Middlesex Policies – Page 4

Procedure 006: Extenuating Circumstances

If you have a disability which makes reading this document or navigating our website difficult and you would like to receive information in an alternative format, please contact: anddegree@acm.ac.uk

Procedure 006: Extenuating Circumstances

Introduction

1.1 This Procedure describes how the Academy of Contemporary Music (ACM) considers formal Extenuating Circumstances claims in relation to the outcome of a student’s summative assessment and overall programme/award/classification outcomes.

1.2 This Policy applies to students studying on the Foundation Year, and FHEQ Levels 4, 5, 6 and 7 at all ACM campuses.

Procedure

2.1 Students requesting consideration of Extenuating Circumstances are required to complete and submit the online Extenuating Circumstances form before the assessment deadline.

2.2 Once the online form has been submitted, students will be contacted with instructions on submitting the supporting documentation required. Details of the types of documentation required can be found in Appendix A.

2.3 Students may request the consideration of Extenuating Circumstances for the following reasons:

Illness (mental or physical) or Injury
Bereavement
Victim of a criminal offence
Public transport delays of over 1 hour
Private transport issues
Personal/ family/ wellbeing difficulties

2.4 If an extenuating circumstances request is received after the given deadline, without good reason, it will not normally be accepted.

2.5 All extenuating circumstances requests are considered by the Extenuating Circumstances Panel (ECP) or the designated nominee.

2.6 The ECP or designated nominee will consider the requests, on a prima facie case, to either approve or decline the applications.

2.7 The ECP or designated nominee will not make an academic judgment regarding submissions, resubmissions or possible conceded passing grades.

2.8 Students will normally receive a decision on the outcome of their Extenuating Circumstances request ahead of the assessment deadline. If the case is more complex and requires extensive discussion, it may take longer to communicate an outcome with the student. Where this is the case, the student will be kept up to date with the progress of their application. Students should be aware that by submitting work for assessment they are declaring themselves ‘Fit to sit.’

2.9 In the event that an extenuating circumstances request is not upheld, and the student feels there has been a material or procedural error in the operation of this procedure, or implementation of the relating policy, the student can be referred to ACM’s Student Complaints and Grievances Policy.

Fitness to Study

2.10 Upon presentation of pro forma, rationale and evidence, and where the Panel considers that there is a compelling and significant need, the Panel may action relevant stakeholders to engage the student in the Fitness to Study procedures.

Reasonable Adjustments

2.11 Students who have a long term condition or learning need which significantly impacts their ability to submit summative assessment work or otherwise complete summative assessment work throughout their candidature should be engaged with Reasonable Adjustments procedures. By virtue of their long term needs, students should be supported outside the Extenuating Circumstances procedures, and should be engaged with completing an Individual Learner Arrangement (ILA), which clearly and transparently articulates any adjustments to assessment modes or deadlines throughout their time with ACM.

2.12 In cases where the ECP or designated nominee considers that the student would be appropriately supported through long term reasonable adjustments, an action may be given for the student, Intervention Officer, Additional Needs and Disability Manager or equivalent and/ or other member of Student Services staff to convene to mutually agree the adjustments to be applied.

Responsible Parties

3.1 This Policy is under the responsibility of the Quality & Standards Committee. The responsible committee will ensure the cyclical review of this Policy is carried out under ACM’s Quality Assurance Framework.

Related Documentation

Extenuating Circumstances Policy
Academic Appeals Policy
Learning, Teaching, Assessment and Attainment Policy
Equality and Diversity Policy
Fitness To Study Policy

Date of Approval and Next Review

Version: 3.2

Approved on: 01 September 2023

Approved by: Academic Board

Date of next review: August 2024

Download: PRO_006_Extenuating Circumstances_202309

Appendix A: Supporting Documentation

Issue	Required Documentation	Further guidance
Illness/ Injury	An original medical certificate must be provided and be signed, dated and stamped by an approved Doctor/Surgery/Hospital.	It must state what the student was affected by, the period of time affected and how it may affect a student’s academic performance
Bereavement	A letter from a relative and a funeral order of service (where possible).	If either of these items are difficult to obtain, please speak to a member of the Assessment and Programme Team for advice.
Victim of a criminal offence	A letter provided by the police.	The letter must contain the police case reference number.
Public transport delays of over 1 hour	A letter from the operating company.	If this is difficult to obtain due to the timeliness of the request, please speak to a member of the Assessment and Programme Team for advice.
Private transport issues	Dependent on circumstances, please speak to a member of the Assessment and Programme Team for advice.	This will only be considered if acceptable authoritative evidence is supplied, if the problem is deemed unavoidable and if the student is able to articulate why they were unable to access forms of public transport.
Personal/ family/ wellbeing difficulties	Dependent on circumstances, please speak to a member of the Assessment and Programme Team for advice.

Policy 057: Refunds and Compensation

Purpose and Scope

1.1. This policy is an addendum to the Finance Policy and should be read in conjunction with the most recent version of that document.

1.2. ACM’s Finance Policy deals with refunds of tuition fees to students who have withdrawn or interrupted their study during an academic year.

1.3. The Refunds and Compensation Policy sets out the circumstances in which ACM will refund tuition fees and other relevant costs to students and provide compensation if appropriate where ACM is no longer able to provide programme continuation to one of more students.

1.4. Details regarding how continuation and quality of study will be preserved for current and potential students if a risk to their continued study materialises is set out with the Student Protection Plan. The Student Protection Plan identifies non-continuation of programmes at ACM as being of low risk.

1.5. Refunds and compensation of fees and costs is considered a remedy of last resort and ACM is committed to using its best endeavours to ensure all students can continue and complete their studies.

1.6. Financial compensation will not necessarily be the most appropriate response where the institution has failed to meet its obligations, it may be appropriate to offer, for example, an apology, a goodwill gesture, an alteration to learning methods, or an option to repeat tailored to the specific needs of the student.

1.7. ACM recognises its responsibilities in law, this includes:

1.7.1. Statutory responsibilities under the Consumer Rights Act 2015 (CRA) and the Higher Education and Research Act 2017 (HERA);

1.7.2. The Student Protection Plan and Refund and Compensation Plan are a requirement of registration with the Office of Students (OfS);

1.7.3. Sector wide responsibilities relating to the Office for the Independent Adjudicator (OIA) and the Quality Assurance Agency (QAA. Students have recourse to the OIA where internal ACM processes have been completed.

1.8. Within this policy reference to circumstances where ACM is no longer able to provide programme continuation include:

1.8.1. Scheduled Mid-programme termination

1.8.2. Unexpected programme termination

1.9. This policy is not applicable to changes to or terminations of programmes where all registered students expected to complete their programmes at the date of termination have done so.

Policy Statement

Scheduled Mid-Programme Termination

2.1. A scheduled mid-programme termination relates to circumstances where ACM can no longer preserve continuity but is able to plan and align the termination with the end of an academic year or academic Level.

2.2. Where such circumstances arise ACM, will in the first place, consult with students in preparing its plan for dealing with the termination. As minimum it will:

ensure students receive the relevant university award (in accordance with the validating university regulations) that recognises the stage or level they have achieved;
provide advice and support to help with the transfer to an equivalent or alternative programme at ACM to enable them to complete their programme if that is their preference.
provide advice and support to help with the transfer to another provider or university to enable them to complete their programme.
consult with students, through the student representative network, to put in place a compensation plan relevant to the circumstances of the termination that includes provision for compensation in respect of additional costs reasonably incurred by students as a result of any relocation.
commit to honouring any student bursaries that would have continued had the programme not been terminated.

Unexpected programme termination

2.3 An unexpected programme termination occurs when:

a risk to continuation of study materialises without prior warning and ACM has no alternative but to terminate during the course of an academic year or
ACM fails to recruit sufficiently to a programme and closes to new recruits impacting on individuals that have already been offered or accepted places on that programme

2.4 Where such circumstances arise, ACM will consult and communicate with relevant students as a priority. As a minimum ACM will:

ensure students receive the relevant University award (in accordance with the validating university regulations) that recognises the stage or level they have achieved;
provide advice and support to help with the transfer to an equivalent or alternative programme at ACM to enable them to complete their programme if that is their preference.
provide advice and support to help with the transfer to another provider or university to enable them to complete their programme.
consult with students, through the student representative network, to put in place a compensation plan relevant to the circumstances of the termination that includes provision for compensation in respect of additional costs reasonably incurred by students as a result of any relocation.
commit to honouring any student bursaries that would have continued had the programme not been terminated.

Compensation

2.5 Any payments associated with a compensation plan will include appropriate provision for:

tuition fee costs (cover tuition fee loans, from the Student Loans Company, self-funded tuition fees or payment of tuition fees from a sponsor)
maintenance costs
lost time
additional tuition costs
travel costs as a result of relocation of provision

2.6 Further to this relevant guidance published by the Office for Students or the Office of the Independent Adjudicator for Higher Education will be taken into account in preparing such plans.

General

2.7 This Refund and Compensation Policy is linked to ACM’s Student Protection Plan, and the Finance Policy. Both documents are subject to an annual review.

2.8 This policy will not normally apply to individuals who have completed the studies for which they registered as a student of ACM.

2.9 Queries about the application of this policy should be addressed to complaints@acm.ac.uk in the first instance.

3. Reference Points

3.1 Internal

3.2 External

4. Approval and Review

The policy will be reviewed as part of departmental annual review cycle and agreed by the most relevant committee.

Department: Finance

Committee: SEQC

Version: 1.1

Approved on: 01 Sep 2025

Policy 041: Lone Workers

Purpose and Scope

1.1. This policy outlines ACM’s approach towards the safety of those who work alone, without close or direct supervision.

Policy Statement

2.1 ACM, as an employer, has a legal duty to assess all risks to health and safety, including the risks of lone working. The Health and Safety Executive (HSE) defines lone workers as “those who work by themselves without close or direct supervision”. Many of the hazards that lone workers face are similar to those faced by other workers. However, the risks involved may be greater because the worker is on their own. Lone working may also occur where it is necessary for ACM staff to work outside their nominated working hours, or in settings where staff are required to work away from ACM sites when representing the business, for example, external events. This may refer to representation of ACM overseas, and away from a worker’s home domicile.

2.2 There is no specific law dealing with lone working. However, all health and safety legislation applies equally to lone workers and in some cases, is even more applicable. Lone working does not in itself contravene the law, but it may often bring additional risks.

2.3 Some of the key hazards are:

Violence and assault – for staff working alone the risks are even greater than usual. They are more vulnerable to assault, and less able to call for assistance.
Manual handling – the most common accidental injury at work is manual handling and for lone workers, the risk is even higher – there is no-one to ask for help.
Fire – Lone workers are less likely to be aware of a fire until they themselves see or smell it and less able to call for assistance if they get into trouble. It is important that staff always know how to deal with or escape from a fire whilst working.
The increased risk of threatening behaviour, due to the vulnerability of lone workers, including the risk of theft and intruders.
The suitability of the workplace for lone working.
Lone worker medical suitability for lone working.
The risk of social isolation.

