Data Protection Policy

5. Processing data fairly and lawfully

5.1 The first data protection principle requires that personal data is obtained fairly and lawfully and processed for purposes that the data subject has been told about. Processing will only be lawful if certain conditions can be satisfied, including where the data subject has given consent, or where the processing is necessary for one or more specified reasons, such as where it is necessary for the performance of a contract.

5.2 To comply with this principle, every time we receive personal data about a person directly from that individual, which we intend to keep, we need to provide that person with “the fair processing information”. In other words we need to tell them:

  • (a) the type of information we will be collecting (categories of personal data concerned);
  • (b) who will be holding their information, i.e. the IAP including contact details and the contact details of our Secretary, in the capacity of the Academy Data Protection Officer;
  • (c) why we are collecting their information and what we intend to do with it for instance to process their request for support or send them online updates about our activities;
  • (d) the legal basis for collecting their information (for example, are we relying on their consent, or on our legitimate interests or on another legal basis);
  • (e) if we are relying on legitimate interests as a basis for processing what those legitimate interests are;
  • (f) whether the provision of their personal data is part of a statutory or contractual obligation and details of the consequences of the data subject not providing that data;
  • (g) the period for which their personal data will be stored or, where that is not possible, the criteria that will be used to decide that period;
  • (h) details of people or organisations with whom we will be sharing their personal data;
  • (i) if relevant, the fact that we will be transferring their personal data outside the European Economic Area (EEA) and details of relevant safeguards; and
  • (j) the existence of any automated decision-making including profiling in relation to that personal data.


5.3 Where we obtain personal data about a person from a source other than the person his or her self, we must provide that individual with the following information in addition to that listed under 5.2 above:

  • (a) the categories of personal data that we hold; and
  • (b) the source of the personal data and whether this is a public source.


5.4 In addition, in both scenarios, (where personal data is obtained both directly and indirectly) we must also inform individuals of their rights outlined in section 9 below, including the right to lodge a complaint with the relevant national data protection authority and, the right to withdraw consent to the processing of their personal data.


5.5 This fair processing information can be provided in a number of places including on web pages, in mailings or on application forms. We must ensure that the fair processing information is concise, transparent, intelligible and easily accessible.