Privacy Policy

1 Policy Statement

WorldStudentAdvisors operates a structured and compliance-led approach to the processing of personal data, ensuring that all information is handled lawfully, fairly, and transparently.

The organisation maintains appropriate technical and organisational controls to protect personal data and to ensure alignment with UK data protection legislation and the compliance expectations of university partners and UKVI.

This policy forms part of the wider WorldStudentAdvisors compliance framework and should be read in conjunction with the Code of Conduct and Anti-Bribery and Anti-Corruption Policy.

2 Scope

This policy applies to:

• The Managing Director
• All employees, consultants, and contractors
• Overseas representatives, agents, sub-agents, and referral partners
• Any third party acting on behalf of WorldStudentAdvisors

This policy applies to all personal data processed by WorldStudentAdvisors in the United Kingdom and across all international operations.

3 Legal & Regulatory Framework

WorldStudentAdvisors processes personal data in accordance with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Applicable international data protection legislation
• Contractual obligations with university partners

This policy is aligned with:

• British Council National Code of Ethical Practice for UK Education Agents
• British Council Agent Quality Framework (AQF)
• UKVI expectations relating to compliance, transparency, and data handling within international student recruitment

4 Governance & Accountability

WorldStudentAdvisors operates a UK Head Office-led governance structure with defined oversight of all data processing activities.

• The UK Head Office retains responsibility for compliance, control, and oversight
• Data processing activities undertaken by regional operations are conducted under UK Head Office authority
• Accountability for data protection remains with WorldStudentAdvisors as Data Controller

The Managing Director holds overall responsibility for ensuring compliance with this policy.

5 Data Collection & Processing Activities

WorldStudentAdvisors collects and processes personal data necessary to support student recruitment, counselling, and application management. Categories of data include:

• Identity and contact data
• Academic and application data
• Immigration and financial documentation (where required)
• Technical and usage data

Data is collected through:

• Website and enquiry forms
• Direct communication channels (email, telephone, WhatsApp)
• Structured counselling and case management processes

All data collection is limited to what is necessary and proportionate for defined purposes.

6 Lawful Basis for Processing

Personal data is processed under one or more of the following lawful bases: Consent, Contractual necessity, Legal obligation, or Legitimate interests.

Processing is undertaken strictly for defined purposes, including:

• Provision of student advisory services
• Application preparation and submission
• Visa and documentation support
• Compliance with partner and regulatory requirements
• Service monitoring and improvement

All processing activities are conducted within a controlled and auditable case management framework.

7 Data Sharing & Third-Party Controls

WorldStudentAdvisors does not sell or commercially exploit personal data. Data may be shared, where necessary and proportionate, with:

• University partners
• Government and immigration authorities (including UKVI)
• Approved service providers supporting operational delivery

All third parties are subject to due diligence, operate under contractual data protection obligations, and are restricted to processing data for defined purposes only. WorldStudentAdvisors retains responsibility for data processed by third parties acting on its behalf.

8 International Data Transfers

Given the international scope of operations, personal data may be transferred outside the UK or EEA. Where this occurs, WorldStudentAdvisors ensures appropriate safeguards are implemented, including:

• Standard Contractual Clauses (SCCs)
• Data processing agreements
• Controlled and limited transfer mechanisms

9 Data Security & Control Measures

WorldStudentAdvisors implements proportionate security controls, including:

• Secure systems and controlled access permissions
• Encryption and secure storage protocols
• Staff training in data protection and confidentiality
• Ongoing monitoring and internal review

Access to personal data is restricted to authorised personnel with a defined business need.

10 Data Retention & Record Keeping

Personal data is retained only for as long as necessary to:

• Deliver services
• Meet legal and regulatory obligations
• Support audit, compliance, and reporting requirements

Records are maintained in a structured and traceable manner to support audit and verification processes.

11 Your Rights

As a data subject, you have the following rights:

WorldStudentAdvisors will respond to all requests in accordance with applicable data protection legislation and within required statutory timeframes.

12 Incident Reporting & Breach Management

Any actual or suspected data breach must be reported immediately to the Managing Director. WorldStudentAdvisors will assess the nature and impact of the breach, take appropriate remedial action, and notify relevant authorities where required. All incidents are documented and reviewed as part of ongoing compliance monitoring.

13 Monitoring & Assurance

WorldStudentAdvisors maintains ongoing oversight of data protection through:

• Internal monitoring of data handling practices
• Review of access controls and system usage
• Case file audits and documentation checks
• Feedback from partners and stakeholders

Findings are used to strengthen controls and ensure continuous improvement.

14 Policy Review

This policy is subject to periodic review to ensure continued alignment with UK legislation, UKVI and university partner expectations, and sector best practice.

15 Contact & Data Protection Enquiries

All data protection enquiries, including Subject Access Requests (SARs), should be directed to: