Data Protection Policy

Cambridge Management and Leadership School (‘centre’ hereafter) fully endorse and adheres to the principles of data protection (through its Data Protection Policy), as outlined in the Data Protection Act 2018. Cambridge Management and Leadership School is responsible for ensuring that Personal Data is properly safeguarded and processed in accordance with the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (collectively referred to in this document as Data Protection Legislation).

Cambridge Management and Leadership School, in the course of its day to day operation, is required to collect and use certain types of information about people and organisations with which it deals, in order to operate its various services. This includes data on current, past, and prospective employees, or suppliers, its students, clients/customers, or others with whom it communicates. In addition, it may also be occasionally required by law, to collect and use certain types of information to comply with the requirements of various government departments. 

This policy concerns the implications of The Disability Discrimination Act Part 4 as it applies to Centre personnel and students at the Centre.



Centre personnel and students are made aware of the existence of this policy and have open access to it in a folder in the Admin Office. This policy is reviewed annually and may be revised in response to feedback from students, staff and external organisations


Data Protection Policy

Information gathered during the operation of our services will be dealt with properly, in accordance with the safeguards detailed to the processing of Personal Data set out in the GDPR and the Data Protection Act 2018 which requires Personal Data to be:, whether it is collected, recorded and used, on paper, electronically, or by any other means should be processed by following principles 

a) Processed lawfully, fairly and in a transparent manner in relation to the data subject - (Lawfulness, Fairness and transparency)
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes – (Purpose limitation)
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed - (data minimisation)
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay – (Accuracy)
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject – (Storage Limitation)

The Centre regards the lawful and correct treatment of personal information, as very important to its successful operation, and to maintaining the confidence of those who we deal with. The Centre will always ensure that it treats any personal information collected, in a lawful and correct manner.



Data Protection and Privacy Law This includes the Data Protection Act, the EU General Data Protection Regulation, the Privacy and Electronic Communication Regulations, and other applicable law in relation to Data Protection.
Personal Data This is information that can identify a living person that is held either electronically or in paper form. This can include student records including enrolment, assessment and certification and staff/contractor personal details.
Data Controller The data controller decides how and why personal data is to be used and is legally required to comply with the law. Cambridge Management and Leadership School is the data controller for the personal data it uses.
Data Subject This is an identifiable living individual who is the subject of personal data.
Processing In relation to personal data, this means obtaining, recording or holding the data or carrying out any business operation or set of operations on the data.


Principles and Duties

Transparency - Whenever we collect personal data, we will take appropriate measures to provide data subjects with the information required to ensure they understand the nature of the processing and how to exercise their rights in relation to that processing.

Consent - Where we are relying on consent as a legal basis for processing personal data, individuals’ consent will be collected in a manner that ensures it is freely given, specific, informed and unambiguous.

Purpose - We will only collect and use personal data for specific legitimate purposes, and it will be kept only for as long as we need it for those purposes. We will not collect excessive or irrelevant information. We will ensure that personal data we collect and process will be accurate and kept up to date, where necessary.


  1. We will have appropriate security measures in place to protect personal data, taking account of the nature of the data and the harm that might be caused if it was lost. These security measures will be regularly tested, assessed and evaluated to ensure they maintain an appropriate level of security for personal data.
  2. Personal data will be accessible only to those people who need to use it as part of their work. Unauthorised or unlawful access to, use or disclosure of personal data may lead to disciplinary action, and in some cases could be considered as gross misconduct. In serious cases it could also be a criminal offence.
  3. We will provide prompt and effective notification to the relevant authority and to data subjects, where necessary, in the event of a personal data breach. We will cooperate fully with any regulatory investigations that result from a breach.

RightsData subjects will be able to exercise fully their rights to access, rectification, erasure, restriction, portability and objection, and their rights with regard to automated decision making and profiling.

Marketing - Electronic and other marketing will be carried out in accordance with the law. Guidance is available for staff to enable them to meet these requirements. g. Data

Protection by Design and Default - We will implement appropriate technical, organisational measures and Data Protection Assessment Measures to ensure that data protection principles are incorporated into the development and operation of personal data processing activities.

Accountability - We will maintain appropriate records to allow us to demonstrate our compliance with these principles and duties, including records of processing activities under our control. A Data Protection Officer who is an Academic Director will fulfil the tasks set out in law including compliance. The Data Protection Officer will be provided with the resources and support necessary to carry out those tasks.

International Transfers - We will not transfer data outside EEA area. Transfers of personal data outside of the European Economic Area will be subject to appropriate safeguards in accordance with the law and we will comply with our Data Protection rules and legislative. 


At Cambridge Management and Leadership School, we ensure that personal data

  • Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met;
  • Shall only be obtained for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  • Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
  • Shall be accurate and, where necessary, kept up to date;
  • Shall not be kept for longer than is necessary for that purpose or those purposes;
  • Shall be processed in accordance with the rights of data subjects, under the Act;

and that:-

  • appropriate technical and organisational measures shall be taken against all unauthorised, or unlawful, processing of personal data and against accidental loss or destruction of, or damage to, personal data


Cambridge Management and Leadership School will, through appropriate management, and strict application of criteria and controls,

  • observe fully, conditions regarding the fair collection and use of any information;
  • meet its legal obligations to specify the purposes for which information is used;
  • collect and process appropriate information, only to the extent that it is needed to fulfil operational needs, or to comply with any legal requirements;
  • ensure the quality of information used;
  • apply checks to determine the length of time information is held;
  • ensure that the rights of people about whom information is held can be fully exercised under the Act. These include: the right to be informed that processing is being undertaken; the right of access to one’s personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is regarded as wrong information;
  • take appropriate technical and organisational security measures to safeguard personal information;
  • ensure that personal information is not transferred abroad without suitable safeguards.


In addition, Cambridge Management and Leadership will ensure that:-

  • everyone managing and handling personal information understands that they are responsible for following good data protection practice;
  • Data will be retained relating to HR, Students and their assessment record for at least 3 years;
  • everyone managing and handling personal information is appropriately trained to do so;
  • everyone managing and handling personal information is appropriately supervised;
  • anybody wanting to make enquiries about handling personal information knows what to do;
  • queries about handling personal information are promptly and courteously dealt with;
  • methods of handling personal information are clearly described;
  • a regular review and audit is made on the way personal information is managed;
  • methods of handling personal information are regularly assessed and evaluated;
  • performances regarding the handling of personal information are regularly assessed and evaluated.


Provide us with your feedback

We welcome your comments and feedbacks. Any feedback, please write us on


Further Readings

Privacy and Cookies Policy