Legal

Website terms and conditions | Website acceptable use policy | Privacy and data protection policy | Cookie policy | UK GDPR policies

Website Terms and Conditions

Please read these terms and conditions carefully before using our sites.

These terms of use (together with the documents referred to in it) tells you the terms of use on which you may make use of our website, our Online Learning Area and the CMP Academy (our sites), whether as a guest or a registered user.

Use of our sites includes accessing, browsing, or registering to use our sites.

Please read these terms of use carefully before you start to use our sites, as these will apply to your use of our sites. We recommend that you print a copy of this for future reference.

By using our sites, you confirm that you accept these terms of use and that you agree to comply with them.

If you do not agree to these terms of use, you must not use our sites.

Other applicable terms

These terms of use refer to the following additional terms, which also apply to your use of our sites:

Our Privacy Policy (see Tab above), which sets out the terms on which we process any personal data we collect from you, or that you provide to us. By using our sites, you consent to such processing and you warrant that all data provided by you is accurate.
Our Cookie Policy (see Tab above), which sets out information about the cookies on our sites.
If you purchase a course from our sites, our Student Learning Agreement (see Tab above) will apply to the sales.

These sites are operated by College of Media and Publishing Limited (“We”). We are registered in England and Wales under company number 05220267 and have our registered office at St. John’s House, St. John’s Street, Chichester, West Sussex, PO19 1UH. Our VAT number is 924385414.

Changes to these terms

We may revise these terms of use at any time by amending this page.

Please check this page from time to time to take notice of any changes we made, as they are binding on you.

Changes to our sites

We may update our sites from time to time, and may change the content at any time. However, please note that any of the content on our sites may be out of date at any given time, and we are under no obligation to update it.

We do not guarantee that our sites, or any content on them, will be free from errors or omissions.

Accessing our sites

Our websites are made available free of charge.

Our Online Learning Area (OLA) is only available to our current and former students, provided they are up-to-date with all payments due to us and have not been removed from their course(s) for breaching our Student Learning Agreement (see Tab above).

We do not guarantee that our sites, or any content on them, will always be available or be uninterrupted. Access to our sites is permitted on a temporary basis. We may suspend, withdraw, discontinue or change all or any part of our sites without notice. We will not be liable to you if for any reason our sites are unavailable at any time or for any period.

You are responsible for making all arrangements necessary for you to have access to our sites.

You are also responsible for ensuring that all persons who access our sites through your internet connection are aware of these terms of use and other applicable terms and conditions, and that they comply with them.

Your account and password

If you choose, or you are provided with, a user identification code, password or any other piece of information as part of our security procedures, you must treat such information as confidential. You must not disclose it to any third party.

We have the right to disable any user identification code or password, whether chosen by you or allocated by us, at any time, if, in our reasonable opinion, you have failed to comply with any of the provisions of these terms of use.

If you know or suspect that anyone other than you knows your user identification code or password, you must promptly notify us by email.

Intellectual property rights

We are the owner or the licensee of all intellectual property rights in our sites, and in the material published on them. Those works are protected by copyright laws and treaties around the world. All such rights are reserved.

You may print off one copy, and may download extracts, of any page(s) from our sites for your personal use and you may draw the attention of others within your organisation to content posted on our sites.

You must not modify the paper or digital copies of any materials you have printed off or downloaded in any way, and you must not use any illustrations, photographs, video or audio sequences or any graphics separately from any accompanying text.

Our status (and that of any identified contributors) as the authors of content on our sites must always be acknowledged.

You must not use any part of the content on our sites for commercial purposes without obtaining a licence to do so from us or our licensors.

If you print off, copy or download any part of our sites in breach of these terms of use, your right to use our sites will cease immediately and you must, at our option, return or destroy any copies of the materials you have made.

No reliance on information

The non-teaching content on our sites is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the non-teaching content on our sites.

Although we make reasonable efforts to update the information on our sites, we make no representations, warranties or guarantees, whether expressed or implied, that the non-teaching content on our sites is accurate, complete or up-to-date.

Separate arrangements apply for the teaching materials on our OLA. These can be seen in the Learning Agreement (see Tab above).

Limitation of our liability

Nothing in these terms of use excludes or limits our liability for death or personal injury arising from our negligence, or our fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited by English law.

To the extent permitted by law, we exclude all conditions, warranties, representations or other terms which may apply to our sites or any content on them, whether expressed or implied.

We will not be liable to any user for any loss or damage, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, even if foreseeable, arising under or in connection with:

Use of, or inability to use, our sites; or
Use of, or reliance on any content displayed on our sites.

If you are a business user, please note that in particular, we will not be liable for:

Loss of profits, sales, business, or revenue;
Business interruption;
Loss of anticipated savings;
Loss of business opportunity, goodwill or reputation; or
Any indirect or consequential loss or damage.

If you are a consumer user, please note that we only provide our sites for domestic and private use. You agree not to use our sites for any commercial or business purposes, and we have no liability to you for any loss of profit, loss of business, business interruption, or loss of business opportunity.

We will not be liable for any loss or damage caused by a virus, distributed denial-of-service attack, or other technologically harmful material that may infect your computer equipment, computer programs, data or other proprietary material due to your use of our sites or to your downloading of any content on them, or on any websites linked to them.

We assume no responsibility for the content of websites linked on our sites. Such links should not be interpreted as endorsement by us of those linked websites. We will not be liable for any loss or damage that may arise from your use of them.

Uploading content to our sites

Whenever you make use of a feature that allows you to upload content to our sites, or to make contact with other users of our sites, you must comply with the content standards set out in our Website Acceptable Use Policy.

You warrant that any such contribution does comply with those standards, and you will be liable to us and indemnify us for any breach of that warranty. If you are a consumer user, this means you will be responsible for any loss or damage we suffer as a result of your breach of warranty.

Any content you upload to our sites will be considered non-confidential and non-proprietary. You retain all of your ownership rights in your content, but you are required to grant us a limited licence to use, store and copy that content and to distribute and make it available to third parties. The rights you license to us are described in the next paragraph (Rights you licence).

Rights you license

We also have the right to disclose your identity to any third party who is claiming that any content posted or uploaded by you to our sites constitutes a violation of their intellectual property rights, or of their right to privacy.

We will not be responsible, or liable to any third party, for the content or accuracy of any content posted by you or any other user of our sites.

We have the right to remove any posting you make on our sites if, in our opinion, your post does not comply with the content standards set out in our Website Acceptable Use Policy.

The views expressed by other users on our sites do not represent our views or values.

You are solely responsible for securing and backing up your content.

Viruses

We do not guarantee that our sites will be secure or free from bugs or viruses.

You are responsible for configuring your information technology, computer programmes and platform in order to access our sites. You should use your own virus protection software.

You must not misuse our sites by knowingly introducing viruses, trojans, worms, logic bombs or other material which is malicious or technologically harmful. You must not attempt to gain unauthorised access to our sites, the server on which our sites are stored or any server, computer or database connected to our sites. You must not attack our sites via a denial-of-service attack or a distributed denial-of service attack.

By breaching this provision, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities and we will cooperate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use our sites will cease immediately.

Linking to our sites

You may link to our home pages, provided you do so in a way that is fair and legal and does not damage our reputation or take advantage of it.

You must not establish a link in such a way as to suggest any form of association, approval or endorsement on our part where none exists.

You must not establish a link to our sites in any website that is not owned by you.

Our sites must not be framed on any other sites, nor may you create a link to any part of our sites other than the home page.

We reserve the right to withdraw linking permission without notice.

The websites in which you are linking must comply in all respects with the content standards set out in our Website Acceptable Use Policy.

If you wish to make any use of content on our sites other than that set out above, please contact us by email.

Third party links and resources in our sites

Where our sites contain links to other sites and resources provided by third parties, these links are provided for your information only.

We have no control over the contents of those sites or resources.

Applicable law

If you are a consumer, please note that these terms of use, its subject matter and its formation, are governed by English law. You and we both agree to that the courts of England and Wales will have non-exclusive jurisdiction. However, if you are a resident of Northern Ireland you may also bring proceedings in Northern Ireland, and if you are resident of Scotland, you may also bring proceedings in Scotland.

If you are a business, these terms of use, its subject matter and its formation (and any non-contractual disputes or claims) are governed by English law. We both agree to the exclusive jurisdiction of the courts of England and Wales.

Website terms and conditions v18.02 ©

Updated 30 December 2020

Website Acceptable Use Policy

This Website Acceptable Use Policy sets out the terms between you and us under which you may access our websites:

https://collegeofmediaandpublishing.co.uk/ and

https://ww2.collegeofmediaandpublishing.education (our sites).

This Website Acceptable Use Policy applies to all users of, and visitors to, our sites.

Your use of our sites means that you accept, and agree to abide by, all the policies in this Website Acceptable Use Policy, which supplement our Website Terms and Conditions.

Our website and OLA are sites operated by College of Media and Publishing Limited (we or us). We are registered in England and Wales under company number 05220267 and we have our registered office at St. John’s House, St. John’s Street, Chichester, West Sussex, PO19 1UH. Our VAT number is 924385414.

Prohibited uses

You may use our sites only for lawful purposes. You may not use our sites:

In any way that breaches any applicable local, national or international law or regulation.
In any way that is unlawful or fraudulent or has any unlawful or fraudulent purpose or effect.
For the purpose of harming or attempting to harm minors in any way.
To send, knowingly receive, upload, download, use or reuse any material which does not comply with our content standards (below).
To transmit, or procure the sending of, any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam).
To knowingly transmit any data, send or upload any material that contains viruses, trojan horses, worms, time-bombs, keystroke loggers, spyware, adware or any other harmful programs or similar computer code designed to adversely affect the operation of any computer software or hardware.

You also agree:

Not to reproduce, duplicate, copy or resell any part of our sites in contravention of the provisions of our terms of website use.
Not to access without authority, interfere with, damage or disrupt:
- Any part of our sites,
- Any equipment or network on which our sites are stored,
- Any software used in the provision of our sites, or
- Any equipment or network or software owned or used by any third party.

