Data Protection Policy

Similar documents
Hendre Infants School DATA PROTECTION POLICY. Nurture, Believe, Achieve Headteacher: A. J. Brett-Harris

UK Research and Innovation (UKRI) Data Protection Policy

Data Protection Policy

LEICESTER HIGH SCHOOL DATA PROTECTION POLICY

DATA PROTECTION POLICY

CHANNING SCHOOL DATA PROTECTION POLICY

ScottishPower Data Protection Policy

SCHOOLS DATA PROTECTION POLICY. Guidance Notes for Schools

GDPR P4 Privacy Policy Statement & Guidance for Employees and External Providers

Trinity is committed to protecting the privacy and security of personal data.

The Society of St Stephen s House Site Security and Monitoring Privacy Notice

Privacy Statement About this privacy policy Who are we and how to contact us

Brasenose College Data Protection Policy Statement v1.2

Data Protection Policy for Staff DJJK. Apr of 10

POLICY. Data Breach Notification Policy. Version Version 1.0. Equality Impact Assessment Status. Date approved 23 rd May 2018

Data Protection Policy

Baptist Union of Scotland DATA PROTECTION POLICY

We reserve the right to update this privacy notice at any time. Please check our website from time to time for any changes we may make.

LIFE STYLE CARE PLC. Privacy Statement for Employees. August 2018

GENERAL DATA PROTECTION REGULATION Guidance Notes

DATA PROTECTION POLICY 2018

DATA PROTECTION POLICY

Data Protection Policy. UK Policy May 2018

Data Protection Policy

SAFFRON WALDEN COMMUNITY CHURCH DATA PROTECTION POLICY. Adopted: [ ]

Data Protection Policy

Brasenose College is committed to protecting the privacy and security of personal data.

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3

Data Protection. Policy

PRIVACY NOTICE FOR JOB APPLICANTS

Scottish Charity Number SC Dingwall Baptist Church DATA PROTECTION POLICY

DATA PROTECTION POLICY VERSION 1.0

EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY

Privacy Notice (How we use school workforce information)

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

Data protection (GDPR) policy

The Data Controller for all personal data stored and processed by Horiba MIRA Ltd is:

General Optical Council. Data Protection Policy

This privacy notice applies to attendees, organisers and others involved in Merton College s conferences and events

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

Human Resources. Data Protection Policy IMS HRD 012. Version: 1.00

The current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions.

Breakthrough Data Protection Policy Approved by Lead Organisation: November 2017 Next Review Date: November 2018

Data Protection Policy Approved by: COG Approved: 9 August 2017 Review date: August 2019 Version: Statement of Intent

Data Breach Notification Policy

Data Protection. Document Detail Type of Document (Stat Policy/Policy/Procedure) Category of Document (Trust HR-Fin-FM-Gen/Academy) General

Responsible Business Alliance. Data Privacy and GDPR Compliance Policy

Orbit Recruitment Privacy Policy

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

DATA PROTECTION POLICY

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021

SHENLEY BROOK END SCHOOL

DATA PROTECTION POLICY

TimePlan Education Group Ltd ( the Company ) Data Protection. Date: April Version: 001. Contents

St Mark s Church of England Academy Data Protection Policy

Introduction Why is data protection important? How does it apply to volunteers? What volunteers need to do?...

Swansea University Recruitment Privacy Policy

b. by a controller not established in EU, but in a place where Member State law applies by virtue of public international law.

St Michael s CE Primary School Data Protection Policy

GDPR DATA PROCESSING NOTICE FOR FS1 RECRUITMENT UK LTD FOR APPLICANTS AND WORKERS

Information Asset Register IAR. Guidance for Schools

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

DATA BREACH NOTIFICATION POLICY. Last Updated: Review Date:

GDPR for whom it may concern

Tourettes Action Data Protection Policy

Data Protection Policy

Job applicant privacy notice (compliant with the General Data Protection Regulations (GDPR)

RAW MARKETING DATA PROTECTION POLICY

Parent / Carer Privacy Notice

INTERNATIONAL WHAT GDPR MEANS FOR RECORDS MANAGEMENT

This personal information must be dealt with properly, with appropriate safeguards in place to ensure the rights and freedoms of data subjects.

Data Protection and Privacy Statement

Data subject access policy

Regulates the way data controllers process personal data

Data Protection Policy

Brasenose College SCR Member Only Privacy Notice (v1.2)

Project Title. Project Number. Privacy Impact Assessment

GDPR readiness for start-ups, technology businesses and professional practices Martin Cassey

DATA PROTECTION POLICY 2016

RECRUITMENT PRIVACY NOTICE

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems

Privacy Notice. The Kind of Information We Hold About You

Data Protection Act Policy Statement Status/Version: 0.1 Review Information Classification: Unclassified Effective:

Stolle Europe Introduction Important information and who we are Controller and contact information Complaints

DATA PROTECTION POLICY

Data Protection Employee Privacy Notice

Data Protection for Landlords. David Smith Anthony Gold Solicitors

Personal Data Breach Notification Policy

PRIVACY POLICY. Your Village Pty Ltd ABN ( Steam Capital ) is committed to protecting your privacy.

