skip to primary navigationskip to content

Data Protection Policies and Statements

The ICO updates its guidance on General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) regularly. It also offers a range of resources and support that can be accessed here.

Principle 1 of the GDPR includes a requirement for organisations to communicate how they process individuals’ personal data in a transparent manner. This corresponds with the individual’s right to be informed. For more information, see the ICO’s guidance relating to communicating such ‘privacy information’.

The Office of Intercollegiate Services has produced a range of data protection statement templates for Colleges to adapt and use as required. The intention is that Colleges will, on a single website, host a number of separate statements depending on the nature of the “data subject” and their relationship to the Colleges. Some people may therefore have more than one statement that applies to them.

All of the statements include:

  • Contextual notes as comments (which of course should be deleted prior to publication)
  • Areas highlighted in yellow (where Colleges will have to tailor the statement)

Two of the statements (for alumni and students) additionally have a separate guidance note, to reflect their complexity. 

The templates should be completed using the results of the personal data audit, paying particular attention to local College policies on retention times. Care should be taken to include additionally any processing not included in the statement.


Colleges are advised to review these statements regularly to ensure they remain up-to-date. Version controls should be maintained and previous versions stored for auditing purposes.