Interactive services

We may from time to time provide interactive services on our sites, including, without limitation:

Chatrooms.
Message boards.

Where we do provide any interactive service, we will provide clear information to you about the kind of service offered, if it is moderated and what form of moderation is used (including whether it is human or technical).

We will do our best to assess any possible risks for users (and in particular, for children) from third parties when they use any interactive service provided on our sites, and we will decide in each case whether it is appropriate to use moderation of the relevant service (including what kind of moderation to use) in the light of those risks. However, we are under no obligation to oversee, monitor or moderate any interactive service we provide on our sites, and we expressly exclude our liability for any loss or damage arising from the use of any interactive service by a user in contravention of our content standards, whether the service is moderated or not.

The use of any of our interactive services by a minor is subject to the consent of their parent or guardian. We advise parents who permit their children to use an interactive service that it is important that they communicate with their children about their safety online, as moderation is not foolproof. Minors who are using any interactive service should be made aware of the potential risks to them.

Where we do moderate an interactive service, we will normally provide you with a means of contacting the moderator, should a concern or difficulty arise.

Content standards

These content standards apply to any and all material which you contribute to our sites (contributions), and to any interactive services associated with them.

You must comply with the spirit and the letter of the following standards. The standards apply to each part of any contribution as well as to its whole.

Contributions must:

Be accurate (where they state facts).
Be genuinely held (where they state opinions).
Comply with applicable law in the UK and in any country from which they are posted.

Contributions must not:

Contain any material which is defamatory of any person.
Contain any material which is obscene, offensive, hateful or inflammatory.
Promote sexually explicit material.
Promote violence.
Promote discrimination based on race, sex, religion, nationality, disability, sexual orientation, gender or age.
Infringe any copyright, database right or trademark of any other person.
Be likely to deceive any person.
Be made in breach of any legal duty owed to a third party, such as a contractual duty or a duty of confidence.
Promote any illegal activity.
Be threatening, abuse or invade another’s privacy, or cause annoyance, inconvenience or needless anxiety.
Be likely to harass, upset, embarrass, alarm or annoy any other person.
Be used to impersonate any person, or to misrepresent your identity or affiliation with any person.
Give the impression that they emanate from us, if this is not the case.
Advocate, promote or assist any unlawful act such as (by way of example only) copyright infringement or computer misuse.

Suspension and termination

We will determine, in our discretion, whether there has been a breach of this Website Acceptable Use Policy through your use of our sites. When a breach of this policy has occurred, we may take such action as we deem appropriate.

Failure to comply with this Website Acceptable Use Policy constitutes a material breach of the terms of use upon which you are permitted to use our sites, and may result in our taking all or any of the following actions:

Immediate, temporary or permanent withdrawal of your right to use our sites.
Immediate, temporary or permanent removal of any posting or material uploaded by you to our sites.
Issue of a warning to you.
Legal proceedings against you for reimbursement of all costs on an indemnity basis (including, but not limited to, reasonable administrative and legal costs) resulting from the breach.
Further legal action against you.
Disclosure of such information to law enforcement authorities as we reasonably feel is necessary.

We exclude liability for actions taken in response to breaches of this Website Acceptable Use Policy. The responses described in this policy are not limited, and we may take any other action we reasonably deem appropriate.

Changes to the Website Acceptable Use Policy

We may revise this Website Acceptable Use Policy at any time by amending this page. You are expected to check this page from time to time to take notice of any changes we make, as they are legally binding on you. Some of the provisions contained in this Website Acceptable Use Policy may also be superseded by provisions or notices published elsewhere on our sites.

Website acceptable use policy v18.03 ©

Updated 18 August 2021

Privacy and data protection policy

WE ARE COMMITTED TO RESPECTING YOUR PRIVACY

Everyone has the right to privacy, and this also applies to online activities.

This page sets out how CMP (the College of Media and Publishing) complies with the UK GDPR.

Our promise to you

We are committed to protecting and respecting your privacy and other rights.

This is not because the UK GDPR tells us to. It’s because we want to.

We have always valued people’s personal information and privacy rights as part of our commitment to treating people with respect.

The UK GDPR means that we will continue to comply with all relevant laws and adopt good practice.

The “small print”

The UK GDPR says we must provide a written privacy policy. This appears below.

Defined terms

The term “we” applies to CMP.

The words “you” and “your” apply to anyone reading this document, and anyone who may later provide us with information, also known as “Data Subjects”.

The term “consent” means your voluntary agreement.

This policy describes:

What information we collect and why.
How we process your information.
What we do with the information.
What we won’t do with the information.
What rights you (our Data Subjects) have.

This policy also applies to:

Our Online Learning Area and our use of emails and social media for marketing.
Paper communications.
All other methods we use for collecting information.

PRIVACY POLICY

1. Who to speak to

The UK GDPR classes CMP as a Data Controller, to oversee our data operations.

For queries regarding your privacy and data protection with CMP, write to:

Jake Thom
St. John’s House, St. John’s Street, Chichester PO19 1UH, UK.

Or email: [email protected]

2. The personal data we collect

(a) What is personal data?

Personal data includes things like your name, address, and email address. This may be recorded on paper, or it could be an electronic version that is saved on a computer or cloud-based storage systems.

The UK GDPR says your personal data is your private property.

So, if we wrongly pass on your data, or misuse it, we may have breached your privacy if it identifies you, directly or indirectly.

For example, you can probably be identified through your postal address.

The UK GDPR says that personal data includes:

Names.
Email addresses.
Location data.
Online identifiers like usernames.
Employment details.

(b) Who do we collect personal data from?

Enquirers who complete enquiry forms and pop-ups.
Learners who fill our enrolment forms.
Employees and contractors.
Accrediting bodies and other organisations that we work with.
People who take part in our online challenges.

(c) Information we collect automatically

We may automatically collect the following information each time someone visits our website:

Technical information, including:
- The internet protocol (IP) address used to connect to the internet.
- Login information.
- Browser type and version.
- Time zone setting.
- Browser plug-in types and versions.
- Operating system and platform.
Information about the visit, including:
- The full Uniform Resource Locators (URL) clickstream to, through and from our website (including date and time).
- Products viewed or searched for.
- Page response times.
- Download errors.
- Length of visits to certain pages.
- Page interaction information (such as scrolling, clicks, and mouse-hovers).
- Methods used to browse away from the webpage.
- Any phone number used to call our customer service number.

(d) Information we receive from other sources

We may receive information about individuals who use any of the other websites we operate or the other services we provide.

In this case, we would have informed you when we collected your data of the fact that it may be shared internally and combined with data collected on this website.

We also work closely with business partners; subcontractors in technical, payment and delivery services; advertising networks; analytics providers; and search information providers, who may receive information about you.

(e) Special category data

Special category data is personal data which the UK GDPR says is more sensitive, and so needs more protection.

If we process special category data, we must meet an extra condition for processing.

The UK GDPR defines special category data as:

Racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Genetic data.
Biometric data.
Data concerning health.
Data concerning someone’s sex life or sexual orientation.
Information on an individual’s criminal activities.

(f) Who do we collect sensitive personal data from?

Learners who may be required to submit medical notes to support discretionary refund claims.
Staff members who may be required to submit medical notes to support discretionary refund claims.
Job applicants.

(g) Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a positive experience when you browse our website and allows us to improve our website. For detailed information on the cookies we use and why we use them, see our Cookie policy.

(h) Categories of Data Subjects

Our Data Subjects typically fall under one of the following categories:

Employees.
Service users.
Learners.
Enquirers.
Tutors.
Partner organisations.

3. Our lawful basis for processing personal data

Processing of personal data is only lawful if at least one of these legal conditions, as listed in Article 6 of the UK GDPR, is met:

The processing is necessary for a contract with the Data Subject.
The processing is necessary for us to comply with a legal obligation.
The processing is necessary to protect someone’s life (this is called “vital interests”).
The processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law.

If none of the above legal conditions apply, the processing will only be lawful if the Data Subject has given their clear consent.

Processing of “special categories” of personal data is only lawful when, in addition to the conditions above, one of the extra conditions, as listed in Article 9 of the UK GDPR, is met. These conditions include situations where:

The processing is necessary for carrying out our obligations under employment and social security and social protection legislation.
The processing is necessary for safeguarding the vital interests (in emergency, life or death situations) of an individual, and the Data Subject is incapable of giving consent.
The processing is carried out during our legitimate activities and relates only to our members or people with whom we are in regular contact in connection with our purposes.
The processing is necessary for pursuing legal claims.

If none of the above legal conditions apply, the processing will only be lawful if the Data Subject has given their explicit consent.

4. Our intended purposes for processing personal data

We use information held about our Data Subjects in the following ways:

(a) Information given to us by Data Subjects

We will use this information to:

Fulfil requests for:
- Ebooks.
- Prospectuses.
- Newsletters.
- Information about promotions, discounts and free gifts.
- Returning phone calls.
Process payments and verify financial transactions.
Identify visitors, learners, and enquirers.
Provide a personalised service to people who visit our websites – this could include customising the content or layout of our webpages for individual users.
Record any contact we have with people.
Prevent or detect fraud or abuses of our websites and enable third parties to carry out technical, logistical or other functions on our behalf.
Carry out research on the demographics, interests and behaviour of our users and supporters, to help us gain a better understanding of them, and to enable us to improve our service.
Communicate with our supporters and service users.
Provide people with information, promotions and discounts that we think may be of interest to them, if consent is obtained.
Provide online courses, as described, to people who purchase them.

(b) Information we collect automatically

We will use this information to:

Administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
Improve our website to ensure that content is presented in the most effective manner for our website visitors.
Allow website visitors to participate in interactive features of our service, when they choose to do so.
Support our efforts to keep our website safe and secure.
Measure or understand the effectiveness of advertising we provide to website visitors, and to deliver relevant advertising.
Make suggestions and recommendations our website users about goods or services that may interest them.

