Legal Compliance & Policy
Applying legal knowledge, policy drafting and compliance practice to digital learning environments, data governance and organisational systems.
GDPR · Data Privacy · WCAG Accessibility Regulations · Cyber Essentials · Academic Integrity · LLM · LLB · Bar Vocational Course
Legal Background
Before moving into education and learning technology, I qualified as a barrister - completing an LLB (University of Sheffield, 2005), a Bar Vocational Course PGDip (Northumbria University, 2007), and an LLM Master of Laws (Northumbria University, 2008), and being called to the Bar in 2008. Work experience included positions at Nabarro LLP and Irwin Mitchell LLP.
That foundation means that when legal and regulatory questions arise in professional contexts - around data protection, accessibility legislation, academic integrity, or intellectual property - I engage with them from a position of genuine understanding rather than policy checklists. I can read regulatory source material, identify practical implications, and translate those requirements into guidance and design decisions - while recognising when specialist legal, data protection or information security advice is required.
GDPR & Data Privacy in Practice
Dataverse data model for the UCL STEaPP Engagement Tracker - designed with data minimisation and GDPR compliance built in from the outset.
IKON Training: First Data Privacy Policy (2022–23)
As part of the IKON Training digital transformation project, I drafted the organisation's first formal data privacy policy. This was not a retrospective compliance exercise - it was built into the project requirements from the outset, because the new TMS would for the first time centralise learner registration data, delegate information and client records in a structured digital system.
Key areas covered: what personal data was collected and why; lawful basis for processing under UK GDPR; data retention periods; third-party processor relationships (Arlo, SurveyMonkey, SharePoint); and learner rights under data protection law.
GDPR Designed Into the Database
The database schema for the TMS was designed for GDPR compliance from the start - with retention-aware structures, no unnecessary personal data collection, and the ability to export or delete individual records in response to subject access or erasure requests.
Cyber Essentials & Mobile Device Policy
When the TMS implementation required trainers to use personal mobile devices via the Arlo mobile app, this created a combined GDPR and Cyber Essentials policy challenge. I updated the organisation's Cyber Essentials policy to cover personal device use for work purposes, and developed the communications and guidance needed to manage both the change management and compliance requirements simultaneously.
UCL: Data Governance in the Engagement Tracker
The UCL STEaPP Moodle Engagement Tracker (built 2026) handles real learner data - names, access dates, activity completion records. The system was designed from the outset with data minimisation and appropriate access controls, with documentation that explicitly addresses data protection considerations - including the distinction between legitimate operational monitoring and surveillance, which the system is designed to avoid. See the UCL Engagement Tracker page for technical detail.
Accessibility Legislation & WCAG Compliance
Public Sector Bodies Accessibility Regulations
As a Learning Technologist at UCL - a public sector body - I work directly within the scope of the Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations 2018. These regulations set WCAG 2.1 Level AA as the formal legal minimum; current government guidance expects WCAG 2.2 AA, which is the standard I build against in practice.
My approach is to build accessibility into the design process rather than adding it retrospectively. Every Moodle course page developed for the STEaPP Online MSc is checked against WCAG criteria during development: colour contrast ratios, semantic heading structure, keyboard navigability, meaningful alt text, caption availability and plain-language instructions.
AI Accessibility Agent at UCL (2025)
The most direct compliance intervention at UCL was the deployment of an AI-powered alt text generation agent in Moodle, built in Microsoft Copilot Studio with the full support and approval of the UCL Digital Accessibility team. The underlying challenge - inconsistent image descriptions in Moodle course materials across a large digital learning environment - represented both a WCAG failure and an accessibility regulation compliance risk at institutional scale.
The agent's responsible use guidelines were written with direct reference to the obligations under the Public Sector Bodies Accessibility Regulations. See the AI for Learning & Assessment page for full details.
The AI accessibility agent in Copilot Studio - built to generate contextually appropriate alt text at the point of course authoring, developed in full collaboration with the UCL Digital Accessibility team.
Academic Integrity in an AI Context
A significant strand of work at UCL concerns the relationship between AI tools and academic integrity - not simply as a policy question, but as a design challenge. Regulatory requirements around academic conduct exist alongside rapidly changing learner and staff behaviours around AI use.
My approach has been to use UCL's academic integrity policies as a design constraint: assessment tasks, Moodle activities and staff guidance materials are all designed with explicit awareness of what constitutes acceptable use, how to help students understand that boundary, and how to reduce the incentive for inappropriate AI substitution through task design rather than prohibition. This is documented in more detail on the AI for Learning & Assessment page.
Legal Knowledge Applied to Digital Practice
The combination of legal training and learning technology practice produces a distinctive capability: engaging with regulations on their own terms, translating them into plain-language guidance, and embedding compliance requirements into the design of systems and processes.
Data Protection
- UK GDPR requirements
- Data privacy policy drafting
- Database design for compliance
- Data minimisation and retention
- Subject access and erasure rights
- Third-party processor due diligence
Accessibility Law
- Public Sector Bodies Accessibility Regulations
- WCAG 2.2 AA compliance
- Equality Act 2010 considerations
- Accessible design in Moodle
- AI-supported accessibility improvement
- Cyber Essentials policy
Professional & Academic
- Academic integrity frameworks
- AI acceptable use policy
- Intellectual property in learning materials
- Regulatory analysis and plain-language drafting
- Governance documentation for non-technical audiences
For CMALT evidence covering legal rights in digital learning contexts, see the CMALT Wider Context section.