Data Protection Policy
1. Purpose
YouLearnt is committed to protecting personal data and respecting the privacy rights of individuals whose information we process.
This Policy sets out the principles, responsibilities, and procedures that govern the collection, use, storage, disclosure, transfer, retention, protection, and deletion of personal data across YouLearnt’s services and operations.
This Policy supports compliance with the UK General Data Protection Regulation, the Data Protection Act 2018, and applicable guidance issued by the Information Commissioner’s Office. Where more detailed, external, or user-facing information is required, YouLearnt will refer individuals to its Privacy Policy, and where security controls are relevant, to its Security page.
2. Scope
This Policy applies to:
- All employees, contractors, consultants, and temporary workers.
- All systems, applications, platforms, services, and business processes operated by or on behalf of YouLearnt.
- All personal data processed by YouLearnt, whether stored electronically or in physical form.
- All third parties and service providers that process personal data on behalf of YouLearnt.
3. Definitions
For the purposes of this Policy:
Personal Data means any information relating to an identified or identifiable natural person.
Processing means any operation performed on personal data, including collection, recording, storage, use, disclosure, transfer, deletion, or destruction.
Data Subject means an individual whose personal data is processed by YouLearnt.
Personal Data Breach means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data.
Controller, Processor, Joint Controller, and other capitalised terms have the meanings given to them under applicable data protection law.
4. Data Protection Principles
YouLearnt processes personal data in accordance with the following principles:
- Lawfulness, fairness, and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality.
- Accountability.
YouLearnt shall maintain appropriate evidence of compliance with these principles where required.
5. Roles and Responsibilities
YouLearnt shall assign responsibility for data protection compliance to appropriate individuals or roles.
Responsibilities may include:
- Maintaining and updating this Policy.
- Overseeing privacy governance and compliance.
- Supporting responses to data subject rights requests.
- Reviewing Data Protection Impact Assessments (DPIAs) where required.
- Managing processor oversight and contractual safeguards.
- Coordinating breach response and notification.
- Ensuring staff receive appropriate privacy and security training.
Where applicable, YouLearnt shall identify a Data Protection Officer, privacy lead, or other responsible person in its Privacy Policy or internal governance records.
6. Lawful Basis for Processing
Personal data shall only be processed where a valid lawful basis exists under UK GDPR.
Depending on the activity, lawful bases may include:
- Consent.
- Performance of a contract.
- Compliance with a legal obligation.
- Protection of vital interests.
- Performance of a task carried out in the public interest.
- Legitimate interests pursued by YouLearnt or a third party.
YouLearnt shall record lawful basis determinations where required and review them when processing purposes change.
7. Privacy Information
YouLearnt shall provide privacy information to individuals in a clear, concise, transparent, intelligible, and easily accessible form.
The public-facing Privacy Policy shall normally explain:
- What personal data is collected.
- Why it is collected and used.
- The lawful basis relied upon.
- Whether data is obtained directly or indirectly.
- Categories of recipients.
- International transfers.
- Retention periods.
- Data subject rights.
- How to contact YouLearnt.
Where appropriate, YouLearnt may provide privacy information through layered notices, just-in-time notices, account-based notices, or other suitable methods.
8. Data Subject Rights
YouLearnt respects and supports the rights of data subjects, including:
- Right to be informed.
- Right of access.
- Right to rectification.
- Right to erasure.
- Right to restrict processing.
- Right to data portability.
- Right to object.
- Rights relating to automated decision-making and profiling.
Requests relating to these rights shall be handled without undue delay and within applicable statutory timeframes. Requests shall be verified, recorded, assessed, and resolved in accordance with internal procedures.
9. Privacy by Design and Default
Data protection considerations shall be embedded into products, services, systems, and business processes from the earliest stages of design and development.
YouLearnt shall ensure that, by default, only personal data necessary for a specific purpose is processed.
10. Data Protection Impact Assessments
A Data Protection Impact Assessment shall be conducted where processing is likely to result in a high risk to the rights and freedoms of individuals.
DPIAs shall be reviewed periodically and updated whenever significant changes occur in the relevant processing activities. Where a DPIA identifies residual high risk that cannot be mitigated, YouLearnt shall consider whether consultation with the Information Commissioner’s Office is required.
11. Security of Personal Data
YouLearnt shall implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, destruction, or loss.
Security measures may include:
- Access controls.
- Authentication mechanisms.
- Encryption where appropriate.
- Logging and monitoring.
- Vulnerability management.
- Secure development practices.
- Incident management processes.
- Backup and recovery controls.
- Staff security awareness training.
Further information about security controls may be set out in YouLearnt’s Security page and related internal security standards.
12. Third Party Processors
Where third parties process personal data on behalf of YouLearnt:
- Appropriate due diligence shall be performed.
- Written agreements shall be established.
- Data Processing Agreements shall be maintained where required.
