Privacy Policy

BISMA Privacy, Data Protection & Data Processing Policy

Policy Statement

British International Sports Medicine Academy (BISMA) is committed to protecting the privacy and personal data of learners, staff, contractors, and other individuals whose data it processes.

BISMA processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection legislation. This policy sets out BISMA’s approach to data protection, the responsibilities of those handling personal data, and the rights of individuals whose data is processed.

Scope of This Policy

This policy applies to:
• All BISMA staff, tutors, assessors, IQAs, contractors, and volunteers
• All learners and applicants
• All third parties who process personal data on behalf of BISMA

It applies to all personal data processed by BISMA, whether held electronically or in paper-based form.

Data Protection Principles

BISMA processes personal data in accordance with the UK GDPR principles:
• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

Roles and Responsibilities

BISMA Management
• Overall responsibility for data protection compliance
• Ensuring appropriate policies, procedures, and controls are in place

Data Protection Lead
BISMA has appointed a Data Protection Lead responsible for overseeing compliance with data protection legislation, acting as the point of contact for data protection matters, managing data subject requests, and liaising with the Information Commissioner’s Office (ICO), where required.

All Staff and Contractors
• Must process personal data in accordance with this policy
• Must complete data protection training where required
• Must report data protection concerns or breaches immediately

Lawful Basis for Processing

BISMA processes personal data only where there is a lawful basis to do so. This will normally include one or more of the following, as appropriate:
• Performance of a contract
• Compliance with a legal obligation
• Legitimate interests pursued by BISMA
• Consent, where required and appropriate

BISMA does not routinely rely on public interest or vital interests as a lawful basis, except in exceptional circumstances.

Special Category Data

BISMA may process special category personal data, including health and fitness-related information, where necessary for the delivery of qualifications, safeguarding, or learner support.

Such data will be processed only where a lawful basis applies and an additional UK GDPR condition for processing special category data is met. Appropriate safeguards will be in place to protect this data.

Data Subject Rights

Individuals whose personal data is processed by BISMA have the right to:
• Access their personal data
• Request rectification
• Request erasure
• Restrict or object to processing
• Data portability (where applicable)
• Lodge a complaint with the Information Commissioner’s Office (ICO)

Requests should be made in writing to BISMA. Identity may be verified before processing a request. Requests will normally be responded to within one calendar month.

Data Security

BISMA implements appropriate technical and organisational measures to protect personal data, including:
• Secure storage systems
• Restricted access to personal data
• Password protection and two-factor authentication where appropriate
• Encryption of electronic communications where required
• Staff training and awareness

Data Retention

BISMA retains personal data only for as long as necessary for the purpose for which it was collected.

Retention periods are defined in BISMA’s Data Retention Schedule, taking into account awarding body requirements, regulatory obligations, and operational needs.

Personal data is securely deleted or destroyed once retention periods expire.

Data Breaches

Any actual or suspected data breach must be reported immediately to BISMA management or the Data Protection Lead.

BISMA will assess the breach, notify the ICO within 72 hours where required, inform affected individuals where there is a high risk to their rights and freedoms, and record all breaches and actions taken.

Third-Party Data Processors

Where BISMA uses third parties to process personal data on its behalf, appropriate due diligence will be carried out, written data processing agreements will be in place, and processors must comply with UK GDPR requirements.

Related Policies

This policy should be read alongside:
• Learner Registration & Certification Policy
• Safeguarding Policy
• Malpractice & Maladministration Policy
• Learner Complaints Policy

Monitoring and Review

Data protection compliance is monitored on an ongoing basis.

This policy is reviewed annually or sooner if required by legislative, regulatory, or organisational change.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.