Data controller: Academy of Music and Sound, 54 High Street, Exeter, Devon EX4 3DJ

Data protection officer: Steve Ryan – email

The organisation collects and processes personal data relating to its students. The organisation is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

What information does the organisation collect?

The organisation collects and processes a range of information about you. This includes:

  • your name, address and contact details, including email address and telephone number, date of birth and gender;
  • details of your current/previous educational establishments and academic attainments/grades;
  • financial records and bank details of students/parents for fee payment and funding applications;
  • pastoral records;
  • information about your next of kin and emergency contacts;
  • details of your attendance; and
  • information about medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments

The organisation collects this information in a variety of ways. For example, data is collected during enrolment; obtained from your passport or other identity documents; from forms completed by you at the start of or during your studies; from correspondence with you; or through interviews, meetings or other assessments.

In some cases, the organisation collects personal data about you from third parties, such as criminal records checks permitted by law.

Data is stored in a range of different places, including in secure offices (paper records) and IT systems (including the organisation’s email system).

Why does the organisation process personal data?

The organisation needs to process data to enter into a study agreement with you and to meet its obligations for compliance with partner colleges.

In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to comply with health and safety laws. For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the course in question.

In other cases, the organisation has a legitimate interest in processing personal data before, during and after the end of the study relationship. Processing employee data allows the organisation to:

  • run recruitment and enrolment processes;
  • maintain accurate and up-to-date student records and contact details (including details of who to contact in the event of an emergency)
  • keep a record of attendance and performance;
  • obtain health advice, to ensure that it complies with duties in relation to individuals with disabilities and meet its obligations under health and safety law;
  • ensure effective general business administration;
  • process funding applications;

Who has access to data?

Your information will be shared internally, including with teachers, managers in the business area and IT staff if access to the data is necessary for performance of their roles.

The organisation shares your data with third parties in order to facilitate courses and funding, for example with colleges and universities.

The organisation will not transfer your data to countries outside the European Economic Area.

How does the organisation protect data?

The organisation takes the security of your data seriously. The organisation has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees in the performance of their duties.

Where the organisation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

For how long does the organisation keep data?

The organisation will hold student personal data for the duration of the course and for two years afterwards. Attainment records may be held for up to five years after completion of studies. Financial records are destroyed one month after successful enrolment on a course or receipt of funding.


Your rights

As a data subject, you have a number of rights. You can:

  • access and obtain a copy of your data on request;
  • require the organisation to change incorrect or incomplete data;
  • require the organisation to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
  • object to the processing of your data where the organisation is relying on its legitimate interests as the legal ground for processing; and
  • ask the organisation to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the organisation’s legitimate grounds for processing data.

If you would like to exercise any of these rights, please contact the Data Protection Officer. You may make a subject access request by writing to the Data Protection Officer.

If you believe that the organisation has not complied with your data protection rights, you may complain to the Information Commissioner.

Automated decision-making

Enrolment and teaching decisions are not based solely on automated decision-making.