Data Protection Policy
Introduction
- In undertaking the business of The University of Buckingham (the University, us, we), we all create, gather, store and process large amounts of data on a variety of data subjects such as students (potential, current and former), staff, customers/suppliers and members of the public. Our use of personal data ranges from CCTV footage and financial transactions with commercial customers through to the processing of a student’s details throughout their journey, from application through to graduation and beyond when they become alumni.
- Some of the data we create/collect and process will include personal and/or special categories of data of a sensitive nature (i.e.: data concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health or sexual life). Data may also be processed relating to criminal convictions or offences.
- As our recording and use of data continues to increase, it is more important than ever that every member of University staff understands the law in relation to data protection and staff responsibilities in ensuring that data is secured and protected in line with the law.
- Data protection is an important part of the University’s overall information security arrangements. All information must be handled safely and securely according to agreed policy. In addition to good practice, some data sets are subject to external legislation and it is vital that staff recognise both categories in their handling of University information and data.
- Data protection legislation has existed in the UK for many years with the Data Protection Act (1998) being the current iteration. From 25 May 2018, the primary legislation relating to data protection will be the General Data Protection Regulations (GDPR).
- As the University processes the personal data of staff, students and other individuals, it is defined as a Data Controller for the purposes of the GDPR. This Policy is designed to ensure that the University processes personal data in accordance with the GDPR.
- The GDPR applies to all data relating to, and descriptive of, living individuals defined in the Regulations as ‘personal data’. Individuals are referred to as ‘data subjects’. For further definitions of terms used please see the guidance on the Information Commissioner’s website (ico.org.uk).
- The GDPR places obligations on the University and the way it handles personal data. In turn the staff and students of the University have responsibilities to ensure personal data is processed fairly, lawfully and securely. This means that personal data should only be processed if we have a valid condition of processing (e.g. consent obtained from the data subject, or a contract with them) and we have provided information to the individuals concerned about how and why we are processing their information (i.e. a privacy notice). There are restrictions on what we are allowed to do with personal data such as passing personal information on to third parties, transferring information outside the EU or using it for direct marketing.
- The University is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data.
Purpose of Policy
- This policy sets out the responsibilities of the University, its staff and its students to comply fully with the provisions of the GDPR. It is accompanied by a list and links to other, associated policies and a Data Protection Guidance Handbook which provides information and guidance on different aspects of data protection and data security. This policy, its associated policies and the Guidance Handbook form the framework from which staff and students should operate to ensure compliance with data protection legislation.
Scope
- The policy applies to all staff and students, and all items of personal data that are created, collected, stored and/or processed through any activity of the University, across all areas including all schools, departments and professional services.
Background
Data Protection principles
- The University is required to adhere to the six principles of data protection as laid down in the GDPR, which means that information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. The six principles are:
a) Personal data shall be processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’).
b) Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes. Further processing for archiving, scientific or historical research or statistical purposes is permissible (‘purpose limitation’).
c) Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed (‘data minimisation’).
d) Personal data shall be accurate and where necessary kept up to date (‘accuracy’).
e) Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose (‘storage limitation’).
f) Personal data shall be processed in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Personal Data
- Personal data is information about a living individual, who is identifiable from that information or who could be identified from that information when combined with other data which the University either holds or is likely to obtain. GDPR also refers separately to ‘special categories’ of personal data which includes particularly sensitive personal information such as health details, racial or ethnic origin or religious beliefs. Further information and guidance on personal data, including a full list of ‘special categories’ of personal data, is provided in section 3 of the Data Protection Guidance Handbook.
- The definition of ‘processing data’ includes obtaining/collecting, recording, holding, storing, organising, adapting, aligning, copying, transferring, combining, blocking, erasing and destroying the information or data. It also includes carrying out any operation or set of operations on the information or data, including retrieval, consultation, use and disclosure.
- The University, as data controller, remains responsible for the control of the personal data that it collects even if that data is later passed onto another organisation or is stored on systems or devices owned by other organisations or individuals (including devices personally owned by members of staff).
