This website uses cookies to ensure you get the best experience on our website. Learn more
DenyAccept
It's National Careers Week - Win a Morrisby Careers+ licence worth £995! Enter here

Data Protection Policy

February 25, 2026

Definitions

  • Morrisby - Morrisby Limited, trading as The Morrisby Organisation, a limited company registered in England under 1183700 , whose registered and trading address is Gaddesden Place, Great Gaddesden, Hertfordshire, HP2 6EX, UK.
  • Candidate - someone who is using our services for career guidance purposes.
  • Adviser - someone who manages Candidate accounts on behalf of a school/centre.

1. Objective

This document outlines how Morrisby protects and manages personal data, covering our approach to data security, retention, and compliance with the UK GDPR. It is intended to provide clear assurance to schools, partners, and individuals about how we safeguard and process information responsibly.

2. ICO Registration

Morrisby is registered with the Information Commissioner's Office (ICO) under registration number Z5657144. This reflects our commitment to data protection and accountability in accordance with the UK GDPR.

3. Security

Morrisby is committed to safeguarding personal data through a comprehensive security framework that aligns with the UK General Data Protection Regulation (UK-GDPR). Our approach encompasses technical, organisational, and procedural measures to ensure the confidentiality, integrity, and availability of data. These measures collectively ensure that Morrisby maintains a robust security posture, protecting personal data against unauthorised access, alteration, disclosure, or destruction.

Information Security Governance

  • ISO 27001 Certification: Morrisby holds ISO 27001 certification, demonstrating our adherence to internationally recognised information security standards.
  • Data Protection Officer (DPO): We have appointed a DPO, Lesley Cooley, responsible for overseeing our data protection strategy and compliance.

Technical Safeguards

  • Encryption: All personal data is encrypted both at rest and in transit, utilising robust encryption protocols to prevent unauthorised access.
  • Access Controls: Access to personal data is restricted to authorised personnel based on role-specific requirements, ensuring that only those with a legitimate need can access sensitive information.
  • System Monitoring: We employ 24/7 managed Security Information and Event Management (SIEM) systems for proactive monitoring and threat detection.
  • Penetration Testing: Annual penetration tests are conducted by CREST-certified professionals to identify and remediate vulnerabilities.
  • Vulnerability Management: Daily automated scans are performed to detect potential security issues, with patches and updates applied promptly to maintain system integrity.
  • Backups: Regular encrypted backups are maintained to ensure data integrity and support disaster recovery. Backup procedures are routinely tested, and backup data is stored securely in geographically separate locations.
  • Firewall Protection: Our systems are safeguarded by tightly configured firewalls to prevent unauthorised access.
  • Malware Protection: We implement comprehensive antivirus and malware protection across all systems.
  • Password Policies: Strong password policies are enforced for all employees, including complexity requirements and regular updates.
  • Account Lockout Mechanisms: User accounts are configured to lock after a predefined number of unsuccessful login attempts to mitigate brute-force attacks.

Organisational Measures

Employee Training: All staff members receive regular training on data protection policies and procedures to ensure awareness and compliance.

  • Data Minimisation: We collect and process only the data necessary for specified purposes, adhering to the principle of data minimisation.
  • Data Retention and Disposal: Personal data is retained only for as long as necessary, in line with our Data Retention Policy. Upon reaching the end of the retention period, data is securely deleted or anonymised to prevent reconstruction. Please see Data Retention for full details.

Incident Response

  • Breach Management: In the event of a data breach, we promptly assess the risk to individuals' rights and freedoms. If required, we report the breach to the Information Commissioner's Office (ICO) and notify affected parties in accordance with regulatory requirements.

Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Morrisby shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website), and the customers or individuals affected.

4. Data Retention

Data retention is defined as the retention of data for a specific period of time and for backup purposes.

We shall not keep any personal data longer than necessary, but acknowledge that this will be dependent on the different types of documents and data that we have responsibility for. As such, our general data retention period shall be for a period of 5 years. Our specific data retention periods are set out below.

Morrisby Profile Candidates - Data allowing us to provide a personalised careers guidance service to the candidate. Full details can be found in our privacy policy - we hold candidates' data until their 22nd birthday or until 5 years has passed since their last login, whichever is longer. A five year span is reasonable given the time it takes for a career decision to reach fruition.

Morrisby Candidates without Morrisby Profile - Data allowing us to provide a personalised careers guidance service to the candidate. Full details can be found in our privacy policy - we hold candidate data until the end of the academic year in which they turn 18.

Advisers - Data required to maintain the Manager account for the adviser. Full details can be found in our privacy policy - maintained as long as the account is active. Accounts are reviewed annually.

Customer/business contacts - Name; At-work email address; At-work phone number; Job title - retained while they are customer, after which the data subject usually becomes a prospective customer

Prospective customer contact - Name; Job title; At-work email address - 5 years, or until we have identified that the prospective customer no longer has an interest in our services.

Employees - Any data required for the purposes of employment - 24 months after employment has finished, or longer where legal obligations necessitate it.

Contractors - Any data required for the purposes of employment - 24 months after the last time the contractor is employed by us, or longer where legal obligations necessitate it.

Potential employees - CVs and covering letters - 6 months after an application has run its course, or longer where legal obligations necessitate it. If the data subject becomes an employee then the data retention policy for employees then applies.

From time to time, it may be necessary to retain or access historic personal data under certain circumstances such as if we have contractually agreed to do so or if we have become involved in unforeseen events like litigation or business disaster recoveries.

5. GDPR Compliance

Morrisby complies with the UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018. We are committed to the lawful, fair, and transparent processing of personal data. This includes:

  • Lawful Basis: We only collect and process personal data where a clear legal basis exists, such as consent, contractual necessity, or legitimate interest.
  • Data Subject Rights: Individuals have the right to access, rectify, erase, restrict, and object to the processing of their personal data. We also support the right to data portability.
  • Transparency: Our privacy notices clearly outline how and why personal data is collected, used, and retained.
  • Accountability: We maintain detailed records of processing activities and conduct regular reviews to ensure ongoing compliance.
  • Third Parties: All data processors acting on our behalf are contractually required to meet GDPR standards.

These principles are embedded in all our systems and processes to ensure that personal data is handled responsibly and in accordance with the law.

Our Role as a Data Controller and Data Processor

For schools and organisations where the students enter their data for themselves, We are the data controller for candidate personal data and we control which information is collected and processed. So, rather than being a data processor for the school, we would be acting as a data controller.

For schools and organisations making use of MIS integration or our student import feature, the school is also acting as a data controller, so Morrisby and the school are joint data controllers. In this situation, there is a data sharing document that schools must agree to our Data Sharing Agreement.

Lawful purposes

  1. All data processed by Morrisby must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
  2. Morrisby shall note the appropriate lawful basis in the Register of Systems.
  3. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in  consent shall be kept with the personal data.
  4. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in Morrisby’s systems.

Data Protection Impact Assessments (DPIAs)

We conduct DPIAs when introducing new technologies or processing activities that may pose a high risk to individuals' rights and freedoms. This ensures privacy risks are identified and mitigated early.