1. Your personal information and the purposes for which it is used

  1. As soon as you contact us, we create a record in your name. To that record we add information that you give us at reservation, registration and throughout your studies. We hold general information about students, such as their name, address, courses studied and fee payments, and data to do with examinations, assessments and course results. We keep records when you contact us and we keep records of your participation in learning

  2. We may monitor and record telephone calls between you and the Institute to make sure that we have carried out your instructions correctly and to help us improve our services through staff training.

  3. We do not sell personal information to other organisations

  4. The data controller for your personal data is The Institute for Optimum Nutrition.

  5. We use your personal information in the following ways:

    1. To process enquiries, applications and

    2. To provide services to enquirers and students including sending you information about current and future study opportunities with the Institute; providing certain online facilities. We sometimes use external service providers to process your personal information when providing relevant services to the Institute under strict contractual confidentiality obligations.

    3. To allow other organisations to provide services to students and alumni.

    4. To carry out research to help us plan and improve our services. We may contact you ourselves or ask outside research agencies to do so on our

    5. To produce aggregated statistical information, including data for monitoring equality of

    6. To provide information about students to other organisations, such as professional, regulatory and validating bodies.

    7. To support you in your studies. We may use information you have given us such as your ethnic background, disability and/or educational qualifications in addition to information we collect about your participation in learning activities to identify students who require additional support or specific services. We consider your disclosure of such information and your acceptance of the terms and conditions of registration as explicit consent to use this information for this

  6. We are required to send some of the information we hold about registered students to HESA. This information forms your HESA record. Your contact details may be passed to survey contractors to carry out the National Student Survey (NSS) and surveys of student finances. These contractors will use your details only for that purpose and will then delete

  7. We would also like students and alumni to be told about products or services offered by our associates, which may involve our associates receiving some personal information about you. If you do not want to receive information about products or services, either from the Institute or our associates, you can make this choice at registration.

  8. When you are awarded a qualification you automatically become a member of the ION Alumni Community at no extra charge. If you do not want to become a member, please contact us at any time using the details given in Section 6.

  9. If you are in debt to us, we may give other people information for the purposes of recovering the

  10. We submit the content of student assignments to a plagiarism detection system. This may involve data being held on a server outside the EEA. No personal details will be submitted to this

  11. We may contact HESA or other educational institutions to confirm the qualifications you have obtained or to check whether you have been included in a previous HESA or Individual Learner Record (ILR) return.

  12. Your information may be used to detect and prevent fraud in respect of public funding and we may release information to the police and other law enforcement agencies for crime prevention and detection purposes if required to do 

2. Our principles

  1. We are committed to the data protection principles of good practice for handling information. All personal information is held in secure computer and manual files, and we will only transfer data within the Institute on a ‘need-to-know’ basis so that we can support our academic and other services to you.

  2. We have a retention schedule for information and keep records only for as long as they have a legal or business purpose. For example, we will destroy some data that is relevant to exams and assessment shortly after the course result is decided, and we will only keep the result itself.

3. Transfer of data outside the EEA

  1. If you are studying outside the European Economic Area, we may need to transfer your personal data to countries outside the EEA and make it available to institutions which have a partnership arrangement with us so that we can provide services to

  2. Such countries may not have the same level of protection for personal information, and individual rights in relation to personal information, as in the EEA, but ION will only transfer your personal information to such recipients where necessary safeguards have been secured by contract.

  3. As part of our provision of online services and activities, your name and other information may be visible to ION staff, students, ION service providers and other authorised persons who may be outside the EEA.

  4. By registering on an ION course, you agree to your personal information being processed in this way.

4. Cookies

  1. If you use the internet to carry out certain transactions with the Institute, your computer will store small pieces of information, known as ‘cookies’, in its memory. Cookies cannot read your computer’s hard disk or make any information available to third parties. They are used so that we can easily recognise you when you return to our websites and, as a result, will enable us to provide you with a better service. We also track user traffic patterns in order to determine the effectiveness of our website. We do not release this information to third parties. If you prefer not to receive cookies while browsing our website, you can set your browser to refuse them. However, if you are a registered user of the Institute you will need to allow “per-session” cookies in order to access password-protected sites. 

5. Security

  1. All staff are made aware of the security procedures they must follow when handling personal information. Information is protected from unauthorised access and we are confident no one will be able to access your personal information unlawfully. We also protect information which is being transferred. As long as your web browser supports the Secure Sockets Layer (SSL), any personal information transmitted from your browser to our web service, or from the service to your browser, will be encrypted to make it unreadable. Please note that email is never a 100% secure way of communicating. By using it, you agree that you will send any information by email at your own risk.