Nissa Consultancy Ltd Data Protection Policy

General Personal Data Protection Policy

DATA PROTECTION POLICY

Global Privacy Policy

DATA PROTECTION POLICY

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

Information Sharing Policy

Transcription:

Data Protection Policy Contents 1. Purpose and scope... 2 2. Background... 2 3. Principles... 2 4. Aims and commitments... 3 5. Roles and responsibilities... 3 6. Breaches of data privacy legislation... 5 7. Compliance... 5 8. Further information... 6 9. Review and development... 6 10. Related policies... 6 Revision history Version Date Changes & Approvals 0.1 15 May 2018 Draft for discussion 0.2 16 May 2018 Incorporating comments from Domestic Bursar & Finance Bursar 0.3 18 May 2018 Incorporating comments from Senior Tutor 1.0 23 May 2018 Approved for publication by Governing Body

1. Purpose and scope This policy provides a framework for ensuring that the College meets its obligations under the General Data Protection Regulation (GDPR) and associated legislation 1 ( data privacy legislation ). It applies to all processing of personal data carried out for a College purpose, irrespective of whether the data is processed on non-college equipment or by third parties. Personal data means any information relating to an identifiable living individual who can be identified from that data or from that data and other data. Processing means anything that is done with personal data, including collection, storage, use, disclosure and deletion. More stringent conditions apply to the processing of special category personal data. Special category means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual s sex life or sexual orientation. This policy should be read in conjunction with the accompanying guidance, which provides further detail and advice on practical application, as well as any other documents that impose confidentiality or data management obligations in respect of information held by the College. This policy does not cover the use of personal data by members of the College when acting in a private or non-college capacity. 2. Background The processing of personal data underpins almost everything the College does. Without it, students cannot be admitted and taught; staff cannot be recruited; living individuals cannot be researched; and events cannot be organised for alumni or visitors. We are responsible for handling people s most personal information. By not handling personal data properly, we could put individuals at risk. There are also legal, financial and reputational risks for the College. For example: If we are not able to demonstrate that we have robust systems and processes in place to ensure we use personal data properly we might lose our ability to carry out research projects requiring access to personal data. Reputational damage from a breach may affect public confidence in our ability to handle personal information. The Information Commissioner s Office (ICO), which enforces data privacy legislation, has the power to fine organisations up to 4% of global annual turnover for serious breaches. 3. Principles The processing of personal data must comply with data privacy legislation and, in particular, the six data privacy principles. These principles are explained in detail in the College s Data Security Guidance. In summary, they require that personal data is: 1 This includes all legislation enacted in the UK in respect of the protection of personal data as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003. Page 2

processed fairly, lawfully and in a transparent manner; used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes; adequate, relevant and limited to what is necessary; accurate and, where necessary, up-to-date; not kept for longer than necessary; and kept safe and secure. In addition, a new accountability principle requires us to be able to evidence compliance with these principles. 4. Aims and commitments The College handles a large amount of personal data and takes seriously its responsibilities under data privacy legislation. It recognises that the mishandling of an individual s personal data may cause them distress or put them at risk of identity fraud. As a result, it is committed to: complying fully with data privacy legislation; where practicable, adhering to good practice, as issued by the ICO or other appropriate bodies; and handling an individual s personal data in a careful and considerate manner that recognises the importance of such information to their privacy and welfare. The College seeks to achieve these aims by: ensuring that staff, students and other individuals who process data for College purposes are made aware of their individual responsibilities under data privacy legislation and how these apply to their areas of work. For example, employment contracts include a clause drawing the attention of the employee to data privacy legislation and the College s data protection policy; providing suitable training, guidance and advice. The College offers this via the University s online training course on data privacy and information security is available to all members of the collegiate University. The online course is supplemented by bespoke on-site training and presentations at departmental meetings, where appropriate. incorporating data privacy requirements into administrative procedures where these involve the processing of personal data, particularly in relation to major information systems (the concept of privacy by design ); operating a centrally coordinated procedure (in order to ensure consistency) for the processing of subject access and other rights based requests made by individuals; investigating promptly any suspected breach of data privacy legislation; reporting it, where necessary, to the ICO; and seeking to learn any lessons from the incident in order to reduce the risk of reoccurrence; and adhering to the University Policy in so far as its provisions are relevant to the College. 5. Roles and responsibilities Governing Body Governing Body has executive responsibility for ensuring that the College complies with data privacy legislation. Page 3

