BISMA Privacy, Data Protection & Data Processing Policy
Policy Statement
British International Sports Medicine Academy (BISMA) is committed to protecting the privacy and personal data of learners, staff, contractors, applicants, and other individuals whose data it processes.
BISMA processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data-protection legislation. This policy explains how BISMA collects, uses, stores, shares, and protects personal data, and outlines the rights of individuals whose data is processed.
This policy forms part of the terms under which learners enrol with BISMA.
Scope
This policy applies to:
All BISMA staff, tutors, assessors, internal quality assurance personnel, contractors, and volunteers
All learners and applicants
All third parties who process personal data on behalf of BISMA
It applies to all personal data processed by BISMA, whether held electronically, digitally, or in paper-based form.
Data Protection Principles
BISMA processes personal data in accordance with the UK GDPR principles of:
Lawfulness, fairness, and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
Roles and Responsibilities
BISMA Management
BISMA management has overall responsibility for ensuring data-protection compliance and that appropriate policies, procedures, and controls are in place.
Data Protection Lead
BISMA has appointed a Data Protection Lead responsible for overseeing compliance with data-protection legislation, acting as the primary point of contact for data-protection matters, managing data-subject requests, and liaising with the Information Commissioner’s Office (ICO) where required.
All Staff and Contractors
All staff and contractors must process personal data in accordance with this policy, complete data-protection training where required, and report any data-protection concerns or suspected breaches immediately.
Lawful Basis for Processing
BISMA processes personal data only where a lawful basis applies. This will normally include one or more of the following:
Performance of a contract
Compliance with a legal obligation
Legitimate interests pursued by BISMA
Consent, where required and appropriate
BISMA does not routinely rely on public-interest or vital-interests bases, except in exceptional circumstances such as safeguarding.
Special Category Data
BISMA may process special category personal data, including health-related and fitness-related information, where necessary for course delivery, learner support, reasonable adjustments, safeguarding, or regulatory compliance.
Such data will be processed only where a lawful basis applies and an additional UK GDPR condition for special category data is met. Appropriate safeguards are implemented to protect this data.
Data Sharing and Disclosure
BISMA may share personal data where necessary and lawful, including with:
Awarding organisations and regulators
External quality assurers and auditors
Professional advisers
IT and learning-platform providers acting as data processors
Legal or regulatory authorities where required by law
Data is shared only where necessary, proportionate, and subject to appropriate safeguards.
International Data Transfers
BISMA does not routinely transfer personal data outside the United Kingdom. Where international transfers are required, appropriate safeguards will be applied in accordance with UK GDPR requirements.
Data Subject Rights
Individuals whose personal data is processed by BISMA have the right to:
Access their personal data
Request rectification of inaccurate data
Request erasure, where legally applicable
Request restriction of processing
Object to processing, where applicable
Request data portability, where applicable
Lodge a complaint with the Information Commissioner’s Office (ICO)
Requests may be submitted in writing, including by email. Identity may be verified before a request is processed.
BISMA will normally respond within one calendar month. This timeframe may be extended where permitted by law.
Requests may be refused, restricted, or redacted where permitted under data-protection legislation, including to protect third-party rights, safeguarding interests, confidential references, or internal decision-making material.
Data Security
BISMA implements appropriate technical and organisational measures to protect personal data, including secure storage systems, restricted access controls, password protection and two-factor authentication where appropriate, encryption of electronic communications where required, and staff training and awareness.
Data Retention
BISMA retains personal data only for as long as necessary for the purpose for which it was collected, including contractual, regulatory, safeguarding, audit, and legal requirements.
Retention periods are defined in BISMA’s Data Retention Schedule, which is available upon request.
Personal data is securely deleted or destroyed once retention periods expire.
Data Breaches
Any actual or suspected personal data breach must be reported immediately to BISMA management or the Data Protection Lead.
BISMA will assess the breach and, where required, notify the ICO within 72 hours and inform affected individuals where there is a high risk to their rights and freedoms. All breaches and actions taken are recorded.
Third-Party Data Processors
Where BISMA uses third-party processors, appropriate due diligence is carried out. Written data-processing agreements are in place, and processors must comply with UK GDPR requirements.
Related Policies
This policy should be read alongside BISMA’s:
Learner Registration & Certification Policy
Safeguarding Policy
Learner Sanctions, Disciplinary & Exclusion Policy
Learner Complaints Policy
Monitoring and Review
Data-protection compliance is monitored on an ongoing basis.
This policy is reviewed annually or sooner where required by legislative, regulatory, or organisational change.
