Data Protection Policy

Similar documents
Data Management and Protection Policy

Data Protection. Policy

General Optical Council. Data Protection Policy

DATA PROTECTION POLICY 2016

Human Resources. Data Protection Policy IMS HRD 012. Version: 1.00

Queen s Croft High School DATA PROTECTION POLICY AND PRIVACY NOTICE

Data Protection Policy

This personal information must be dealt with properly, with appropriate safeguards in place to ensure the rights and freedoms of data subjects.

SHENLEY BROOK END SCHOOL

Records Management policy

POLICY ON INFORMATION, SECURITY & DATA PROTECTION

Data Protection Policy

Data subject access policy

Project Title. Project Number. Privacy Impact Assessment

VMS Software Ltd- Data Protection Privacy Policy

DATA PROTECTION POLICY WINCHESTER CITY COUNCIL. Data Protection Policy

Data Protection Policy

Data Protection Policy & Procedures

RAW MARKETING DATA PROTECTION POLICY

DATA PROTECTION POLICY

Data Protection Policy

LSEG Recruitment Privacy Notice

Data Protection Policy Approved by: COG Approved: 9 August 2017 Review date: August 2019 Version: Statement of Intent

Data protection (GDPR) policy

Privacy Impact Assessment: Standard Operating Procedure

DATA PROTECTION POLICY

Data Protection Policy

DATA PROTECTION POLICY 2018

Information Sharing Policy

DATA PROTECTION POLICY

The current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions.

DATA PROTECTION POLICY

SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ]

Regulates the way data controllers process personal data

2.1.2 Gender, age, date of birth, marital status and nationality;

Data Protection Policy and Handbook. Scottish Information Commissioner

Data Protection Policy

EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY

GENERAL DATA PROTECTION REGULATION Guidance Notes

Data Protection Policy

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General

UK Research and Innovation (UKRI) Data Protection Policy

Data Protection Policy for the Grimsby Institute of Further & Higher Education

St Mark s Church of England Academy Data Protection Policy

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY

Baptist Union of Scotland DATA PROTECTION POLICY

General Personal Data Protection Policy

RECRUITMENT PRIVACY NOTICE

Brasenose College Data Protection Policy Statement v1.2

Data Protection Policy

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems

HR Garda Vetting Privacy Notice. Kerry County Council Comhairle Contae Chiarraí

Swansea University Recruitment Privacy Policy

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3

Introduction Why is data protection important? How does it apply to volunteers? What volunteers need to do?...

Hendre Infants School DATA PROTECTION POLICY. Nurture, Believe, Achieve Headteacher: A. J. Brett-Harris

GDPR digest ARE YOU GDPR READY? {More than a MORTGAGE CLUB}

We reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.

Network Rail internal privacy notice

Data Protection Policy No. E11

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

Data Protection Policy

Broad Run Investment Management, LLC

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

Data Protection Audit Self-assessment toolkit

PRIVACY NOTICE for Welsh St Donat s Community Council, May 2018

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021

PRIVACY NOTICE Potential Staff / Graduate Recruitment May 2018

Functional area. F Hallinan, C Abad, W Andrews Approver (s) Version 001 Effective date 25 May Privacy Notice for Emergency Contacts

PRIVACY NOTICE FOR JOB APPLICANTS

Data Protection Act Policy And Operational Procedures For the Trust, Its Academies, And Essa Nursery

Data Protection/ Information Security Policy

Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018

DATA PROTECTION POLICY

DATA PROTECTION POLICY

THE COMPETITION AND CONSUMER PROTECTION COMMISSION JOB APPLICANT PRIVACY NOTICE 1. INTRODUCTION... 2

Brasenose College is committed to protecting the privacy and security of personal data.

The Society of St Stephen s House Site Security and Monitoring Privacy Notice

University for the Creative Arts Application Declaration. Data Protection Privacy Notice

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

Data Protection Policy

DATA BREACH NOTIFICATION POLICY. Last Updated: Review Date:

RECORD OF PROCESSING ACTIVITIES ST CUTHBERT S CATHOLIC HIGH SCHOOL

UoW takes measures to enable data to be restored and accessed in a timely manner in the event of a physical or technical incident.

