Data Protection Policy
DATA PROTECTION POLICY
Access Law Online Ltd
1. Introduction and purpose
This policy sets out how Access Law Online Ltd (“Access Law”) complies with data protection law when it collects and processes personal data. The law that applies is the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”), which together govern how organisations must handle personal data and set out the rights of individuals. The Information Commissioner’s Office (ICO) is the UK’s supervisory authority for data protection.
Access Law processes personal data in order to run its business and to provide its services to students, apprentices and employers. We keep records about our students, staff (including employees and temporary workers), and contractors so that we can meet our statutory, regulatory and audit obligations and operate effectively. Access Law is registered with the ICO as a data controller.
2. Scope
This policy applies to all personal data processed by Access Law, whether held electronically or on paper, and to all staff, students, apprentices, contractors and other individuals whose data we hold. It covers data collected at every stage, including at enquiry and application, not only once a person has enrolled.
3. Your rights
Under the UK GDPR you have the right to:
● be informed about how your personal data is used (through our privacy notices);
● access a copy of your personal data (a subject access request — see Appendix One);
● have inaccurate personal data corrected (rectification);
● have your personal data erased in certain circumstances (subject to the public-interest and other applicable tests);
● restrict or object to processing, including objecting to direct marketing;
● data portability where applicable; and
● not be subject to solely automated decision-making with significant effects.
You also have the right to lodge a complaint with the ICO at https://ico.org.uk/concerns/.
Where you exercise your right to erasure, we will retain a core set of personal data about past students (name, subject(s), record of learning and achievement and award details, your unique Access Law identification number and date of birth) so that we do not contact you inadvertently in future while preserving our record of your academic achievements. We may also retain certain financial records for statutory purposes (for example anti-fraud and accounting). We apply the relevant statutory tests when considering any erasure request.
4. Definitions
Personal data
Personal data means any information relating to an identified or identifiable living individual. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their identity. It includes opinions about the individual and indications of the data controller’s intentions in respect of them.
Special category data
Special category data (referred to in older documents as “sensitive personal data”) is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, or data concerning a person’s sex life or sexual orientation. Personal data relating to criminal convictions and offences is subject to separate, additional safeguards. Pseudonymised data can still be personal data where the individual can be re-identified.
These categories are drawn broadly: for example, the fact that someone has a broken leg is data concerning health. We record any agreement to include special category data in our records of conversations with students.
5. Data Protection Officer
Access Law’s Data Protection Officer (DPO) is Louise Ainley, Principal. The DPO is responsible for:
● informing and advising the organisation and its staff about their obligations under the UK GDPR, the DPA 2018 and other relevant law;
● monitoring compliance, including managing internal data protection activity, advising on data protection impact assessments, training staff and conducting internal audits; and
● acting as the first point of contact for the ICO and for individuals whose data we process.
Access Law ensures the DPO has adequate resources to meet these obligations and can perform the role without being penalised for doing so. The DPO can be contacted at louise.ainley@alo-email.com.
6. Lawful basis and consent
Access Law’s lawful basis for processing is usually that the processing is necessary for the performance of a contract with the individual (or to take steps to enter into a contract), and/or that the individual has given consent. Where we rely on consent, it must be freely given, specific, informed and unambiguous, given by a clear affirmative act (a positive opt-in). Consent cannot be inferred from silence, pre-ticked boxes or inactivity, must be separate from other terms and conditions, and can be withdrawn at any time as easily as it was given.
Where we process special category data, we do so only where an additional condition under Article 9 of the UK GDPR and the DPA 2018 applies — for example, where processing is necessary for the purposes of occupational medicine or assessing working capacity, the provision of health or social care, or for archiving, research or statistical purposes in the public interest, in each case with appropriate safeguards.
7. Data protection principles
As data controller, Access Law is responsible for, and able to demonstrate compliance with, the principles that personal data shall be:
● processed lawfully, fairly and in a transparent manner — we have a lawful basis, do not use data in ways that have unjustified adverse effects, are transparent and provide privacy notices when collecting data, and handle data only in ways individuals would reasonably expect;
● collected for specified, explicit and legitimate purposes and not further processed in an incompatible manner (further processing for archiving, research or statistical purposes in the public interest is not treated as incompatible);
● adequate, relevant and limited to what is necessary — we identify and hold the minimum personal data needed for our purpose;
● accurate and, where necessary, kept up to date — inaccurate data is erased or rectified without delay;
● kept in a form that permits identification for no longer than necessary (longer retention is permitted only for archiving, research or statistical purposes in the public interest with appropriate safeguards); and
● processed securely, using appropriate technical and organisational measures against unauthorised or unlawful processing and accidental loss, destruction or damage.
Access Law is accountable for compliance with these principles and retains records to demonstrate it.