(c) Information we receive from other sources

We may combine this information with information given to us and information we collect automatically. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).

5. Who we share personal data with

We may share your personal information with any member of our group, which includes our subsidiaries and our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

We may share your information with selected third parties under these conditions:

If we are legally required to do so, for example, by a law enforcement agency legitimately exercising a power, or if compelled to by an order of the court.
If we believe it is necessary to protect or defend our rights, property or the personal safety of our people or visitors to our premises or websites.
If we are working with a carefully selected partner which is carrying out work on our behalf.
With analytics and search engine providers which assist us in the improvement and optimisation of our website.

We may disclose your personal information to third parties under these conditions:

If we sell or buy any businesses or assets, we may disclose your personal data to the prospective seller or buyer of such businesses or assets.
If CMP or substantially all of our assets are acquired by a third party, personal data held by us about our customers will be one of the transferred assets.
If we are under a duty to do so to comply with any legal obligation, or in order to enforce or apply our terms of use or terms and conditions of supply and other agreements; or to protect the rights, property, or safety of CMP, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud prevention and credit risk reduction.
We never sell or share your information to other organisations to use for their own purposes.

6. How we may use your personal information

We will use the personal information you provide to us:

(a) To supply the course(s) to you,

(b) To process your payment for the course(s), and

(c) To tell you about further courses that we provide. You may stop receiving these notifications at any time by contacting [email protected].

7. How we protect personal data

We will use appropriate measures to keep personal data secure at all points of the processing. Keeping data secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.

We will implement security measures which provide a level of security that is appropriate to the risks involved in the processing.

Measures will include technical and organisational security measures. In assessing which measures are the most appropriate, we will consider the following and anything else that is relevant:

The quality of the security measure.
The costs of implementation.
The nature, scope, context and purpose of processing.
The risk (of varying likelihood and severity) to the rights and freedoms of Data Subjects.
The risk which could result from a data breach.

Measures may include:

Technical systems security.
Measures to restrict or minimise access to data.
Measures to ensure that our systems and data remain available or can be easily restored in the case of an incident.
Physical security of information and of our premises.
Organisational measures, including policies, procedures, training and audits.
Regular testing and evaluation of the effectiveness of security measures.

If stored electronically, information is stored by us on computers located in the UK and on reputable cloud-based storage systems. We may transfer the information to other offices and to other reputable third-party organisations for the purposes of backup and mobile working.

Where we have given you (or where you have chosen) a password that enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website: any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

We may also store information in non-electronic forms, for which we have security procedures in place to protect it, in line with the UK GDPR.

Our Information Security Policy contains further details on the measures we have in place to protect personal data and prevent a data breach.

8. How we erase data upon expiry of retention period

We will not keep personal data longer than necessary for the purposes for which it was collected. We will comply with official guidance issued to our sector on retention periods for specific records. Further information can be found in our Data Retention Schedule.

Personal data stored electronically will be permanently deleted from our local files, and from our cloud-based storage systems.

Documentation containing personal data stored or archived in physical files will be shredded upon expiry of the retention period.

9. Data Subject rights

The UK GDPR brings new legal rights for individuals whose personal data is processed. We will process personal data in line with these rights so that you may:

Be informed that your personal information is being collected – at the point of collection – and the purposes for which it is being processed, the retention periods, and who it will be shared with.
Access personal data held and processed by us.
Rectify any personal data that is inaccurate or incomplete.
Erase, or to set as “be forgotten”, if your data is no longer necessary for the purpose for which it was collected, and Consent is the lawful basis for processing.
Request that processing be restricted, although we may still store your personal data. This is an alternative to requesting erasure of your data and the restriction is likely to be for a fixed period.
Request data portability, which means to receive your data, or some of your data, in a format that can be easily used by another person (including the Data Subject themselves) or organisation.
Object to processing in certain circumstances, including preventing the use of your data for direct marketing.

On receiving any request from a Data Subject that relates or could relate to their data protection rights, we will forward it to Jake Thom immediately, who will follow the Subject Access Request procedures accordingly.

We will act on all valid requests as soon as possible and (at the latest) within one calendar month, unless we have reason to (and can lawfully) extend the timescale. This can be extended by up to two months in some circumstances.

Any information provided to Data Subjects will be concise and transparent, with the use of clear and plain language.

10. Social media websites

We operate social media pages on Facebook and Twitter. Although this policy covers how we will use any data collected from those pages, it does not cover how the providers of social media websites will use your information. Please ensure that you read the privacy policy of any social media website before sharing data and make use of the privacy settings and reporting mechanisms to control how your data is used.

Before providing anyone else’s data (for example, tagging photos), please ensure that they are happy for you to do so. Under no circumstances must you make public another person’s home address, email address, or phone number. We take no responsibility and are in no way liable morally or legally for any outcomes that arise from you ignoring this instruction.

11. Social media platforms

Communication, engagement and actions taken through external social media platforms in which we participate are bound by the Website Terms and Conditions as well as the privacy policies held with each social media platform respectively.

You are advised to use social media platforms wisely and communicate or engage with them with due care and caution regarding your own privacy and personal details.

We will never ask for personal or sensitive information through social media platforms, and we will encourage users wishing to discuss sensitive details to contact us through primary communication channels, such as by telephone or email.

We may use social sharing buttons on our websites, which help to share web content directly from webpages to the social media platforms in question.

CMP is jointly responsible for any data that we share with third parties, and we have carried out all reasonable checks to ensure that these parties are compliant with the UK GDPR.

You are advised, before using such social sharing buttons, that you do so at your own discretion and note that the social media platform may track and save your request to share a webpage respectively through your social media platform account.

Shortened links in social media

Through our social media platform accounts, we may share web links to relevant webpages. By default, some social media platforms shorten lengthy URLs.

You are advised to use caution and good judgment before clicking on any shortened URLs published by us on social media platforms.

Despite the best efforts to ensure that only genuine URLs are published, many social media platforms are prone to spam and hacking. Therefore, we cannot be held liable for any damages or implications caused by your visiting any shortened links.

12. Links to third-party websites

Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

13. Email newsletters

Our website provides an email newsletter programme, used to inform subscribers of information about our activities.

You can subscribe through an online automated process should you wish to do so, but you do so at your own discretion.

Some subscriptions may be manually processed through prior written agreement with the user.

The following information explains our legal position regarding email newsletters. If you do not agree with any or all of them, you should not sign to subscribe to an email newsletter.

Subscriptions are taken in compliance with UK spam laws as detailed in the Privacy and Electronic Communications (EC Directive) Regulations 2003.

All personal details relating to subscriptions are held securely and in accordance with the Data Protection Act 2018 (DPA).

No personal details are passed on to third parties or shared with companies or people outside the company that operates this website.

Under the DPA, you may request a copy of personal information held about you by our website’s email newsletter program. A small fee will be payable.

If you would like a copy of the information we hold about you, please write to:

Jake Thom, College of Media and Publishing, St. John’s House, St. John’s Street, Chichester PO19 1UH, UK.

In compliance with UK spam laws and the Privacy and Electronic Communications Regulations 2003, subscribers are given the opportunity to unsubscribe at any time through an automated system. This process is detailed at the footer of each email campaign.

Some subscriptions may be manually processed. By subscribing to a newsletter, you are giving your consent to manual processing.

14. Contact

Questions, comments and requests regarding this Privacy and data protection policy are welcomed and should be addressed to:

Jake Thom, College of Media and Publishing, St. John’s House, St. John’s Street, Chichester PO19 1UH, UK.

The processing of your personal data may involve us in disclosing your details to regulatory bodies or other third parties.

If you do not wish your personal data to be disclosed in this manner, you should make this clear by sending us an appropriately worded email.

FREQUENTLY ASKED QUESTIONS

Is it possible to access the website without disclosing personal data?

Yes. You can visit the website without identifying yourself or revealing any personal information.

Once you choose to provide us with any information by which you can be identified, it will only be used in accordance with this Privacy and data protection policy and our Cookie policy.

You do not have to provide personal information to use the website.

What information do you collect?

We collect the personal data that you volunteer on forms that you submit to us (for example in registering for our newsletter), and in emails that you send to us.

What do you do with the information you gather?

We use this information to understand your needs and to provide you with a better service.

We also use it to send you any information you have requested (for example, our newsletters and other updates).

You will only be contacted if you have given us authority to do so.

Do you disclose our personal data to third parties?

We will ensure that your personal data will not be disclosed to third parties, except insofar as you have consented to such disclosure, or if we are required to do so by law.

Can I see the information you hold about me? And, can I amend it?

You may request details of personal information we hold about you under the DPA.

If you would like a copy of the information, please write to:

Jake Thom, College of Media and Publishing, St. John’s House, St. John’s Street, Chichester PO19 1UH, UK.

If you believe that any information we are holding about you is incorrect, please write to us or email us.

We will correct any information that is incorrect within 28 days and without charge.

If you have agreed to the disclosure of personal information and to receiving marketing and promotional information, but no longer wish to do so, please contact us.

If you are unhappy with our response, you can ask the Information Commissioner to assess whether the requirements of the DPA have been met.

Write to:

The Information Commissioner at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK.

Is the information you hold secure?

We are committed to ensuring that your information is secure. To prevent unauthorised access or disclosure, we have put in place physical, electronic and managerial procedures to safeguard and secure the information we collect online. These comply with the requirements of the UK GDPR and the DPA.

All employees who have access to your personal data are contractually obliged to respect your confidentiality.

We have put in place technology measures and security policies and procedures to protect personal information from unauthorised access, improper use, alteration, unlawful or accidental destruction, or accidental loss.

Privacy and data protection policy v18.05 ©

Updated 30 December 2020

Cookie policy

This policy explains how cookies are used on this website and other websites.

You may delete and block all cookies from our website, but if you do, some parts subsequently will not work.

What are cookies?