Ernst & Young Data Protection Binding Corporate Rules Programme

Data Protection Policy

DATA PROTECTION POLICY

Tourettes Action Data Protection Policy

Data Protection Policy. UK Policy May 2018

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

Data Breach Notification Policy

Gwybodaeth Dan Reolaeth. Gwynedd Council DATA PROTECTION POLICY FINAL 2.0. September Information Management Service. Approved

THE PORTSMOUTH GRAMMAR SCHOOL

BROOKS PERSONAL TRAINING

DATA PROTECTION POLICY AND PROCEDURE

GDPR DATA PROCESSING NOTICE FOR FS1 RECRUITMENT UK LTD FOR APPLICANTS AND WORKERS

Information Governance Clauses Clinical and Non Clinical Contracts

APCC Policy Statement

Transcription:

Data Protection Policy University of London Data Protection UoL website link: http://www.london.ac.uk/238.html Email: records.managament@london.ac.uk

Contents 1 Policy statement... 3 2 Introduction and scope... 3 3 Definitions... 4 4 The University will obtain consent when collecting personal data... 4 5 The University will inform people what is being done with their data... 5 6 The University will keep personal data safe and secure... 6 7 The University will serve the rights of individuals under the Act... 7 8 The University will ensure staff are appropriately trained in managing personal data... 8 9 The University will ensure that records containing personal data are effectively managed... 9 10 Third party access to personal data... 9 11 Complaints... 10 12 Version control... 10 13 Appendix A The Data Protection Principles... 11

1 Policy statement The University is committed to complying with the Data Protection Act 1998 as an academic institution, an employer and as a service provider. In order to do this the University will: obtain consent when collecting personal data or rely on appropriate legal grounds for processing personal inform people what is being done with their data keep personal data safe and secure observe the rights of individuals under the Act ensure staff are appropriately trained in managing personal data ensure that records containing personal data are effectively managed 2 Introduction and scope The Data Protection Act 1998 requires the University to register as a Data Controller with the Information Commissioner and manage the personal data it processes according to eight principles. The Information Commissioner s Office website contains a wide range of policy and guidance around Data Protection: https://ico.org.uk/ This policy covers all the central University Academic Bodies and Activities. Further details on the structure of the University at the following link: http://www.london.ac.uk/structure.html

3 Definitions The Data Protection Act 1998 governs the processing of personal data. All these terms are defined in the 1998 Act: Personal data are data which can identify living individuals. As well as images, names and contact details it can also include numerical or statistical information from which an individual s identity can be derived. Sensitive personal data are personal data relating to the racial or ethnic origin, health, sexual life, trade union membership, criminal records or religious belief. This data requires a greater level of consideration when being collected, processed or transferred. A Data Subject is the individual who is the subject of personal data. A Data Controller determines the purposes for which personal data are processed. The controller is ultimately responsible for the personal data, whether they pass the data to a processor or not. This includes the responsibilities of responding to Subject Access Requests and complaints from data subjects. A Data Processor is any individual or organisation who processes personal data on behalf of and according to the purposes defined by the data controller. 4 The University will obtain consent when collecting personal data The University collects personal data in the course of registering students, employing staff or providing services to customers. The University has to satisfy at least one of the conditions in the Act for the processing of personal data and ensure that the processing is fair. If further processing beyond the purposes the data has been collected for then consent should be sought again, unless another condition or exemption in the Data Protection Act applies. Consent should be obtained using an opt in by the data subject rather than an opt out. The University will not assume consent has been given simply by the absence of an objection.

5 The University will inform people what is being done with their data Individuals providing their personal data to the University should be aware who the data controller is and what will be done with their data. Appropriate collection notices or fair processing notices will be provided by University services. In order to process personal data, a data controller such as the University has to inform the Information Commissioner and comply with the Act s notification (registration) procedure. The University s notification covers ALL processing activities. The University s Legal Services team deals with the Information Commissioner s office regarding the notification. All new projects or services in the central University s Institutes and Activities involving the processing of personal data should be reported to the Legal Services team to ensure that they are covered by our current notification. The University s notification (registration number: Z5419651) covers all the central University administrative offices based at Senate House (including the Library) and at Stewart House, as well as the Institutes of the School of Advanced Study, Intercollegiate Halls of Residence, Student Central, University of London Computer Centre, The Careers Group and the University s business services. Individual Colleges of the University are separate legal entities and therefore have their own notifications. Colleges should be consulted concerning data protection matters relating to personal data held at those institutions. The published register of Data Controllers is available online at the Information Commissioner s website.

6 The University will keep personal data safe and secure The seventh principle of the Data Protection Act requires that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The University will manage the personal data it processes in a secure way. This applies to paper and electronic records systems. Systems should be access controlled, staff appropriately trained and security processes should be developed and understood. Appropriate monitoring and reporting on data security risks, initiatives and developments will be undertaken by the University s internal management groups. In the event that the University engages a third party as a data processor for its personal data, a specific written contract with the supplier providing assurance of security provision should be in place. The University will not rely on supplier set terms and conditions. Transfers of personal data outside the European Economic Area (EEA) will be managed according to the eighth principle of the Data Protection Act.