- Processors shall be required to implement appropriate security measures.
- Sub-processing arrangements shall be controlled where applicable.
- Ongoing oversight shall be maintained where appropriate.
The Data Processing Agreement shall reflect the parties’ obligations regarding processing instructions, confidentiality, security, breach notification, assistance with rights requests, audit rights, deletion or return of data, and international transfers where applicable.
13. International Data Transfers
Where personal data is transferred outside the United Kingdom, YouLearnt shall ensure that appropriate safeguards are implemented in accordance with UK GDPR requirements.
Such safeguards may include:
- UK adequacy regulations.
- International Data Transfer Agreements.
- Standard Contractual Clauses where applicable.
- Other legally recognised transfer mechanisms.
Transfer risk assessments may be conducted where required.
14. Data Retention and Disposal
Personal data shall be retained only for as long as necessary to fulfil legitimate business, contractual, legal, regulatory, or operational requirements.
When retention is no longer necessary, personal data shall be securely deleted, anonymised, or destroyed.
Retention schedules and supporting procedures may be maintained separately.
15. Training and Awareness
All personnel with access to personal data shall receive appropriate privacy and security awareness training.
Training shall be provided upon onboarding and periodically thereafter, with additional training provided where roles, systems, or legal obligations change.
16. Records of Processing Activities
Where required by applicable law, YouLearnt shall maintain records of processing activities that include:
- Processing purposes.
- Categories of data subjects.
- Categories of personal data.
- Categories of recipients.
- International transfers.
- Retention periods.
- Security measures.
17. Monitoring and Compliance
Compliance with this Policy shall be monitored through periodic reviews, audits, risk assessments, and management oversight activities.
Corrective actions shall be implemented where deficiencies are identified. Material issues shall be escalated to appropriate management.
18. Policy Review
This Policy shall be reviewed periodically and updated whenever legal, regulatory, operational, or technological changes require revision.
Material changes may be reflected in YouLearnt’s public Privacy Policy, Security page, the DPA, or internal procedures as appropriate.
19. Contact
For any questions regarding this Data Protection Policy, please reach out via the contact page.
Personal Data Breach Notification Policy
20. Purpose
The purpose of this section is to ensure that personal data breaches are identified, assessed, managed, documented, and reported in accordance with UK GDPR and ICO requirements.
21. Reporting of Suspected Breaches
All employees, contractors, and service providers must immediately report any actual, suspected, or potential personal data breach upon discovery.
Reports shall be escalated through established incident management channels without delay.
22. Initial Assessment
Upon becoming aware of a potential breach, YouLearnt shall conduct an initial assessment to determine:
- The nature of the incident.
- The categories of personal data involved.
- The number of affected individuals.
- The likely consequences.
- The severity of the risk to individuals.
- Whether the incident involves a processor, sub-processor, or third-party service.
23. Investigation
All personal data breaches shall be investigated to determine:
- Root cause.
- Scope of impact.
- Data affected.
- Individuals affected.
- Remediation requirements.
- Whether the breach is ongoing.
- Whether evidence preservation is required.
Appropriate evidence shall be preserved throughout the investigation process.
24. Notification to the Information Commissioner’s Office
Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, YouLearnt shall notify the Information Commissioner’s Office without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.
Where notification is made after 72 hours, reasons for the delay shall be documented.
Notifications shall include, where available:
- Description of the breach.
- Categories and approximate number of affected individuals.
- Categories and approximate number of personal data records concerned.
- Name and contact details of the Data Protection Officer or other contact point.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach.
Where all information is not yet available, YouLearnt shall provide the available information and supplement it as soon as practicable.
25. Notification to Affected Individuals
Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, affected individuals shall be informed without undue delay.
Communications shall include:
- Nature of the breach.
- Likely consequences.
- Measures taken by YouLearnt.
- Recommended actions individuals may take.
- Contact information for further assistance.
Notification to individuals may be delayed or withheld only where a lawful exception applies.
26. Breach Register
YouLearnt shall maintain a Personal Data Breach Register.
The register shall include:
- Date and time of discovery.
- Description of the incident.
- Categories of data involved.
- Risk assessment outcome.
- Notification decisions.
- Remedial actions taken.
- Closure date.
All personal data breaches shall be recorded, regardless of whether notification is required.
27. Corrective and Preventive Actions
Following each breach, appropriate corrective and preventive measures shall be implemented to reduce the likelihood of recurrence.
Policies, procedures, technical controls, and training programmes shall be updated where necessary.
28. Post Incident Review
A post-incident review shall be conducted for significant breaches to evaluate response effectiveness, identify lessons learned, and strengthen future resilience.
29. Processor Breaches
Where a breach occurs at a processor or sub-processor, the relevant third party must notify YouLearnt without undue delay in accordance with the applicable DPA and incident reporting requirements.
YouLearnt shall assess the incident promptly and determine whether notification to the ICO and affected individuals is required.