This site uses cookies. These are small text files that are placed on your computer or device to help websites provide a better experience.

They are normally used to retain user preferences and store information for things like shopping baskets. They do not retain your name or other personal information.

They also provide anonymised tracking data to third party applications like Google Analytics.

However, you may prefer to disable cookies on this site and on others, by using your browser.

If you need help, use your browser’s Help section or visit this website.

About our Cookie policy

This Cookie policy applies to our website and mobile applications.

In this Cookie policy, when we refer to any of our websites, we mean any website or mobile application operated by or on behalf of College of Media and Publishing Ltd.

This Cookie policy forms part of and should be read together with our:

Website terms and conditions

Website acceptable use policy

Privacy and data protection policy

UK-GDPR / Privacy and Electronic Communications Regulations

By accessing the website, you agree that this Cookie policy will apply whenever you access the website on any device. We will alert you on our website of changes to this policy.

Your continued use of the website constitutes your agreement to all such changes.

Below, you can find out more about the cookies we use on our website, as well as information on how to turn off cookies, or change the cookie settings on your browser.

Strictly necessary cookies

These cookies are essential in order to enable you to move around the website and use its features.

These cookies will:

Ensure that our website functions correctly.
Facilitate a product selection or track a sales order you have made.

These cookies will not:

Gather information that could be used for marketing.
Retarget advertising to you on other websites.

Analytic cookies

These cookies collect anonymous information about how visitors use our website to help us improve the way the website works.

These cookies will:

Provide statistics on how our website has been used.
Measure any errors on our website and support improvements and test new designs.

These cookies will not:

Gather information that could be used for marketing.
Retarget advertising to you on other websites.

Personalisation cookies

These cookies allow our website to remember certain choices you have made on the website so that when you subsequently return, we can provide you with your personalised settings.

These are also used to recommend content we think you will be interested in based on what you have looked at before.

These cookies will:

Remember previous choices you have made on the website.
Remember if you have previously registered with our website.

These cookies will not:

Gather information that could be used for marketing.
Retarget advertising to you on other websites.

Third-party cookies

Social sharing, video and other services we offer are run by other companies. These companies may drop cookies on your computer when you use them on our website or if you are already logged in to them.

If you do not wish to receive third-party cookies, please see the following section.

Managing cookie settings through your browser

Most web browsers automatically accept cookies but you can alter your browser settings to prevent automatic acceptance or you can manually delete your cookie history whenever you wish.

These links explain how you can control cookies via your browser. Remember that if you turn off cookies in your browser, it will apply to all websites not just CMP’s:

Safari

Microsoft Internet Explorer

Mozilla Firefox

Chrome

Cookie policy v19.01 ©

Updated 30 December 2020

UK GDPR POLICIES

Every effort is made to ensure that the information provided in this document is accurate and up to date at the time of publishing. No legal responsibility is accepted for any errors, omissions, or misleading statements. Modifying this document may result in it not meeting the DPA and/or UK GDPR requirements.

Definitions:

“Company” and “we” refers to the College of Media and Publishing.

ANTIVIRUS POLICY

POLICY STATEMENT

Personal Information is any information from which an individual can be identified, for example name, address, telephone number and email address.

It is the College of Media and Publishing’s policy to take all necessary steps to ensure that any Personal Information is held securely, and processed fairly, lawfully, and transparently, and in accordance with the UK’s Data Protection Act 1998, the General Data Protection Regulations and the Data Protection, Privacy and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2020.

This policy also adheres to the guidelines laid down by the Information Commissioners Office, if further clarification is required, please see the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr

Circulation

This policy should be read by all staff involved in the processing of personal data and applies equally to staff in a permanent, temporary, contractor or volunteer role acting for or on behalf of the College of Media and Publishing and who have reason to access the Company’s network or systems.

Scope

This policy addresses the Antivirus procedures and responsibilities in relation to the processing of personal data.

Purpose

The purpose of this policy is to set the standards for the deployment of antivirus software and to ensure all staff members are aware of their responsibilities in relation to safeguarding the confidentiality, integrity, and availability of data and software within the College of Media and Publishing.

Antivirus precautions

All PCs and laptops that run Microsoft Windows or Apple OSX operating systems must have an antivirus application installed and activated and must be kept updated with the latest definition files. This applies to all PCs and laptops that are used to access the College of Media and Publishing’s network or systems, including, but not limited to, personally owned devices such as PCs, laptops, tablets and smartphones.

To assist staff in complying with this policy, all College of Media and Publishing supplied PCs, laptops, tablets and smartphones, have antivirus software pre-installed and configured automatically to update on a regular basis. The College of Media and Publishing can also provide antivirus software for home use upon request.

Anyone who brings removable mediums, such as USB or similar devices (eg memory sticks, portable hard drives) into the College of Media and Publishing, which is suspected of being virus infected, must have it scanned before connecting it to any device or network.

If a home device is found to be virus infected or is suspected of being virus infected, then the infected product must be immediately disconnected from the College of Media and Publishing’s network. The College of Media and Publishing should be contacted at the earliest opportunity and arrangements made to have the media, laptop, PC, etc, inspected before being reconnected to the College of Media and Publishing network.

Antivirus policy v18.02

Back to UK GDPR policies

BRING YOUR OWN DEVICE (BYOD) POLICY

POLICY STATEMENT

Personal Information is any information from which an individual can be identified, for example name, address, telephone number and email address.

Circulation

This policy should be read by all staff involved in the processing of personal data and applies equally to staff in a permanent, temporary, contractor or volunteer role, particularly mobile workers, acting for or on behalf of the College of Media and Publishing.

Scope

This policy addresses the procedures and responsibilities in relation to the processing of personal data when it is processed on personally owned, rather than Company-owned, devices.

Introduction

The College of Media and Publishing recognises the benefits that can be achieved by allowing staff to use their own electronic devices when working, whether that is at the office, home, or while travelling. Such devices include laptops, smartphones and tablets.

The use of such devices to create and process Company information and data creates issues that need to be addressed, particularly in the area of information security.

The College of Media and Publishing will:

Ensure that it remains in control of the data for which it is responsible, regardless of the ownership of the device used to carry out the processing,
Protect its intellectual property as well as empower staff to ensure that they protect their own personal information.

Information Security Policies

All relevant College of Media and Publishing policies still apply to staff using BYODs, and several of these are directly relevant to staff using BYODs, including:

Safeguarding Information on Mobile Devices Policy,
Antivirus Policy,
Data Protection Policy.

Staff responsibilities

Individuals who make use of BYODs must take responsibility for their own device and how they use it. They must:

Familiarise themselves with their device and its security features so that they can ensure the safety of Company information,
Use all the relevant supplied security features,
Maintain the device themselves by ensuring relevant updates, etc.

Staff using a BYOD must take responsibility for supporting their device/s and take all reasonable steps to:

Prevent theft and loss of data,
Keep information confidential where appropriate,
Maintain the integrity of data and information,
Take responsibility for any software they download onto their device.

Staff using BYOD must also:

Set up passwords, passcodes, passkeys or biometric equivalents where available. These must be of sufficient length and complexity for the particular type of device.
Set up remote wipe facilities if available and implement a remote wipe if they lose the device.
Encrypt documents or devices as necessary.
Not hold any information that is sensitive, personal, confidential or of commercial value.
Ensure that when it is essential to hold information that is sensitive, personal, confidential or of commercial value on a personal device, it should be copied back onto the College of Media and Publishing’s systems and deleted from the device as soon as possible, once it is no longer required. This includes information contained within emails.
Report the loss of any device containing Company data (including emails) to the department as soon as you become aware,
Be aware of any data protection issues and ensure personal data is handled appropriately,
Ensure that no Company information is left on any personal device indefinitely. Particular care must be taken if a device is disposed of, sold or transferred to a third party.

Monitoring and access

The College of Media and Publishing will not routinely monitor personal devices, however, it does reserve the right to:

Prevent access to a particular device from either the wired or wireless networks or both,
Prevent access to a particular system,
Take all necessary and appropriate steps to retrieve information owned by the College of Media and Publishing.

Data Protection and BYOD

The College of Media and Publishing will process “personal data”, i.e. data about identifiable living individuals in accordance with the Data Protection Act 1998, and this type of information must be handled with a high degree of protection at all times.

The College of Media and Publishing recognises that there are inherent risks in using personal devices to hold personal data. Therefore, all staff must follow the guidance in this document when considering using BYOD to process personal data.

A breach of the Data Protection Act can lead to the College of Media and Publishing being fined. Any member of staff found to have deliberately breached the Act may be subject to disciplinary measures, or even a criminal prosecution.

BYOD policy v18.02

Back to UK GDPR policies

DATA COMPLAINTS POLICY

POLICY STATEMENT

If you wish to complain to the College of Media and Publishing about:

How your personal information has been processed,
How your complaint has been handled, or
Appeal against any decision made following a complaint.

Please use the complaints form, addressed to the Data Protection Officer or person designated to deal with data protection.

Contact details for the Data Protection Officer and a copy of the complaints form can be found on the College of Media and Publishing website (www.collegeofmediaandpublishing.co.uk – under the Contact Us section.)

The procedure for handling these complaints is as follows:

Complaints regarding how your personal information has been processed should be submitted on the appropriate form and submitted to the Data Protection Officer, who will acknowledge receipt within 10 working days.
The Data Protection Officer will review and respond in writing, to your complaint within 20 working days of receipt of the complaint. If a complaint is complex and we cannot send a full reply within 20 working days of receipt, we will tell you the reason why and let you know when we will be able to reply in full. If an extension is required, this will be with the agreement of both parties and up to a maximum of a further 28 working days.
If you are dissatisfied with the way in which your complaint has been handled, then you may contact us outlining your concerns and an independent staff member will respond to you within 10 working days to outline the next steps.
If you remain dissatisfied, you may forward your complaint to the Information Commissioner’s Office (contact details can be found on their website https://ico.org.uk/make-a-complaint)

Data complaints policy v18.02

Back to UK GDPR policies

DATA CONSENT POLICY

POLICY STATEMENT

All processing of personal data requires a lawful basis. Consent can provide one such lawful basis.