2.4 All lone workers should be fully trained in the safe working practices to be adopted in order to carry out their tasks safely. This will apply to employees and other workers where applicable, such as agency staff and self-employed contractors.

2.5 Line Management have a responsibility to engage direct reports in discussions to ascertain the suitability for lone working arrangements, taking into account feedback and staff concerns, relating to risk or staff suitability for lone working practices.

2.6 Staff hold the right to decline lone working arrangements based on the suitability of the lone-working setting, and based on their ability to discharge their responsibilities in a lone-working setting, taking into account any medical or personal barriers or complexities.

2.7 Where lone working arrangements are deemed unsuitable or undesirable, line management and direct reports should engage in an open dialogue to propose alternative arrangements.

2.8 Where lone working arrangements are agreed, all lone workers are expected to co-operate fully with any instructions given by their employer. They are also expected to follow their employer’s safe systems of work and any associated procedures.

2.9 It is the joint responsibility of line management and direct reports to establish a point of contact, and contact procedures, to ensure oversight of lone workers safety and well-being. The nominated contact should be agreed prior to lone working taking place.

Risk Assessment

2.10 Prior to the joint agreement of lone working arrangements, line management will ensure a comprehensive risk assessment is completed.

2.11 The risk assessment procedure operates to identify potential hazards, taking into account:

Assess the nature and severity of the risks taking into account the likelihood of any violence and abuse
Enable control measures to be sought and implemented to remove the risks

2.12 It is expected that the risk assessment will allow line management and staff to identify and minimise possible areas of risks so that they are adequately controlled.

2.13 The risk assessment must take into account:

Immediate risks associated with the vulnerability of lone working staff, relating to the increased risk of violence, threatening behaviour, theft, and intruders.
The suitability of the nominated place of work, where lone working will occur. The suitability of the workplace should take into account the availability of welfare facilities, hygiene facilities (taking into account individual staff needs and personal circumstances)
Any necessary reasonable adjustments to a nominated workplace.
The availability of training, prior to the commencement of lone working arrangements, to ensure staff are made aware of manual handling practices.
The availability of nominated staff trained in First Aid, including ensuring that lone workers are aware of the specific named staff member, and their contact details.
The ease of which, if necessary, emergency services are able to access individuals, should such an emergency situation arise.
The availability of contact points, via landline phones, mobile phone coverage, and wifi connectivity.

2.14 All lone workers should ensure that they are fully conversant with the Lone Worker Policy prior to lone working arrangements commencing.

2.15 Lone workers are expected to exercise sound judgement relating to their individual circumstances, their surroundings, their personal boundaries and their safety in instances where lone working arrangements occur.

Responsible Parties

3.1 The policy lead is responsible for the cyclical monitoring and review of the policy in liaison with the Quality Assurance and Enhancement Manager. The Lone Workers Policy lead is:

Human Resources Operations Manager

3.2 All ACM staff with line management responsibility, and direct reporting staff, have a responsibility to demonstrate due regard to the Lone Workers Policy.

3.3 Implementation and compliance with the Policy, overseen by the following designated staff:

Human Resource Department
Staff with Line Management Responsibility of a Lone Worker
Staff with responsibility for casual student employees, particularly Student Ambassadors,
Nominated First Aid contacts within the Business
Designated Safeguarding staff

4. Reference Points

4.1 Internal

Critical Incident Policy
Safeguarding Policy
Staff Code of Conduct Policy
Staff Grievance Policy
Health and Safety Policy
Equality and Diversity Policy

4.2 External

Health and Safety at Work Act 1974
Management of Health and Safety at Work Regulations 1999

Date of Approval and Next Review

Version: 1.2

Approved on: 01 Sep 2025

Approved by: Academic Board

Next Review: August 2026

Click to download this policy

Procedure 002: Academic Appeals Procedure

PROCEDURE 002: ACADEMIC APPEALS

PURPOSE AND SCOPE

1.1 This Procedure describes how the Academy of Contemporary Music (ACM) ensures the equitable, transparent and timely consideration of a student’s appeal against an academic decision in relation to assessment, progression, grades, and award outcomes.

1.2 This Procedure aims to explain the reasonable due course which students are required to consider and follow when submitting an Academic Appeal.

1.3 This Procedure applies to ACM students on HE programmes, including Foundation programmes.

FE students

1.4 ACM applies UAL’s Academic Appeals Policy and Procedure to its UAL-validated Level 3 diploma programmes. FE students should therefore follow UAL’s Academic Appeals Policy and Procedure HERE and pay close attention to Section 2 in the UAL Policy in order to determine whether they have grounds to appeal. All appeals from ACM FE students should be sent to diplomaleadership@acm.ac.uk

2. PROCEDURE

2.1. ACM seeks to resolve all appeals and complaints in a timely manner through considered escalation of matters as outlined in this procedure.

Early Resolution Stage 1:

2.2. Students should note that formal academic appeals (stage 2) should usually be submitted in writing to appeals@acm.ac.uk within 21 working days of the publication of the academic decision that is being disputed. Early resolution should be undertaken and completed within this timeframe. Where a student wishes to dispute an academic outcome they should, in the first instance, seek further advice and clarification via assessment@acm.ac.uk They will assign staff who will facilitate meetings and responses to the student’s queries. This is considered the first early resolution stage. Normally, consultation through this stage will provide further clarity around the academic decision and provide guidance in relation to the formal appeals process, where relevant.

2.3 Where there are reasonable grounds to remedy the academic decision due a clear material or administrative error, the investigating staff may take actions to remedy the matter. Any resolutions and actions that are agreed with the appellant must be kept on record and communicated to the student and Assessment and Programme Team in writing.

2.4 Where a student is not satisfied with the outcome of the informal stage, they may escalate their appeal to the formal stage.

2.5 If the ACM Assessment Board or Final Exam Board (FEB) considers that there may be grounds for an academic appeal, it may request, through the Assessment and Programme Team, that a written statement be provided to the Board providing the required information. These written statements should be in a form suitable for use as evidence at an Appeal Panel as they may be escalated to the first formal stage.

Formal Stage 2:

2.6 All academic appeals should usually be submitted in writing to appeals@acm.ac.uk within 21 working days of the publication of the academic decision that is being disputed. This should allow students to undertake and complete early resolution within this timeframe. The appellant should attach relevant supporting materials and evidence to support their appeal. Appeals that lack relevant supporting documentation may be dismissed. Appeals that are submitted after the 21-day timeframe without clear and compelling reasons may be dismissed.

2.7 The Quality Assurance Team or an appointed nominee will assess whether the application meets conditions for an academic appeal and may request further information from the appellant, relevant programme team, or independent staff, to ensure a fair assessment is made of the appeal.

2.8 The Quality Assurance Team or an appointed nominee will acknowledge receipt of the appeal in writing and notify the appellant of the next steps within 21 working days of receiving the appeal. Normally one of the following will apply:

the matter the appellant has raised does not meet conditions for academic appeal and no action will be taken;
the matter the appellant has raised does not meet conditions for academic appeal, whereupon they may seek further recourse through the Complaints and Grievances provisions;
the matter will be referred to an Appeal Panel, the Assessment Board or Finalist Exam Board for consideration.

Appeal Panel

2.9 An Appeal Panel will be constituted by the Quality Assurance Team or an appointed nominee and will consist of a minimum of three staff members, chaired by a senior staff member that has not been directly involved in the matter that is subject to appeal. The panel will normally consist of a member from the Programme or Quality team and two members from the Academic Leadership Team. The panel will examine the evidence that has been submitted, and may opt to call meetings with the appellant and staff involved in order to gather further evidence to make a reasonable determination of the outcome of appeal.

2.10 For an appeal against a penalty imposed for academic misconduct, the documentation used in relation to the academic misconduct shall be provided to the Appeal Panel.

Assessment and Progression Panel, Finalist Exam Board (Appeal Panel)

2.11 Appeals of provisional grades may be considered by the Assessment Board and appeals of the final grades will be considered by the FEB. These Panels shall consist of a minimum of three members including the Chair.

2.12 In compelling circumstances, the Chair of the Assessment Board or FEB may take Chair’s Action in the student’s favour, and this decision must be reported at the first opportunity at the sitting of the ACM Assessment Board or Final Exam Board. The Chair shall formally communicate this decision to the Academic Leadership Team who will notify the appellant within 5 working days.

2.13 A record of all panel interviews and a record of the panel outcome(s) will be provided to the Academic Leadership Team in writing.

2.14 Panel proceedings should be concluded within 21 working days of the initial notification of the receipt of the academic appeal. The outcome reached by the Panel will be communicated to the appellant in writing through Registry. Registry will communicate the outcome of the Panel proceedings within 5 working days.

2.15 A decision on an appeal by the Appeal Panel (Assessment Board or FEB) is final and no further appeal is possible against it.

2.16 At this stage the academic appeal procedures of ACM are concluded. Where the appellant is dissatisfied with the outcome they may escalate the matter to the awarding body.

2.17 An appellant’s failure to reply in writing within 21 working days of the date on the letter offering an informal settlement shall be taken as acceptance of the offer.

2.18 A decision on an appeal by an ACM Assessment Board or Final Exam Board is final and no further appeal is possible against it within ACM. Students have the right to follow the Appeals Regulations of the awarding body for their programme.

Student Progression:

2.19 Until the appeal is concluded, the appellant:

Will be allowed to continue their studies, except under circumstances where the academic decision being disputed is in relation to a progression decision in accordance with institutional progression regulations,
Must continue to meet the attendance, engagement, and assessment requirements for the programme.

Formal Stage 3:

2.20 Where a student is dissatisfied with the outcome of ACM’s Academic Appeal procedure, they may escalate their appeal to Middlesex University. Students may request a review of the outcome of the Stage 2 investigation carried out by ACM, by completing a CPULR form (Collaborative Partner University Level Review) available from Middlesex University. The CPULR form must be submitted to the Director of Affairs at Middlesex University within 21 working days of the date of the Stage 2 Outcome Letter. Middlesex University Regulations for Appeals apply to all Higher Education programmes and these are set out in Section G: Appeal Regulations and Procedures, of the Middlesex University Regulations which are available online at: https://www.mdx.ac.uk/__data/assets/pdf_file/0034/759256/FINAL-Regulations-2023-24.pdf

2.21 The receipt of the CPULR form will normally be acknowledged within 7 working days, and ACM will be informed of the nature and substance of the complaint.