- Staff developing new projects or processes or revising existing processes need to take data protection into account as part of this process and may need to carry out a data protection impact assessment if the activity is deemed to be a high risk of intrusion into the privacy of individuals (see section xii below).
- In the event that there is a data protection breach this will usually have to be reported to the Information Commissioner’s Office no later than 72 hours after the breach is discovered.
Associated Policies
- There are a number of University policies which contain provisions that are relevant to data security such as the Policy on the Use of University Computers and Social media Networks. Where there is a conflict between policies, the provisions of the GDPR take precedence and the policies should be interpreted so as to give effect to the provisions which most closely reflect the aims of the GDPR. The Data Protection Officer should be consulted if there is any ambiguity which cannot be resolved.
Policy
The Policy is set out in the following sections:
iv. Conditions of Processing and Consent
vi. Record of Processing Activities
ix. Subject Access Requests and Data Subject Rights
xi. Transfers of Personal Data Outside the EU
xii. Data Protection Impact Assessments and Data Protection by Design
i. General
- The University is responsible for demonstrating compliance with the six data protection principles (see paragraph 12).
- Compliance with the GDPR, and adhering to these principles is the responsibility of all members of the University. Any deliberate breach of this policy may lead to disciplinary action being taken, access to University facilities being withdrawn, or even criminal prosecution.
- The University is required to keep a record of its data processing activities as a summary of the processing and sharing of personal information and the retention and security measures that are in place. For more information about these records see section vi Records of Processing Activities.
ii. Data Security
22. All University users of personal data must ensure that all personal data they hold is kept securely. They must ensure that it is not disclosed to any unauthorised third party in any form either accidentally or otherwise. Data Security should be undertaken in line with the University’s Policy on Use of University Computers and Social Networks. Links to these policies are provided above and guidance on data security is included in section 4 of the Data Protection Guidance Handbook.
iii. Data Retention
- Individual areas within the University are responsible for ensuring the appropriate retention periods for the information they hold and manage. Retention periods will be set based on legal and regulatory requirements, sector and good practice guidance. A useful source of guidance is available at the JISC Higher Education Business Classification Scheme and Records Retention Schedules (http://bcs.jiscinfonet.ac.uk/he/default.asp).
- Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. Once information is no longer needed it should be disposed of securely. Paper records should be shredded or disposed of in confidential waste and electronic records should be permanently deleted.
- If data is fully anonymised then there are no time limits on storage from a data protection point of view (see paragraph 59).
iv. Conditions of Processing and Consent
- In order for it to be legal and appropriate for the University to process personal data at least one of the following conditions must be met:
a) The data subject has given his or her consent
b) The processing is required due to a contract
c) It is necessary due to a legal obligation
d) It is necessary to protect someone’s vital interests (i.e. life or death situation)
e) It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
f) It is necessary for the legitimate interests of the controller or a third party and does not interfere with the rights and freedoms of the data subject (this condition cannot be used by public authorities in performance of their public tasks).
- All processing of personal data carried out by the University must meet one or more of the conditions above. In addition the processing of ‘special categories’ of personal data requires extra, more stringent, conditions to be met in accordance with Article 9 of the GDPR. To process personal data about criminal convictions or offences, conditions must be met under Article 10 GDPR.
- The University is a privately funded charitable institution and, as such, does not fall within the definition of Public Authority for the purposes of the GDPR. It is a legitimate interest of the University to raise funds through marketing, including direct marketing and fundraising activities. The University may contact prospective, current and former students for the purpose of direct marketing and fundraising. The University may also contact individuals who have expressed an interest or who have been identified by information which is publicly available as a potential donor or customer. This means that the University may use personal data that it has collected in accordance with this Policy to contact individuals about events that they have registered for, products that they have purchased (or that have been purchased for them), reminders regarding courses, to tell them about the University’s products available from time to time and to raise funds for approved projects. The direct marketing communications may be provided through Social Media Channels, email, post or such other means as the University chooses.