Personal data is any information related to a natural person or “data subject”, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

This policy adheres to the guidelines laid down by the Information Commissioners Office, if further clarification is required, please see the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr

Circulation

This Policy should be read by all staff involved in the consent process and applies equally to staff in a permanent, temporary, contractor or volunteer role acting for or on behalf of the College of Media and Publishing.

Scope

This policy addresses the procedures and responsibilities for obtaining consent to process personal data.

Valid consent

The College of Media and Publishing will adopt measures to ensure consent is:

Freely given,
Specific,
Informed, and
An unambiguous indication of the data subject’s agreement to the processing of his or her personal data.

Therefore, consent will be obtained by a statement or a clear affirmative action.

Freely given

The College of Media and Publishing recognises that consent will only be valid if the data subject has a genuine, free choice, and the ability to refuse or withdraw consent without detriment.

Consent is presumed not to have been freely given where there is a “clear imbalance” between the controller and the data subject. Therefore, the College of Media and Publishing will not rely on consent as a lawful basis for processing the personal data of its own employees.

When assessing whether consent is freely given, the College of Media and Publishing will, wherever possible, avoid making the performance of a contract/ service conditional upon the data subject’s consent to the processing of personal data.

Specific consent

The College of Media and Publishing accepts that to be specific, consent must be understandable. Blanket consent that does not specify the exact purpose of the processing will not be considered valid consent.

The controller must clearly and precisely explain the scope and the consequences of the data processing. Consent cannot apply to an open-ended set of processing activities—it must be limited to a specific context..

Informed consent

Data subjects will be provided with sufficient information to enable them to understand what they are consenting to.

Existing consent

If the initial consent was compliant with the requirements of the UK GDPR, consent will not be collected a second time. However, any existing consents that do not satisfy the requirements of the UK GDPR, will be re-obtained.

Consent forms

The College of Media and Publishing will ensure consent forms comply with the UK GDPR rules, e.g.:

Using clear, plain language.
Using positive opt-ins.
Ensuring consent is freely given,
Ensuring consent is separate from other matters, and
Explaining clearly how data subjects can withdraw consent.

Children

If services are offered directly to children, the College of Media and Publishing will ensure the request for consent is presented in a way to enable a child to understand what they are consenting to, the College of Media and Publishing will only seek consent if we have age-verification measures, and parental-consent measures for younger children, in place.

Withdrawing consent

The College of Media and Publishing recognises that the UK GDPR gives individuals a specific right to withdraw their consent “at any time”.

It is the College of Media and Publishing’s policy to ensure that it is easy to withdraw consent as it was to give it, in the form of an easily accessible one-step process. If possible, individuals will be able to withdraw their consent using the same method as when they gave it. Therefore, data subjects will be supplied with online preference-management tools and other ways of opting out (for example phone numbers, on paper, in person, etc.).

The UK GDPR does not prevent a third party acting on behalf of an individual to withdraw their consent, but the College of Media and Publishing will need to be satisfied that the third party has the authority to do so.

The College of Media and Publishing will ensure that individuals will able to withdraw their consent to processing without suffering any detriment.

If an individual withdraws their consent, this will not affect the lawfulness of the processing up to that point. However, the College of Media and Publishing will either stop the processing as soon as possible or identify another lawful basis and be able to justify why continued processing is fair.

Record keeping

The College of Media and Publishing will ensure accurate records are kept of when and how consent was received and what the information supplied to the data subject at the time.

Consent management

The College of Media and Publishing will ensure that:

Consent is regularly reviewed.
Consent is appropriately refreshed.
Preference-management tools are in place.
Withdrawing consent is simple,
Withdrawals of consent are dealt with promptly,
Data subjects are not penalised for withdrawing consent.

Data consent policy v18.02

Back to UK GDPR policies

DATA ACCURACY POLICY

POLICY STATEMENT

Personal information is any information from which an individual can be identified, for example name, address, telephone number and email address.

Circulation

This Policy should be read by all staff involved in processing personal data and applies equally to staff in a permanent, temporary, contractor or volunteer role acting for or on behalf of the College of Media and Publishing.

Scope

This policy applies to all the data that the College of Media and Publishing holds when processing personal information.

Processing personal information

When processing personal data, the College of Media and Publishing will:

Take reasonable steps to ensure the accuracy of any personal data we obtain.
Ensure that the source of any personal data is clear.
Carefully consider any challenges to the accuracy of information, and
Consider whether it is necessary to update the information.

Data accuracy policy v18.02

Back to UK GDPR policies

DATA BREACH POLICY

POLICY STATEMENT

This is the Data Breach Policy of the College of Media and Publishing.

Background

The General Data Protection Regulation (UK GDPR) brings new legal rights for individuals whose personal data is processed and introduces a duty on all organisations to report certain types of personal data breach to the Information Commissioner’s Office (ICO). When the confidentiality, integrity or availability of the personal data we process has been compromised, we have procedures in place to manage this breach which comply with UK GDPR requirements. We must also keep a record of all personal data breaches regardless of whether we are required to notify.

Aim

In the event of a serious data breach as defined by the UK GDPR, we must follow appropriate procedures, as detailed in this policy and our Data Breach Notification Procedures, and notify the ICO and data subjects if it is likely to result in a high risk of adversely affecting the rights and freedoms of the individuals whose personal data was affected by the breach. This policy sets out how we deal with such a data security breach.

What is a personal data breach?

UK GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

Destruction: where the data no longer exists or exists in a format that is no longer usable.

Damage: where personal data has been altered, corrupted or is no longer complete.

Loss: the data may still exist, but the controller has lost control or possession of it.

Unauthorised/unlawful: may include disclosure of personal data to or access by recipients who are not authorised to receive or access the data, or any other form or processing which violates the UK GDPR.

While all data breaches are considered information security incidents, not all information security incidents constitute a data breach, the UK GDPR applies when a data breach involves personal data.

Action to be taken in the event of a data breach

1. Containment and recovery

The immediate priorities are to:

Contain the breach,
Assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen, and
To limit the scope.

In the event of a security incident or breach, staff must immediately inform Jake Thom.

Jake Thom will take the lead in investigating the breach. In the event where Jake Thom is absent for whatever reason, Cleland Thom will take the lead in investigating a breach.

Steps to take where personal data has been sent to someone not authorised to see it:

Inform the recipient not to pass it on or discuss it with anyone else,
Inform the recipient to destroy or delete the personal data they have received and get them to confirm in writing that they have done so,
Explain to the recipient the implications if they further disclose the data, and
Where relevant, inform the data subjects whose personal data is involved what has happened so that they can take any necessary action to protect themselves.

2. Assessing the risk

Perhaps most important is an assessment of potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen.

Examples of the type of questions to consider:

What type of data is involved?
How sensitive is it?
If data has been lost or stolen, are there any protections in place such as encryption?
What has happened to the data?

For example, if stolen, could it be used for purposes which are harmful to the individuals to whom the data relate?, if it has been damaged, this poses a different type and level of risk

Estimate how many individuals’ personal data are affected by the breach
Who are the individuals whose data has been breached?

Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, your actions in attempting to mitigate those risks.

What harm can come to those individuals?

Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?

Are there wider consequences to consider such as a risk to public health or loss of public confidence in an important service you provide?

Establish whether there is anything you can do to recover any losses and limit the damage the breach can cause.

3. Notifying the ICO and individuals, where relevant

a. Who is responsible?

In the College of Media and Publishing, Jake Thom is the point of contact for staff and the ICO on this policy and on all matters relating to data protection.

Jake Thom is also responsible for notifying the ICO and individuals (where applicable) of relevant personal data breaches.

b. What breaches do we need to notify the ICO about?

When a personal data breach has occurred, we need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it is likely that there will be a risk then we must notify the ICO, if it is unlikely then we do not have to report it.

If we decide we do not need to report the breach, we need to be able to justify this decision, and we should document it.

c. When to notify the ICO and dealing with delays

Notifiable breaches must be reported to the ICO without undue delay, but not later than 72 hours after becoming aware of it.

If we do not comply with this requirement, we must be able to give reasons for the delay.

In some instances, it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. Where that applies we should provide the required information in phases, as long as this is done without undue further delay.

d. Breach information to the ICO

When reporting a breach, we will provide the following information:

A description of the nature of the personal data breach including, where possible:
- The categories and approximate number of individuals concerned.
- The categories and approximate number of personal data records concerned.
- Our contact person and contact details.
A description of the likely consequences of the personal data breach, and
A description of the measures taken or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

e. Individuals

Where notification to individuals may also be required, Jake Thom will assess the severity of the potential impact on individuals as a result of a breach and the likelihood of this occurring. Where there is a high risk, we will inform those affected as soon as possible, especially if there is a need to mitigate an immediate risk of damage to them.

g. Information to individuals

Jake Thom will consider who to notify, what we are going to tell them and how we are going to communicate the message. This will depend to a large extent on the nature of the breach but will include the name and contact details of our Data Protection Officer (where relevant) or another contact point where more information can be obtained, a description of the likely consequences of the personal data breach, and a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.

The breach need not be reported to individuals if:

We have implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach,
We have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise,
It would involve disproportionate effort (in this case a public communication may be more appropriate).

h. Third parties

In certain instances, Jake Thom may need to consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals.

i. Document all decisions

Jake Thom must document all decisions that we take in relation to security incidents and data breaches, regardless of whether or not they need to be reported to the ICO.