2.22 The CPULR form will be reviewed by the Director of Student Affairs or nominee. The University review will consider whether a) there has been a procedural irregularity in the investigation of the appeal by ACM, or b) any new evidence has come to light which would have had a material impact on the investigation. Discussion may be held with the student and/ or subject of the appeal and with members of staff involved in ACM’s investigation process.

2.23 Where possible, reviews should normally take no more than 21 working days to investigate from the acknowledgement being sent. The Director of Student Affairs or nominee will establish appropriate timescales based on the nature and complexity of the case. These timescales should be communicated to the student and the student kept informed of any changes.

2.24 The Director of Student Affairs or nominee will inform all parties of the proposed outcome of their investigation and give all parties the opportunity to comment. Following consideration of any comments, the Director of Student Affairs or nominee will communicate the outcome of the review, with reasons and in writing, to all parties within 21 working days.

Formal Stage 4:

2.25 The University will issue a Completion of Procedures (CoP) letter at the end of Formal Stage 3 Review. Where the student is not satisfied with the outcome of the University proceedings, they may escalate their complaint to the Office of the Independent Adjudicator (OIA) for students in Higher Education. The University can provide further guidance to the appellant if they wish to escalate their appeal. Information about the OIA is available here: http://www.oiahe.org.uk/

3. RESPONSIBLE PARTIES

3.1 This Policy is under the responsibility of the Academic Board. The responsible committee will ensure the cyclical review of this Policy is carried out under ACM’s Quality Assurance Framework.

3.2 Decisions and appropriate actions in support of the implementation of the Policy will be authorised by the following designated staff:

Quality Assurance and Enhancement Manager
Head of Quality and Standards
Assessment Lead (Academic)

4. SUPPORTING INFORMATION

4.1 Internal

Fitness to Study Policy
Appeals Policy
Extenuating Circumstances Policy
Extenuating Circumstances Procedure
Extenuating Circumstances Form
Student Disciplinary Policy
Safeguarding Policy
Equality and Diversity Policy
Data Protection Policy

4.2 External

Middlesex University (MDX) Regulations
Middlesex University (MDX) Learning and Quality Enhancement Handbook (LQEH), Section 1: An Overview of quality assurance and enhancement activity at Middlesex-University.
The UK Quality Code for Higher Education, Chapter B6
The UK Quality Code for Higher Education, Chapter B9
OfS Conditions B1 – B6
UAL Awarding Body qualifications resources (Link: http://www.arts.ac.uk/about-ual/awarding-body/resources/ )
Data Protection Act 1998
UK QAA Quality Code, Chapter B9: Academic Appeals and Student Complaints

5. DOCUMENT HISTORY AND NEXT REVIEW

Version: 3.3

Approved on: 01 September 2025

Approved by: Academic Board

Date of next review: August 2026

Download: PRO_002 Academic Appeals_AY2526

Gender Pay Gap Reporting for 2021 / 22

The Equality Act 2010 (Specific Duties and Public Authorities 2017 requires gender pay reporting for employers with 250 or more employees to publish statutory calculations showing how large the pay gap is between their male and female employees. For organisations with less than 250 employees this is voluntary (as was applicable to The Academy of Contemporary Music in 2021-22).

View the organisation’s 2021-22 Gender Pay Gap Report here.

Procedure 003: Complaints and Grievances Procedure

Procedure 003: COMPLAINTS AND GRIEVANCES

1. PURPOSE

1.1 This procedure describes how the Academy of Contemporary Music (ACM) ensures the equitable, transparent and timely consideration of student complaints and grievances in relation to any aspects of their student experience, student services, administration, financial matters, and information for their programme of study.

1.2 This procedure aims to explain the reasonable due course which students are required to consider and follow when submitting a complaint or grievance.

1.3 This policy and procedure relates to students studying at ACM Guildford, ACM London and ACM Birmingham, on programmes validated by Middlesex University (HE) and University of the Arts London (FE).

2. PROCEDURE STATEMENT

2.1 ACM encourages all students to discuss any concerns that they may have at the earliest opportunity to avoid delays and unnecessary escalation of matters. Most issues can normally be resolved quickly at the local level, without going through the complaints and grievances procedures. Key points of contact if there is a concern are:

Student Relations Officers (in campus reception areas)
Student Services (Hub), who will direct you to the department or information source
Registry team, who will direct you to the department or regulations, policies and documentation registry@acm.ac.uk
If unsure who to contact, the Student Hub team studentsupport@acm.ac.uk can assist students at this stage.

2.2 ACM seeks to resolve all complaints and grievances in a timely manner through considered escalation of concerns as outlined in this procedure. Students that wish to lodge an appeal of an academic decision should refer to the Academic Appeals Policy and Procedure (POL 002).

Stage 1: Early Resolution

2.3 In the first instance students who wish to make a complaint should discuss it with the relevant team responsible to be invited to an in-depth discussion for early resolution. They will advise whether or not the complaint is best progressed through:

An informal meeting or mediation;
A Student Forum or Board of Studies (for concerns impacting a wider group/cohort);
Consultation with specific persons who can resolve the problem (E.g. Tutor, Module Leader);
Referral to an external agency, or
Escalation to the Formal Stage 2

2.4 A student should, if possible, address their complaint to the member of staff most directly involved in the event leading to the complaint in order to give that person the opportunity to address the concerns.

2.5 If for any reason the student does not feel that this is possible, they should seek advice from the Student Hub team (studentsupport@acm.ac.uk) in order to identify an appropriate alternative mechanism of early resolution.

2.6 Every effort will be made to resolve the complaint simply and quickly. The member of staff investigating the complaint may invite the student to a meeting to discuss the matter in an attempt to reach a resolution. The member of staff investigating shall discuss the complaint with the student and, with the student’s consent, engage anyone else involved, to see if the concern can be resolved through early resolution.

2.7 Any resolutions and actions that are agreed with the student must be kept on record and communicated to the student in writing within 21 working days. At the end of Stage 1, a student will be provided with a written response to their complaint, which will either:

Detail the proposed resolution; OR
If no resolution has been proposed, explain why the resolution has not been considered to be possible.

Stage 2: Formal Stage

2.8 If the student is dissatisfied with the outcome of an early attempt to resolve the matter, for example, under Stage 1, they may opt to escalate the complaint to the second (formal) stage. All formal complaints must be submitted in writing to complaints@acm.ac.uk within 21 working days of the informal stage having been completed. The student should complete the Complaints Form and attach all relevant supporting materials and evidence to support their complaint. Complaints that lack relevant supporting documentation may be dismissed or referred back to the student for further consideration.

2.9 The Quality Assurance team will acknowledge receipt of the complaint in writing and notify the student of the next steps within 7 working days of receiving the complaint. Student Engagement will assign the complaint to a senior member of ACM staff who will undertake a provisional investigation to see if a resolution to the concern can be reached prior to the proceeding to a formal panel.

2.10 If a Quality Assurance team member was involved in the case at Stage 1, they will nominate an appropriate alternative individual to take a lead on the case. If no appropriate individual can be found, the Student Engagement team may refer it to Registry, who will then assign the lead to an appropriate individual.

2.11 The lead investigator shall convene a panel of relevant staff to consider the case appropriately. They will consider the evidence, written or otherwise, and, if necessary, hold such discussions with the complainant and any other persons they deem appropriate in order to fully investigate the complaint.

2.12 The complaints panel will determine appropriate timescales based on the nature and complexity of the case. These timescales should be communicated to the student and the student kept informed of any changes. Where possible, complaints should normally take no longer than 21 working days to investigate from the acknowledgement being sent.

2.13 The lead investigator having fully investigated the complaint over a period not normally exceeding 21 working days from its receipt, shall decide whether:

the complaint should be progressed through other procedures; or whether
there is no reasonable justification for the complaint, in which case the complaint shall be terminated at this stage; or whether
there is reasonable justification for the complaint.

2.14 The lead investigator shall:

make their decision known in writing and sent to the student within 5 working days;
recommend resolutions to any justifiable complaint which all parties involved in the complaint shall be invited to accept; and
if the recommendations are agreed, shall take steps to ensure that they are implemented in full within the agreed time period.

2.15 The Quality Assurance team will:

Inform the student and the members of staff or other students involved of the decision.
Monitor the agreed resolutions to the complaint as necessary.
The Quality Assurance team will seek confirmation from the student(s) that they are satisfied with the agreed outcome.

Where a student is not satisfied with the outcome of the second stage, and where the complaint is related to the student’s academic programme, they may escalate their appeal to the formal stage 3.

2.16 Where a student is not satisfied with the outcome of the second stage, and where the complaint is not related to the student’s academic programme, students are not required to escalate the matter to ACM’s validating partner (as described in Stage 3 of this Procedure) and may escalate their appeal to the Office of the Independent Adjudicator (OIA) for Higher Education. Where this is the case, ACM will make this clear in the Stage 2 outcome letter and will also issue a Completion of Procedures (COP) letter. Information and eligibility rules are available at: www.oiahe.org.uk

Stage 3: Validating Body/ Partner Institution Review

Middlesex University Provision

2.17 This section applies to students studying on the BA(Hons) Music Industry Practice programme or the BA(Hons) Creative Industry Futures programme or the MCCI or MA/MSc in Creative Industry Futures programme at ACM Guildford, ACM Birmingham or ACM London.

2.18 If a student considers that:

there has been a procedural irregularity in the investigation of a complaint regarding a matter related to their academic programme carried out by ACM;
new information has come to light, which the student was unable to disclose previously, and which would have had a material impact upon the investigation previously undertaken;
the decision reached was unreasonable based on the information that had been available to ACM when the case was considered,

they can request a review of the outcome of the investigation carried out by ACM, by completing a CPULR form (Collaborative Partner University Level Review).

2.19 The student is expected to submit the CPULR form and all supporting documentation within 21 working days of receiving written confirmation from ACM of the final outcome of ACM’s investigation. The CPULR form must be submitted to the Director of Affairs at Middlesex University.

2.20 The receipt of the CPULR form will normally be acknowledged within 7 working days, and ACM will be informed of the nature and substance of the complaint.

2.21 The CPULR form will be reviewed by the Director of Student Affairs or nominee. The University review will consider whether a) there has been a procedural irregularity in the investigation of the complaint by ACM, or b) any new evidence has come to light which would have had a material impact on the investigation. Discussion may be held with the student and/ or subject of the complaint and with members of staff involved in ACM’s investigation process.

2.22 Where possible, reviews should normally take no more than 21 working days to investigate from the acknowledgement being sent. The Director of Student Affairs or nominee will establish appropriate timescales based on the nature and complexity of the case. These timescales should be communicated to the student and the student kept informed of any changes.

2.23 The Director of Student Affairs or nominee will inform all parties of the proposed outcome of their investigation and give all parties the opportunity to comment. Following consideration of any comments, the Director of Student Affairs or nominee will communicate the outcome of the review, with reasons and in writing, to all parties within 21 working days.

