1. Introduction

a. The University of Bath (the "University") is the owner of an electronic Access Control system based on ACS xPLAN V9 software which controls access to buildings both on and off campus including accommodation properties; the system allows remote access to authorised users of various buildings linked to the system via the University IP network.

b. The locked doors are accessed by using the University Library card which acts as identification to the proximity readers fitted to each door and allows access to authorised users.

c. Controlled doors are located in various areas around the campus and off campus including the following buildings:

i. Accommodation

ii. Academic

iii. Laboratories

iv. Offices

v. Storage facilities

vi. Service buildings

vii. Bars

viii. Students’ Union

d. The system allows the University to:

i. Register users

ii. Allocate doors and/or door groups to users

iii. Allocate time profiles to users

iv. Allocate time profiles to doors

v. Record usage of user cards by automatically logging the time/date and door location each time the card is used

vi. Remotely lock/unlock doors

vii. Maintain passport-style photographic images of each user

e. In some more vulnerable or high risk buildings, following consultation with management, staff and trade unions, additional Access Control measures will be used. These will include PIN and/or biometric entry. With biometric entry, the user will first present the Access Control card and then present a finger to a biometric reader before access is granted.

Such a system does not store the fingerprint but reads and stores a number of points where fingerprint ‘loops’ and ‘whorls’ meet; the system will then check the Access Control card with the digit id and allow access if they are compatible.

Before a user is enrolled on the system they will be requested to sign a notice as shown at appendix A.

f. The University also uses Traka, an intelligent key management system which ensures only authorised users are allowed access to key cabinets around campus that store keys.

g. Traka cabinets can be accessed using the University Library card which acts as identification to the readers fitted to each Traka cabinet and allows access to authorised users.

h. Traka cabinets are located in various buildings around the campus and off campus including the following buildings:

i. Accommodation

ii. Academic

iii. Laboratories

iv. Offices

v. Storage facilities

vi. Service buildings

vii. Bars

viii. Students’ Union

The system allows the University to:

i. Register users

ii. Give access to Traka cabinets

iii. Give access to key bunches in cabinets

iv. Record usage of Traka cabinet access by automatically logging the time/date and Traka cabinet location/key bunch number each time the cabinet is used

2. Objectives for the use of the system

The objectives for the use of the electronic Access Control system are to:

i. Assist in providing a safe and secure environment for the benefit of those who might visit, work or live on the campus.

ii. Reduce the likelihood of opportunist crime.

iii. Reduce the fear of crime by reassuring students, staff and visitors that they are in a secure environment.

iv. Deter and detect criminal activity.

v. Assist in identifying, apprehending and prosecuting offenders in relation to crime and anti-social behaviour.

vi. Provide the Police and University investigators with evidence upon which to take criminal, civil and disciplinary action respectively.

The objectives for the use of the electronic Traka system are to:

i. Assist in providing a safe and secure place to secure keys to areas around the University.

ii. Reduce the chance of keys being lost or stolen.

iii. Reduce the fear of crime by reassuring students, staff and visitors that they are in a secure environment.

iv. Deter and detect criminal activity.

v. Provide the Police and University investigators with evidence upon which to take criminal, civil and disciplinary action respectively.

vi. Limit the number of keys in issue.

3. Procedural and administrative notes

a. The Information Commissioner requires a Code of Practice as set out in this document.

b. The Head of Security Services of the University retains responsibility for the system and delegates the day to day management to the Security Manager, Supervisory Security Officers and Security Technical Support Officers.

c. The Police may make application for the data which will only be released upon receipt of the relevant GDPR form.

d. The University will only investigate data for use in a staff disciplinary case when:

i. There is, in the opinion of the investigating manager, a suspicion of gross misconduct, or

ii. In a formal investigation of misconduct, where there is a difference in the accounts of the staff member against whom allegations had been raised and an individual witness, and the Access Control or Traka evidence could verify which is most accurate.

In these situations the investigating manager or HR Business Partner/Advisor will formally request access to data from the Head of Security Services or his deputy, where these may prove or disprove suspected potential gross misconduct/misconduct. Where access is given, the confidentiality of this data and who is able to access it will be closely controlled.

Access Control and Traka data must not be used to generally monitor staff activity.

e. Likewise, the data will only be sought as evidence if, in the opinion of the investigator, the matter is a serious student discipline case, e.g. assault, criminal damage, theft, burglary, misuse of access control card or other serious breach of the Discipline Regulations likely to be heard by the Head of Student Services and Head of Security Services or other higher authority. In these situations the investigator will formally request access to data from the Head of Security Services or his deputy, where these may prove or disprove a suspected potential breach. Where access is given, the confidentiality of this data and who is able to access it will be closely controlled.

