Data Use and Management Policy

London Vesta College Ltd holds and manages data about individuals and organizations: we do this to provide our services to individuals and organizations. We recognize our fundamental need to ensure that this information is accurate and secure and go beyond the needs of any legislative requirements in this. The secure management of data is central to the way we work. In particular, this policy requires staff to ensure that the Data Controller be consulted before any significant new data processing activity is initiated, in order that the relevant compliance steps are addressed.


Definition of Personal Data

Any information relating to an ‘identified or identifiable natural person’, i.e. one who can be identified directly, or indirectly, in particular by reference to the points below:
  • Name
  • Identification Number
  • Location Data
  • Online Identifier
  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Examples of Personal Data

  • Driver's License Number
  • Home Address
  • Email
  • Telephone Number
  • Facebook Profile
  • IP Address

Business Purposes

The purposes for which personal data may be used by us:
  • Personnel
  • Administrative
  • Financial
  • Regulatory
  • Payroll
  • Business Development Purposes

Business purposes include the following:
  • Compliance with our legal, regulatory and corporate governance obligations and good practice.
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests.
  • Ensuring business policies are adhered to.
  • Operational reasons, such as recording transactions, training, ensuring the confidentiality of commercially sensitive information, security vetting.
  • Investigating complaints.
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities, and staff absences, administration and assessments.
  • Monitoring staff conduct and disciplinary matters.
  • Marketing our business.
  • Improving services.


We operate under certain principles. All of the following should be considered and applied when considering any processing of both old and new information. This policy applies to all staff. You must be familiar with this policy and comply with its terms.

The principles we apply

The Purpose-Limitation Principle

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Personal data shall be obtained only for one or more specified, lawful purposes. Personal data may not be further processed in any manner incompatible with those purposes.

The Data Minimization Principle

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

The Accuracy Principle

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the Data Controller.
You must also take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. If your personal circumstances change, please inform the Data Controller.

The Storage Limitation Principle

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. We have a business policy of retaining financial information for six years plus the current year, we retain signed documents for seven years after their end and we retain anything with a witnessed signature for 12 years after the end-of-contract date.
Once information is no longer needed it must be securely disposed of.
A data subject has a right to be forgotten and may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with that request. An erasure request can only be refused if an exemption applies.

The Integrity and Confidentiality Principle

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and also accidental loss, destruction or damage, using appropriate technical or organizational measures.

The processing of all data must comply with one of the following bases:

  • Consensual
  • Necessity for a contract
  • Legal Obligations
  • Vital Interests
  • Public Interest
  • Legitimate Interests

Storing Data Securely

You must keep personal data secure against loss or misuse. Where other organizations process personal data as a service on our behalf, we will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organizations.
Please comply with the following:

  • In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it.
  • Printed data should be shredded when it is no longer needed.
  • Data stored on a computer should be protected by password.
  • Data stored on CDs or memory sticks must be locked away securely when not being used.
  • Any cloud storage system must be approved.
  • Servers containing personal data must be kept in a secure location.
  • Data should be regularly backed up in line with the company’s backup procedures.
  • Data should never be saved directly to mobile devices such as laptops, tablets and smartphones.

Reporting Breaches

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:

  • Investigate the failure and take remedial steps if necessary.
  • Maintain a register of compliance failures.
  • Notify the Supervisory Authority of any compliance failures that are material either in their own right or as part of a pattern of failures.

Subject Access Request

Please note that individuals are entitled (subject to certain exceptions) to request access to information held about them.
If you receive a subject access request, you should refer that request immediately to the Data Controller.
Please contact the Data Controller if you would like to correct or request information that we hold about you. There are restrictions on the information to which you are entitled under applicable law.

Data requests by individuals or organizations

All individuals or organisations are entitled to ask about data about them held by us.
They can ask questions including:
  • What information we hold about them and why.
  • How to gain access to it.
Such a request for information is called a “subject access request”. All such requests must be forwarded to the Data Controller and their receipt logged. Applications for subject access data can be made by email to [email protected] or by post. The title of the email should state that it is a “subject access request”. We will aim to provide the relevant data within 10 working days. We will always verify the identity of a person making a subject access request before providing any information. In certain circumstances the GDPR and the DPA allow data to be disclosed to law enforcement agencies without the consent of the data subject. We will only disclose data if the request is found to be legitimate and will seek advice from the Board and/or our legal advisers, where necessary.

Processing in Accordance with Individual Rights

You should abide by any request from an individual not to use their personal data for direct marketing purposes and notify us about any such request.
Do not send direct marketing material to someone electronically unless you have an existing business relationship with them in relation to the services being marketed.
Please contact Data Controller for advice on direct marketing before engaging in any such activity.

Contacts and their responsibilities

We take compliance with this policy very seriously. Failure to comply puts both you and London Vesta College Ltd at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.
If you have any questions or concerns about anything in this policy, do not hesitate to contact the people below.

Who is responsible for this policy?

The Director of Education is responsible for this policy.

Compliance and cooperation with regulatory authorities

We regularly review compliance with our Privacy Policy. We also ensure that we meet the GDPR (General Data Protection Regulation) and DPA 1998 (Data Protection Act). When we receive formal, written complaints, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints.


Our Privacy Policy may change from time to time. We will not reduce your rights under this Privacy Policy without your explicit consent. We will post any Privacy Policy changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Policy changes). We will also keep prior versions of this Privacy Policy in an archive for your reference. We keep your personal information private and safe — and put you in control.

Version 3 August 2021