  2. While we will take all reasonable precautions to make sure that other organisations who we deal with have good security practices, we are not responsible for the privacy practices of those organisations whose websites may be linked to our

6. Access to your data

  • Under the Data Protection Act, you have the right to receive a copy of the personal data we have about you. If you want a copy, please write to:

The Institute for Optimum Nutrition

Ambassador House

Paradise Road



or email [email protected]

You will have to pay a fee for this.

7. Processing personal data as part of your studies

  1. Students are not usually expected to process personal data as part of their Institute for Optimum Nutrition studies, but if you need to do so you must get the agreement of your tutor or supervisor that the processing is necessary and immediately tell the Data Protection Officer at the address

  2. If you do need to process personal data, you will be covered by the Institute’s notification as long as you have followed the advice in 7.1 above. Otherwise, it will be your own responsibility.

8. More information and advice

  1. For more information and advice on data protection matters, contact the Data Protection Coordinator at the address above.

9. General Data Protection Regulation (GDPR)

  1. The General Data Protection Regulation (GDPR) is a new EU legal framework for data protection. The GDPR will apply to all member states from the 25th May 2018.
  2. The Regulation will replace our current UK Data Protection Act 1998, introduce greater protections for personal data and bring data protection law into the digital age. The GDPR introduces some new obligations for organisations that collect, use, share and store personal data.
  3. A GDPR Working Group, chaired by the Business Manager, has been set up to look at the impact on Institute operations and oversee the implementation of any changes required.
  4. What are the key changes that GDPR will bring?
  5. Consent
    1. The GDPR will introduce more robust requirements for collecting and using people's data with their consent. Under the GDPR there must be an 'affirmative act establishing a freely given, informed, and unambiguous indication' of the person's wishes, and we must be able to evidence this.
  6. What does this mean?
    1. It means assuming someone has consented if they do not indicate otherwise (or opt out) will no longer be acceptable. Pre ticked boxes will not meet the necessary thresholds. It means we need to be really clear when we explain to people what we are going to do with their data, for example, when conducting marketing surveys or research studies, and ensure that they 'opt in' to that. 'Freely given' means we cannot make non-essential uses of people's data (further marketing or contact about other things we are doing) a condition of providing another service that we offer. We must also keep records of people's preferences, including if they later withdraw consent.
  7. Records of data processing activities
    1. To comply with the GDPR we need to have a clear picture of what data we hold, where it is, what we use it for, who we may share it with, and how long we keep it.
  8. Notification of high-risk data security incidents
    1. The GDPR will introduce a mandatory requirement to notify the Information Commissioner's Office (the UK data regulator) in the event of a breach of data that could have serious consequences for those whose data has been compromised. Where this is the case, these must be reported to the regulator within 72 hours.
  9. How do we do that?
    1. A new Information Security Incident Policy has been introduced and includes the procedures that key members of the Institute will take in the event of a breach, and also explains how any member of staff can report an incident. It is now even more important that all incidents are reported quickly so we can manage the situation effectively. Never be afraid to report an issue: mistakes are easy to make and very often not as bad as you think they might be. The worst action to take is to do nothing and hope for the best. Reporting an incident also means we can look at what went wrong and whether anything can be done to prevent recurrences. We can also support you in remedying and mitigating the impact as far as possible.
  10. Data Protection by Design and Default
    1. The GDPR also requires us to think about data protection and privacy from the very outset of anything we plan to do with people's data, for example when procuring or designing new tools for managing data, and embarking on new uses for data. This is particularly the case when any new initiative, project, or data hosting tool could pose a high risk to privacy or data security. The Data Protection Officer must be involved in cases where this applies. Measures we can take to evidence Data Protection by Design would include conducting privacy impact assessments to identify any risks early on, designing processes that take into account privacy, and documenting measures taken to mitigate any risks that remain. Another measure would be performing due diligence checks on any third parties that may hold data on our behalf to ensure they have enough technical security and contractual terms that cover data protection.
  11. What are the requirements for marketing?
    1. Unsolicited marketing by email, SMS and fax is subject to rules imposed by the Privacy of Electronic Communications Regulations 2003. We are already required to have consent to send unsolicited marketing, which will include fundraising communications, via these channels. These regulations are also soon to be updated and will be covered by the new E-Privacy Regulation. The E-Privacy Regulation will bring the standard of consent in line with that of the GDPR. Opt-out approaches, silence, inactivity or un-ticked or pre-ticked boxes will not meet the GDPR consent standard (and arguably, that someone didn't opt out only ever indicated 'I have no objection' and not 'I consent'). Some different rules apply where contact details were obtained as part of a sale. More information specifically for marketers and fundraising will be available soon. In the meantime see the ICO pages for more information.