7 The University will serve the rights of individuals under the Act Individuals our students, staff and customers have a number of rights under the Act. These include a right to prevent processing likely to cause damage or distress, and a right to prevent processing for the purposes of direct marketing. The Subject Access Right requires the University to supply data subjects with information about the data which they hold on them (including copies of the data) if requested to do so. Requests must be made in writing. The information requested must be supplied promptly, and no later than 40 days after the receipt of the request or, if later, receipt of the applicable fee. The University charges 10 (the maximum currently permitted) for this service. The 40 day deadline is a statutory requirement, and staff are reminded of the need to ensure that subject access requests are completed within this timescale. The application form for making a subject access request is also available at http://www.london.ac.uk/data protection.html, alongside guidance for staff on the procedure for dealing with requests for personal information under the Act.

8 The University will ensure staff are appropriately trained in managing personal data The Legal Services team is responsible for ensuring compliance with Data Protection Act by producing policy and training, advising University departments or undertaking specific projects. The duty to comply with the Data Protection Act with its emphasis on the handling and retention of personal information is part of the terms and conditions of all members of staff http://www.london.ac.uk/4109.html. The University Records Manager will provide the following training and information for staff Data Protection: Classroom training Attendance at regular Information Compliance training sessions is a requirement for all new staff and is also open to current staff. Targeted sessions for specific departments are often carried out. Online training An online Data Protection training course is provided on the Staff Development e Learning site and is recommended for all staff. Web pages The Data Protection page of the University website will feature this policy and relevant procedures. Intranet pages The Data Protection page of the staff intranet will feature guidance and practical information for staff around Data Protection. Data Protection issues will be communicated via intranet news items to keep staff informed and maintain awareness. Response to queries / provision of advice Staff can contact the Legal Services team by phone or by email (at records.management@london.ac.uk) for advice on specific issues.

9 The University will ensure that records containing personal data are effectively managed Good records management is essential to comply with the Data Protection Act. The University will ensure that the personal data kept is: Adequate, relevant and not excessive for the purposes it has been collected for Accurate and up to date Kept only for as long as is necessary, according to the retention schedules maintained by the University The University s records management policy can be found at the following link: http://www.london.ac.uk/955.html 10 Third party access to personal data The University may be asked by a third party to disclose information regarding an individual. For example, the University may be contacted by the police or other authorities where the information is required in connection with matters such as the fraud prevention, the prevention or detection of crime or the assessment or collection of tax, or where disclosure is required by law or is necessary in connection with legal proceedings. The University will only make disclosures of this kind on receiving a certificate from the authority seeking the information to the effect it falls within a relevant exemption. Any requests from outside authorities such as the police or the courts for the disclosure of personal data should be made in writing or referred to the Legal Services team at records.management@london.ac.uk. If an employer wishes to gain proof or confirmation of the academic qualification of an employee or prospective member of staff, they should be directed to the Transcripts Office in the first instance http://www.london.ac.uk/113.html.

11 Complaints Any complaints related to Data Protection should be directed to the University s Legal Services team. The Legal Services team will respond according to the general guidelines set out in the University s complaints procedure. Any questions relating to the Data Protection Act or this policy should be directed to the Legal Services team at: records.management@london.ac.uk. 12 Version control Date Version Reason for change Author March 2002 1.0 First version Data Protection guidelines. Legal & Constitutional Adviser January 2005 2.0 Revised and updated Legal & Constitutional Adviser March 2007 3.0 Revised and updated Legal & Constitutional Adviser September 2007 4.0 Revised and updated Legal & Constitutional Adviser May 2011 5.0 Revised and updated Legal & Constitutional Adviser / Assistant to the Legal & Constitutional Adviser July 2012 5.1 Revised and updated as University of London Data Protection Policy March 2013 5.2 Updated and presented to the University s Information Compliance Group University Records Manager with comments from Legal & Constitutional Adviser / Assistant to the Legal & Constitutional Adviser University Records Manager July 2013 6.0 Approved by the Vice Chancellor s Executive Group. University Records Manager February 2015 6.1 Text updated to reflect recent organisational changes in the University University Records Manager February 2017 6.2 Minor format and text changes University Records Manager

13 Appendix A The Data Protection Principles Personal data must be processed in accordance with the eight principles listed in the Act. These are as follows: First Principle: Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met [see below] Second Principle: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes Third Principle: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed Fourth Principle: Personal data shall be accurate and, where necessary, kept up to date Fifth Principle: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes Sixth Principle: Personal data shall be processed in accordance with the rights of data subjects under this Act Seventh Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data Eighth Principle: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data The ICO has produced a useful Guide to Data Protection which considers the eight principles in detail (available at: https://ico.org.uk/for organisations/guide to data protection/). Staff can find out more about the practical issues around these principles in the University s Data Protection Top Tips, available on the Staff Intranet.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback