
Data Protection Policy


General Data Protection Regulation (GDPR).

International Students House (ISH) is a registered charity (no. 313512), Limited by Guarantee. ISH is registered under the Data Protection Act, which includes One Park Crescent, and additional subsidiaries and affiliated bodies.

General Statement of ISH's Duties and Scope

International Students House is required to process relevant personal data regarding members of staff, volunteers, applicants, parents, students, next of kin, alumni and customers as part of its operation, and shall take all reasonable steps to do so in accordance with this Policy.

Data Protection Controller

ISH has appointed the Finance Director as the Data Protection Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the Data Protection Act 1998. The Freedom of Information Act 2000 and the Protection of Freedoms Act 2012 are also relevant to parts of this policy.

ISH recognises The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) adopted 27 April 2016, the two-year transition period and the application date of 25 May 2018 and is actively working towards compliance with that directive.

The Principles

ISH shall so far as is reasonably practicable comply with the Data Protection Principles (the Principles) contained in the Data Protection Act to ensure all data is:-

  1. Processed lawfully, fairly and in a transparent manner.

Consent must be unambiguous. It can’t be assumed by inaction. This means that you must ask for positive agreement, for example, “Tick here if you agree to receive further information”, rather than “Tick here if you don’t want to receive marketing information”.

  2. Collected for specific, explicit and legitimate purposes.

You can’t say you are going to use data for one thing and then use it for something else. If you DO decide you want to use it in a different way you have to get further consent before you can do this.

  3. Adequate, relevant and limited to what is necessary.

You can’t ask for information simply because it might be useful in the future. Information should be on a need-to-know basis.

  4. Accurate and up to date.

People have the right to request that their data is changed, completed, corrected or deleted.

  5. Not kept for longer than necessary.

When data is no longer needed for the purpose it was collected, it must be deleted. 

  6. Kept secure from loss, destruction, damage or unauthorised access.

Systems and processes must be designed with privacy in mind.  Security and privacy must not be an afterthought.  Data security is a duty shared by both Data Controllers and Data Processors.  Data should not be transferred to other countries without adequate protection.


  • Data Subject: an individual who is the subject of the personal data.
  • Data Processor: the person or organisation who processes the data.
  • Data Controller: the person or organisation with overall responsibility for personal data, how and why it is processed, and making sure the organisation adheres to the GDPR.


Personal Data

Personal data is anything which could be used to identify a person, such as their genetic, economic, cultural or social identity. For example, it includes information necessary for employment such as the member of staff’s name and address and details for payment of salary or a student’s residential record and room rents information. Personal data may include online identifiers, such as IP addresses & cookie IDs.

Processing of Personal Data

Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt, will remain confidential and will only be disclosed to third parties with appropriate consent.

Data about children under the age of 16 requires special protection, as they are particularly vulnerable and may not understand the risks involved in giving out their personal data.

In some cases, specific organisations may publish a detailed privacy policy relating to their services, for example ISH Summer School: see Appendix ‘A’ (Summer schools) below.

Special Categories of Personal Data

Some personal data is considered to be more sensitive than others, and is called Special Categories of Personal Data. ISH may, from time to time, be required to process sensitive personal data. Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, political opinions, trade union membership and criminal records and proceedings. Other types of information that the GDPR considers to be more sensitive include financial data and data which could lead to discrimination.

Rights of the Individual

The GDPR gives people certain rights over the personal data that’s held about them.

Everyone has:

  1. The Right to be Informed.

A person has the right to be told why you want their information, where it will be processed and stored, how long you will keep it, who else will see it, how they can change or delete it, and also whether any automated decisions will be made using that data.  They should also be told of their right to withdraw their consent and of their right to complain.

  2. The Right of Access

At any time, a person has the right to be provided with the personal information ISH holds about them in a clear and intelligible form. Any data subject wishing to access their personal data should put a Subject Access Request in writing to the ISH Data Protection Officer. ISH must provide the information within one month of receiving the request, free of charge, in an electronic format.

  3. The Right to Rectification

A person can have any mistakes corrected in the data held about them, so if the data you hold on them is inaccurate or incomplete they have the right to request you change it.  You have a limit of 1 month to respond to these requests, or 2 months if it’s particularly complex.

  4. The Right to Erasure or The Right to be Forgotten

Under certain circumstances, people have the right to have all the data you hold on them deleted, if holding their data is no longer necessary, if it’s no longer relevant to the original purposes of processing, if they withdraw their consent, or if their data was processed unlawfully.

  5. The Right to Restrict Processing

People have the right to prevent you from processing their data any further.  You can store it, but not process it any more.


  6. The Right to Data Portability

A person can ask ISH to provide them with their data - to be used however they like across different services or they may ask you to directly transfer it.  You would need to provide them with a structured electronic copy of all their data.

  7. The Right to Object

People must be made aware of their right to object from your very first communication with them, as well as having it in the privacy notice.

  8. Rights in Relation to Automated Decision-Making and Profiling

People have the right not to have important or legal decisions made about them automatically, for example by a computer using a points scoring system.  They should be offered the opportunity to have a decision considered by a human so they can express their view or challenge the decision.

Data Security

ISH will take appropriate technical and organisational steps to ensure the security of personal data.

All staff will be made aware of this policy and their duties under the Act. ISH and therefore all staff and students are required to respect the personal data and privacy of others and must ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.