4. Evaluate our response and mitigation steps

We investigate the cause of any breach, decide on remedial action and consider how we can mitigate it. As part of that process, we also evaluate the effectiveness of our response to incidents or breaches. To assist in this evaluation, we consider:

What personal data is held, where and how it is stored.
Risks that arise when sharing with or disclosing to others.
This includes checking the method of transmission to make sure it is secure and that we only share or disclose the minimum amount of data necessary.
Weak points in our existing security measures such as the use of portable storage devices or access to public networks.
Whether or not the breach was a result of human error or a systemic issue, and we determine how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps.
Staff awareness of security issues and look to fill any gaps through training or advice.
The need for a Business Continuity Plan for dealing with serious incidents.
The group of people responsible for reacting to reported breaches of security.

Data breach policy v18.02

Back to UK GDPR policies

DATA RETENTION, DISPOSAL AND DESTRUCTION POLICY

POLICY STATEMENT

Personal information is any information from which an individual can be identified, for example name, address, telephone number, email address, etc.

This policy also adheres to the guidelines laid down by the Information Commissioners Office. If further clarification is required, please see the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr

Circulation

This policy should be read by all staff involved in processing personal data, and applies equally to staff in a permanent, temporary, contractor or volunteer role acting for or on behalf of the College of Media and Publishing.

Scope

This policy applies to all the data that the College of Media and Publishing holds when processing personal information on:

Our own servers.
Third party servers.
Email accounts.
Desktops.
Employee-owned device (BYOD),.
Backup storage, and/ or
Paper files.

Retaining personal information

It is the College of Media and Publishing’s policy to adhere to the UK GDPR requirements that personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

However, the College of Media and Publishing will take into consideration each individual document in relation to the:

Legal and related requirements (eg tax, employment, etc). Current and future value of the information.
Company’s need to access the information.
Costs, risks and liabilities associated with retaining the information
Ease or difficulty of making sure it remains accurate and up to date, and
Historical, statistical or scientific value of the information (if relevant).

In the absence of any legal requirements, etc, personal data will only be retained for as long as necessary for the purpose of processing. This means data is to be securely deleted when, for example:

The data subject has withdrawn consent to processing,
A contract has been performed or cannot be performed anymore, or
The data is no longer up to date.

Obligation to inform data subjects

The College of Media and Publishing will inform individuals of:

The retention period,
If no fixed retention period can be provided – the criteria used to determine that period, and
If the purpose of processing has changed after personal data has been obtained, the new retention period.

Disposal of personal data

Disposal of records could refer to the:

Transfer of records from one media to another e.g. Paper records to CD-Rom or onto the College of Media and Publishing’s server, or
Transfer of records from one organisation to another e.g. places of deposit or commercial storage.

Agreements with suppliers that can access records shall contain appropriate confidentiality and disposal clauses.

The College of Media and Publishing will ensure that disposal will take place in accordance with current retention schedules and that disposals occur promptly and consistently. Regular disposal of personal information (including electronic records) is vital to promote the efficient use of space and resources within the College of Media and Publishing and ensure that information is not retained for longer than is necessary for the purpose for which it was recorded, in order to comply with Data Protection requirements.

Destruction of records

The destruction of records is an irreversible act and will only take place in accordance with the retention schedules. The destruction of any records will be clearly documented. Logs of records destroyed locally will be kept in line with the retention schedule by the responsible department. These logs will always include the date of destruction and the type or name of the record destroyed.

For records not already in the public domain (ie published or already accessible records), it is vital that confidentiality is safeguarded at every stage, including destruction.

The College of Media and Publishing will not destroy or alter information that has been requested, in an attempt to avoid disclosure, this will ensure compliance with Data Protection and Freedom of Information laws.

If a record due for destruction is known to be the subject of a request for information, destruction will be delayed. Once the information request is completed, the record will be retained until the complaint and appeal provisions have been processed.

Sensitive and/ or confidential information and their destruction will be conducted in a secure manner to ensure there are safeguards against accidental loss or disclosure.

The normal destruction method used within the College of Media and Publishing for confidential/sensitive information in paper form is shredding. All loose confidential waste will be placed in the allocated confidential waste consoles or confidential waste sacks. Non-confidential waste will be placed in the recycle bins.

Agreements with suppliers that can access records shall contain appropriate confidentiality and destruction clauses.

In accordance with the IT Security Policy and associated IT guidelines, the secure destruction of computer media is undertaken/approved by the person responsible for IT and includes:

Computer media (eg CD, Blu-ray and DVD).,
The eraser of electronic records from servers and systems.,
Computer hardware (eg hard drives, laptops, tablets and smartphones).

At end of life, all IT equipment shall be returned for erasure of data and secure disposal or, the process and standards of destruction for computer media being returned to third party suppliers shall be approved by the person responsible for IT.

A record of disposal decisions will be kept for reference.

Data retention, disposal and destruction policy v18.02

Back to UK GDPR policies

IDENTIFYING DATA SUBJECTS POLICY

POLICY STATEMENT

Personal Information is any information from which an individual can be identified, for example name, address, telephone number and email address.

Right of access

The College of Media and Publishing will ensure that individuals have the right to access their personal data and supplementary information, via a Subject Access Request, which enables individuals to be aware of and verify the lawfulness of the processing.

Right to rectification

The UK GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.

Identifying data subjects

The College of Media and Publishing must verify the identity of the person making the request, using “reasonable means”.

If the College of Media and Publishing is uncertain about the identity of the person making the request, we can, and may, request more information. However, the College of Media and Publishing will only request information that is necessary to confirm identity, taking into consideration: what data we hold, the nature of the data, and what the data is used for.

The College of Media and Publishing will let the individual know, without undue delay, and, within one month that we will need more information from them to confirm their identity and may not comply with the request until we have received the additional information.

Identifying data subjects policy v18.02

Back to UK GDPR policies

INFORMATION SECURITY POLICY

POLICY STATEMENT

This is the Information Security Policy of the College of Media and Publishing.

Background

This policy details the information security measures we have in place to protect the confidentiality, integrity and availability of our information assets, the data we process and to facilitate the rights of the individuals to whom personal data relates.

We do this through implementing systems and procedures to minimise the risks of malware attacks, unauthorised access to our systems and potential compromise of the data contained within them. It covers the following aspects of our information security:

Virtual Access

Only authorised staff/volunteers will be permitted access to company computer systems. Their access will be revoked upon termination of their contract/services.

See section on User Access Control for further information.

Clear desk & clear screen policy

Clear desk

If leaving desks unattended, all paperwork containing personal or sensitive data is to be cleared away to prevent access by visitors or unauthorised individuals.

Sticky notes containing passwords or personal data must not be attached to or visible on desks and/or screens.

Clear screen

If screens are left on but unattended, they must be locked to prevent access by visitors or unauthorised individuals, they can then be unlocked when the user returns to the screen. If users need to leave their screens for more than a few minutes, or at the end of their working day, they must log out.

If printing documents containing personal or sensitive data, they must be taken from the printer immediately and not left and collected at a later time.

User access control

Access to company computers and systems is on a “need to access” basis.

New staff/volunteers will be granted access to the systems necessary to perform their job with an access level appropriate to their role and responsibilities.

Strong passwords should be used and contain a combination of upper and lowercase letters, numbers and symbols, passwords should not be shared or written down.

When an employee/ volunteer leaves at the end of their contract, their user access is revoked.

Secure configuration

Secure configuration refers to security measures that are implemented when building and installing computers and network devices in order to reduce unnecessary security vulnerabilities.

The College of Media and Publishing policy is to protect the confidentiality, integrity and availability of the data we process and contain within our systems. We do this by removing or disabling unnecessary functionality from our systems, and to quickly fix known vulnerabilities, usually via patching.

Firewalls

A firewall is a software application, or combination of software and a hardware device, in place to examine, filter and control network traffic flow to and from the computers and network, and to allow authorised communications and prevent unauthorised or malicious access or communications.

The College of Media and Publishing have firewall protection on our network and on all our computers that process and store personal data. If staff members use their own devices for company work, they must have a firewall installed.

Encryption

Data encryption is necessary to protect data confidentiality and integrity when transmitted using the internet or other networks, authenticate the origin and prove that the contents have not changed since sending. It is a process whereby the data is encrypted when transferred and then decrypted upon opening by the intended, authorised recipient.

The College of Media and Publishing minimise the personal data we send electronically and only do so when absolutely necessary. When transmitting personal data electronically, we use applications that have encryption built in by design. When staff or volunteers use their own devices for company work to send personal data, they must send via applications that have encryption built in by design.

Malware protection

Malware is malicious software that is designed to infect computers and devices and inflict harm upon their processes and corrupt or steal the data stored within them. Malware has become increasingly sophisticated therefore robust malware protection on all devices is essential.

All the College of Media and Publishing computers have malware protection software installed. Staff or volunteers who use their own devices for company work must have malware protection installed on their device before undertaking any company work.

Security patch / update management

A security patch is a piece of software designed to update, fix or improve an existing application on your computer or device. Some patches improve the security and/or efficient working of the program to which it relates so it is essential to install any patches/updates when notified.

We ensure that all our devices are kept up to date with the latest updates and patches. Patches/updates must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.

Backups and disaster recovery

Backup and disaster recovery is essential under the UK GDPR, to ensure the availability and access to personal data in a timely manner in the event of a physical or technical incident.

The College of Media and Publishing backup and recovery procedure include regular backups of all company data. Backups are performed daily and retained for 36 months before being overwritten.

Upon completion of backups, media copies are stored in secure locations. All media is logged and dated to enable quick recovery in the event of an incident.

Incident management / data breach

Situations that constitute a security incident include, but are not limited to, the following:

An adverse event that causes accidental or malicious loss or destruction of data contained within the IT system in question or alteration or access of the data in respect of availability, integrity and confidentiality of the data.,
Unauthorised access to systems used by the College of Media and Publishing resulting in disclosure of confidential information.,
A malware attack or attempted unauthorised access to any of our internal or external IT systems.,
Staff disclosure to unauthorised persons of confidential data.

While all data breaches are considered an information security incident, not all information security incidents constitute a data breach, under the UK GDPR a data breach in only when personal data is affected.

If you believe there has been a data breach, please notify Jake Thom immediately who will assess the breach and invoke the Data Breach Notification Procedure if necessary.

