Garden Design Open Morning

Read more
Back to Compliance

Data Protection GDPR

This GDPR Policy will be reviewed annually by our Management Committee. Any amendments require the approval of our Board of Directors. Last date of review: June 2023

Student and Alumni Fair Processing Notice

The General Data Protection Regulation (GDPR) protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with information about people. A key element to this is the principle to process individuals' data lawfully and fairly. In order to meet the fairness part of this we need to provide information on how we process personal data.

This Fair Processing Notice satisfies this element of legislation and is designed to highlight the areas of Data Protection which may be of particular concern to current and/or former students, and to help those people understand how information about them will be used. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner's Office (ICO), the regulator for data protection in the UK.

Fair Processing Notices are available for the Public, contracted Staff and Suppliers.

More widely, Inchbald is committed to meeting the entirety of its responsibilities to current and former staff under the General Data Protection Regulation (GDPR) and related legislation taking these matters very seriously. We will always ensure personal data is collected, handled, stored, shared, retained and disposed of in a secure manner.

For the purpose of your data protection, Inchbald is the recognised 'controller' of your data. A number of legal entities trade as Inchbald. These include list of entities. Regardless of which legal entity you liaise with, we make the same Data Protection Officer available to you, who can be contacted about any of the content held herein via:

Postal Address:

Data Protection Officer


7 Eaton Gate,
London SW1W 9BA,
United Kingdom

Telephone: +44 (0) 207 730 5508

Email: [email protected]

The legal basis by which we will process and may have already processed data about you:

When we collect or process data about you, we have to observe the requirements of the General Data Protection Regulation (GDPR).

Under the General Data Protection Regulation our legal bases for processing this information about you as a student will be that processing is necessary:

  • "For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller." This means the information is needed for the delivery and administration of your studies at Inchbald.
  • "For compliance with a legal obligation." This means Inchbald is legally required to share some information about you, for example with the Higher Education Statistics Agency (HESA).
  • "To protect the vital interests of a data subject or another person." This means that in some rare circumstances it may be necessary to share information about you, for example to the emergency services.

If you go on to be an alumna or alumnus of Inchbald the legal basis for continuing to process your personal information would then be:

  • "Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject." This means it is reasonable to expect that Inchbald would contact you once you have finished your studies.

If you were a student of Inchbald before May 25th 2018 (the date on which GDPR came into effect), it is important for you to remember that your personal data was already protected another way, by way of The Data Protection Act (The DPA). The DPA established a framework within which information about living individuals can be legally gathered, stored, used and disseminated. At its core were eight Data Protection Principles, which Inchbald and other organisations needed to abide by. These specified that personal information must be:

  • Processed fairly and lawfully, and only if certain conditions are met
  • Obtained for specified and lawful purposes, and not used for purposes other than those for which it was gathered
  • Adequate, relevant and not excessive
  • Accurate and where necessary kept up to date
  • Kept for no longer than necessary
  • Processed in accordance with individuals' rights
  • Kept secure
  • Not transferred outside the European Economic Area unless certain conditions are met

GDPR builds on these requirements and states that from 25 May 2018 information must be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

GDPR also requires that:

  • "the controller shall be responsible for, and be able to demonstrate, compliance with the principles."

These protections apply to information in electronic form and also many types of data in paper form. Further information about the Data Protection Act and the General Data Protection Regulation is available from the Information Commissioner's Office at

How and why does Inchbald use personal data?

Student and Alumni personal data is processed primarily for, but not limited to, the following purposes:

  • To administer and support your studies and record academic achievements, e.g. your course choices, attendance, assessments and the publication of any graduation programmes
  • To assist in pastoral and welfare needs, e.g. the counselling service and services to students with disabilities
  • To administer financial aspects of your registration as a student, e.g. payment of fees, debt collection
  • To tell you about things that are happening in and around Inchbald
  • To manage course facilities, such as computing facilities and the Library
  • To produce management statistics and to conduct research into the effectiveness of our courses
  • To monitor our equal opportunities policies, e.g. compliance with the Race Relations Act
  • To administer student employment processes, if you choose to work for Inchbald whilst you are studying with us
  • For security and disciplinary purposes
  • For internal and external audits and quality assurance exercises
  • For alumni relations purposes

We may disclose your data to certain outside organisations as outlined in this Fair Processing Notice.