4. General Data Protection Regulations (GDPR)

a. Data for access control can only be viewed by a limited number of persons with access to the xPLAN V9 software via the Library departmental file directory. The software is password protected.

b. Persons having access are:

i. All Security Services staff

ii. Library systems staff x 2 for maintenance purposes

iii. Certain members of Computing Services staff for maintenance purposes

iv. University contracted Access Control engineers for maintenance and installation purposes.

c. Data for Traka can only be viewed by a limited number of persons with access to the Traka software. The software is password protected.

d. Persons having access are:

i. All Security Services staff

ii. Certain members of Estates staff

e. The University is committed to complying with the requirements of the GDPR and will operate the system in accordance with the seven GDPR principles. The University will include the Access Control and Traka systems in the University's GDPR notification. The Head of Security Services will be responsible for ensuring that the notification covers the purposes for which the system is used.

f. The standards, which must be met if the requirements of the GDPR are to be satisfied, are based on the seven GDPR principles which are:

i. Lawfulness, fairness and transparency

ii. Purpose limitation

iii. Data minimisation

iv. Accuracy

v. Storage limitation

vi. Integrity and confidentiality (security)

vii. Accountability

g. All members of staff involved in operating the systems will be made aware of the objectives of the scheme as set out in section 2 of this Code and will be permitted only to use the systems to achieve those objectives.

h. The University recognises the importance of strict guidelines in relation to access to and disclosure of data and all members of staff should be aware of the restrictions relating to this which are set out in this Code and to the rights of individuals under the GDPR.

5. Administration

a. It will be the responsibility of the Head of Security Services or in their absence his/her deputy to:

i. Be responsible for compliance with the GDPR.

ii. Take responsibility for control of the data and make decisions on how these can be used.

iii. Ensure the system is secured and only viewed by authorised persons.*

*Authorised persons are:

i. Security Services staff

ii. Library systems staff x 2

iii. Computing Services staff

iv. University contracted Access Control engineers

v. Estates staff (only for Traka software)

b. It will be the responsibility of the Security Manager to:

i. Clearly communicate the specific purposes of the passing of data and objectives to all Security staff.

ii. Ensure that all GDPR forms received from the Police or other investigatory bodies are filed for future reference.

c. It will be the responsibility of the individual operating officer to:

i. Comply with the objectives outlined above.

ii. Seek guidance from the Security Manager or Head of Security Services before divulging any information from the system.

6. Storing and viewing data

a. All access control data is stored on the University servers and accessed via the xPLAN V9 software.

b. All Traka data is stored on the University servers and accessed via the Traka software.

c. In the event of the Police requiring data they must supply the appropriate GDPR form.

d. Requests for data by University staff for disciplinary investigations must follow the guidelines in section 3.

e. All data for access control is deleted after 12 months.

f. Usage data for Traka is checked monthly and any data relating to staff no longer needing to use Traka is deleted.

g. History data for Traka is deleted after 12 months.

7. Disclosure

The following guidelines will be adhered to in relation to disclosure of data:

a. Disclosure will be in line with the above objectives.

b. Disclosure will be controlled under the supervision of the Head of Security Services or his/her deputy.

c. A log book/sheet will be maintained itemising the date, time(s) and data passed to an investigating officer together with the reason for the disclosure.

i. The appropriate disclosure documentation from the Police will be filed for future reference.

ii. The method of disclosing data should be secure to ensure they are only seen by the intended recipient.

d. Any other requests for data should be routed via the Head of Security Services or his/her Deputy, as disclosure of these may be unfair to the individuals concerned or fall outside the Codes of Practice.

e. The University has discretion to refuse any third party request for information unless there is an overriding legal obligation such as a court order or information access rights. Once the data has been disclosed to another body, such as the Police, then they become the data controller for their copy of that data. It is their responsibility to comply with the GDPR in relation to any further disclosures.

8. Use of the system

a. All Security staff and other authorised users* (see section 5) must read this Code of Practice prior to being instructed in the operation of the system.

9. Complaints

a. Complaints received in relation to the use of the Access Control system should be made to the Head of Security Services who will investigate the allegation or complaint and then follow the normal University grievance procedures as outlined on the Human Resources website.

b. Complaints in relation to the disclosure or data supply should be made in writing to the Head of Security Services.

10. Changes to the code

Any changes to this Code will only take place after consultation with the Students’ Union and Trade Union Representatives.

The changes will then have to be ratified by University Senior Management.

Document control

Mike Porter

Head of Security Services

27.02.2020