For the avoidance of doubt, the College is the “Data Controller” and its employees, suppliers, contractors and students are the “Data Subjects”. A “Data Processor” is any party, be they internal or external to the College that processes the data on behalf of the college. For example, data is taken from the student records and a process run on that data to enable reporting to the Department of Education on student numbers. The College’s designated “Data Protection Officer” is the Finance Director. Personal information and data are deemed to have the exact same meaning and relate to personal facts associated with a living individual.
To comply with the law, personal information must be collected and used fairly, stored safely, and not disclosed to any other person or organisation unlawfully. To do this, the college must comply with the General Data Protection Regulation which is set to replace the Data Protection Act 1998. The College’s General Data Protection Policy details the College’s approach to Data Protection.
All staff, students, and other persons about which the College legitimately holds data are entitled to:
These principals are enshrined in the General Data Protection Regulation and the College treats security of data as a top priority. Provisions have been put in place to ensure that risks associated with holding data have been minimised.
The Regulation also includes information on rights of the data subjects. These are:
A data register has been established which details all the type of data the college holds together with the security measures in place to ensure the data is protected.
The register gives a description of the data / service held, the categories of data included (name, address etc) and the reason why such data is retained. For example, collecting and retaining student information is a legal or contractual requirement whilst they are at college. Where data is transferred to a third party this will be logged on the register, alongside the method of transfer and the format in which it is sent. The collection and retention of data on individuals, be they students or staff, is a necessary part of the operation of the College. This may fulfil both a legal and contractual duty but also assists in the safeguarding of our students. The data register records how that data is secured. That may be through encryption of the data before it is processed, physical security (for example sensitive, paper based information may be stored in locked cabinets) or through restricted user access where that is appropriate and possible. As part of the College’s ongoing commitment to data security, the Data Register will be scrutinized by the Risk Management Team so that any associated risks can be discussed and procedures put in place to ensure the information is as secure as possible. The current security measures and the implementation of any new procedures will help to mitigate the risk posed by retaining data. Whilst the risk of data loss cannot be completely eliminated, these procedures are designed to provide comfort to Data Subjects that information is being treated with the utmost care.
In the digital world, the College needs to continue to evolve to meet the challenges of data privacy. Stakeholders may request data to be divulged in different formats than currently available and the College has to be able to respond to those changes in a timely manner. In any project that involves data collection or processing, applying the Privacy By Design principles ensures that the approach recognises the importance of promoting privacy and data protection compliance from the outset. Privacy by Design might include projects such as building new IT storage systems, sharing information with a third party (such as a local authority) or merely manipulating current data into another form and storing that data in a different way. Using the Privacy by Design approach helps the College to meet its obligations under the GDPR act but also demonstrates to Data Subjects that the security of their information has been assessed and any risks associated with holding that data has been minimised. It also means that data protection is addressed early and designs for systems can be altered to give comfort around data security.
Under this policy, staff must ensure that when they determine the need collect data they answer a number of questions early. For example, what data do I actually need (don’t collect information that is not required), why are we collecting the data, how will it be stored, who will have access to that information, what safeguards are in place to reduce the risk of data breach?
The Privacy Impact Assessment is an integral part of the Privacy By Design approach. This helps identify risks of a process and aid decisions and design to eliminate, reduce or accept associated risk elements.
Below are a range of questions, taken from guidance issued by the Information Commissioner, which should be considered as part of any project to determine whether a Privacy Impact Assessment would be worthwhile.
If it is deemed necessary to carry out a Privacy Impact Assessment there are a number of basic steps to follow:
Possible risks with a project might range from physical safety to distress caused to loss of material assets – ie financial loss as a result of data being compromised. Other risks might include:
If, having carried out a Privacy Impact Assessment and despite mitigating processes being put in place, the risk to privacy is unacceptable, the viability of the project must be called into question.
Under GDPR the College must report certain types of personal data beach to the relevant authority within 72 hours of learning of the breach. For certain types of breach, where a Data Subject’s rights and freedoms might be compromised, all those affected must be informed.
The College has a procedure in place specifically related to data breaches and the recording thereof which includes:
Staff, students, and other College users have the right to access any personal data that is being held about them, either on computer or paper-based files.
Staff can view their own computer based personal data via Columbus by clicking on the menu link ‘My Personal Information’. Staff requiring access to view their own paper records should contact the Human Resources Manager.
Students can view their own computer based personal data through the Colleges Online Learning Platform. Students who wish to see their paper records should see their Pastoral Manager. The College aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within one month in term time, or six weeks outside of term time, unless there is good reason for delay. In such cases the reason for delay will be explained in writing to the person making the request. The College will not make any charge for providing this information.
The individual is not entitled to access information about another person.
The College will provide all information it holds on a data subject in a readily recognizable format, such as a pdf.
Under GDPR, staff and students have the right to request that information held about them is removed from College systems. The College will abide by any such requests if it is made in writing, and signed by the individual. The College will remove all data pertaining to an individual, except where it has a legal, contractual or public interest duty to retain information or where such information is required to enable the College to meet funding conditions.
Upon receipt of such a request, the College will advise the individual that such a course may have implications in the future should the individual request data that has been destroyed. The College will also advise which information it will retain where it is obliged to retain such information in order to comply with other legislation (e.g. HMRC).