We may use copies of the data, including sensitive personal data, which we hold about you for the purpose of testing our IT systems. If your data is used for system testing, it will be copied to a test environment and used with data on other students to test changes to our IT systems in a realistic way. This is done to ensure that changes will be effective and will not cause loss or damage to data. The data about you which we hold in our live systems will not be affected. Your data will not be kept in the test environment for longer than is necessary for testing purposes. Data in that environment will not be used for purposes other than testing. We will also apply appropriate security precautions to the data.

What personal data does Inchbald collect?

Inchbald collects personal data from students at various stages. The volume and nature of the personal data collected is described below, but is not limited to the data items specified:

  • Personal data:
  • Your name
  • Your contact details
  • Details of your emergency contacts / parents / guardians / next of kin
  • Your date of birth
  • Your nationality, your country of residence and other such items to assess your eligibility for study.
  • Your ethnic origin, your gender identity and other equality and diversity characteristics for the purpose of monitoring and reporting on access to opportunity.
  • Any disabilities which you have disclosed to us for the purpose of ensuring we can provide you the most appropriate education.
  • A digital photograph used to produce your student ID, and for security and identification purposes
  • Medical information, such as information held by Student Services
  • Audio/Visual data relating to your application / enrolment at Inchbald.

Course related data:

  • Information from your application process
  • Your academic background and qualifications
  • Your academic record while at Inchbald (including measures of attendance, engagement and attainment)
  • Details of any degrees which you are awarded
  • Finance data:
  • Fee information
  • Bursary or sponsorship details
  • Payment / Bank details.

Other data:

  • Any disciplinary action taken against you
  • Information relating to any academic appeals or complaints raised by you
  • Attendance warnings issued to you
  • Official letters requested by you during your studies, for example Council Tax exemption
  • Your use of Inchbald's facilities, such as the Library
  • Online identifiers, such as your Inchbald username that is used to access our systems

Some of this information, such as your ethnicity, medical information and information about disabilities, is classed as "sensitive" personal data under the Data Protection Act. Under the General Data Protection Regulation sensitive data covers information consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. Sensitive personal data is subject to extra legal protection and we have to meet an additional set of conditions in order use the data fairly and lawfully.

Sensitive data about you, for example relating to your health, may be shared with restricted departments within Inchbald to ensure that you have access to appropriate services and support. Sensitive personal data may also be used to monitor equality of opportunity and access to higher education, but will not be used to make decisions about you.

Your Student Profile

In the normal course of study, your name, course and Inchbald email address may be made available to your fellow Students via Inchbald systems. Your contact details will also be made available in a directory to staff via Inchbald systems. This may include name, photo, course, Inchbald email address and a contact telephone number. Should there be times at which you are unable to be contacted by way of Inchbald-operated communications platforms, relevant staff may be provided access to your non-Inchbald contact details, only as necessary. This may extend to sharing of emergency contact details, if the need arises.

Information, such as your name, course and career credits may be made available in a public manner, where relevant to promote Inchbald's work, for example in our prospectus and on our website.

Inchbald Communications Platforms

Where Inchbald's email and other communications services are provided by third parties, you are bound by their terms of service. Inchbald undertakes that data held within these services is held in accordance with GDPR legislation. Inchbald has contracts in place with these providers to ensure the protection of Inchbald owned personal data.

Student email addresses are issued and used for communicating about Inchbald and studies, and are monitored to ensure compliance with our Data Protection and associated policies, as well as legislation such as The Prevent Duty.

Who else has access to my data?

Inchbald is required to share personal data with certain other organisations in order to meet statutory requirements or to provide services to students. Sharing will always be undertaken in line with the requirements of data protection law, either through the consent of the individual, or another relevant legal gateway. The personal data that is actually shared will always be limited precisely to what the other organisation needs to meet its requirements or deliver its services.