It is supported by Finance Committee, which is responsible for keeping under review the College s policies and compliance with legislation and regulatory requirements. Data Protection Officer (DPO) The DPO is responsible for monitoring internal compliance, advising on the College s data protection obligations and acting as a point of contact for individuals and the ICO. The DPO is responsible for: establishing and maintaining policies and procedures at a central level to facilitate the College s compliance with data privacy legislation; establishing and maintaining guidance and training materials on data privacy legislation and specific compliance issues; supporting privacy by design and privacy impact assessments; responding to requests for advice from departments; coordinating a College-wide register exercise to capture the full range of processing that is carried out; complying with subject access and other rights based requests made by individuals for copies of their personal data; investigating and responding to complaints regarding data privacy (including requests to cease the processing of personal data); and keeping records of personal data breaches, notifying the ICO of any significant breaches and responding to any requests that it may make for further information. In fulfilling these responsibilities, the DPO may also involve, and draw on support from, representatives from all parts of the College. Data Protection Leads Data Protection Leads are responsible for ensuring that the processing of personal data in their department conforms to the requirements of data privacy legislation and this policy. In particular, they must ensure that: new and existing staff, visitors or third parties associated with the Department who are likely to process personal data are aware of their responsibilities under data privacy legislation. This includes drawing the attention of staff to the requirements of this policy, ensuring that staff who have responsibility for handling personal data are provided with adequate training and, where appropriate, ensuring that job descriptions for members of staff or agreements with relevant third parties reference data privacy responsibilities. adequate records of processing activities are kept (for example, by undertaking register exercises); data protection requirements are embedded into systems and processes by adopting a privacy by design approach and undertaking privacy impact assessments where appropriate; privacy notices are provided where data is collected directly from individuals or where data is used in non-standard ways; data sharing is conducted in accordance with College guidance; requests from the DPO for information are complied with promptly; data privacy risks are included in the department s risk management framework and considered by senior management on a regular basis; and Page 4

departmental policies and procedures are adopted where appropriate. Others processing personal data for a College purpose e.g. staff, students and volunteers Anyone who processes personal data for a College purpose is individually responsible for complying with data privacy legislation, this policy and any other policy, guidance, procedures, and/or training introduced by the College to comply with data privacy legislation. For detailed guidance, they should refer to the College s Guidance on Data Protection and any relevant departmental policies and procedures. In summary, they must ensure that they: only use personal data in ways people would expect and for the purposes for which it was collected; use a minimum amount of personal data and only hold it for as long as is strictly necessary; keep personal data up-to-date; keep personal data secure, in accordance with the College s Information Security Policy; do not disclose personal data to unauthorised persons, whether inside or outside the College; complete relevant training as required; report promptly any suspected breaches of data privacy legislation, in accordance with the procedure in section 6 below, and following any recommended next steps; seek advice from the DPO where they are unsure how to comply with data privacy legislation; and promptly respond to any requests from the DPO in connection with subject access and other rights based requests and complaints (and forward any such requests that are received directly to the Information Compliance Team promptly). 6. Breaches of data privacy legislation The College will investigate incidents involving a possible breach of data privacy legislation in order to ensure that, where necessary, appropriate action is taken to mitigate the consequences and prevent a repetition of similar incidents in future. Depending on the nature and severity of the incident, it may also be necessary to notify the individuals affected and/or the ICO. A breach will occur where, for example, personal data is disclosed or made available to unauthorised persons or personal data is used in a way that the individual does not expect. Incidents involving failures of IT systems or processes must be reported to the College s IT Department within 4 working hours of discovery. The College s IT Department will liaise, as appropriate, with the University s Computer Emergency Response Team (OxCert). All other incidents must be reported directly to the DPO at the earliest possible opportunity. 7. Compliance The College regards any breach of data privacy legislation, this policy or any other policy and/or training introduced by the College from time to time to comply with data privacy legislation as a serious matter, which may result in disciplinary action. Depending on the nature of the breach, an individual may also find that they are personally liable (for example, it can be a criminal offence for a member of the College to disclose personal information unlawfully). Page 5

8. Further information Questions about this policy, data privacy matters in general and information security should be directed to the DPO at: data.protection@wadham.ox.ac.uk. 9. Review and development This policy, and supporting guidance, will apply with effect from 25 May 2018. It will be reviewed during the 2018/19 academic year to take into account outstanding ICO guidance and the final form of national legislation underpinning the GDPR. 10. Related policies This policy should be read in conjunction with related policies and regulations, including the: Information Security Policy; and Regulations relating to the use of Information Technology Facilities. Page 6

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback