1. It is the policy of MEH to take all necessary steps to ensure that personal data held by the institution about its employees, students, suppliers and all other individuals is processed fairly and lawfully.
    The institution will take all reasonable steps to implement this policy.
  2. It is the policy of MEH to ensure that all relevant statutory requirements are complied with and that internal procedure is monitored periodically to ensure compliance.
  3. MEH will implement and comply with the eight Data Protection Principles contained in the Data Protection Act 1998 (“the Act”) which promotes good conduct in relation to processing personal information.
    These principles are:
    • Personal data shall be processed fairly and lawfully.
    • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
    • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
    • Personal data shall be accurate and, where necessary, kept up to date.
    • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
    • Personal data shall be processed in accordance with the rights of data subjects under the Act.
    • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction or, damage to, personal data.
    • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
  1. The attention of all staff is drawn to the data protection rules and procedures laid down by the institution from time to time.
    Staffs have a duty to follow these rules and procedures and to co- operate with the institution to ensure this policy is effective.
    Disciplinary action may be taken against any member of staff who fails to comply with these rules and procedures.
  2. MEH has a responsibility to ensure that personal data dealt with in the course of its business is handled in accordance with statutory requirements and reasonable steps will be taken by all concerned to ensure this duty is effective.
  3. MEH will consult with staff periodically to ascertain what measures should be taken to increase awareness of data protection issues and to ensure that all necessary measures are taken to make this policy effective.
  4. MEH will take such measures as may be necessary to ensure the proper training, supervision and instruction of all relevant staff in matters pertaining to data protection and to provide any necessary information.
  5. MEH will monitor on an on-going basis compliance with the provisions of the Act by third party processors of the institution’s data.
  6. The person having overall responsibility for data protection will be the Principal.
    l have delegated responsibility for the following areas:-
    Staff records – Principal
    Student records – Vice Principal
    Supplier/Consultant records – Director of Operations
    Customer records – Office Manager
  7. Each member of staff will have immediate responsibility for data protection matters in his/her own area of work.
    Any queries should be raised with the relevant member of staff in 9 above.
  8. MEH will periodically review data security arrangements, monitor the risk of exposure to major threats to data security, review and monitor security incidents, and establish and implement initiatives to enhance data security.






  1. Data protection is a responsibility shared by all staff of the institution. Staff must familiarise themselves with and observe at all times these Rules and Procedures relating to data protection, the Data Protection Policy Statement and any additional instructions which may be issued from time to time.
  2. The person having overall responsibility for data protection within the institution is the Principal.
    A team of colleagues will have delegated responsibility customer, bursar, student, and staff records, based within the Astrum Group.
  3. Each member of staff will have responsibility for data protection matters in his/her own immediate area of work, but in addition, many employee doing their normal duties may be required to process personal data within the meaning of the DPA 1998; for example, information about customers, suppliers or fellow staff members.
  4. Staff who have any questions, comments or suggestions in relation to data protection should contact the relevant member of staff outlined above.




  1. Over and above the information for which MEH has obtained the individuals consent to hold/process and for which the Data Protection Registrar has confirmed the consent to hold/process, there may be occasions when additional information about an individual needs to be held/processed.
    In such instances, the institution is required to obtain the consent of the individual to hold/process this additional information about him/her.
    Staff will be advised when such consent is required and how such consent should be obtained.
    If you are in any doubt about whether consent is required from an individual, you should contact the relevant officer detailed in 2.
    Remember that an ‘individual’ could be a student, a colleague, customer, supplier or other third party with whom you have dealings.
  2. When additional consent is required, the individual concerned will be provided with the following:- the purpose or purposes for which the data is intended to be held/processed and the identity of the party to whom the information may be given.
  3. Personal data should only be used for the purpose or purposes advised to the individual and not for any ancillary purpose.
    For example, if an individual such as a supplier or customer was informed that his/her data would only be used for marketing purposes, then such data cannot be used for any purpose other than marketing.
    The purposes for which data is held are detailed in the Rules and Procedures document.
  4. Personal data held about an individual should be adequate, relevant and not excessive in relation to the purpose or purposes for which it is held.
    All opinions and/or statements of fact recorded about the individual must be accurate and relevant to the purpose or purposes for which the personal data is held.
  5. Personal data held about an individual must be kept up-to-date and accurate, and all staff are required to notify the Academic Administrator of changes in their circumstances so that accurate, up-to-date records can be maintained.
    Students are required to notify their personal tutor and the Director of Studies of any changes.
  6. If the individual staff member or student, as the case may be, withholds his/her consent or if his/her consent is not provided, then immediate reference should be made to the Principal for instruction.




  1. All personal data held by the institution is to be treated as strictly confidential.
  2. Personal data must not be disclosed to anyone outside theinstitution unless the individual concerned has consented to such disclosure, or the Principal has given you a specific instruction to do so.
  3. Personal data must not be disclosed to any unauthorised employees.
    The Principal will establish and control personal data access.
  4. User passwords will be issued to relevant employees who deal with computerised personal data.
    Such user passwords are not to be disclosed to any third party or unauthorised employee.
  5. Individuals will have a right, on written request, to obtain a copy of such personal data relating to him/her held by the institution as is required under the Data Protection Act 1998.
    All requests by individuals for information about personal data the institution holds about them must  be referred, immediately on receipt, to the relevant officer identified in 1.2 of this document who will co-ordinate the response to the relevant individual.
    The institution reserves the right to charge a fee for this service.
    The Principal will determine the level of fee to be charged.
  6. All security breaches, or suspected security breaches,  relating to unauthorised access to or disclosure of personal data must be reported immediately to the Principal.
    Disciplinary action may be taken against any employee who fails to comply with the above rules and procedures.