Although we do not transfer data outside of the European Economic Area (EEA) as a matter of course of usual business, if this disclosure involves the transfer of your data outside the European Economic Area (EEA), we will inform you of this in advance, along with information about the safeguards in place. The data will only be transferred outside the EEA if one of the conditions set down in the Data Protection Act has been met, or in compliance with the conditions of transfer outlined in the General Data Protection Regulation.

Your data may also be sent to different companies/departments within the Inchbald group where this is necessary for our day to day administration. Information on full list of Inchbald Group companies is:

The information below outlines the key partners with whom Inchbald shares personal data with on a periodic basis:

Professional and Funding Bodies:

  • Validation of registrations and awards; and
  • Approval of funding applications.
  • Partner institutions such as Wrexham University;
  • External examiners connected to the awards we operate for examination, assessment and moderation purposes.

National/Local Government Departments and other public bodies:

  • Jisc (registered in England with company number: 05747339 and charity number: 1149740), trading as Higher Education Statistics Agency (HESA), who is the designated data body of our regulator, and to whom we return data at their request and specification, for which a separate data collection notice can be found at
  • The Office Of The Independent Adjudicator to review student complaints;
  • The Office for Students during institutional audits and other quality assessment exercises;
  • the Student Loans Company in connection with grants, fees, loans and bursaries;
  • the courts, the police and other organisations with a crime prevention or law enforcement function (subject to the proper entitlements);
  • Local authorities for the purposes of assessing and collecting council tax.
  • Communications Platforms to facilitate marketing and communications of Inchbald services (governed by GDPR compliant data sharing agreements):
  • Facebook for re-marketing of Inchbald services to you via its channels;
  • Clickatell for SMS (text message) services; and
  • Mailchimp and Mandrill for campaign and transactional email services.

Service Platforms to facilitate the administration and distribution of Inchbald services (governed by GDPR compliant data sharing agreements):

  • Our Virtual Learning Environment for your online learning tools;
  • Turnitin plagiarism detection software for verifying the originality of your submitted work

Other individuals / organisations:

  • International recruitment consultants and agents (for relevant international students);
  • Housing providers for students;
  • Inchbald's insurers and legal advisers for the purpose of providing insurance cover or in the event of a claim;
  • Employers who request a reference from Inchbald (for relevant staff and students).
  • If you leave Inchbald owing money to Inchbald, we may at our discretion pass this information to a debt collection agency.
  • We may disclose information for the purpose of verifying data about you held by Inchbald, held by another higher education institution, or held by government agencies.
  • We may disclose information if there are concerns regarding student vulnerability and susceptibility to radicalisation as part of our responsibilities under the Counter Terrorism and Security Act 2015.

Personal data may also be disclosed when legally required or where there is a legitimate interest, either for Inchbald or the data subject, taking into account any prejudice or harm that may be caused to the data subject.

Inchbald may also use third party companies as data processors to carry out certain administrative functions on behalf of Inchbald. If so, a written contract will be put in place to ensure that any personal data disclosed will be held in accordance with GDPR legislation.

How long do you keep data for?

Inchbald takes its obligations under GDPR very seriously in terms of not holding onto personal data for any longer than is necessary. Inchbald has a retention schedule in place for the different categories of data it holds.

After you leave Inchbald we will continue to hold data about you in digital and paper form. Some information, such as your dates of attendance and your qualification achievements, will be retained permanently. Other data will be disposed of from time to time in accordance with Inchbald's data retention policies. For example:

  • Data relating to your application - retained for 6 years after you leave Inchbald
  • Anonymised records which don't identify you which are used for data analysis purposes - retained indefinitely
  • Records relating to applications for Extenuating Circumstances - retained for 1 year after the end of the academic year in which the application is made
  • Your contact details - Inchbald is required by statute to retain these to enable the Higher Education Statistics Agency's national survey of Graduate Outcomes
  • Data relating to your assessment and degree outcome - retained indefinitely to be able to provide academic transcripts
  • Data relating to any student complaints or academic appeals - retained for one year post completion of complaint and appeal procedures
  • Financial data relating to payments received from you or paid to you - there is a mandatory requirement to keep financial data for at least seven years for audit purposes

By enrolling as a Inchbald student, you agree to Inchbald processing data relating to you after you leave Inchbald for any purposes connected with your studies, your status as a former student and for other legitimate reasons.

