Data Protection Policy



The ISL Director has overall responsibility for this policy.


The ISL General Manager has day-to-day responsibility for maintaining the policy and providing advice and guidance on its implementation.


All employees are responsible for their own adherence to the policy. Compliance with this policy is mandatory.


Data Protection


ISL are registered as a ‘data controller’ with the Information Commissioner.


As a registered ‘data controller’ under the General Data Protection Regulation (GDPR) 2016/679, ISL will only process data if there is at least one lawful basis to do so, irrespective of whether this is processed automatically, electronically or as part of a manual system.

  • The data subject has given consent to the processing of personal data for one or more specific purposes.
  • Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Processing is necessary to protect the vital interests of the data subject or of another natural person.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular if the data subject is a child.


The GDPR covers both:

  a) data held on equipment that can automatically process information in response to instructions; and
  b) data held as part of manual filing systems.


In terms of ISL, this definition covers data held on:

  • All types of computer, e.g. operational databases, marketing databases and the ISL website;
  • Email and the Internet;
  • Any structured filing system in which data is held, whether in electronic form or on paper.


All ISL team members are responsible for ensuring that the principles of GDPR are adhered to in those areas of ISL to which the Regulation relates.


Any data subject who believes that ISL are processing data of which they are the subject (e.g. customer, client or service provider) is entitled under the Regulation (right of access (Article 15)) to submit a written subject access request asking for details of all information about them that is held.



Data Protection Officer


The General Manager performs the duties and responsibilities of the Data Protection Officer for ISL.


Requests for copies of information (subject access requests) should be made in writing to:

Robert Mynett

Data Protection Officer, Unit 4, Royds Close, Lower Wortley, Leeds, UK, LS12 6LL.



It is the responsibility of the Data Protection Officer to administer and respond to such requests, liaising with other departments as relevant.


Privacy Protection


ISL is committed to ensuring that the privacy of employees, suppliers and customers is protected. Should ISL request certain information by which a person can be identified, it will only be used in accordance with this privacy policy.


ISL may collect the following information:

  • name and job title
  • personal image
  • contact information including email address
  • demographic information such as town, country preferences and interests
  • other information completed on
  • other information relevant to customer surveys and/or offers


This information is gathered for the following reasons:

  • Internal record keeping
  • Keeping records of course progress and completion
  • Registration/Certification with the Awarding Body
  • Security administration
  • Marketing and external communication
  • To improve ISL’s products and services
  • To promote new products, special offers or other information of interest, using the provided email address
  • Providing work opportunities
  • To contact customers for market research purposes by email, phone, fax or mail.


ISL is committed to ensuring that all information is secure. In order to prevent unauthorized access or disclosure, suitable physical, electronic and managerial procedures have been implemented to safeguard and secure information.

Personal information and images will never be used externally without the individual being given the chance to opt out of their use.


Data Breach


ISL will take every measure possible to reduce the chances of a Personal Data Breach occurring.


  1. Upon becoming aware of a Personal Data Breach, we shall:
  2. Notify you without undue delay
  3. Reasonably co-operate with you and take such reasonable commercial steps as are requested in writing by you to assist you in the investigation, mitigation and remediation of that Personal Data Breach, provided in each case that you reimburse us for all costs (including for internal resources and any third party costs) reasonably incurred by us in providing such assistance under this clause within 14 days of our invoice, to the extent the Personal Data Breach was not caused by us;
  4. Implement such technical and organisational measures to ensure a level of security for the Personal Data which is appropriate to the risks to individuals that may result from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data;
  5. Ensure that our employees who may have access to the Personal data are subject to confidentiality undertakings;
  6. Not transfer any Personal data from the European Union to, or access or allow access to such data from, outside the European Economic Area (EEA) unless
    1. The transfer is to, or the access is from, a country that the European Commission has decided pursuant to Article 25(2) of the Data Protection Directive 95/46/EC (or any equivalent provision under Data Protection Laws) ensures an adequate level of protection for the processing of Personal Data (a “Safe Country”); or
    2. where that is not the case, measures are in place to ensure that the transfer/access will not put you in breach of the rules contained in the Data Protection Laws which govern the transfer of Personal Data from the European Union to recipients located outside the EEA.
  7. Unless you request otherwise in writing, you agree that we will retain student application forms and user accounts that contain Personal Data for 20 years from the enrolment of a course or qualification for your convenience, to enable you to access these courses again and to ensure our records are complete. You warrant that the retention of the Personal Data by us following enrolment on a course shall not put us in breach of Data Protection Laws. At the end of the 20-year period following enrolment onto a course or, if earlier, upon expiration or termination of this Agreement, we shall delete all Personal Data in our possession unless we are required to retain the Personal Data in order to comply with applicable laws or registrations.


  1. Personal data is information about a living individual from which they can be identified, directly or indirectly. This includes expressions of opinion about the individual. It does not include intentions in respect of that individual.