Data Protection & GDPR Policy 

Data Protection Policy and GDPR


During the course of our activities Godolphin Flying Start will process personal data (which may be held on paper, electronically, or otherwise) about our trainees and we recognise the need to treat it in an appropriate and lawful manner, in accordance with the Data Protection Act 1998 (DPA) and the General Data Protection Regulation 2018 (GDPR). The purpose of this policy is to make you aware of how we will handle your personal data.

  1. Data protection principles
    • We will comply with the eight data protection principles in the DPA, which say that personal data must be:
      • Processed fairly and lawfully.
      • Processed for limited purposes and in an appropriate way.
      • Adequate, relevant and not excessive for the purpose.
      • Not kept longer than necessary for the purpose.
      • Processed in line with individuals’ rights.
      • Not transferred to people or organisations situated in countries without adequate protection.
    • As part of GDPR the programme has developed an inventory of all personal data it holds as follows


  • Why is it being held?
  • How was it obtained?
  • Why was it obtained?
  • How long will it be retained?
  • How secure is it?
  • Is it ever shared with third parties and, if so, why?


Rights individuals enjoy under current data protection legislation (Data Protection Acts 1988 and 2003) will remain but with significant enhancements.  These include:


  • Right of access to the data
  • Right to have inaccuracies corrected
  • Right to have information erased when statutory retention period has expired
  • Right to object to direct marketing
  • Right to restrict the processing of information (including automated decision making)
  • Right to data portability


  • “Personal data” means recorded information we hold about you from which you can be identified. Most of this data has been created and collected from trainees through the candidate application or registration process. It may include contact details, other personal information, photographs, expressions of opinion about you or indications as to our intentions about you. “Processing” means doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.
  1. Fair and lawful processing
    • We will usually only process your personal data where you have given your consent or where the processing is necessary to comply with our legal obligations. In other cases, processing may be necessary for the protection of your vital interests, for our legitimate interests or the legitimate interests of others. The full list of conditions is set out in the DPA.
    • We will only process “sensitive personal data” about ethnic origin, political opinions, religious or similar beliefs, trade union membership, health, sex life, criminal proceedings or convictions, where a further condition is also met. Usually this will mean that you have given your explicit consent, or that the processing is legally required for employment purposes. The full list of conditions is set out in the DPA.
  2. How we are likely to use or share your personal data
    • We will process data about trainees for legal, personnel, administrative and management purposes and to enable us to meet our obligations as a training provider, for example to pay you, monitor your performance and to confer benefits in connection with your training.
    • We may process sensitive personal data relating to trainees including, as appropriate:
      • information about a trainee’s physical or mental health or condition in order to monitor sick leave and take decisions as to the trainee’s fitness;
      • the trainee’s racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation;
      • in order to comply with legal requirements and obligations to third parties including health insurance providers, immigration agents and accrediting universities
  1. Processing for limited purposes

We will only process your personal data for the specific purpose or purposes notified to you or for any other purposes specifically permitted by the DPA.



  1. Adequate, relevant and non-excessive processing

Your personal data will only be processed to the extent that it is necessary for the specific purposes notified to you.

  1. Accurate data

We will keep the personal data we store about you accurate and up to date. Data that is inaccurate or out of date will be destroyed. Please notify us if your personal details change or if you become aware of any inaccuracies in the personal data we hold about you.

  1. Data retention and disposal

We will not keep your personal data for longer than is necessary for the purpose. This means that data will be destroyed or erased from our systems when it is no longer required or after 7 years.

  1. Processing in line with your rights

You have the right to:

  • Request access to any personal data we hold about you.
  • Prevent the processing of your data for direct-marketing purposes.
  • Ask to have inaccurate data held about you amended.
  • Prevent processing that is likely to cause unwarranted substantial damage or distress to you or anyone else.
  • Object to any decision that significantly affects you being taken solely by a computer or other automated process.
  1. Data Storage and Security
    • We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
    • We have in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself.
    • Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data whether stored electronically or physically.



  1. Providing information to third parties

We will not disclose your personal data to a third party without your consent unless we are satisfied that they are legally entitled to the data. Where we do disclose your personal data to a third party, we will have regard to the eight data protection principles.

  1. Subject access requests

If you wish to know what personal data we hold about you, you must make the request in writing, with an accompanying fee of £10. All such written requests should be forwarded to the programme management.

  1. Breaches of this policy

If you consider that this policy has not been followed in respect of personal data about yourself or others you should raise the matter with the programme management. Any breach of this policy will be taken seriously and may result in disciplinary action.