Examples of how we may use your data after you finish or graduate include:

  • To provide evidence of your academic achievements when requested to do so: e.g. transcripts, confirmation of qualifications and references
  • To provide information to regulatory bodies and other agencies to whom we are legally required to supply data
  • To produce management statistics
  • To maintain contact with you as a Inchbald alumnus/alumna
  • For audit and quality assurance purposes

We may contact you for a limited range of research purposes after you leave Inchbald.

We are required by statute to maintain and share your contact details to enable the carrying out of surveys conducted by or on behalf of HESA, the Office for Students or other official agencies.

We may also contact you to carry out our own research into your experiences at Inchbald and after leaving Inchbald, in order to evaluate the effectiveness of our courses and improve our services to students. If you do not want to be contacted for these purposes, please notify our data protection officer using the contact details we provide in this notice.

Inchbald graduates automatically become members of the Inchbald Alumni Network as Inchbald would like to stay in contact with you.

Inchbald retains some data about current and former students indefinitely, for the reasons outlined below:

  • to be able to verify qualifications with future employers;
  • to be able to respond to safeguarding responsibilities;
What are my rights regarding the personal data you hold relating to me?

An individual has the right to be informed about data collection via a Fair Processing Notice. This is that notice.

An individual has the right to ask Inchbald what personal data we hold about them, and to ask for a copy of that information. Inchbald reserves the right to ask you to provide proof of identification and for you to clarify your request if it is unclear in the first instance. You will receive a reply no longer than 30 calendar days from the date you make the request in writing. If you are unhappy with the initial response you can ask Inchbald to undertake a further search if there is specific information you have good reason to believe exists but that hasn't been delivered to you.

You have the right to rectify data that is incorrect. If you believe Inchbald holds information about you that is factually incorrect please email our registry department to provide the correct information, and Inchbald should update it within one month.

You have the right to be forgotten. Where there is not a legal / statutory obligation for Inchbald to hold data about you, you have the right to be forgotten.

You have the right to data portability where the personal data is processed with the consent of the data subject, not where the personal data has been collected using any of the other legal basis for processing.

You have the right to restrict processing.

You have rights in relation to automated decision making and profiling.

You also have the right to object / withdraw consent from the processing of your personal data by Inchbald at any time, if your consent was sought initially to use your personal data.

You also have the right to complain to the UK Regulator the Information Commissioner's Office (the ICO) if you believe you request has not been dealt with properly or you have a complaint to raise against Inchbald for any other data protection related issue. A complaint can be raised via the ICO's website at or by writing to the following address:

The Office of the Information Commissioner
Wycliffe House
Water Lane

How do I exercise my rights under GDPR?

For the purpose of your data protection, Inchbald is the recognised 'controller' of your data. A number of legal entities trade as Inchbald. These include Inchbald School of Design Ltd., and Inchbald Online Ltd. Regardless of which legal entity you liaise with, we make the same Data Protection Officer available to you, who can be contacted if you would like to exercise any of your rights under GDPR:

Postal Address:

Data Protection Officer


7 Eaton Gate,
London SW1W 9BA,
United Kingdom

Telephone: +44 (0) 207 730 5508

Email: [email protected]

What are my responsibilities?

Inchbald will make every reasonable effort to keep your details up to date. However, it is your responsibility to provide us with accurate information about yourself when you provide it. It is also your responsibility to let us know of any subsequent changes to your details. You must also abide by Inchbald's Data Protection Policy when handling any personal data you come into contact with for which Inchbald is responsible.