- Whenever collecting data that will be used for marketing purposes directly from individuals, the University should state whether it will use the data for direct marketing purposes. Individuals must be provided with the opportunity to opt out of receiving these direct marketing communications at any time.
- If data subjects tell us that they do not want to receive any further direct marketing from us, the University should not contact them further for the purpose of direct marketing. However the University will not necessarily remove their personal data from its database(s) if it considers it is necessary to retain the personal data for another legitimate purpose (e.g. because it is necessary to administer a contract or because it is a legal requirement).
- For some activities, the University may need the specific consent of individuals in order to process their data.
- Consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or other clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The GDPR clarifies that silence, pre-ticked boxes or inactivity do not constitute consent.
- Anyone who has provided consent has the right to revoke their consent at any time and must be informed of that right. The process for revoking consent must be kept simple and should be no more onerous than the process for giving consent in the first place.
- Further information about obtaining consent can be found in section 5 of the Data Protection Guidance Handbook.
v. Privacy Notices
- Under the ‘fair and transparent’ requirements of the first data protection principle, the University is required to provide data subjects with ‘privacy notices’ to let them know what it does with their personal data.
- Privacy notices are published on the University website and are therefore available to individuals from their first point of contact with the University. Any processing of personal data beyond the scope of the University’s Privacy Notice will require a separate privacy notice and the Data Protection Officer should be notified of the proposed activity beforehand to ensure such processing is in accordance with this policy and the GDPR.
- Further information on what information should be included in a privacy notice is provided in section 5 of the Data Protection Guidance Handbook.
vi. Records of Processing Activities
- As a data controller, the University is required to maintain a record of processing activities which covers all the processing of personal data carried out by the University. Amongst other things this record contains details of why the personal data is being processed, the types of individuals about which information is held, who the personal information is shared with and when personal information is transferred to countries outside the EU.
- Staff embarking on new activities involving the use of personal data that is not covered by one of the existing records of processing activities should inform the Data Protection Officer (data-protection@buckingham.ac.uk) before starting the new activity.
vii. Children
- Under GDPR there are restrictions that apply to the processing of personal information relating to children. Although the University does not generally process the data of children, there may be circumstances when it is necessary to do so. If it is deemed necessary within any school or department of the University to process the personal data of children, the Data Protection Officer should be consulted prior to the processing activities to ensure that necessary steps are taken to ensure that such processing is in accordance with the GDPR.
viii. Research
- Data collected for the purposes of research is covered by the GDPR. It is important that staff collecting data for the purpose of research or consultancy incorporate an appropriate form of consent on any data collection form.
- Further information and guidance on data protection and research is provided in section 6 of the Data Protection Guidance Handbook.
ix. Subject Access Requests and Data Subject Rights
- The GDPR gives data subjects the right to access personal information held about them by the University. The purpose of a subject access request is to allow individuals to confirm the accuracy of personal data and check the lawfulness of processing to allow them to exercise rights of correction or objection if necessary. However, individuals can request to see any information that the University holds about them, which includes copies of email correspondence referring to them or opinions expressed about them.
- The University must respond to all requests for personal information and information will normally be provided free of charge and within 30 days of the date of request.
- References are disclosable to the person about whom they are written under the subject access provisions of the GDPR. This includes references received by the University from external sources and confidential references given and received internally (e.g. as part of advancement and promotions procedures). In order to maintain confidentiality and to prevent the unauthorised disclosure of information, staff should not provide references unless satisfied that the person who is the subject of the reference has consented.
- The University is not required to disclose examination scripts; however, students are entitled to access any marks or comments annotated on the script. Students are entitled to their marks for both coursework and examinations. Unpublished marks must be disclosed within 5 months of a subject access request.
- Information and guidance about handling subject access requests can be found in section 7 of the Data Protection Guidance Handbook.
- Data subjects have a number of other rights under the GDPR. These include:
- Right to Object – Data subjects have the right to object to specific types of processing which includes processing for direct marketing. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing where it is an absolute right (see section xiii on direct marketing). Online services must offer an automated method of objecting. In some cases there may be an exemption to this right for research or statistical purposes done in the public interest.