8. Information security
Security is central to keeping information confidential. Access Law takes steps to hold all information securely, both physically and electronically. Appendix Three sets out our security procedures and Appendix Four sets out the procedure for handling any personal data breach.
9. Retention
Access Law retains personal data in accordance with its Records Management Policy. Retention periods reflect statutory, regulatory and audit requirements, including the evidence-retention requirements of Qualifications Scotland for assessment and certification records (for regulated qualifications, assessment records are retained for six years, and for longer where an appeal or malpractice case remains live).
10. Data sharing
There are two types of data sharing: systematic (routine or pooled sharing) and exceptional (one-off sharing, which may be needed in an emergency). Before sharing, we consider what the sharing is meant to achieve, what information needs to be shared, who needs access (on a need-to-know basis), when and how it should be shared securely, the risks involved, whether the objective could be met without sharing or by anonymising the data, and whether any transfer outside the United Kingdom is involved.
Routine data sharing
Personal data is shared routinely with Qualifications Scotland (the UK awarding and accreditation body that replaced the Scottish Qualifications Authority (SQA) in December 2025) and with the Council for Licensed Conveyancers (CLC). When students register with us they are informed of this sharing. Where data is shared routinely with other organisations, a data sharing agreement is put in place.
A data sharing agreement documents at least: the purpose(s) of sharing; the recipients and the circumstances of access; the data to be shared; data quality; data security; retention; individuals’ rights and how access requests, queries and complaints are handled; review and termination; and sanctions for non-compliance.
International transfers
Where personal data is transferred outside the United Kingdom — for example where a supplier or processor stores or processes data outside the UK — Access Law ensures that an appropriate transfer mechanism or safeguard required by the UK GDPR is in place before the transfer takes place. Access Law maintains a record of its processors and the transfer mechanism relied on for each, and will not transfer personal data outside the UK without such a safeguard.
Exceptional data sharing
Access Law shares information to safeguard individuals in line with recognised safeguarding guidance, including its obligations under the Prevent duty (Counter-Terrorism and Security Act 2015). Information is shared with the right people at the right time to prevent death or serious harm, coordinate responses, enable early intervention, prevent abuse, support good safeguarding practice, and help individuals access appropriate support.
11. Cookies
When you use the Access Law website, small files known as “cookies” may be stored on your device. Where cookies are not strictly necessary for the operation of the site, we ask for your consent before setting them, in line with the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR standard of consent, and you can refuse non-essential cookies as easily as you can accept them. You can manage or refuse non-essential cookies through our cookie controls or your browser. Registered students will need to allow strictly necessary, per-session cookies to access password-protected areas. The cookies section of our Privacy Policy sets out the categories of cookies we use and how to manage them.
12. Contact and complaints
If you have any query or concern about how your personal data is handled, please contact the Data Protection Officer, Louise Ainley, at louise.ainley@alo-email.com.
If you remain dissatisfied, you have the right to complain to the ICO. There is no charge. The ICO’s contact details are: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; telephone 0303 123 1113; https://ico.org.uk/concerns/.
13. Review
This policy is reviewed annually, or sooner if the law or guidance changes. It should be read with the Records Management Policy and the Privacy Policy and Privacy Notice for Students. The Subject Access Request procedure (Appendix One) and the Personal Data Breach / Incident Response procedure (Appendix Four) form part of this policy and are Access Law’s authoritative procedures for those matters — they are not maintained as separate documents.
Date: 15 June 2026
Appendix One — Subject Access Request (SAR) Procedure
This appendix is Access Law’s Subject Access Request procedure. It is the authoritative procedure for handling SARs and does not exist as a separate document.
An individual (the data subject) has the right to obtain confirmation of whether we process their personal data and, if so, a copy of that data and certain supplementary information. The steps below set out how Access Law handles a request.
Step 1 — Recognise and record Any member of staff who receives a request for personal data — in writing, by email or verbally — passes it to the Data Protection Officer (DPO) immediately. All staff are trained to recognise a SAR. The DPO logs the request in the SAR log, recording the date received, the requester, and a reference number. The one-month response clock starts on the day the request is received.
Step 2 — Verify identity Before disclosing anything, the DPO verifies the requester’s identity using the identity-validation checks appropriate to a prospective, current or past student, an approved third party, or a current or former member of staff. Where a third party makes the request on someone’s behalf, the DPO confirms they have the authority to act.
Step 3 — Clarify if needed Where a request is unclear or very wide, the DPO may ask the requester to clarify what they are looking for. The response clock pauses until the clarification is received. Any clarification is noted in the SAR log.
