Data Protection Policy Version [V1] March 2024  Policy adopted from Charlotte’s Forest School

Data Protection Policy

1. Overview

1.1 The goal of the data protection policy is to depict the legal data protection aspects in one summarising document. It can also be used as the basis for statutory data protection inspections, e.g. by the customer within the scope of commissioned processing. This is not only to ensure compliance with the European General Data Protection Regulation (GDPR) but also to provide proof of compliance.

1.2 The General Data Protection Regulation (GDPR) is a regulation that requires any business that processes data belonging to UK & EU citizens to protect it and not misuse it. As a responsible business, Nature of Learning Forest School aims to robustly implement the requirements of the GDPR. Part of meeting the obligations of the GDPR is the production and implementation of this policy.

1.3 Nature of Learning Forest School is committed to the rules of data protection and to abiding by eight data protection principles. These are the principles that must be satisfied when obtaining, handling, processing, moving and storing personal data.

1.4 As an ITC First approved training centre, Nature of Learning Forest School must collect and process information as required by ITC First awarding body and its regulators. Nature of Learning Forest School is therefore considered the Data Processor and its course candidates and employees the Data Subjects.

2. The 8 Data Protection Principles

a) Data must be obtained and processed fairly and lawfully.
b) Data must be obtained for a specified and lawful purpose.
c) Data must be adequate, relevant and not excessive for its collection purpose.
d) Data must be accurate and kept up to date.
e) Data must not be kept for longer than is necessary for its purpose.
f) Data must be processed in accordance with the Data Subject’s rights.
g) Data must be kept safe from unauthorised access, accidental loss or destruction.
h) Data must not be transferred to a country outside the European Economic Area.


3. Data Subjects’ Rights

3.1 Under the GDPR individuals have rights associated with their data, described below:

a) The right to be informed
b) The right of access
c) The right to rectification
d) The right to erasure
e) The right to restrict processing
f) The right to data portability
g) The right to object
h) Rights in relation to automated decision making and profiling

3.2 Children’s Personal Data

For the purposes of this policy a child is classed as a young person under the age of 16. Children must have parental (or an individual in loco parentis) consent for ITC First to collect and process their data. ITC will maintain evidence of consent using our learner registration process.

4. Data Collection

4.1 Nature of Learning Forest School acts on behalf of ITC First by gathering and submitting learner data securely via the ITC website and/or registered post. Nature of Learning Forest School has a legally binding Centre Agreement, which confirms that Nature of Learning Forest School publishes and implements a Data Protection Policy (this document).


4.2 Nature of Learning Forest School collects data as part of the booking and registration process required for qualification delivery. Nature of Learning Forest School also collects and retains data as part of its administrative tasks.

4.3 When individuals provide their data to Nature of Learning Forest School, the data is submitted to ITC First and is used to:

a) Attribute qualification credit to learners
b) Produce commemorative certificates
c) Produce CPD certificates
d) Receive information pertinent to qualifications
e) Enable ITC to contact you at your request (depending on when your data is provided and in which specific context or interaction with ITC First)
f) Monitor ITC First qualifications to ensure equality and inclusivity

4.4 Learners’ data will only be used for the legitimate purposes described above. Any changes to the ways in which learner data is used will be communicated to those individuals affected.

5. Data Storage

Nature of Learning Forest School will ensure that:

a) Data is held securely, for example on password-protected computers, in locked cabinets/drawers, or encrypted, and computers have virus/data protection software appropriate to the business.
b) Course registrations (which include name, address, contact details, ethnicity and signature) are removed from the sight and access of other course candidates immediately after completion.
c) Data is not disclosed or shared verbally or in writing to any unauthorised party.
d) Nature of Learning Forest School will download course candidate data to their part of the ITC website and promptly submit all documentation to ITC First. Data submitted will only be viewable via the individual unique user log on and password of Nature of Learning Forest School and ITC First.
e) Nature of Learning Forest School will not share their log on and passwords with any unauthorised individuals or companies.

6. Data Retention

a) Nature of Learning Forest School will retain any data in accordance with ITC retention periods, currently 5 years.
b) Nature of Learning Forest School will review its necessity to retain data once it has been submitted and accepted by ITC First.

7. Data Destruction

a) Nature of Learning Forest School will ensure it destroys data in a confidential manner, i.e. shredding of paper documents, deletion/pseudonymisation of digital records from computer systems.
b) Nature of Learning Forest School will ensure it does not retain data longer than is required for the purpose of the qualification.

8. Subject Access

8.1 Any party who has provided personal data to Nature of Learning Forest School has the right to request what information is stored and its content.

8.2 Access requests may be made in writing by letter or email to the Nature of Learning Forest School Director, who will discuss the request with the data subject.

8.3 Data will be provided in accordance with the subject’s Rights of Access under the GDPR.

9. Breaches of Data Protection

a) Breaches or suspected breaches should be reported to Sarah Allington who will make the necessary investigations and provide a response to the informant within 3 weeks of receipt.
b) Breaches may also be raised with ITC First by contacting their office either via email, telephone or in writing.