Rose Bruford College (“the College”) is committed to developing data protection by default and by design and supports the data protection rights of all those with whom it works, including, but not limited to, staff, students, visitors, alumni and research participants. This policy sets out the accountability and responsibilities of the College, its staff and its students to comply fully with the provisions of the General Data Protection Regulation (“the GDPR”) and the Data Protection Act 2018 (“the DPA”) and recognises that handling personal data appropriately and in compliance with data protection legislation enhances trust, is the right thing to do and protects the College’s relationship with all its stakeholders.
The College holds and processes personal data about individuals such as employees, students, and alumni, defined as ‘data subjects’ by the law. Such data must only be processed in accordance with the GDPR and the DPA.
The College has appointed the Academic Registrar as Data Protection Officer (DPO) to monitor and advise on compliance with the GDPR and the DPA. However, responsibility for compliance, and for the consequences of any breach, cannot legally be transferred to the DPO; it remains with the business area concerned or the individual member of staff within the College. Information and advice can be obtained from the DPO at [email protected].
This policy covers the following areas:
- Purpose of the policy
- Scope of the policy
- Status of the policy
- Responsibilities under the policy
- Data protection by design and default
- Responsibility of management and data users
- Handling of personal data by students
- Data subject rights
- Internal data sharing
- Transfers of personal data outside the EEA
- Direct marketing
- Data protection training
- Data protection breaches
2. Purpose of Policy
This policy sets out the responsibilities of the College, its staff and its students to comply fully with the provisions of GDPR and the DPA. This policy forms the framework which everybody within the College processing personal data should follow to ensure compliance with data protection legislation.
3. Scope of the Policy
This policy applies to all staff and students in all cases where Rose Bruford College is the data controller or a data processor of personal data. The policy applies in these cases regardless of who created the data, where it is held, or the ownership of the equipment used.
4. Status of the Policy
The policy has been approved by the Senior Management Committee. This policy does not form part of the formal contract between the College and staff or students, but compliance with it is a condition of employment and of the Student Contract to abide by the College’s rules and policies. Any failure to follow the policy can therefore result in disciplinary proceedings.
5. Responsibilities under the Policy
The College, as data controller, has a corporate responsibility to implement and comply with data protection legislation. In determining the purposes for which, and the manner in which, personal data are processed, the College must adhere to the six Data Protection Principles (“the Principles”) set out in Article 5 of the GDPR. These require that personal data are:
(1) processed lawfully, fairly, and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(2) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(3) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(4) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(5) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(6) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
6. Data Security
All users of personal data within the College must ensure that personal data are always held securely and are not disclosed to any unauthorised third party either accidentally, negligently or intentionally. The Information Security Policy can be accessed here.
7. Privacy Notices
When the College collects personal data from individuals, the requirement for ‘fairness and transparency’ must be adhered to. This means that the College must provide data subjects with a ‘privacy notice’ to let them know how and for what purpose their personal data are processed. Any data processing must be consistent or compatible with that purpose. The College’s privacy notices can be accessed here (hyperlinks to be added).
8. Conditions of Processing/Lawfulness
In order to meet the ‘lawfulness’ requirement, the processing of personal data must satisfy at least one of the following conditions (Article 6 of the GDPR):
- The data subject has given consent to the processing for one or more specific purposes.
- The processing is necessary for the performance of a contract with the data subject, or to take steps at the data subject’s request before entering into a contract.
- It is necessary for compliance with a legal obligation to which the College is subject.
- It is necessary to protect someone’s vital interests (i.e. a life or death situation).
- It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- It is necessary for the legitimate interests of the College or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Where special categories of personal data (such as health, ethnicity, religious belief or sexual orientation) are processed, a further condition under Article 9 of the GDPR must also be met in addition to one of the conditions above.
9. Data Retention
Personal data must not be kept longer than necessary for the purposes for which it was originally collected. This applies to all personal data, whether held on core systems, local PCs, laptops or mobile devices or held on paper. If the data is no longer required, it must be securely destroyed or deleted. The College is currently reviewing its data retention schedule.
10. Data Protection by Design and Default
Under the GDPR and the DPA, the College has an obligation to consider the impact on data privacy during all processing activities. This includes implementing appropriate technical and organisational measures to minimise the potential negative impact processing can have on the data subjects’ privacy. These include encryption, password protection, virus and malware protection and mandatory staff training.
11. Data Protection Impact Assessment (DPIA)
When considering new processing activities or setting up new procedures or systems that involve personal data, privacy issues must always be considered at the earliest stage.
A DPIA must be carried out where data processing is likely to result in a high risk to individuals. DPIAs should also be carried out where there is a new major project that requires personal data processing.
12. Responsibilities of Management and Data Users
All members of staff have a responsibility to ensure compliance with the GDPR, the DPA and this policy and to develop and encourage good information handling practices within their areas of responsibility.
All users of personal data within the College have a responsibility to ensure that they process the data in accordance with the Principles and the other conditions set down in the legislation.
13. Handling Research Data
Before commencing any research that will involve obtaining or using personal data and special categories of personal data, the researcher must give proper consideration to this policy and ensure compliance with the policy. The researcher must ensure that the fairness, transparency and lawfulness principle is complied with and that privacy by design and default is applied. This means that wherever feasible, research data must be anonymised or pseudonymised at the earliest possible time.
14. Handling of Research Data by Students
The use of personal data by students is governed by the following:
- Where a student collects and processes personal data in order to pursue a course of study with the College, and this course of study is not part of a College-led project, the student rather than the College is the data controller for the personal data used in the research. If the data are extracted from a database already held by the College, the College remains the data controller for the database, but the student will be the data controller for the extracted data.
