shall be accurate and kept up to date.

4.5 Storage Limitation

Data shall not be retained longer than necessary for the purposes for which it was collected.

4.6 Integrity and Confidentiality

Appropriate technical and organisational measures shall be implemented to ensure data security.

4.7 Accountability

The university is responsible for demonstrating compliance with data protection legislation.

5. Lawful Bases for Processing

Personal data will only be processed where a lawful basis applies, including:

  • Consent of the data subject.
  • Performance of a contract (e.g., student enrolment).
  • Compliance with a legal obligation.
  • Protection of vital interests.
  • Performance of a task carried out in the public interest.
  • Legitimate interests pursued by the university, provided these do not override individual rights.

Special category data will only be processed under additional lawful conditions as required by law.

6. Roles and Responsibilities
6.1 Governing Body

  • Ensure institutional compliance with data protection legislation.
  • Oversee strategic data governance arrangements.

6.2 Data Protection Officer (DPO)

The university shall appoint a Data Protection Officer (DPO) who will:

  • Monitor compliance with data protection laws.
  • Provide advice and guidance on data protection obligations.
  • Act as the primary contact point for the Information Commissioner’s Office (ICO).
  • Support data protection impact assessments (DPIAs).

6.3 Staff and Contractors

All staff must:

  • Process personal data in accordance with this policy.
  • Maintain confidentiality of personal data.
  • Complete mandatory data protection training.
  • Report data breaches immediately.

6.4 Students

Students must:

  • Respect the privacy and confidentiality of others.
  • Use university systems responsibly and in compliance with policies.

7. Data Security Measures

The university implements appropriate technical and organisational measures, including:

  • Secure cloud-based infrastructure.
  • Encryption of sensitive data where appropriate.
  • Multi-factor authentication for system access.
  • Role-based access controls.
  • Regular security audits and vulnerability testing.
  • Secure data backup and disaster recovery procedures.

Physical records, where applicable, will be stored securely with controlled access.

8. Data Subject Rights

Individuals have the following rights under UK GDPR:

  • Right to be informed.
  • Right of access.
  • Right to rectification.
  • Right to erasure (“right to be forgotten”).
  • Right to restrict processing.
  • Right to data portability.
  • Right to object.
  • Rights relating to automated decision-making and profiling.

Requests to exercise these rights must be submitted in writing. The university will respond within one month in accordance with legal requirements.

9. Data Retention

The university maintains a Data Retention Schedule specifying retention periods for different categories of data. Once retention periods expire, data will be securely deleted or anonymised.

10. Data Breaches

A personal data breach includes any unauthorised access, disclosure, loss, or alteration of personal data.

10.1 Reporting

All suspected or actual data breaches must be reported immediately to the Data Protection Officer.

10.2 Investigation and Notification

The university will:

  • Investigate the breach promptly.
  • Assess the risk to individuals.
  • Notify the Information Commissioner’s Office (ICO) within 72 hours where required.
  • Inform affected individuals where there is a high risk to their rights and freedoms.

All breaches will be documented in a central breach register.

11. International Data Transfers

Where personal data is transferred outside the UK, the university will ensure appropriate safeguards are in place, such as:

  • Adequacy decisions.
  • Standard contractual clauses.
  • Approved certification mechanisms.

12. Third-Party Processors

Where external service providers process personal data on behalf of the university, written agreements will ensure:

  • Compliance with data protection legislation.
  • Appropriate security measures.
  • Confidentiality obligations.
  • Audit rights where necessary.

13. Training and Awareness

The university will provide regular data protection training to staff and relevant stakeholders. Training will include:

  • Data handling best practices.
  • Recognising and reporting data breaches.
  • Information security awareness.

14. Monitoring and Policy Review

This policy will be reviewed annually or when significant legal, regulatory, or operational changes occur. Compliance will be monitored through internal audits and risk assessments.

15. Conclusion

Stonebridge University recognises that the protection of personal data is fundamental to maintaining trust, safeguarding individual rights, and upholding institutional integrity.

Through this Data Protection Policy, the university demonstrates its commitment to responsible data governance, regulatory compliance, and the secure delivery of high-quality online education.