Stage 4: (HE students only)

2.24 When the review has been concluded, the student will be issued with a Completion of Procedures (COP) letter. Following this, any student who is dissatisfied with the final decision on their case may be able to apply to the Office of the Independent Adjudicator (OIA) for Higher Education. Information and eligibility rules are available at: www.oiahe.org.uk.

University of the Arts London (UAL) Provision (FE)

2.25 This section applies to students on Level 2 and Level 3 provision at ACM whose complaints relate to their course/ award.

2.26 UAL will onIy consider a complaint from a student at a partner institution in circumstances where a student feels that there was a material or procedural error in the operation of ACM’s procedures, and the University Secretary and Registrar considers it fair and reasonable in all the circumstances to permit the complaint.

2.27 Students can find further information on UAL’s complaints procedure on their website (click here).

East Surrey College (FE)

2.28 This section applies to students on Level 2 and Level 3 provision at ACM whose complaints relate to funding.

2.29 Details on East Surrey College’s Concerns and Feedback procedure can be found on their website (click here).

Groups of Complainants

2.30  ACM recognises that students may wish to lodge complaints collectively. In such instances students are asked to nominate one spokesperson with whom ACM staff will liaise to address the complaint. The spokesperson should endeavour to gather the views of all of the students who wish to lodge the complaint. If Stage 1 does not satisfactorily address the complaint, the spokesperson should complete a written explanation of the complaint (either a report or via the Student Complaints Form), which should be agreed by the entire group before submission. Students may opt to have their elected Student Representative act as spokesperson for the group.

Student Progression

2.31 Until the complaint is concluded, the student:

Will be allowed to continue their studies, except under circumstances where there is a disciplinary matter involved where the student has been suspended for their own or others’ safety;
Must continue to meet attendance, engagement, and assessment requirements for the programme.

3. POLICY OWNER

3.1 The policy lead is responsible for the cyclical monitoring and review of the policy in liaison with the Quality Assurance Team. The Student Complaints and Grievances Procedure lead is:

Quality Assurance and Enhancement Manager

3.2 Decisions and appropriate actions in support of the implementation of the Policy will be authorised by the following designated staff:

Quality Assurance and Enhancement Manager or nominee
Head of Student Services
Registry Manager
Senior Management, including Executive Senior Management

4. SUPPORTING INFORMATION

4.1 Internal Documents

Academic Appeals
Academic Integrity
Admissions
Student Disciplinary
Equality and Diversity

4.2 External Documents

Middlesex University Regulations: Student complaints and grievance procedures
University of the Arts, London: Student Complaint Procedures
East Surrey College: Client Feedback Policy
QAA Quality Code, Chapter B9: Academic Appeals and Student Complaints
OfS Conditions B1 – B6

5. DOCUMENT HISTORY AND NEXT REVIEW

5.1 This procedure applies to Academic Year 2024-25

Version	3.2
Approved on	03 September 2024
Approved by	Academic Board
Date of next review	August 2025

Download: Procedure 003 Complaints and Grievances AY2024-25

Student and Alumni Fair Processing Notice

The General Data Protection Regulation (GDPR) protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with information about people. A key element to this is the principle to process individuals’ data lawfully and fairly. In order to meet the fairness part of this we need to provide information on how we process personal data.

This Fair Processing Notice satisfies this element of legislation and is designed to highlight the areas of Data Protection which may be of particular concern to current and/or former students, and to help those people understand how information about them will be used. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office (ICO), the regulator for data protection in the UK.

This Fair Processing Notice applies to all students aged 13 and over. If you are under the age of 13, we will require your parent/guardian to provide initial consent in accordance with UK law, in order to process your data and will also need to involve them in certain aspects of your relationship with ACM. If you are between the age of 13 and 18, we will not need your parent/guardian’s consent to process your data, but we may still need to involve your parent/guardian in certain aspects of your relationship with ACM. For such reasons, therefore, this Fair Processing Notice also applies to parents/guardians providing information about students.

Separate Fair Processing Notices are available for the Public, contracted Staff and Suppliers.

More widely, ACM is committed to meeting the entirety of its responsibilities to current and former staff under the General Data Protection Regulation (GDPR) and related legislation taking these matters very seriously. We will always ensure personal data is collected, handled, stored, shared, retained and disposed of in a secure manner.

For the purpose of your data protection, ACM is the recognised ‘controller’ of your data. A number of legal entities trade as ACM. These include ACM Commercial Ltd, ACM Education Ltd, The Academy of Contemporary Music Ltd, ACM Guildford Ltd, ACM London Ltd, ACM Birmingham Ltd and Industrication Ltd. Regardless of which legal entity you liaise with, we make the same Data Protection Officer available to you, who can be contacted about any of the content held herein via:

Postal Address:

Data Protection Officer
The Academy of Contemporary Music Rodboro Buildings
Bridge Street
Guildford
Surrey
GU1 4SB
United Kingdom

Telephone: +44 (0) 1483 500 800 Email: dpaofficer@acm.ac.uk

The legal basis by which we will process and may have already processed data about you:

When we collect or process data about you, we have to observe the requirements of the General Data Protection Regulation (GDPR).

Under the General Data Protection Regulation our legal bases for processing this information about you as a student will be that processing is necessary:

○ “For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” This means the information is needed for the delivery and administration of your studies at ACM.
○ “For compliance with a legal obligation.” This means ACM is legally required to share some information about you, for example with the Higher Education Statistics Agency (HESA).
○ “To protect the vital interests of a data subject or another person.” This means that in some rare circumstances it may be necessary to share information about you, for example to the emergency services.

If you go on to be an alumna or alumnus of ACM the legal basis for continuing to process your personal information would then be:

If you were a student of ACM before May 25th 2018 (the date on which GDPR came into effect), it is important for you to remember that your personal data was already protected another way, by way of The Data Protection Act (The DPA). The DPA established a framework within which information about living individuals can be legally gathered, stored, used and disseminated. At its core were eight Data Protection Principles, which ACM and other organisations needed to abide by. These specified that personal information must be:

○ Processed fairly and lawfully, and only if certain conditions are met
○ Obtained for specified and lawful purposes, and not used for purposes other thanthose for which it was gathered
○ Adequate, relevant and not excessive
○ Accurate and where necessary kept up to date
○ Kept for no longer than necessary
○ Processed in accordance with individuals’ rights
○ Kept secure

○ Not transferred outside the European Economic Area unless certain conditions are met

GDPR builds on these requirements and states that from 25 May 2018 information must be:

○ processed lawfully, fairly and in a transparent manner in relation to individuals;
○ collected for specified, explicit and legitimate purposes and not further processed ina manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
○ adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
○ accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
○ kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
○ processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against

accidental loss, destruction or damage, using appropriate technical or organisational measures.

GDPR also requires that:

○ “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

These protections apply to information in electronic form and also many types of data in paper form. Further information about the Data Protection Act and the General Data Protection Regulation is available from the Information Commissioner’s Office at www.ico.org.uk .

How and why does ACM use personal data?

Student and Alumni personal data is processed primarily for, but not limited to, the following purposes:

○ To administer and support your studies and record academic achievements, e.g. your course choices, attendance, assessments and the publication of any graduation programmes
○ To assist in pastoral and welfare needs, e.g. the counselling service and services to students with disabilities

○ To administer financial aspects of your registration as a student, e.g. payment of fees, debt collection
○ To tell you about things that are happening in and around ACM
○ To manage course facilities, such as computing facilities and the Library
○ To produce management statistics and to conduct research into the effectiveness ofour courses
○ To monitor our equal opportunities policies, e.g. compliance with the Race RelationsAct
○ To administer student employment processes, if you choose to work for ACM whilstyou are studying with us
○ For security and disciplinary purposes
○ For internal and external audits and quality assurance exercises
○ For alumni relations purposesWe may disclose your data to certain outside organisations as outlined in this Fair Processing Notice.
We may use copies of the data, including sensitive personal data, which we hold about you for the purpose of testing our IT systems. If your data is used for system testing, it will be copied to a test environment and used with data on other students to test changes to our IT systems in a realistic way. This is done to ensure that changes will be effective and will not cause loss or damage to data. The data about you which we hold in our live systems will not be affected. Your data will not be kept in the test environment for longer than is necessary

for testing purposes. Data in that environment will not be used for purposes other than testing. We will also apply appropriate security precautions to the data.

What personal data does ACM collect?

ACM collects personal data from students at various stages. The volume and nature of the personal data collected is described below, but is not limited to the data items specified:

Personal data:

○ Your name
○ Your contact details
○ Details of your emergency contacts / parents / guardians / next of kin
○ Your date of birth
○ Your nationality
○ Your country of residence
○ Your ethnic origin
○ Your gender identity
○ Any disabilities which you have disclosed to us
○ A digital photograph used to produce your student ID, and for security andidentification purposes
○ Medical information, such as information held by Student Services
○ Audio/Visual data relating to your application / enrolment at ACM.

Course related data:

○ Information from your application process
○ Your academic background and qualifications
○ Your academic record while at ACM (including measures of attendance,engagement and attainment)
○ Details of any degrees which you are awardedFinance data:

○ Fee information
○ Bursary or sponsorship details
○ Payment / Bank details.Other data:

○ Any disciplinary action taken against you
○ Information relating to any academic appeals or complaints raised by you
○ Attendance warnings issued to you
○ Official letters requested by you during your studies, for example Council Taxexemption
○ Your use of ACM’s facilities, such as the Library
○ Online identifiers, such as your ACM username that is used to access our systemsSome of this information, such as your ethnicity, medical information and information about disabilities, is classed as “sensitive” personal data under the Data Protection Act. Under the

General Data Protection Regulation sensitive data covers information consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. Sensitive personal data is subject to extra legal protection and we have to meet an additional set of conditions in order use the data fairly and lawfully.

Sensitive data about you, for example relating to your health, may be shared with restricted departments within ACM to ensure that you have access to appropriate services and support. Sensitive personal data may also be used to monitor equality of opportunity and access to higher education, but will not be used to make decisions about you. For further information about sensitive personal data, see ACM’s Data Protection Policy.

NB If you are under 18, we may also need to collect details from a parent/guardian for the purpose of administering your education with ACM, and if you are under 13, we will need to specifically collect their consent to collect and process your information.

Your Student Profile

In the normal course of study, your name, course and ACM email address may be made available to your fellow Students via ACM systems. Your contact details will also be made available in a directory to staff via ACM systems. This may include name, photo, course, ACM email address and a contact telephone number. Should there be times at which you are unable to be contacted by way of ACM-operated communications platforms, relevant staff may be

provided access to your non-ACM contact details, only as necessary. This may extend to sharing of emergency contact details, if the need arises.

Information, such as your name, course and career credits may be made available in a public manner, where relevant to promote ACM’s work, for example in our prospectus and on our website.