- Once a thesis containing personal data is submitted for assessment, the College becomes data controller for that personal data.
Academic and academic-related staff must ensure that students they supervise are aware of the following:
- A student should only use personal data for a College-related purpose with the knowledge and express written consent of an appropriate member of academic staff (normally, for a postgraduate, this would be the supervisor, and for an undergraduate, the person responsible for teaching the relevant class/course).
- The use of College-related personal data by students should be limited to the minimum consistent with the achievement of academic objectives. Wherever possible, data should be anonymised so that students are not able to identify the data subject.
15. Data Subject Rights
The GDPR and the DPA contain eight data subject rights with which the College must comply: the rights to be informed (see Privacy Notices), of subject access, to rectification, to object, to erasure, to data portability, to restrict processing, and in relation to automated decision-making and profiling. Some of these rights can be restricted for personal data used in research.
16. Subject Access Requests and the right to data portability
Individuals have the right to request to see or receive copies of any information the College holds about them, and in certain circumstances to have that data provided in a structured, commonly used and machine-readable format so it can be forwarded to another data controller. The College must respond to these requests without undue delay and in any event within one month of receipt; this period may be extended by up to two further months only where requests are complex or numerous, and the individual must be told of any extension within the first month.
Individuals receiving a subject access request must notify the Academic Registrar immediately.
17. Right to erasure, to restrict processing, to rectification and to object
In certain circumstances, data subjects have the right to have their data erased. The grounds for erasure include:
- where the data is no longer required for the purpose for which it was originally collected, or
- where the data subject withdraws consent and there is no other legal basis for the processing, or
- where the data subject objects to the processing and there are no overriding legitimate grounds for continuing it, or
- where the data is being processed unlawfully.
In some circumstances, data subjects may not wish to have their data erased but rather have any further processing restricted.
If personal data is inaccurate, data subjects have the right to require the College to rectify inaccuracies. In some circumstances, if personal data are incomplete, the data subject can also require the controller to complete the data or to record a supplementary statement.
Data subjects have the right to object to specific types of processing such as processing for direct marketing, research or statistical purposes. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing, where it is an absolute right.
Individuals receiving any of these requests should not act to respond themselves but should instead contact the Academic Registrar (Data Protection Officer) immediately.
18. Rights in relation to automated decision making and profiling
In the case of automated decision making and profiling that may have significant effects on data subjects, they have the right to either have the decision reviewed by a human being or to not be subject to this type of decision making at all. These requests must be forwarded to the Data Protection Officer immediately.
19. Data Sharing
When personal data is transferred internally, the recipient must only process the data in a manner consistent with the original purpose for which the data was collected. If personal data is shared internally for a new and different purpose, a new privacy notice will need to be provided.
When personal data is transferred externally, a legal basis must be determined, and a data-sharing agreement between the College and the third party must be signed, unless disclosure is required by law, such as certain requests from the Department for Work and Pensions or Inland Revenue, or the third party requires the data for law enforcement purposes.
20. Transfers of Personal Data Outside the EEA
Personal data can only be transferred out of the European Economic Area when there are safeguards in place to ensure an adequate level of protection for the data. For transfers of personal data to a receiving party in the United States of America, the Privacy Shield Agreement between the European Union and the United States of America was, at the time this policy was agreed, treated as providing sufficient protection, and the Privacy Shield website should be consulted to determine whether the receiving party is on the Privacy Shield List. Note that the Court of Justice of the European Union invalidated the Privacy Shield adequacy decision in July 2020 (the Schrems II judgment), so it can no longer be relied upon on its own; an alternative safeguard, such as standard contractual clauses, is required. Staff involved in transferring personal data to other countries must ensure that an appropriate safeguard is in place before agreeing to any such transfer.
21. Direct Marketing
Direct marketing covers not only the communication of material about the sale of products and services to individuals but also the promotion of aims and ideals. For the College, this will include notifications about events, fundraising, and the sale of goods or services. Marketing covers all forms of communication, such as contact by post, fax, telephone and electronic messages; the use of electronic means such as email and text messaging is additionally governed by the Privacy and Electronic Communications Regulations 2003. The College must ensure that it complies with the relevant legislation every time it undertakes direct marketing and must cease all direct marketing to an individual if that individual asks it to stop.
22. Data Protection Training
All staff must complete the revised data protection training on Cylix on an annual basis.
23. Data Protection Breaches
The College is responsible for ensuring appropriate and proportionate security for the personal data that it holds. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage. The College makes every effort to avoid data protection incidents; however, it is possible that mistakes will occur on occasion. Personal data incidents may arise through, for example:
- Loss or theft of data or equipment
- Ineffective access controls allowing unauthorised use
- Equipment failure
- Unauthorised disclosure (e.g. email sent to the incorrect recipient)
- Human error
- Hacking attack
Any data protection incident must be brought immediately to the attention of the College’s Academic Registrar (Data Protection Officer), who will investigate and decide whether the incident constitutes a personal data breach. If a reportable breach occurs, the College is required to notify the Information Commissioner’s Office without undue delay and not later than 72 hours after becoming aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected data subjects must also be informed without undue delay. Any member of the College community who encounters something they believe may be a data protection incident must report it immediately to the Data Protection Officer at [email protected]. The Academic Registrar will advise on the severity of the breach and whether the data subjects should be notified.
24. College Contacts
The College’s named Data Protection Officer is the Academic Registrar, who can be contacted at [email protected].
This policy was agreed upon by the Senior Management Committee on 8th June 2018.