An appropriate level of data security must be deployed for the type of data and the data processing being performed. In most cases, personal data must be stored in appropriate systems and be encrypted when transported offsite. Other personal data may be for publication or limited publication within ISH, therefore having a lower requirement for data security.

If you deal with sensitive or personal data, you should operate a clear desk policy, making sure you don’t leave information which is sensitive or personal on your desk, or on the printer or photocopier, and that it is locked away. Also be careful that no one can read from your computer screen while you are working or away from your desk.

Attention is also drawn to the Information and Computing Technology (IT) Policy, which provides more specific information on digital data protection, and to the best practice guides that are published and updated on ASK4, whom we use for connectivity.

External Processors

ISH must ensure that data processed by external processors (for example, service providers, cloud services including storage, websites, etc.) is handled in compliance with this policy and the relevant legislation.

Secure Destruction

When data held in accordance with this policy is destroyed, it must be destroyed securely in accordance with best practice at the time of destruction. Always make sure you shred papers containing personal information; do not just throw them away or put them in recycling.

Retention of Data

ISH may retain data for differing periods of time for different purposes as required by statute or best practices. Individual departments incorporate these retention times into their processes and manuals. Other statutory obligations, legal processes and enquiries may also necessitate the retention of certain data.

ISH may store some data such as employment records, registers, photographs, achievements, books and works etc. indefinitely in its archive.


ISH owns and operates a network for the purposes of crime prevention and detection, and Safeguarding.

Automated Number Plate Recognition (ANPR) cameras are operated for automated vehicle access.

Where a data subject can be identified, images must be processed as personal data.

Data Breaches & Reporting

The GDPR defines a data breach as any “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.  If this happens you need to report it immediately to the ISH Data Protection Officer (normally the Finance Director).  The DPO must report the breach to the Information Commissioner’s Office within 72 hours with a proposal for recovery.  They may also have to inform the relevant data subjects that their data has been breached, depending on the type of breach.  Organisations in breach of the GDPR can be fined up to 4% of turnover or 20 million euros, depending on the nature, gravity and duration of the infringement. 

Appendix A

ISH is committed to ensuring that your privacy is protected. This privacy policy explains how we use the information we collect about you from our website, how you can instruct us if you prefer to limit the use of that information and procedures that we have in place to safeguard your privacy.

  1. The information we collect and how we use it

1.1 In some areas of our website, we ask you to provide information that will enable us to or reply to you after your visit. When you do so, we ask you to give us your name, email address, and other personal information that will be needed to supply the goods, services or information to you.

1.2 We use information held about you in the following ways:

To ensure that content from our site is presented in the most effective manner for you and for your computer;

To provide you with information, products or services that you request from us or which we feel may interest you, where you have consented to be contacted for such purposes;

To carry out our obligations arising from any contracts entered into between you and us;

To allow you to participate in interactive features of our service, when you choose to do so;

To notify you about changes to our service.

1.3 We may share your email address We will not share your information with any other third party.

1.4 We may also use aggregate information and statistics for the purposes of monitoring website usage in order to help us develop our website and our services and may provide such aggregate information to third parties. These statistics will not include information that can be used to identify any individual.

  2. Our use of cookies and other information gathering technologies

2.1 We do use cookies (defined below) on the site to enhance your visit. If you do not wish to accept cookies your web-browser should be configured to notify you and/or reject cookies.

Definition of Cookies: Message given to a web browser by a web server. The message is then stored by the browser in a text file called cookie.txt. Each time the browser requests a page from the server, this message is sent back. A cookie's main objective is to identify users and personalise their visit by customising web pages for them, for example by welcoming them by name the next time they visit the same site. A site using cookies will usually invite you to provide personal information such as your name, email address and interests.

  3. How we protect your information

3.1 The internet is not a secure medium; however, we take your security seriously. We have in place a full range of technical and security procedures, including the latest firewall technology and browser certification encryption, in order that we protect your interests in relation to privacy and your personal information.

3.2. We also keep your information confidential. The internal procedures of cover the storage, access and disclosure of your information.

  4. Updating your details

4.1. If any of the information that you have provided to MCSS changes, for example if you change your name, email or postal address, please let us know the correct details by sending an email to, by using the "Contact Us" link on the website or by sending a letter to International Students House, 229 Great Portland Street, London. W1W 5PN, United Kingdom.

4.2. If you prefer not to receive any email newsletters or brochures from us, you can at any time by sending an email to, by using the "Contact Us" button on the website or by sending a letter to International Students House, 229 Great Portland Street, London. W1W 5PN, United Kingdom.

  5. Your consent

5.1. By submitting your information you consent to the use of that information as set out in this policy. If we change our privacy policy, we will post the changes on this page, and may place notices on other pages of the website, so that you may be aware of the information we collect and how we use it at all times. We will also email you should we make any changes so that you may consent to our use of your information in that way. Continued use of the service will signify that you agree to any such changes.

5.2 Owing to the global nature of the Internet infrastructure, the information you provide may be transferred in transit to countries outside the EU that do not have similar protections in place regarding your data and its use as set out in this policy. However, we have taken the steps outlined above to try to improve the security of your information. By submitting your information, you consent to these transfers.

  6. How to contact ISH.

We welcome your views about our website and our privacy policy. If you would like to contact us with any queries or comments please send an email to or call 0207 631 8300.

Martin J Chalker


Jan 2018.