ACM Communications Platforms

Where ACM’s email and other communications services are provided by third parties, you are bound by their terms of service. ACM undertakes that data held within these services is held in accordance with GDPR legislation. ACM has contracts in place with these providers to ensure the protection of ACM owned personal data.

Student email addresses are issued and used for communicating about ACM and studies, and are monitored to ensure compliance with our Data Protection and associated policies, as well as legislation such as The Prevent Duty.

CCTV

For safeguarding and crime prevention purposes, we may operate CCTV systems that cover areas you access at ACM. Please refer to our CCTV policy for more information.

Who else has access to my my data?

ACM is required to share personal data with certain other organisations in order to meet statutory requirements or to provide services to students. Sharing will always be undertaken in line with the requirements of data protection law, either through the consent of the individual, or another relevant legal gateway. The personal data that is actually shared will always be limited precisely to what the other organisation needs to meet its requirements or deliver its services.

Although we do not transfer data outside of the European Economic Area (EEA) as a matter of course of usual business, if this disclosure involves the transfer of your data outside the European Economic Area (EEA), we will inform you of this in advance, along with information about the safeguards in place. The data will only be transferred outside the EEA if one of the conditions set down in the Data Protection Act has been met, or in compliance with the conditions of transfer outlined in the General Data Protection Regulation.

Your data may also be sent to different companies/departments within the ACM group where this is necessary for our day to day administration. The full list of ACM Group companies is: The Academy of Contemporary Music Ltd, ACM Commercial Ltd, ACM Education Ltd, ACM Guildford Ltd, ACM London Ltd, ACM Birmingham Ltd, Industrication Ltd, Metropolis London Music Ltd.

The information below outlines the key partners with whom ACM shares personal data with on a periodic basis:

● Professional and Funding Bodies:

○ Validation of registrations and awards; and
○ Approval of funding applications.

○ Partner institutions such as Middlesex University (Guildford and Birmingham HE), Falmouth University (London HE), East Surrey College (Guildford FE), University of the Arts London Awarding Body (Guildford and Birmingham FE) and/or Walsall Studio School (Birmingham FE);
○ External examiners connected to the awards we operate for examination, assessment and moderation purposes.

● National/Local Government Departments and other public bodies:
- ○ Higher Education Statistics Agency (HESA) to produce a variety of statistical reports about higher education that are required to be published in the public interest for which a separate data collection notice can be found at https://www.hesa.ac.uk/about/regulation/data-protection/notices#student ;
- ○ The Office Of The Independent Adjudicator to review student complaints;
- ○ The Office for Students during institutional audits and other qualityassessment exercises;
- ○ the Student Loans Company in connection with grants, fees, loans andbursaries;
- ○ the courts, the police and other organisations with a crime prevention or lawenforcement function (subject to the proper entitlements);
- ○ Local authorities for the purposes of assessing and collecting council tax.
● Communications Platforms to facilitate marketing and communications of ACM services (governed by GDPR compliant data sharing agreements):
- ○ Facebook for re-marketing of ACM services to you via its channels;
- ○ Clickatell for SMS (text message) services; and
- ○ Mailchimp and Mandrill for campaign and transactional email services.

● Service Platforms to facilitate the administration and distribution of ACM services (governed by GDPR compliant data sharing agreements):
- ○ Canvas Virtual Learning Environment for your online learning tools;
- ○ Turnitin plagiarism detection software for verifying the originality of yoursubmitted work; and
- ○ Music Gateway for your professional development opportunities.
● Other individuals / organisations:
- ○ International recruitment consultants and agents (for relevant internationalstudents);
- ○ Housing providers for students;
- ○ ACM’s insurers and legal advisers for the purpose of providing insurancecover or in the event of a claim;
- ○ Employers who request a reference from ACM (for relevant staff andstudents).
- ○ If you leave ACM owing money to ACM, we may at our discretion pass thisinformation to a debt collection agency.
- ○ We may disclose information for the purpose of verifying data about you heldby ACM, held by another higher education institution, or held by government
  agencies.
- ○ We may disclose information if there are concerns regarding studentvulnerability and susceptibility to radicalisation as part of our responsibilities under the Counter Terrorism and Security Act 2015.

Personal data may also be disclosed when legally required or where there is a legitimate interest, either for ACM or the data subject, taking into account any prejudice or harm that may be caused to the data subject.

ACM may also use third party companies as data processors to carry out certain administrative functions on behalf of ACM. If so, a written contract will be put in place to ensure that any personal data disclosed will be held in accordance with GDPR legislation.

How long do you keep data for?

ACM takes its obligations under GDPR very seriously in terms of not holding onto personal data for any longer than is necessary. ACM has a retention schedule in place for the different categories of data it holds.

After you leave ACM we will continue to hold data about you in digital and paper form. Some information, such as your dates of attendance and your qualification achievements, will be retained permanently. Other data will be disposed of from time to time in accordance with ACM’s data retention policies. For example:

○ Data relating to your application – retained for 6 years after you leave ACM
○ Anonymised records which don’t identify you which are used for data analysispurposes – retained indefinitely
○ Records relating to applications for Extenuating Circumstances – retained for 1 yearafter the end of the academic year in which the application is made

○ Your contact details – ACM is required by statute to retain these to enable the Higher Education Statistics Agency’s national survey of Graduate Outcomes
○ Data relating to your assessment and degree outcome – retained indefinitely to be able to provide academic transcripts
○ Data relating to any student complaints or academic appeals – retained for one year post completion of complaint and appeal procedures
○ Financial data relating to payments received from you or paid to you – there is a mandatory requirement to keep financial data for at least seven years for audit purposesBy enrolling as a ACM student, you agree to ACM processing data relating to you after you leave ACM for any purposes connected with your studies, your status as a former student and for other legitimate reasons.
Examples of how we may use your data after you finish or graduate include:

○ To provide evidence of your academic achievements when requested to do so: e.g. transcripts, confirmation of qualifications and references
○ To provide information to regulatory bodies and other agencies to whom we are legally required to supply data
○ To produce management statistics
○ To maintain contact with you as a ACM alumnus/alumna
○ For audit and quality assurance purposesWe may contact you for a limited range of research purposes after you leave ACM.

We are required by statute to maintain and share your contact details to enable the carrying out of surveys conducted by or on behalf of HESA, the Office for Students or other official agencies. Where we report a variety of data to HESA, a separate data collection notice can be found at https://www.hesa.ac.uk/about/regulation/data-protection/notices#student. We may also contact you to carry out our own research into your experiences at ACM and after leaving ACM, in order to evaluate the effectiveness of our courses and improve our services to students. If you do not want to be contacted for these purposes, please notify dpaofficer@acm.ac.uk

ACM graduates automatically become members of the ACM Alumni Network as ACM would like to stay in contact with you.

ACM retains some data about current and former students indefinitely, for the reasons outlined below:

● to be able to verify qualifications with future employers;
● to be able to respond to safeguarding responsibilities;A full schedule concerning data retention and disposal is available via the policies section of our website.
What are my rights regarding the personal data you hold relating to me?

An individual has the right to be informed about data collection via a Fair Processing Notice. This is that notice.

An individual has the right to ask ACM what personal data we hold about them , and to ask for a copy of that information. ACM reserves the right to ask you to provide proof of identification and for you to clarify your request if it is unclear in the first instance. You will

receive a reply no longer than 30 calendar days from the date you make the request in writing. If you are unhappy with the initial response you can ask ACM to undertake a further search if there is specific information you have good reason to believe exists but that hasn’t been delivered to you.

You have the right to rectify data that is incorrect. If you believe ACM holds information about you that is factually incorrect please email our registry department to provide the correct information, and ACM should update it within one month.

You have the right to be forgotten. Where there is not a legal / statutory obligation for ACM to hold data about you, you have the right to be forgotten.

You have the right to data portability where the personal data is processed with the consent of the data subject, not where the personal data has been collected using any of the other legal basis for processing.

You have the right to restrict processing.
You have rights in relation to automated decision making and profiling.

You also have the right to object / withdraw consent from the processing of your personal data by ACM at any time , if your consent was sought initially to use your personal data.

You also have the right to complain to the UK Regulator the Information Commissioner’s Office (the ICO) if you believe you request has not been dealt with properly or you have a complaint to raise against ACM for any other data protection related issue. A complaint can be raised via the ICO’s website at www.ico.org.uk or by writing to the following address:

The Office of the Information Commissioner Wycliffe House
Water Lane

Wilmslow Cheshire SK9 5AF

How do I exercise my rights under GDPR?

Postal Address:
Data Protection Officer
The Academy of Contemporary Music Rodboro Buildings
Bridge Street
Guildford
Surrey
GU1 4SB
United Kingdom

Telephone: +44 (0) 1483 500 800 Email: dpaofficer@acm.ac.uk

What are my responsibilities?

ACM will make every reasonable effort to keep your details up to date. However, it is your responsibility to provide us with accurate information about yourself when you provide it. It

is also your responsibility to let us know of any subsequent changes to your details. You must also abide by ACM’s Data Protection Policy when handling any personal data you come into contact with for which ACM is responsible.

Supplier Fair Processing Notice

This Fair Processing Notice satisfies this element of legislation and is designed to highlight the areas of Data Protection which may be of particular concern to current and/or former Suppliers, and to help those people understand how information about them will be used. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office (ICO), the regulator for data protection in the UK.

Separate Fair Processing Notices are available for the Public, contracted Students and contracted Staff. If you are working for ACM under a self-employed/freelance contract, ACM may require and process your personal data in accordance with the Staff Fair Processing Notice.

Postal Address:

Data Protection Officer
The Academy of Contemporary Music Rodboro Buildings
Bridge Street
Guildford
Surrey
GU1 4SB
United Kingdom

Telephone: +44 (0) 1483 500 800 Email: dpaofficer@acm.ac.uk

The legal basis by which we will process and may have already processed data about you:

Under the General Data Protection Regulation our legal basis for processing this information about you as a supplier will be that processing is necessary:

○ “For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” This means the information is needed for the delivery and administration of your relationship with ACM.
○ “For compliance with a legal obligation.” This means ACM is legally required to share some information about you, for example with HMRC. More information on this is covered below.
○ “To protect the vital interests of a data subject or another person.” This means that in some rare circumstances it may be necessary to share information about you, for example to the emergency services.If you cease to be a supplier of ACM, the legal basis for continuing to process your information would then be:

○ “Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.” This means it is reasonable to expect that ACM would contact you if it had a query about any products or services you supplied to ACM, a

matter relating to a time in which you were supplying those products/services and/or in relation to another statutory/legal obligation it may have.

