Data Protection Policy - INTERNATIONAL BUSINESS SCHOOL

Data Protection Policy
Version Number		IBS/DPP/2026Apr/V001
Member of Staff Responsible		Ibrahim Sirkeci
Record of Revisions to Policy
Date	Details	Approved by
Apr 2026	Published	Board of Directors
Apr 2026	Reviewed	Board of Directors
July 2023	Reviewed	Board of Directors

Date of Current Policy		April 2026
Next Review Date		April 2028
Review to be approved by		Board of Directors

Related IBS Policies

Equal Opportunities and Diversity Policy
Admissions Policy
Student Complaints Policy
Academic Appeals Policy
Academic Misconduct Policy
Staff Code of Conduct
Data Breach Policy
Records Retention Policy

External Reference Points

UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Human Rights Act 1998
Freedom of Information Act 2000 (where applicable)
Office for Students (OfS) Regulatory Framework
Information Commissioner’s Office (ICO) guidance

1. Policy Statement

International Business School (IBS) is committed to protecting the privacy, rights and freedoms of individuals whose personal data it processes. IBS processes personal data lawfully, fairly and transparently and is fully committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and all related regulatory obligations.

IBS recognises its responsibilities as a higher education provider under the Office for Students (OfS) regulatory framework and ensures that robust data protection arrangements support student protection, regulatory compliance, institutional accountability and public trust.

2. Purpose

The purpose of this policy is to:

Set out how IBS collects, processes, stores and protects personal data
Ensure compliance with UK GDPR, Data Protection Act 2018 and ICO guidance
Clarify responsibilities for data protection across IBS
Safeguard the rights of students, staff, applicants and other data subjects
Support OfS requirements relating to governance, risk management and student protection

3. Scope

This policy applies to:

All personal data processed by IBS in any format (electronic, paper or verbal)
All students, applicants, staff, contractors, volunteers and governors
All academic, administrative, support and governance activities

This policy applies to all staff and students when processing personal data on behalf of IBS, whether on‑campus or remotely.

4. Definitions

Personal Data: Any information relating to an identified or identifiable living individual.
Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning a person’s sex life or sexual orientation.
Data Subject: The individual to whom personal data relates.
Data Controller: IBS, which determines the purposes and means of processing personal data.

5. Data Protection Principles

IBS processes personal data in accordance with the UK GDPR principles. Personal data must be:

Processed lawfully, fairly and transparently
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary
Accurate and kept up to date
Retained no longer than necessary
Processed securely to ensure appropriate protection

Accountability underpins all data processing activities, and IBS maintains appropriate records to demonstrate compliance.

6. Lawful Basis for Processing

IBS will only process personal data where there is a lawful basis, including:

Performance of a contract
Compliance with a legal obligation
Performance of a task carried out in the public interest
Legitimate interests pursued by IBS
Consent, where appropriate

Additional conditions are applied when processing special category data.

7. Data Subject Rights

IBS upholds the rights of data subjects under UK GDPR, including:

The right to be informed
The right of access (Subject Access Requests)
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights relating to automated decision‑making and profiling

Requests may be made by contacting dataprotection@theibs.uk.

8. Roles and Responsibilities

8.1 Institutional Responsibilities

IBS, as Data Controller, is responsible for:

Compliance with data protection legislation
Cooperation with the ICO
Managing data protection risks and incidents
Maintaining appropriate policies, procedures and records

8.2 Data Protection Officer

The Data Protection Officer (DPO) is responsible for:

Monitoring compliance with data protection legislation
Advising on Data Protection Impact Assessments (DPIAs)
Acting as the point of contact with the ICO
Supporting staff and data subjects on data protection matters

8.3 Staff and Student Responsibilities

All staff and students processing personal data on behalf of IBS must:

Complete mandatory data protection training
Process data in line with this policy and associated procedures
Maintain confidentiality and data security
Report actual or suspected data breaches immediately

9. Data Security and Breach Management

IBS implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss or disclosure.

Any personal data breach must be reported immediately in accordance with the IBS Data Breach Policy. Serious breaches will be reported to the ICO within statutory timescales where required.

10. Data Retention

Personal data is retained only for as long as necessary and in line with the IBS Records Retention Policy. Secure disposal arrangements are applied when data is no longer required.

11. Monitoring and Review

Compliance with this policy is monitored through:

Internal audits and risk reviews
Staff training and awareness activities
Review of data protection incidents and requests

This policy is reviewed annually or sooner if required by legislative or regulatory change.

12. Alternative Formats

This policy is available in alternative formats upon request. Requests should be directed to the Academic Standards and Quality Office.