CTDC Data Protection & Information Security Policy

Effective 15 December 2025


1. Purpose of the Policy

CTDC refers to the Centre for Transnational Development and Collaboration, a group of affiliated companies that collaborate across research, consulting, facilitation, digital innovation, and education. This policy applies to all entities within the CTDC group that handle personal data and, where applicable, clarifies the role of each legal entity as data controller or processor. Personal data may be shared within the group under secure intra-group data sharing agreements, in accordance with the UK GDPR, the EU GDPR where it applies, and ICO guidance on international transfers and cross-border service delivery.

This policy sets out the mandatory data protection and information security standards that CTDC must comply with.

The purpose is to ensure:

  • Full compliance with the UK General Data Protection Regulation (UK GDPR)
  • Adherence to the Data Protection Act 2018
  • Alignment with SOC 2 Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
  • Protection of personal, sensitive, confidential, and organisational data
  • Prevention of misuse of data in ways that could create risks under safeguarding, anti-bribery, anti-corruption, or conduct policies

Data protection is a legal obligation, governance duty, and moral requirement, particularly given CTDC’s work with vulnerable communities, sensitive research, and cross-border activities.

All CTDC personnel and partners are strictly bound by this policy.

This policy also specifically applies to CTDC Academy activities, including:

  • Learner registration and enrolment processes
  • Access and use of the online learning platform
  • Participation in the alumni and community spaces
  • Handling of personal data for course certification, assessment, and feedback
  • Use of analytics and AI-enabled tools in the learning environment

2. Scope

This policy applies to:

  • Employees, directors, and board members
  • Consultants, contractors, trainers, researchers, interpreters
  • Volunteers, interns, fellows
  • Sponsored entities and implementing partners
  • Service providers handling CTDC data (IT, cloud, storage, security)

This policy governs all data handled or processed:

  • Physically (documents, notebooks, recordings)
  • Digitally (email, systems, cloud services, mobile devices)
  • Verbally (interviews, meetings, consultations)
  • In any medium involving CTDC operations

Scope includes all Academy learners (past and present), guest facilitators, applicants, and individuals engaging with the CTDC Academy platform or alumni network. It extends to any course-related tools, assessments, communication systems, or cloud storage.

This policy applies across all countries CTDC operates in, regardless of local norms.


3. Legal & Regulatory Framework

CTDC adheres to the following:

3.1 UK GDPR

Principles:

  1. Lawfulness, fairness, transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

3.2 Data Protection Act 2018

CTDC complies with statutory requirements for:

  • Sensitive personal data
  • Criminal offence data
  • Research and safeguarding exemptions (where applicable)
  • Data subject rights

3.3 SOC 2 Trust Services Criteria

CTDC meets SOC 2–aligned controls for:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

3.4 Alignment with CTDC Policies

This policy is fully aligned with:

  • Safeguarding Policy: protects survivors’ and complainants’ data
  • Code of Conduct: ensures proper use of information and power
  • Anti-Fraud & Anti-Corruption Policy: prevents data manipulation, falsification, or misuse
  • HR and disciplinary policies
  • Responsible AI Use Policy: governs CTDC’s use of AI-enabled tools, including those used in the Academy learning environment

Violations of this policy may trigger action under any of the above.


4. Definitions

4.1 Personal Data

Any information relating to an identifiable individual.

4.2 Special Category Data

Sensitive data including health, gender identity, ethnicity, sexuality, political opinions, religious beliefs, biometric data.

4.3 Confidential Data

Information whose unauthorised disclosure could cause harm to individuals or CTDC.

4.4 Data Processing

Any operation performed on data (collection, storage, analysis, deletion, etc.).

4.5 Data Breach

Any accidental or unlawful destruction, loss, or alteration of data, or any unauthorised disclosure of, or access to, data.

4.6 Learner Data

Any personal or educational data collected as part of the application, enrolment, participation, or alumni engagement in CTDC Academy offerings.

4.7 Platform Analytics Data

Any behavioural, usage, or engagement data generated through use of the Academy’s learning management system (LMS) or community features, used solely for pedagogical, safeguarding, or platform improvement purposes.

4.8 AI-Generated Data and Interactions

Outputs, recommendations, or interactions involving artificial intelligence systems (e.g. course recommendations, chatbots, analytics) that form part of the CTDC Academy experience. These are subject to transparency, fairness, and human oversight requirements. AI systems must not process identifiable client, learner, or staff data without explicit consent and a lawful basis for the processing. All AI-related data is subject to the safeguards set out in Sections 5 and 7.


5. Data Protection Principles

CTDC adheres to the following:

5.1 Lawfulness, Fairness, Transparency

Data must be collected and processed legally and transparently.

5.2 Purpose Limitation

Data shall be used only for the specific, explicit, and legitimate purposes stated at collection.

5.3 Data Minimisation

Only data strictly necessary for the purpose shall be collected.

5.4 Accuracy

Data must be accurate, up to date, and corrected when inaccurate.

5.5 Storage Limitation

Data shall not be stored longer than required.

5.6 Integrity and Confidentiality

Data shall be processed securely, ensuring protection against unauthorised access, loss, or damage.

5.7 Accountability

CTDC must be able to demonstrate compliance at all times.

5.8 Learning Integrity

CTDC Academy commits to transparency and clarity at every stage of data use. Learners will be informed of the specific purposes for which their data is being collected (e.g. certification, course access, impact measurement), with opt-in mechanisms for any non-essential use (e.g. marketing).