If you were a supplier of ACM before May 25th 2018 (the date on which GDPR came into effect), it is important for you to remember that your personal data was already protected another way, by way of The Data Protection Act (The DPA). The DPA established a framework within which information about living individuals can be legally gathered, stored, used and disseminated. At its core were eight Data Protection Principles, which ACM and other organisations needed to abide by. These specified that personal information must be:

○ ○

○ ○ ○ ○ ○ ○

GDPR ○

Processed fairly and lawfully, and only if certain conditions are met
Obtained for specified and lawful purposes, and not used for purposes other than those for which it was gathered
Adequate, relevant and not excessive
Accurate and where necessary kept up to date
Kept for no longer than necessary
Processed in accordance with individuals’ rights
Kept secure
Not transferred outside the European Economic Area unless certain conditions are met

builds on these requirements and states that from 25 May 2018 information must be: processed lawfully, fairly and in a transparent manner in relation to individuals;

○ collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
○ adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
○ accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
○ kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
○ processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

GDPR also requires that:

○ “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

How and why does ACM use personal data?

Supplier personal data is processed primarily for, but not limited to, the following purposes:

● the general administration of our relationship with you, including for financial reasons;
● the selection process of suppliers;
● administration of non-ACM staff contracted to provide services on behalf of ACM;
● planning and management of ACM’s workload or business activity;
● disputes and disciplinary matters;
● training and development;
● vetting checks;We may disclose your data to certain outside organisations as outlined in this Fair Processing Notice.

We may use copies of the data, including sensitive personal data, which we hold about you for the purpose of testing our IT systems. If your data is used for system testing, it will be copied to a test environment and used with data on other students to test changes to our IT systems in a realistic way. This is done to ensure that changes will be effective and will not cause loss or damage to data. The data about you which we hold in our live systems will not be affected. Your data will not be kept in the test environment for longer than is necessary for testing purposes. Data in that environment will not be used for purposes other than testing. We will also apply appropriate security precautions to the data.

What personal data does ACM collect?

ACM collects the following information from suppliers, which is outlined below:

○ name and address
○ contact details (telephone number, email address)
○ Details and dates of usage of the products/services being supplied
○ payment / bank detailsCCTV
For safeguarding and crime prevention purposes, we may operate CCTV systems that cover areas you may work in if you visit ACM. Please refer to our CCTV policy for more information.

Who else has access to my my data?

ACM will make some statutory and/or routine disclosures of personal data to third parties where appropriate. These third parties include:

● HM Revenue and Customs (HMRC)
● Financial Auditors
● Other organisations who have asked us for a reference of your services.
● Communications Platforms to facilitate marketing and communications of ACMservices (governed by GDPR compliant data sharing agreements):
- ○ Facebook for re-marketing of ACM services to you via its channels;
- ○ Clickatell for SMS (text message) services; and
- ○ Mailchimp and Mandrill for campaign and transactional email servicesPersonal data may also be disclosed when legally required or where there is a legitimate interest, either for ACM or the data subject, taking into account any prejudice or harm that may be caused to the data subject.
  ACM may also use third party companies as data processors to carry out certain administrative functions on behalf of ACM. If so, a written contract will be put in place to ensure that any personal data disclosed will be held in accordance with GDPR legislation.
  
  How long do you keep data for?
  
  Data we hold that is only relevant to current suppliers (such as bank information) will be deleted within 1 year of your last supply to us. All other relevant correspondence in relation to the supply of products/services will be held on file and retained for 6 years after an employee has left ACM, in accordance with HMRC recommendation, after which time it will be securely disposed of. Basic information about a supply of service (ie a log that the service was provided) will be

retained indefinitely, along with any other data we are required to hold indefinitely for legal/statutory reason.

A full schedule concerning data retention and disposal is available via the policies section of our website.

What are my rights regarding the personal data you hold relating to me?

An individual has the right to be informed about data collection via a Fair Processing Notice. This is that notice.

An individual has the right to ask ACM what personal data we hold about them , and to ask for a copy of that information. ACM reserves the right to ask you to provide proof of identification and for you to clarify your request if it is unclear in the first instance. You will receive a reply no longer than 30 calendar days from the date you make the request in writing. If you are unhappy with the initial response you can ask ACM to undertake a further search if there is specific information you have good reason to believe exists but that hasn’t been delivered to you.

You have the right to rectify data that is incorrect. If you believe ACM holds information about you that is factually incorrect please email our HR department to provide the correct information, and ACM should update it within one month.

You have the right to be forgotten. Where there is not a legal / statutory obligation for ACM to hold data about you, you have the right to be forgotten.

You have the right to restrict processing.
You have rights in relation to automated decision making and profiling.

You also have the right to object / withdraw consent from the processing of your personal data by ACM at any time , if your consent was sought initially to use your personal data.

The Office of the Information Commissioner Wycliffe House
Water Lane
Wilmslow

Cheshire SK9 5AF

How do I exercise my rights under GDPR?

Postal Address:

Data Protection Officer
The Academy of Contemporary Music Rodboro Buildings
Bridge Street
Guildford
Surrey
GU1 4SB
United Kingdom

Telephone: +44 (0) 1483 500 800 Email: dpaofficer@acm.ac.uk

What are my responsibilities?

ACM will make every reasonable effort to keep your details up to date. However, it is your responsibility to provide us with accurate information about yourself when you provide it. It is also your responsibility to let us know of any subsequent changes to your details. You must also abide by ACM’s Data Protection Policy when handling any personal data you come into contact with for which ACM is responsible.

Staff Fair Processing Notice

This Fair Processing Notice satisfies this element of legislation and is designed to highlight the areas of Data Protection which may be of particular concern to contracted and/or former staff, and to help those people understand how information about them will be used. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner’s Office (ICO), the regulator for data protection in the UK.

Separate Fair Processing Notices are available for the Public, contracted Students and Suppliers.

Postal Address:

Data Protection Officer
The Academy of Contemporary Music Rodboro Buildings

Bridge Street Guildford Surrey
GU1 4SB United Kingdom

Telephone: +44 (0) 1483 500 800 Email: dpaofficer@acm.ac.uk

The legal basis by which we will process and may have already processed data about you:

While you are a staff member at ACM and after you cease to be a staff member, ACM needs to collect, store, use and disclose certain data about you. ACM needs to process this data in order to function effectively as an organisation. Personal data is processed for administrative, academic, statutory, support and health and safety purposes. All such personal data shall be collected and held in accordance with GDPR.

Under the General Data Protection Regulation our legal basis for processing this information about you as a staff member will be that processing is necessary:

○ “For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” This means the information is needed for the delivery and administration of your employment with ACM.
○ “For compliance with a legal obligation.” This means ACM is legally required to share some information about you, for example with the Higher Education Statistics Agency (HESA). More information on this is covered below.

○ “To protect the vital interests of a data subject or another person.” This means that in some rare circumstances it may be necessary to share information about you, for example to the emergency services.

If you leave the employment of ACM, the legal basis for continuing to process your personal information would then be:

If you were a staff member of ACM before May 25th 2018 (the date on which GDPR came into effect), it is important for you to remember that your personal data was already protected another way, by way of The Data Protection Act (The DPA). The DPA established a framework within which information about living individuals can be legally gathered, stored, used and disseminated. At its core were eight Data Protection Principles, which ACM and other organisations needed to abide by. These specified that personal information must be:

○ Processed fairly and lawfully, and only if certain conditions are met
○ Obtained for specified and lawful purposes, and not used for purposes other thanthose for which it was gathered
○ Adequate, relevant and not excessive
○ Accurate and where necessary kept up to date
○ Kept for no longer than necessary
○ Processed in accordance with individuals’ rights
○ Kept secure

○ Not transferred outside the European Economic Area unless certain conditions are met

GDPR builds on these requirements and states that from 25 May 2018 information must be:

○ processed lawfully, fairly and in a transparent manner in relation to individuals;
○ collected for specified, explicit and legitimate purposes and not further processed ina manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
○ adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
○ accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
○ kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
○ processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

GDPR also requires that:

○ “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

How and why does ACM use your personal data?

Staff personal data is processed primarily for, but not limited to, the following purposes:

● the administration of prospective, current and past employees including self-employed, contract personnel, temporary staff or voluntary workers;
● the recruitment and selection process;
● administration of non-ACM staff contracted to provide services on behalf of ACM;
● planning and management of ACM’s workload or business activity;
● occupational health service;
● administration of agents or other intermediaries;
● pensions administration;
● disciplinary matters, staff disputes, employment tribunals;
● staff training and development;
● ensuring staff are appropriately supported in their roles;
● vetting checks;
● assessing ACM’s performance against equality objectives as set out by the EqualityAct 2010 .
We may disclose your data to certain outside organisations as outlined in this Fair

Processing Notice.

We may use copies of the data, including sensitive personal data, which we hold about you for the purpose of testing our IT systems. If your data is used for system testing, it will be copied to a test environment and used with data on other students to test changes to our IT systems in a realistic way. This is done to ensure that changes will be effective and will not cause loss or damage to data. The data about you which we hold in our live systems will not

be affected. Your data will not be kept in the test environment for longer than is necessary for testing purposes. Data in that environment will not be used for purposes other than testing. We will also apply appropriate security precautions to the data.

What personal data does ACM collect?

ACM collects personal data from teaching and non-teaching staff. The volume and nature of the personal data collected is described below, but is not limited to the data items specified:

● Initial application:
- ○ name and address
- ○ national insurance number
- ○ contact details (telephone number, email address)
- ○ self-declaration of permission to work in the UK and upload of passport/visacopy if necessary
- ○ relevant qualifications or indication of highest qualification held
- ○ professional development / training and membership of any professional body
- ○ employment history
- ○ supporting statement
- ○ Referee details
- ○ Criminal record disclosure
- ○ Data captured for equal opportunities monitoring (gender, date of birth,nationality, marital status, sexual orientation, religious belief, ethnicity)
- ○ Declaration about any disability as defined under the Equality Act 2010
● Once a candidate has been made an offer of employment:
- ○ Bank details
- ○ Emergency contact details
- ○ Qualification information required to be shared with HESA
- ○ Data captured for equal opportunities monitoring (as above)
- ○ Health information
- ○ Certain positions also require a DBS compliance check to be completed

○ A photograph for your Staff ID card
Further personal data captured about an employee is likely to relate to any performance or

appraisal process and any information needed to maintain a sickness/absence record.

Some of this information, such as your ethnicity, medical information and information about disabilities, is classed as “sensitive” personal data under the Data Protection Act. Under the General Data Protection Regulation sensitive data covers information consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. Sensitive personal data is subject to extra legal protection and we have to meet an additional set of conditions in order use the data fairly and lawfully.

Your Staff Profile

In the normal course of employment, your work contact details will be made available via ACM systems. This may include name, job title, work location, work email address and work telephone number. Your Line Manager and other Senior Managers (as necessary) at ACM may request access to your personal contact details for the purpose of your line management, only as necessary, should there be times at which you are unable to be contacted by way of ACM-operated communications platforms. This may extend to sharing of emergency contact details, if the need arises.