Staff training

All new staff and volunteers will undergo information security guidance and awareness training, existing staff will undergo refresher information security training on an annual basis.

Information security policy v18.02

Back to UK GDPR policies

LEGITIMATE INTEREST POLICY

POLICY STATEMENT

Personal information is any information from which an individual can be identified, for example name, address, telephone number and email address.

Circulation

Scope

This policy applies to all the data that the College of Media and Publishing holds when processing personal information.

Responsibility

The College of Media and Publishing is aware that it is our responsibility to protect the individual’s interests.

Lawful basis

The College of Media and Publishing recognises that legitimate interest can be a valid lawful basis to process personal data, providing:

We use an individual’s data in ways they would reasonably expect, and
Which have a minimal privacy impact, or
Where there is a compelling justification for the processing.

Legitimate Interests may be considered where:

Another lawful basis is not available due to the nature and/or scope of the proposed processing, or
Where legitimate interest is the most appropriate basis.

Test for legitimate interest

The College of Media and Publishing will consider the three-part test when considering legitimate interest as the lawful basis for processing personal data, e.g.:

Purpose: identify a legitimate interest.,
Necessity: show that the processing is necessary to achieve it, and

Balance it against the individual’s interests, rights and freedoms.

Purpose

The College of Media and Publishing will take into consideration:

The reason and aim of processing the data.
The benefits.
Any wider public benefits.
The importance of the benefits.,
The impact of not processing the personal data, and
Whether the use of the data is unethical or unlawful in any way.

Necessity

The College of Media and Publishing will take into consideration whether:

The processing helps to further the legitimate interest,
The approach is reasonable, and
There is no other less intrusive way to achieve the same result.

Balance

The College of Media and Publishing will take into consideration:

The nature of the relationship with the individual.
Whether the data is particularly sensitive or private.
Whether the individual would expect their data to be used in this manner.
How to explain the legitimate interest in processing personal data.
Whether an individual is likely to object.
Whether an individual is likely to find the processing intrusive.
The possible impact on the individual.
The possible scale of the impact.
Whether children’s data is being processed as extra care is required.
Whether vulnerable individual’s data is being processed as extra care is required.
Adopting safeguards to minimise the impact on individuals (eg encryption), and
The requirement to offer an opt-out.

Legitimate interest policy v18.02

Back to UK GDPR policies

RIGHT TO ERASURE POLICY

POLICY STATEMENT

Personal Information is any information from which an individual can be identified, for example name, address, telephone number and email address.

Circulation

Scope

This policy addresses the procedures and responsibilities for the erasure of personal data.

Right to erasure

The College of Media and Publishing recognises an individual’s right to have personal data erased, also known as “the right to be forgotten”.

The right is not absolute and only applies in certain circumstances, such as:

The personal data is no longer necessary for the purpose which it was originally collected or processed it for.
The College of Media and Publishing is relying on consent as the lawful basis for holding the data, and the individual withdraws their consent.
The College of Media and Publishing is relying on legitimate interests as the basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing.
The College of Media and Publishing is processing the personal data for direct marketing purposes and the individual objects to that processing.
The College of Media and Publishing has processed the personal data unlawfully (ie in breach of the lawfulness requirement).
The College of Media and Publishing must do it to comply with a legal obligation, or
The College of Media and Publishing has processed the personal data to offer information society services to a child.

Children’s data

The College of Media and Publishing recognises the emphasis, under the UK GDPR, on the right to have personal data erased if the request relates to data collected from children, especially in online environments, particularly to any request for erasure if the processing of the data is based upon consent given by a child. This still applies when the data subject is no longer a child, as a child may not have been fully aware of the risks involved in the processing at the time consent was given.

Right of erasure not applicable

The right to erasure does not apply if processing is necessary: for one of the following reasons:

To exercise the right of freedom of expression and information.
To comply with a legal obligation.
For the performance of a task carried out in the public interest or in the exercise of official authority,
For archiving purposes in the public interest, scientific research, historical research or statistical purposes (where erasure is likely to render impossible or seriously impair the achievement of that processing), or
For the establishment, exercise or defence of legal claims.

The UK GDPR also specifies two circumstances where the right to erasure will not apply to special category data:

If the processing is necessary for public health purposes in the public interest, or
If the processing is necessary for the purposes of preventative or occupational medicine.

Informing other organisations

The College of Media and Publishing will inform other organisations about the erasure of personal data if the personal data has been:

Disclosed to others, or
Made public in an online environment (eg social networks, forums or websites).

If the College of Media and Publishing has disclosed the personal data to others, each recipient will be contacted and informed of the erasure, unless this proves impossible or involves a disproportionate effort. If asked to, the College of Media and Publishing will also inform the individuals about these recipients.

The UK GDPR defines a recipient as a / an:

Natural or legal person.
Public authority.
Agency.
Other body.
Controller,
Processor, and
Person who (under the direct authority of the controller or processor) is authorised to process personal data.

Where personal data has been made public in an online environment, reasonable steps will be taken to inform other controllers who are processing the personal data to erase links to copies or replication of that data.

When deciding on what steps are reasonable the College of Media and Publishing will take into consideration available technology and the cost of implementation.

Refusal of erasure

The College of Media and Publishing can refuse to comply with a request for erasure, if the request is manifestly unfounded or excessive, or is repetitive in nature. In these situations, the College of Media and Publishing may:

Request a “reasonable fee” to deal with the request (for administrative costs), or
Refuse to deal with the request.

The College of Media and Publishing will contact the individual promptly if a reasonable fee is requested or for the need for additional information to identify the individual, without undue delay, and within one month of receipt of the request and inform them:

Of the decision to charge a fee.
That the request may not be complied with until the fee has been received.
The reasons for not acting,
Of their right to make a complaint to the ICO or another supervisory authority, and
Their ability to seek to enforce this right through a judicial remedy.

Right to erasure policy v18.02

Back to UK GDPR policies

RIGHT TO RECTIFICATION POLICY

POLICY STATEMENT

Personal Information is any information from which an individual can be identified, for example name, address, telephone number and email address.

Circulation

Scope

This policy addresses the procedures and responsibilities for the rectification of personal data, or completion if incomplete.

Right to rectification

The College of Media and Publishing recognises an individual’s right to have inaccurate personal data rectified. Individuals may also be able to have incomplete personal data, completed, however, this will depend on the purposes of the processing and may involve providing a supplementary statement to the incomplete data.

This right has close links to the accuracy principle of the UK GDPR, and imposes a specific obligation to reconsider, upon request, the accuracy of personal data the College of Media and Publishing processes, even if steps were taken to ensure that the personal data was accurate when it was obtained.

The UK GDPR does not give a definition of the term accuracy. However, the Data Protection Act 2018 states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.

In most cases, the College of Media and Publishing will not charge a fee to comply with a request for rectification.

Right to restrict processing

An individual can make a request for restricting processing, while accuracy is being confirmed:

Verbally.
In writing.
To any part of the College of Media and Publishing, and
To any contact point (not necessarily to a specific person).

If the College of Media and Publishing receives a request for rectification, reasonable steps will be taken to ensure that the data is accurate, and to rectify the data (if necessary), taking into consideration the arguments and evidence provided by the data subject.

The steps will depend on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort will be placed into checking its accuracy and, if necessary, taking steps to rectify it (eg if it is used to make significant decisions that will affect an individual or others).

The College of Media and Publishing may also take into consideration any steps already taken to verify the accuracy of the data, prior to the challenge made by the data subject.

A request to rectify personal data does not need to mention the phrase “request for rectification”, or Article 16 of the UK GDPR, to be a valid request, providing the individual has:

Challenged the accuracy of their data, and
Asked it to be corrected, or
Asked for incomplete data to be completed.

Determining whether personal data is inaccurate can be complex if the data:

Refers to a mistake that has subsequently been resolved, or
Records an opinion.

However, the College of Media and Publishing may log this information, along with:

The affirmation of the mistake,
The corrected information,
The information regarding an opinion, and/ or
Whose opinion it is (where appropriate).

As a matter of good practice, the College of Media and Publishing may restrict the processing of the personal data in question while verifying its accuracy, even if the individual has not exercised their right to restriction.

Company systems

The College of Media and Publishing will ensure that if processing is restricted, appropriate methods are in place to:

Restrict the processing of personal data on the College of Media and Publishing’s systems, and
Indicate on our systems that further processing has been restricted.

Storing

When processing is restricted, the College of Media and Publishing may store the personal data but will not use it.

Lifting the restriction

In many cases the restriction of processing is only temporary, particularly when the restriction is claiming:

The individual has disputed the accuracy of the personal data and the College of Media and Publishing is investigating this, or
The individual has objected to the College of Media and Publishing processing their data on the basis that it is necessary for the performance of a task carried out in the public interest or the purposes of your legitimate interests, and you are considering whether your legitimate grounds override those of the individual.

Once the College of Media and Publishing has decided on the accuracy of the data, or whether the legitimate grounds override those of the individual, the decision may be to lift the restriction. However, the College of Media and Publishing will inform the individual before the restriction is lifted.

Refusal to comply

The College of Media and Publishing can refuse to comply with a request for rectification if the request is:

Manifestly unfounded,
Excessive, or
Repetitive in nature.

If the College of Media and Publishing considers that a request is manifestly unfounded or excessive, we may:

Request a “reasonable fee” (based on administrative costs), to comply with the request, or
Refuse to deal with the request.

The College of Media and Publishing:

Will supply justification for the decision,
Will contact the individual promptly, if a fee is charged,
May not comply with the request until the fee has been received.

Requesting identification

The College of Media and Publishing may ask for more information from the person making the request for identification purposes. However, the College of Media and Publishing will only request information that is necessary to confirm identity, taking into consideration:

The data being held.
The nature of the data.
What it is being used for.

The College of Media and Publishing will inform the individual without undue delay and within 28 days that more information is needed from them to confirm their identity. The College of Media and Publishing may not comply with the request until the additional information has been received.