- Right to be forgotten (erasure) – Individuals have the right to have their data erased in certain situations such as where the data is no longer required for the purpose for which it was collected, the individual withdraws consent or the information is being processed unlawfully. There is an exemption to this for scientific or historical research purposes or statistical purposes if the erasure would render impossible or seriously impair the achievement of the objectives of the research. Individuals can ask the controller to ‘restrict’ processing of the data whilst complaints (for example, about accuracy) are resolved or the processing is unlawful.
- Rights in relation to automated decision making and profiling – The right relates to automated decisions or profiling that could result in significant effects on an individual. Profiling is the processing of data to evaluate, analyse or predict behaviour or any feature of their behaviour, preferences or identity. Individuals have the right not to be subject to decisions based solely on automated processing. When profiling is used, measures must be put in place to ensure security and reliability of services. Automated decision-taking based on sensitive data can only be done with explicit consent.
- Right to Rectification – The right to require a controller to rectify inaccuracies in personal data held about them. In some circumstances, if personal data are incomplete, an individual can require the controller to complete the data, or to record a supplementary statement.
- Right to Portability – The data subject has the right to request that information about them is provided in a structured, commonly used and machine-readable form so it can be sent to another data controller. This only applies to personal data that is processed by automated means (not paper records); to personal data which the data subject has provided to the controller, and only when it is being processed on the basis of consent or a contract.
- The availability of rights largely depends on the legal justification for processing. The table below summarises when rights are available.
| Legal Justification | Right to Object | Right to Erasure | Rights in relation to Automated Decision Making | Right to Rectification | Right to Portability |
| --- | --- | --- | --- | --- | --- |
| Consent | No (but can withdraw consent) | Yes | No (but can withdraw consent) | Yes | Yes |
| Contract | No | Yes | No | Yes | Yes |
| Legal Obligation | No | No | No | Yes | No |
| Vital Interest | No | Yes | No | Yes | No |
| Public Task | Yes | No | Yes | Yes | No |
| Legitimate Interests | Yes | Yes | Yes | Yes | No |
- Any requests made to invoke any of the rights above must be dealt with promptly and in any case within one month of receiving the request. Members of staff should consult the Data Protection Officer for advice if they encounter any difficulty in complying with a request. It is possible to extend the time for compliance by a further two months where requests are complex or numerous in which event it is necessary to inform the individual within one month of the receipt of the request and explain why the extension is necessary.
x. Data Sharing
- Certain conditions need to be met before personal data can be shared with a third party or before an external data processor is used to process data on behalf of the University.
- As a general rule personal data should not be passed on to third parties, particularly if it involves special categories of personal data. It is however permissible or necessary in certain circumstances. Any transfers of personal data must meet the data processing principles, in particular it must be lawful and fair to the data subjects concerned (see paragraph 12). More particularly:
- It must meet one of the conditions of processing (see section iv). Legitimate reasons for transferring data (e.g. legal requirement);
- The University must be satisfied that the third party will meet all the requirements of GDPR particularly in terms of holding the information securely;
- Where a third party is to process personal data on behalf of the University, a written contract must be in place containing appropriate Data Protection safeguards.
- Staff should consult with the Data Protection Officer if they are entering into a new contract that involves the sharing or processing of personal data or if they have any concerns about the Data Protection safeguards in existing contracts.
- Staff who receive requests for personal information from third parties such as relatives, police, local councils etc. should consult section 9 of the Data Protection Guidance Handbook on Requests for Personal Information from Third Parties.
xi. Transfers of Personal Data Outside the EU
- Personal data can only be transferred out of the European Union under certain circumstances. The GDPR lists the factors that should be considered to ensure an adequate level of protection for the data and some exemptions under which the data can be exported. In many cases the University will require consent of the data subjects before personal information can be transferred out of the EU.