Information, such as CVs/career credits, photos and specialisms, may be made available in a public manner, where relevant to promote ACM’s work, for example in our prospectus and on our website.

ACM Communications Platforms

ACM’s email and other communications services are provided by third parties and you are bound by their terms of service. ACM undertakes that data held within these services is held in accordance with GDPR legislation. ACM has contracts in place with these providers to ensure the protection of ACM owned personal data.

Staff email addresses are issued and used for communicating about ACM business, and are monitored to ensure compliance with our Data Protection and associated policies, as well as legislation such as The Prevent Duty.

CCTV

For safeguarding and crime prevention purposes, we may operate CCTV systems that cover your work areas. Please refer to our CCTV policy for more information.

Who else has access to my my data?

about the safeguards in place. The data will only be transferred outside the EEA if one of the conditions set down in the Data Protection Act has been met, or in compliance with the conditions of transfer outlined in the General Data Protection Regulation.

ACM will make some disclosures of personal data to third parties where appropriate. These third parties include:

● Higher Education Statistics Agency (HESA)
● UK Visas and Immigration
● HM Revenue and Customs (HMRC)
● Pension schemes
● Research sponsors/funders
● Trade unions
● Potential employers (where a reference is requested)
● Benefits Agency as required by the Social Security Administration Act 1992
● Child Support Agency as required by the Child Support Information Regulations2008 (no.2551)
● The courts, the police and other organisations with a crime prevention or lawenforcement function (subject to the proper entitlements).
● Communications Platforms to facilitate marketing and communications of ACMservices (governed by GDPR compliant data sharing agreements):
- ○ Facebook for re-marketing of ACM services to you via its channels;
- ○ Clickatell for SMS (text message) services; and
- ○ Mailchimp and Mandrill for campaign and transactional email services
● The emergency services, where there is necessity.

● ACM’s insurers and legal advisers for the purpose of providing insurance cover or in the event of a claim;
● Employers who request a reference from ACM (for relevant staff and students).
● If you leave ACM owing money to ACM, we may at our discretion pass thisinformation to a debt collection agency.
● We may disclose information for the purpose of verifying data about you held byACM.
● We may disclose data about you for the purpose of a third party administeringCPD services for you.
● We may disclose information if there are concerns regarding vulnerability andsusceptibility to radicalisation as part of our responsibilities under the Counter Terrorism and Security Act 2015.
Personal data may also be disclosed when legally required or where there is a legitimate interest, either for ACM or the data subject, taking into account any prejudice or harm that may be caused to the data subject.

ACM may also use third party companies as data processors to carry out certain administrative functions on behalf of ACM. If so, a written contract will be put in place to ensure that any personal data disclosed will be held in accordance with GDPR legislation.

How long do you keep data for?

HR hold individual files for all members of staff. Data we hold that is only relevant to current employees (such as bank information and emergency contact information) will be deleted within 2 months of you leaving our employment. Some other relevant correspondence in relation to member of staff’s employment will be held on file and retained for six years after an employee has left ACM, after which time it will be securely disposed of. Basic information about a member of staff (appointment, dates of service etc) will be retained indefinitely, along with any other data we are required to hold indefinitely for legal/statutory reason.

A full schedule concerning data retention and disposal is available via the policies section of our website.

What are my rights regarding the personal data you hold relating to me?

An individual has the right to be informed about data collection via a Fair Processing Notice. This is that notice.

You have the right to be forgotten. Where there is not a legal / statutory obligation for ACM to hold data about you, you have the right to be forgotten.

You have the right to restrict processing.
You have rights in relation to automated decision making and profiling.

You also have the right to object / withdraw consent from the processing of your personal data by ACM at any time , if your consent was sought initially to use your personal data.

The Office of the Information Commissioner Wycliffe House
Water Lane
Wilmslow

Cheshire SK9 5AF

How do I exercise my rights under GDPR?

Postal Address:
Data Protection Officer
The Academy of Contemporary Music Rodboro Buildings
Bridge Street

Guildford Surrey
GU1 4SB United Kingdom

Telephone: +44 (0) 1483 500 800 Email: dpaofficer@acm.ac.uk

What are my responsibilities?

Policy 020: Data Access and Protection

Policy_020: Data Access and Protection

Purpose and Scope

1.1 This policy describes how the Academy of Contemporary Music (ACM) meets its data protection obligations.

1.2 It is intended to explain in an open and accessible manner the provisions adopted by ACM to meet its data protection obligations.

1.3 This policy applies to staff, students, prospective students, alumni, and anyone else about whom ACM may have reason to collect and process data. It is designed to ensure their fair, lawful and equitable treatment in relation to the use of personal data kept by the ACM.

Policy Statement

Data Protection

2.1 The Academy of Contemporary Music (ACM) needs to obtain and process certain information about our students to allow us to register students, organise programmes, and to carry out other essential activities.

2.2 ACM has a need to obtain and use certain items of personal data in order to discharge our responsibilities and fulfil our obligations to educate and support our students, which could not be fulfilled without holding and using this personal data.

2.3 ACM holds and processes personal data for recruitment, admission, enrolment, the administration of programmes of study and student support and associated funding arrangements, monitoring student performance and attendance, supervision, assessment and examination, graduation, alumni relations, advisory, pastoral, health and safety, management, research, statistical and archival purposes.

The Six Principles

2.4 The General Data Protection Regulations (GDPR) ensures that Data Controllers treat data subjects and data items with an enhanced level of consideration in relating to ensuring the privacy and fair processing of the data it holds. ACM ensures that the following principles are embedded within our privacy operations:

1. Lawfulness, fairness and transparency:

Data is processed lawfully, fairly and in a transparent manner in relation to individuals.

2. Purpose limitations:

Data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

3. Data minimisation:

Data held is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4. Accuracy:

Data is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

5. Storage limitations:

Data kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

6. Integrity and confidentiality

Data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

General Data Protection Regulation (GDPR)

2.5 The EU GDPR replaces the Data Protection Directive 95/46/EC and is designed to standardise data privacy laws across Europe, with the intention to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

2.6 The following Higher Education Statistics Agency (HESA) statutory data returns include personal data as defined in the DPA and GDPR:

Alternative Provider student record;
The Graduate Outcomes survey (first collection 2018/19)
Staff record;
Student contact details may be passed to survey contractors to carry out the National Student Survey (NSS) on behalf of government agencies.

The lawful basis under the DPA and the GDPR for collecting personal data for these returns is described in the relevant Collection Notice as required by GDPR Article 13.

Collection Notices

2.7 For the purposes of data protection legislation, ACM is a Data Controller and staff, students, prospective students, alumni and others about whom we collect and process information is a Data Subject. The DPA (Principle 1) and GDPR (Article 13) require data controllers to provide information to data subjects whose data is collected that identifies data controllers and describes their purposes for processing personal data, including transfers and disclosures to other data controllers.

2.8 HESA’s Collection Notices provide this information for students, staff and graduates on behalf of HESA, HESA Services Ltd, and the other organisations who are data controllers in common of HESA datasets. ACM ensures that students and staff are informed that their personal data will be submitted to HESA, and make the HESA Collection Notices available to all relevant data subjects.

The HESA Collection Notices are published at: www.hesa.ac.uk/about/regulation/data-protection/notices

Specific data protection guidance in relation to the HESA Graduate Outcomes survey can be found here: www.hesa.ac.uk/innovation/outcomes/providers/data-protection.

Fair Collection and Processing

2.9 The specific conditions contained in Schedules 2 and 3 of the DPA regarding the fair collection and use of personal data will be fully complied with.

2.10 Individuals will be made aware that their information will be collected, and the intended use of the data specified either on collection or at the earliest opportunity following collection.

2.11 Personal data, that is data which can be connected to a specific individual, will be collected and processed only to the extent that it is needed to fulfil business needs or legal requirements.

2.12 Personal data held will be kept up to date and accurate.

2.13 Retention of personal data will be appraised and risk-assessed to determine whether business needs and legal requirements are met, with appropriate retention schedules applied.

2.14 Personal data will be processed in accordance with the rights of the individuals about whom the personal data are held.

2.15 Individuals whose personal information is held on an ACM database will be provided with the option to ‘opt out’ of receiving future communications.

2.16 A “cease processing” request from a data subject (often relating to unwanted communications) will be acknowledged within 3 working days, with a final response within 21 days. The final response will state whether ACM intends to comply with the request and to what extent, or will state the reasons why it is felt the requestor’s notice is unjustified.

2.17 Staff will advise the nominated ACM Data Protection Officer, in the event of any intended new purposes for processing personal data. The Data Protection Officer will then arrange for a Privacy Impact Assessment to be conducted.

Security

2.18 ACM will take all reasonable technical measures to ensure the security of its network and data stored by means of its IT facilities. See also our Acceptable Use of IT and E-Safety Policy and Procedure.

2.19 Training in data protection is provided to keep staff informed of relevant legislation, guidance and best practice regarding the processing of personal information. Data protection promotes awareness of ACM’s data protection and information security policies, procedures and processes. It will also promote safe practice in the use of devices off-site, handling of personal information in shared work environments and telephone conversations with third parties requesting information about data subjects.

2.20 Individual members of staff are responsible for ensuring that all personal data to which they have access is kept secure.

2.21 Staff must report any actual, near miss, or suspected data breaches to the designated Data Protection Officer for investigation. Any areas of risk identified in an investigation will be relayed to those processing information to enable any necessary or desirable improvements to be made.

2.22 Any unauthorised use of personal data collected by ACM by staff, involving the sending of sensitive or personal data to unauthorised persons or otherwise causing a breach of data protection, will be regarded as a breach of this policy. Staff disciplinary proceedings may result from wilful or negligent breaches of data protection.

Data Sharing

2.23 ACM processes applicant and student data to meet our statutory, business and other binding obligations. These include submission of statistical and data returns to the UK government and its agencies, including local authorities, the Office for Students (OfS), other official bodies, such as the Higher Education Statistics Agency (HESA), and occasional third parties carrying out contracted activities on behalf of these bodies.

2.24 In addition to the data submissions listed above, ACM may be required to provide further information to local authorities and other government agencies. This information could include learner contact details and consequently learners may be contacted separately by these local authorities or other government agencies.

2.25 Personal data in any format will not be shared with a third party organisation without a valid business reason, a Data Sharing Agreement in place, or without the consent of data subjects affected. Data Processing Agreements will be applied to all contracts and management agreements where ACM is the data controller contracting out services and processing of personal data to third parties (data processors). These agreements will clearly outline the roles and responsibilities of both the data controller and the data processor. ACM shares students’ registration and academic information with the relevant validating or franchising partner institutions as part of such an arrangement, and with external examiners working on their behalf, in order to administer our courses, programmes and learning opportunities, guarantee its quality and award qualifications.