Step 4 — Locate the information The DPO coordinates the search and may ask the relevant Information Champions to search the records in their area and provide the information. The individual is entitled to confirmation that we process their data, a copy of it, a description of the data and the reasons for processing, the recipients, and the source of the data where known.
Step 5 — Apply exemptions and check third-party data The DPO decides what must be disclosed, applies any exemptions (taking legal advice where needed), and handles any third-party data in line with Appendix Two. A full audit trail of the decisions and exemptions applied is kept.
Step 6 — Respond Access Law responds without undue delay and within one month of receipt. This may be extended by up to two further months where the request is complex or numerous, in which case the DPO informs the requester within the first month and explains why. No fee is charged unless the request is manifestly unfounded or excessive.
Step 7 — Close and retain When the response is sent, the DPO updates the SAR log with the date sent and retains a copy of the information supplied.
Manifestly unfounded or excessive requests
Where a request is manifestly unfounded or excessive, including because it is repetitive, Access Law may charge a reasonable fee or refuse to act, explaining why and informing the requester of their right to complain to the ICO. Legal advice is sought before any refusal.
Examination scripts and marks
Information comprising the answers given by a candidate in an examination is exempt from the right of subject access. The exemption does not extend to examiners’ comments or to the marks awarded; where a SAR for such information is made before results are announced, a response is provided within the earlier of five months of the request and 40 days of the announcement of results. We would not refuse details of examination marks because tuition fees were unpaid.
Appendix Two — Third party data
Access Law does not have to comply with a SAR if doing so would disclose information about another identifiable individual, except where that individual has consented or it is reasonable in all the circumstances to comply without consent. We balance the requester’s right of access against the third party’s rights, considering any duty of confidence, steps taken to seek consent, the third party’s capacity to consent, and any express refusal. Where possible we provide the requested information with third-party details redacted. Unlawfully obtaining or disclosing personal data is an offence under section 170 of the DPA 2018.
Appendix Three — Information security
Access Law applies physical and technical security measures, including controlled building access, ID cards, intruder alarms, CCTV, visitor management, document classification and secure storage, strong unique passwords, locking of unattended devices, need-to-know access, secure email practice, and a document retention and destruction process. Staff are accountable for activity under their user ID. The Remote Working Policy provides further detail on laptops, mobile devices and removable media.
Appendix Four — Personal Data Breach / Incident Response Procedure
This appendix is Access Law’s personal data breach and incident response procedure. It is the authoritative procedure for handling personal data breaches and does not exist as a separate document.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include data sent to the wrong person, lost or stolen devices or paper records, data destroyed in error, and unauthorised access to systems. The steps below apply from the moment any breach is suspected.
Step 1 — Report immediately Any member of staff who becomes aware of, or suspects, a personal data breach reports it to the Data Protection Officer (DPO) without delay. The breach is logged in the Information Security Breach Log. If the breach appears serious (likely to result in a risk to individuals) and the DPO cannot be reached at once, the report is escalated to the Principal or another member of the senior leadership team.
Step 2 — Contain The immediate priority is to contain the breach and limit the damage — for example by recovering lost data, disabling access, or stopping the activity causing the breach. Containment actions are documented as they are taken.
Step 3 — Assess the risk The DPO assesses the nature and severity of the breach: what data and how many individuals are involved, how sensitive the data is, what harm could result, whether the data was encrypted, and whether any third parties (other controllers or processors) are involved. This assessment determines whether the breach is notifiable.
Step 4 — Notify the ICO (within 72 hours) Where the breach is likely to result in a risk to individuals’ rights and freedoms, the DPO notifies the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of Access Law becoming aware of it. Where full information is not yet available, it is provided in phases. If the breach is not notifiable, the DPO records the reasons for that decision.
Step 5 — Notify affected individuals Where the breach is likely to result in a high risk to individuals, the DPO notifies those individuals directly and without undue delay, in clear plain English, including the nature of the breach, the DPO’s contact details, the likely consequences, and the steps taken or recommended (for example resetting passwords). The method of contact is chosen to reach the individuals effectively.
Step 6 — Record and review All facts, decisions and actions relating to the breach are documented and retained in the Data Protection File for six years, so that the ICO can see that the breach was handled properly. The breach and the lessons learned are reported to the Senior Leadership Team at its next available meeting, and any changes needed to prevent recurrence are actioned.
Appendix Five — Records held
Access Law holds, among other things, the following categories of personal data:
● Students (including alumni): contact details; application forms; award information; complaints data; equality and diversity information; information provided by third parties; mitigating circumstances documents; academic misconduct information.
● Staff (including former staff): job application documents and references; next of kin / emergency contacts; payroll and tax information; absence and sickness records; medical and health information; performance and probation records; promotion or transfer records; training and development records; disciplinary records; record of service; health and safety and accident records; contact, payment, passport and financial details.