Right to rectification policy v18.02

Back to UK GDPR policies

RIGHT TO RESTRICT PROCESSING POLICY

POLICY STATEMENT

Personal Information is any information from which an individual can be identified, for example name, address, telephone number and email address.

Circulation

Scope

This policy addresses the procedures and responsibilities for restricting the processing of personal data.

Right to restrict processing

The College of Media and Publishing is aware that individuals have the right to request the restriction or suppression of the processing of their personal data in certain circumstances, such as, where:

An individual has contested the accuracy of the personal data and the College of Media and Publishing is in the process of verifying the accuracy.
The data has been unlawfully processed and the individual opposes erasure and instead requests restriction.
The College of Media and Publishing no longer requires the personal data, but the individual needs the College of Media and Publishing to keep it to establish, exercise or defend a legal claim.
The individual has objected to the processing of their personal data and the College of Media and Publishing is considering whether there are legitimate grounds which override those of the individual,
An individual has challenged the accuracy of their data and asked the College of Media and Publishing to rectify it, they also have a right to request the restriction of processing while their rectification request is being considered, or
An individual has exercised their right to object to the processing of their personal data, they also have a right to request the restriction of processing while the College of Media and Publishing considers their request.

Processing includes a broad range of operations including collection, structuring, dissemination and erasure of data.

A fee will not be charged to comply with a request for restriction, unless the request is manifestly unfounded or excessive, in which case a “reasonable fee” may be charged for the administrative costs of complying with the request.

The College of Media and Publishing will not process the restricted data in any way except to store it unless:

The individual has given consent,
It is for the establishment, exercise or defence of legal claims,
It is for the protection of the rights of another person (natural or legal), or
It is for reasons of important public interest.

Recognising a request to restrict processing

An individual can make a request for restricting processing:

Verbally,
In writing,
To any part of the College of Media and Publishing, and
To any contact point (not necessarily to a specific person).

(A request may not include the phrase “request for restriction” for Article 18 to apply.)

Company systems

The College of Media and Publishing will ensure that if processing is restricted, appropriate methods are in place to:

Restrict the processing of personal data on the College of Media and Publishing’s systems, and
Indicate on our systems that further processing has been restricted.

Storing

When processing is restricted, the College of Media and Publishing may store the personal data but will not use it.

Lifting the restriction

In many cases the restriction of processing is only temporary, particularly when the restriction is claiming:

The individual has disputed the accuracy of the personal data and the College of Media and Publishing is investigating this, or
The individual has objected to the College of Media and Publishing processing their data on the basis that it is necessary for the performance of a task carried out in the public interest or the purposes of their legitimate interests, and they are considering whether legitimate grounds override those of the individual.

Refusal to comply

The College of Media and Publishing can refuse to comply with a request for restriction if the request is:

Manifestly unfounded,
Excessive, or
Repetitive in nature.

If the College of Media and Publishing considers that a request is manifestly unfounded or excessive, we may:

Request a “reasonable fee” (based on administrative costs), to comply with the request, or
Refuse to deal with the request.

The College of Media and Publishing:

Will supply justification for the decision,
Will contact the individual promptly, if a fee is charged,
May not to comply with the request until the fee has been received.

Requesting identification

The data being held.
The nature of the data.
What it is being used for.

Restricting the data

1. The College of Media and Publishing will ensure that staff who regularly interact with individuals receive training to identify a request for restricting the processing of their personal data.

2. When the College of Media and Publishing receives a request, it will seek confirmation from the requester to ensure it is understood.

3. The College of Media and Publishing will keep a log of verbal requests received by telephone or in person.

4. The College of Media and Publishing will respond to a request without undue delay, and within 28 days.

5. The College of Media and Publishing will not process the restricted data in any way (except to store it) unless:

The individual has given consent,
It is for the establishment, exercise or defence of legal claims,
It is for the protection of the rights of another natural/ legal person, or
It is for reasons of important public interest.

6. The methods for restricting the processing of personal data will be appropriate to the operation of the processing and could include:

Temporarily moving the data to another processing system,
Making the data unavailable to users, or
Temporarily removing published data from a website.

7. The College of Media and Publishing will inform data subjects before any temporary restriction is lifted.

8. If a request is refused because it is manifestly unfounded or excessive, the College of Media and Publishing:

May charge a “reasonable fee” (based on administrative costs) to comply with the request, or
May refuse to deal with the request.

Furthermore, the College of Media and Publishing:

Will supply justification for the decision,
Will contact the individual promptly if a fee is charged,
May not to comply with the request until the fee has been received.

9. Time limits to respond to a request can be extended by two months, if:

It is manifestly unfounded or excessive,
An exemption applies, or
You are requesting proof of identity before considering the request.

The individual will be informed

Within one month of receiving the request, and
Why the extension is necessary.

10. The College of Media and Publishing will automatically restrict the processing of personal data if its accuracy or the legitimate grounds for processing is in question.

11. The College of Media and Publishing will inform any recipients if any restriction is placed on the processing of the personal information that has been shared with them (if possible).

12. The College of Media and Publishing will inform individuals before a restriction is lifted.

13. If the College of Media and Publishing uses an automated filing system, technical measures will be used to ensure that:

Any further processing cannot take place,
The data cannot be changed while the restriction is in place, and
A note is placed on the system stating that the processing of this data has been restricted.

14. If a restriction is lifted or refused, the data subject will be informed:

Without undue delay, and within 28 days.
The reasons the College of Media and Publishing is not acting.
Whether a fee will be charged.
Of the right to make a complaint to the ICO, or
Another supervisory authority, and
Of their ability to seek a judicial remedy.

Right to restrict processing policy v18.02

Back to UK GDPR policies

SAFEGUARDING INFORMATION ON MOBILE DEVICES POLICY

POLICY STATEMENT

Personal Information is any information from which an individual can be identified, for example name, address, telephone number and email address.

Circulation

Scope

This policy addresses the procedures and responsibilities for Safeguarding Information on Mobile Devices in relation to the processing of personal data.

Introduction

The aim of this policy is to ensure that both individuals and the College of Media and Publishing comply with legal requirements and are protected from risks such as identity theft and other forms of cyber-crime. A balance between ensuring the security of both information and individuals needs to be made with efficient and effective working.

Policy

It is the policy of the College of Media and Publishing that no electronic information, owned by the College of Media and Publishing, that is confidential, sensitive, personal or of commercial value should be stored in an unencrypted format.

Complying with the policy

The holding of confidential, sensitive, personal or commercially valuable information on mobile devices should be minimised, both in terms of the volume of data stored, and the amount of time the data is held.

Where possible, remote access should be used rather than downloading information to hold copies of it locally.

The inclusion of confidential, sensitive, personal or commercially valuable information on email should be minimised where possible.

Individuals holding information locally on PCs, laptops or tablets must ensure appropriate backups are made. These backups, if not held centrally, should be treated with the same sensitivity and security considerations as the original data.

Laptop devices

Confidential, sensitive, personal or commercially valuable information owned by the College of Media and Publishing and held on laptop computers owned or not owned by the College of Media and Publishing must be encrypted.

Smartphones and tablets

To protect from risks such as identity theft and other forms of cyber-crime, regardless of who owns the device, it is recommended that:

a. Where possible, a passcode or PIN be set up on any smartphone or tablet, and that any passcode used contains a mixture of letters, numbers and other characters, and should be more than four characters,

b. Where possible, the device is set up to wipe all information, should the wrong passcode or PIN be entered sequentially 10 times,

c. All sensitive, personal or commercially valuable emails are deleted once you have finished with them,

d. In the event of loss or theft, change the password to all Company services accessed from the devices.

USB devices

Data held on USB or similar devices (eg memory sticks, portable hard drives) regarding Company-owned information or otherwise sensitive data must be encrypted.

Social networking websites

No information of a confidential, sensitive, personal or commercially valuable nature belonging to the College of Media and Publishing should ever be posted on a social networking website.

Application of the Policy

This policy applies to all users of information owned by the College of Media and Publishing that is of a confidential, sensitive, personal or commercial value. This policy only applies to information that is not in the public domain.

Safeguarding information on mobile devices policy v18.02

Back to UK GDPR policies

SUBJECT ACCESS REQUESTS AND TIME LIMITS POLICY

POLICY STATEMENT

Personal Information is any information from which an individual can be identified, for example name, address, telephone number and email address.

Circulation

This policy should be read by all staff involved in the consent process and applies equally to staff in a permanent, temporary, contractor or volunteer role acting for or on behalf of the College of Media and Publishing.

Scope

This policy addresses the procedures and responsibilities for responding to access requests from data subjects.

Subject access requests

The College of Media and Publishing will ensure that individuals have the right to access their personal data and supplementary information, which enables individuals to be aware of and verify the lawfulness of the processing.

Under the UK GDPR, individuals will have the right to obtain:

Confirmation that their data is being processed,
Access to their personal data, and
Other supplementary information (eg the information provided in the privacy notice).

Timescale

The College of Media and Publishing recognises the information must be provided without delay and at the latest within one month of receipt. Unless the requests are complex or numerous where the period of compliance may be extended by a further two months. However, the will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Verify identity and supply data requested

1. The College of Media and Publishing will verify the identity of the person making the request, using “reasonable means”.

2. If the request is made electronically, the College of Media and Publishing will provide the information in a commonly used electronic format.

3. The College of Media and Publishing will provide individuals with a copy of the information they have requested, free of charge.

4. If the request is manifestly unfounded, excessive or repetitive, a “reasonable fee” will be charged for administrative costs. Alternatively, the College of Media and Publishing may not comply but will inform the individual of the reason for the refusal and any right to appeal, if applicable.

5. The information will be provided without delay and at the latest within one month of receipt. However, the College of Media and Publishing may be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the College of Media and Publishing will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Subject access requests and time limits policy v18.02

Back to UK GDPR policies

CMP ©

Last updated 31 December 2020