2.26 ACM may be obliged to share data with bodies such as the Police and Security Services, Her Majesty’s Revenue and Customs, the Home Office and UK Border Agency, the Department for Work and Pensions, Local Authorities, Health Authorities, and similar. These bodies may require the data for the purposes of:

the detection or prevention of a crime;
the apprehension or prosecution of an offender;
the assessment or collection of any tax or duty or any imposition of a similar nature; or
establishing whether a person is “fit to practice” in a professional context, for example in healthcare.

2.27 In certain circumstances, staff members at ACM may have a duty to disclose sensitive information about students under the age of 18, or vulnerable adults, to designated colleagues or appropriate government agencies under the terms of our Safeguarding Policy or the Prevent Duty.

2.28 ACM may be required to give information to the UK Border Agency about students, particularly those holding Tier 4 visas. Reporting duties include informing the UK Border Agency if a relevant student fails to register, withdraws from their course, or fails to attend classes and submit assignments.

2.29 ACM cannot release any information about data subjects over the age of 18 to their parents, or other sponsors, without consent (however the Data Protection Act allows disclosure without consent in certain specific circumstances). Where parents or sponsors pay tuition fees, this does not give them a right of access to students’ personal information. All necessary information will be issued to the student directly. It is then the student’s responsibility to pass relevant information onto their parents or sponsors.

However, students may provide consent that we in turn provide information directly to a parent or sponsor by informing Registry staff. In this event, ACM would engage directly with the third party.

2.30 Personal data will not be transferred outside the European Economic Area (EEA) unless the country or territory in question can ensure a suitable level of protection for the rights and freedoms of the data subjects in relation to the processing of their personal data.

2.31 ACM normally will not reveal personal information about students or alumni to other students or alumni except in certain specific cases of student employment with ACM, for example, students employed conducting surveys or acting as Student Ambassadors. In these situations full cognisance will be taken of data protection concerns in the relevant training and job description.

Next of Kin/Emergency Contact Details

2.32 All students are asked to provide next of kin or emergency contact details. In the event of an emergency, ACM may need to make contact with, or disclose information to, students’ next of kin or other nominated emergency contact without obtaining consent. However, this information will only be used in exceptional circumstances.

Sensitive personal data/Special categories of personal data

2.33 There are particular categories of data that are categorised as ‘Sensitive personal data’ under the DPA and ‘Special categories’ under GDPR. These are subject to stricter conditions of processing. The following data fields in the HESA record capture sensitive or special categories of personal data:

Disability
Ethnicity
Gender Identity
Religion or belief
Sexual orientation

2.34 Collection of these sensitive or special categories of data is necessary for statistical research purposes to help public authorities to meet their public-sector equality duties under the Equality Act 2010. This processing is lawful under the Data Protection (Processing of Sensitive Personal Data) Order 2000 (Schedule (9)) and GDPR Article 9(2)(j).

Extenuating Circumstances Applications

2.35 Applications for deferred assessments, consideration of extenuating circumstances, and associated documentation may contain personal and medical information which is categorised as “sensitive personal data”.

2.36 Personal sensitive data relates to racial or ethnic origins, political opinions, religious beliefs, union membership, physical or mental health (including disabilities), sexual life, and the commission or alleged commission of offences and criminal proceedings.

2.37 Since this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked via the Extenuating Circumstances forms to give express consent for ACM to do this.

Access

2.38 Members of staff will have access to personal data only where it is required as part of their functional remit.

2.39 All data subjects have a right to:

find out what personal data ACM holds about them, why we hold it and what we do with it, how long we keep it and to whom we may disclose it;
Ask ACM to correct inaccurate data;
Ask ACM not to process information about students that causes them substantial, unwarranted damage or distress;
Request a copy of their personal information held by ACM and know the source of the information;
request information about the reasoning behind any automated decisions

This is known as a Subject Access Request.

2.40 ACM has 40 calendar days to comply with a student’s request after receiving proof of identity, the statutory fee of £10 and any further information needed to find the information requested.

2.41 Staff are made aware that in the event of a Subject Access Request being received, their emails may be searched and relevant content disclosed, whether marked as personal or not.

2.42 Third party personal data will not be released by ACM when responding to a Subject Access Request or Freedom of Information Request (unless consent is specifically obtained, obliged to be released by law, or necessary in the public interest).

Links with the Freedom of Information Act 2000

2.43 The Freedom of Information Act 2000 (FOIA) enables greater public access to information held by public bodies and by companies receiving public funding. However, personal data continues to be protected by the Data Protection Act 1998, and is therefore exempt from disclosure under the Freedom of Information Act (Section 40).

2.44 Any FOI request for information which would involve the disclosure of third party personal information must be considered by ACM, but any decision to disclose or refuse to disclose will be made in accordance with the FOIA, and if appropriate in consultation with the person or persons whose personal information is, directly or indirectly, the subject of the request.

2.45 ACM will, as required by the FOIA, disclose information covered by the FOIA on receipt of a valid request.

Student Responsibilities

2.46 It is essential that ACM has a complete and accurate record of students’ relevant personal information and course/programme details. ACM initially collects students’ personal data from their application form. After enrolment, we request that students notify ACM promptly to let us know if any of this information changes during the course of the year.

2.47 Every student therefore has a responsibility to help ensure that the information held about them on ACM’s student record system is correct.

Addresses and student contact details

2.48 All written communication sent by ACM will be forwarded to the address held on a student’s record. During the span of a programme of study, written communications will normally be sent to a student’s term-time address; before or after a programme of study. If this address is incorrect, ACM cannot be held responsible for any problems arising from the late receipt, loss of information, or receipt of information by a third party, including Induction and Registration information or Award Certificates or transcripts.

2.49 ACM contacts students via text message and will use up to date mobile telephone numbers for that purpose.

Student Email Addresses

2.50 Enrolled students receive an ACM email Account. This is for internal access only. Students and staff should not disclose another student’s email address without their express permission. Staff email addresses should not be disclosed without permission except where the disclosure is reasonably covered by the staff member’s professional function.

2.51 ACM will, on occasion, send emails to all students containing important academic or administrative information, or information/advice that may be of benefit.

Students’ Assessed Work

2.52 Coursework and assignments (not examination scripts) are considered to be intellectual property and the personal data and therefore the property of students. Students are advised to retain a copy of all assessed work, and are expected to obtain and make a copy of their feedback as soon as it is available.

2.53 ACM will retain coursework/assignments for a period of 1 academic year after submission for consideration by the relevant Student Progression and Achievement Boards and/or Finalist Examination Boards, and in order to meet internal academic, statutory and regulatory requirements.

2.54 After this period and without further notification, coursework and assignments will be securely destroyed.

Transcripts and Degree Certificates

2.55. Please note that ACM may withhold personal information relating to academic attainment such as transcripts and certificates where a student owes tuition fees to ACM.

2.56 Where ACM has withheld a student’s transcript or degree certificate, students can request their information via a Subject Access Request (see 2.37 above). This is a request for information about you to which you are entitled under the Data Protection Act, 1998.

Retention of Information

2.57 ACM will keep a full student record for the duration of a student’s studies at ACM, plus one academic year. After this time the only documentation that ACM guarantees to keep in perpetuity is a transcript of results and a standard academic reference.

2.58 Certain materials may be held for longer periods to comply with legal requirements, for quality assurance purposes, to meet professional body requirements, or the needs of a validation body. These will be held, wherever practicably and appropriately, anonymously or with the consent of the student concerned.

2.59 Archived records are securely destroyed after the appropriate length of time, in accordance with the relevant ACM record retention schedule. Please refer to ACM’s Data Retention Policy for an in depth explanation of ACM’s approach to Data Retention.

2.60 Archive boxes should be clearly labelled with:

Contents (and whether contents are confidential)
Disposal date

Information Commissioner’s Register of Data Controllers

2.61 ACM’s entry in the Information Commissioner’s Register of Data Controllers can be seen by interested parties. This register entry describes, in very general terms, what personal data we process and why, how ACM obtains personal data and to whom we may disclose it.

2.62 ACM’s Registration Number is Z6627433.

2.63 ACM’s nominated Data Protection Officer can be contacted via:

DPAofficer@acm.ac.uk
Data Protection Officer

The Academy of Contemporary Music

Rodboro Buildings

Bridge Street

Guildford

Surrey

GU1 4SB

United Kingdom

Responsible Parties

3.1 The policy lead is responsible for the cyclical monitoring and review of the policy in liaison with the Quality Assurance and Enhancement Manager. The Data Protection Policy lead is:

ACM Data Protection Officer

3.2 All ACM staff with line management responsibility, and direct reporting staff, have a responsibility to demonstrate due regard to the Data Protection Policy.

3.3 Implementation and compliance with the Policy, overseen by the following designated staff:

Registry Manager
Human Resource staff
Quality Assurance and Enhancement Manager
Head of Information Technology
Student Finance Officers
Admissions Manager
Group Head of Facilities

Reference Points

4.1 Internal:

Quality Assurance and Enhancement Policy
Admissions
Acceptable Use of IT
Equality and Diversity
Safeguarding Policy
Prevent Duty Policy
Data Retention Policy

4.2 External:

HESA Collection Notices (https://www.hesa.ac.uk/about/regulation/data-protection/notices )
EU General Data Protection Regulation (GDPR)
Data Protection Act 1998
Freedom of Information Act 2000
Education Act 2002
Further and Higher Education Act 1992
QAA Quality Code, Chapter C: Published Information
CMA Guidance for HE Providers
ICO Guide to the General Data Protection Regulation

Date of Approval and Next Review

Version: 1.3

Approved on: 01 Sep 2025

Approved by: ACM Data Protection Officer

Next Review: August 2026

Download – POL_020_Data Access and Protection_202209

ACM

People

Key info

Study Level

Location

Subject

London

Guildford

Birmingham

Metropolis

Blue Room

Applications

Key Info

International Students

Accommodation

Services

Industry Opportunities

BlogSee all posts

Your Invite to Our Music and Games Pathways Webinars

Bring Your Band To ACM

ACM Creative Industries Futures Symposium 2026 – Call for Contributions

Events coming upSee all open days and events

Campus Tour

Campus Tour

Policy category: Middlesex Policies

Procedure 006: Extenuating Circumstances

Policy 057: Refunds and Compensation

Policy 041: Lone Workers

Procedure 002: Academic Appeals Procedure

Gender Pay Gap Reporting for 2021 / 22

Procedure 003: Complaints and Grievances Procedure

Student and Alumni Fair Processing Notice

Supplier Fair Processing Notice

Staff Fair Processing Notice

Policy 020: Data Access and Protection