- Information published on the internet must be considered to be an export of data outside the EU. This covers data stored in the cloud unless the service provider explicitly guarantees data storage only takes place within the EU. Presently the University does not utilise any cloud storage outside of the EU.
- The Information Commissioner’s Office Guidance on the use of Cloud Computing should be consulted before any use of external computing resources or services via a network which may involve personal data takes place.
- Staff involved in transferring personal data to other countries should consult section 10 of the Data Protection Guidance Handbook.
xii. Data Protection Impact Assessments and Data Protection by Design
- Under the GDPR the University has an obligation to consider the impact on the privacy of individuals during all processing activities. This includes implementing appropriate technical and organisational measures to minimise the risk of breaching the GDPR.
- It is particularly important to consider privacy issues when considering new processing activities or setting up new procedures or systems that involve personal data. GDPR imposes a specific ‘privacy by design’ requirement emphasising the need to implement appropriate technical and organisational measures during the design stages of a process and throughout the lifecycle of the relevant data processing to ensure that privacy and protection of data is not an after-thought.
- For further information about techniques that can be used to reduce the risks associated with handling personal data, including Anonymisation and Pseudonymisation, see section 12 of the Data Protection Guidance Handbook on Data Protection by Design and Default.
- For some projects the GDPR requires that a Data Protection Impact Assessment (DPIA) is carried out. The types of circumstances when this is required include: those involving processing of large amounts of personal data, where there is automatic processing/profiling, processing of special categories of personal data, or monitoring of publicly accessible areas (i.e. CCTV). The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimise or reduce risks. Information about when and how to carry out a DPIA can be found in section 11 of the Data Protection Guidance Handbook on Data Protection Impact Assessments.
xiii. Direct Marketing
- Direct marketing relates to communication (regardless of media) with respect to advertising or marketing material that is directed to individuals e.g. mail shots for fund raising, advertising courses etc. Individuals must be given the opportunity to remove themselves from lists or databases used for direct marketing purposes. The University must cease direct marketing activity if an individual requests the marketing to stop.
- Direct marketing must also comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which covers marketing via telephone, text and email. For more information about direct marketing and PECR please see section 13 of the Data Protection Guidance Handbook.
xiv. Personal Data Breach
- The University is responsible for ensuring appropriate and proportionate security for the personal data that we hold. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage of the data. The University must make every effort to avoid personal data breaches; however, it is possible that mistakes will occur on occasions. Examples of common personal data breaches include:
- Loss or theft of data or equipment on which data is stored or accessible;
- Inappropriate access controls allowing unauthorised use;
- Equipment failure;
- Unauthorised disclosure (e.g. email sent to the incorrect recipient);
- Human error; and
- Failure to maintain effective firewalls resulting in successful hacking attacks.
- If a data protection breach occurs the University is required, in most circumstances, to report this as soon as possible to the Information Commissioner’s Office, and not later than 72 hours after becoming aware of it.
- If students or staff become aware of a data protection breach they must report it immediately to the Data Protection Officer. Details of how to report a breach and the information that will be required are included in section 14 of the Data Protection Guidance Handbook on Personal Data Breaches.
xv. Impact of Non-compliance
- All staff and students of the University are required to comply with this Data Protection Policy, its supporting guidance and the requirements specified in the GDPR. Any member of staff or student who is found to have made an unauthorised disclosure of personal information or breached the terms of this Policy may be subject to disciplinary action. Staff may also incur criminal liability if they knowingly or recklessly obtain and/or disclose personal information without the consent of the University for their own purposes, which are outside the legitimate purposes of the University.
- The University could be fined for non-compliance with the GDPR. There are two tiers of fines depending on the type of infringement. Further information about the fines is in section 15 of the Data Protection Guidance Handbook.
University Contacts
- The University’s named Data Protection Officer is Hahna Akhtar whose contact details are as follows:
Email: data-protection@buckingham.ac.uk
Address: Data Protection Officer, University of Buckingham, Buckingham MK18 1EG
- In the first instance all enquiries or requests for further information or guidance relating to data protection should be addressed to the Data Protection Officer.