CTDC ensures that any use of AI systems for educational delivery, assessment feedback, or learner support is disclosed, ethically governed, and subject to regular human review. AI-driven functions will not be used for high-stakes decision-making without human involvement.

CTDC will provide data to learners in accessible formats upon request (e.g. screen-reader compatible, large print), in accordance with its accessibility and inclusion commitments.

For further details on how CTDC governs AI-enabled systems, see the CTDC Responsible AI Use Policy, which outlines use cases, oversight, prohibited practices, and consent mechanisms.


6. Data Subject Rights

CTDC ensures individuals can exercise:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure (subject to exceptions for safeguarding, legal, and research purposes)
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights relating to automated decision-making

Note for Academy: Academy participants may exercise these rights via the designated contact on the Academy platform. Requests relating to assessments, certificates, or alumni data will be treated with the same priority and processed within the stipulated timeframes.

Requests must be responded to within one month of receipt. This period may be extended by up to a further two months where a request is complex or where several requests are received from the same individual, in which case the individual must be informed of the extension, and the reasons for it, within the first month.


7. Data Protection Roles

7.1 Data Protection Officer (DPO) / Responsible Person

CTDC appoints a responsible senior person to:

  • Oversee policy compliance
  • Advise on GDPR obligations
  • Respond to rights requests
  • Manage data breaches
  • Maintain documentation

7.2 All CTDC Personnel

Must:

  • Handle data lawfully and securely
  • Report any breaches immediately
  • Use only approved systems
  • Follow all retention and disposal procedures

7.3 Partners & Processors

Must:

  • Sign a Data Processing Agreement (DPA)
  • Implement data protection measures equal to CTDC standards
  • Report breaches to CTDC immediately

CTDC may terminate agreements for non-compliance.


8. Information Security Standards (SOC 2 Aligned)

CTDC enforces the following:

8.1 Security Controls
  • Strong password requirements
  • Multi-factor authentication (MFA)
  • Device encryption (laptops, phones, drives)
  • VPN use for remote access
  • Role-based access control (RBAC)
  • Automatic log-out and session expiry
8.2 Data Transmission
  • No personal or confidential data sent unencrypted
  • Use of secure, approved cloud platforms only
  • Prohibition of public Wi-Fi for handling sensitive data without VPN
8.3 Data Storage
  • Encrypted storage only
  • No personal data stored on personal devices without authorisation
  • No storage on USBs unless encrypted and approved
8.4 Physical Security
  • Locked storage for physical files
  • Restricted office access
  • Secure disposal (shredding, certified destruction)
8.5 Incident Logging

All systems handling sensitive data must have:

  • Access logs
  • Audit trails
  • Change-tracking

Note: All Academy platforms, tools, and third-party integrations (e.g. payment processors, survey tools, LMS) must meet CTDC’s minimum data security standards. Contracts with educational vendors must include binding Data Processing Agreements.


9. Data Retention & Disposal

9.1 Retention

Data must be retained only for:

  • The purpose it was collected
  • Legal or contractual requirements
  • Safeguarding or research obligations
  • Donor or audit requirements

Note for Academy: Learner records will be retained only for as long as necessary to fulfil contractual and educational obligations (e.g. certification verification, quality assurance), and for no longer than 7 years unless a longer period is required by law. Alumni data may be retained, with explicit consent, for continued community access.

Retention schedules are approved by CTDC Directors.

9.2 Secure Disposal
  • Digital deletion must be permanent and irreversible
  • Physical documents must be shredded or professionally destroyed

10. Data Breach Procedure

A breach includes any unauthorised access, loss, disclosure, or alteration.

10.1 Immediate Actions (within 24 hours)
  • Notify the DPO / Responsible Person
  • Contain the breach
  • Prevent further data loss
10.2 Assessment (within 48 hours)

Determine:

  • Nature and scope
  • Data involved
  • Individuals affected
  • Risk level
10.3 Notification Requirements

  • Notify the ICO within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; the 72-hour clock runs from the moment of awareness, not from completion of the assessment in 10.2
  • Where the breach is likely to result in a high risk to individuals, also notify the affected individuals without undue delay
  • Record the reasons for any decision not to notify the ICO or affected individuals
10.4 Documentation

CTDC must maintain a breach log including:

  • Incident description
  • Response steps
  • Outcomes
  • Preventative actions

Note on Academy: In the event of a breach affecting learners or Academy systems, notifications will be issued through official Academy channels and affected individuals will be contacted directly.


11. Alignment With CTDC’s Safeguarding, Anti-Fraud, and Conduct Policies

This policy supports:

11.1 Safeguarding
  • Ensures survivor data is strictly confidential
  • Sets legal limits on who can access safeguarding case files
  • Protects sensitive identities (gender, sexuality, status)
  • Prevents digital or data-enabled harm
11.2 Code of Conduct
  • Prohibits misuse of information, insider advantage, or privacy violations
  • Enforces responsible power use
11.3 Anti-Fraud & Anti-Corruption
  • Prevents data manipulation, falsification, destruction
  • Ensures financial and procurement data integrity
  • Enforces auditability and traceability

Violation of this policy is grounds for disciplinary action, including dismissal or contract termination.


12. Monitoring & Review

CTDC will:

  • Conduct annual reviews of this policy
  • Perform periodic data protection audits
  • Monitor compliance with SOC 2 controls
  • Update procedures based on legal or organisational changes

Note for Academy: The Academy Team is responsible for ensuring regular audits of all education technology systems and for maintaining data transparency with learners. Feedback loops will be built into course evaluations to monitor data-related concerns.
