Data protection policy for JBSEEL

Cambridge Judge Business School Executive Education

JBS Executive Education Limited (“JBSEEL”) is a wholly owned subsidiary of the University of Cambridge (company number 5908393). It designs, develops and delivers executive education from Cambridge Judge Business School at the University of Cambridge.

JBSEEL is committed to protecting and respecting individuals’ privacy in compliance with data protection legislation.

Purpose and scope

  1. The purpose of this policy is to ensure compliance with the UK GDPR (‘data protection law’). Data protection law applies to the storing or handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’).
  2. This policy applies to JBSEEL (‘data controller’). It does not apply to the University of Cambridge, Cambridge Assessment, Cambridge University Press, Colleges or other associated trusts or subsidiary companies of the University, which are separate legal entities and data controllers.
  3. This policy applies to all staff except when acting in a private or non-JBSEEL capacity. In this policy, the term ‘staff’ means anyone working in any context within JBSEEL at whatever level or whether permanent, fixed term or temporary, including but not limited to employees, workers, trainees, interns, seconded staff, agency staff, agents and volunteers.
  4. This policy is not, and should not be confused with, a privacy notice (a statement informing data subjects how their personal data is used by JBSEEL).
  5. This policy should be read in conjunction with the obligations in the following documents, which supplement this policy where applicable:
    1. Staff employment contracts and comparable documents (eg worker agreements), which impose confidentiality obligations in respect of information held by JBSEEL;
    2. Information security policies, procedures and terms and conditions, which concern the confidentiality, integrity and availability of JBSEEL information, and which include rules about acceptable use, breach reporting, IT monitoring, and the use of personal mobile devices;
    3. Records management policies and guidance, which govern the appropriate retention and destruction of JBSEEL information;
    4. Any other contractual obligations on JBSEEL or individual staff which impose confidentiality or data management obligations in respect of information held by JBSEEL, which may at times exceed the obligations of this and/or other policies in specific ways.

Policy statement

  1. JBSEEL is committed to complying with data protection law as part of everyday working practices.
  2. Complying with data protection law may be summarised as, but is not limited to:
    1. Understanding, and applying as necessary, the data protection principles when processing personal data (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality);
    2. Understanding, and fulfilling as necessary, the rights given to data subjects under data protection law (to be informed; access; rectification; erasure; restriction; data portability; and objection (including in relation to automated decision-making)); and
    3. Understanding, and implementing as necessary, JBSEEL’s accountability obligations under data protection law (these include: implementing appropriate data protection policies; implementing data protection by design and default in projects, procurement and systems; using appropriate contracts with third party data controllers and data processors; holding relevant records about personal data processing; implementing appropriate technical and organisational security measures to protect personal data; reporting certain personal data breaches to the Information Commissioner’s Office; conducting Data Protection Impact Assessments where required; and ensuring adequate levels of protection when transferring personal data).

Roles and responsibilities

  1. JBSEEL has a corporate responsibility as a data controller (or when acting as a joint data controller or a data processor) for:
    1. Complying with data protection law and holding records demonstrating this;
    2. Cooperating with the Information Commissioner’s Office (ICO) as the UK regulator of data protection law; and
    3. Responding to regulatory/court action and paying administrative levies and fines issued by the ICO.
  2. JBSEEL has a Data Protection Officer who is responsible for:
    1. Advising JBSEEL on all aspects of its compliance with data protection law;
    2. Acting as JBSEEL’s standard point of contact with the ICO with regard to data protection law, including in the case of personal data breaches; and
    3. Acting as an available point of contact for complaints from data subjects.
  3. Individual staff, as appropriate for their role and in order to enable JBSEEL to comply with data protection law, are responsible for:
    1. Completing relevant data protection training;
    2. Following relevant advice, guidance and tools/methods provided by the Data Protection Officer depending on their role, regardless of whether access to and processing of personal data is through JBSEEL or University-owned and managed systems, or through their own or a third party’s systems and devices;
    3. When processing personal data on behalf of JBSEEL, only using it as necessary for their contractual duties and/or other JBSEEL roles and not disclosing it unnecessarily or inappropriately;
    4. Recognising, reporting internally, and cooperating with any remedial work arising from personal data breaches;
    5. Recognising, reporting internally, and cooperating with the fulfilment of data subject rights requests;
    6. Only deleting, copying or removing personal data when leaving JBSEEL as agreed with their line manager and as appropriate.
  4. Non-observance of the responsibilities in paragraph (3) may result in disciplinary action.
  5. The roles and responsibilities in paragraphs (1) to (4) do not waive any personal liability for individual criminal offences for the wilful misuse of personal data under data protection law (these criminal offences include: unlawfully obtaining, disclosing or retaining personal data; recklessly re-identifying de-identified personal data without the data controller’s consent; deliberately altering or deleting personal data to prevent disclosure in accordance with data subject access rights; forcing a data subject to exercise their access rights; and knowingly giving false statements to the ICO).

Contact and date of last revision

This policy was last revised in March 2021. Last reviewed May 2023.

Who to contact

For data protection and records management:

[email protected]

For Freedom of Information requests and enquiries:

[email protected]

To withdraw your consent to receive marketing communications from JBSEEL:

[email protected]