1. Introduction

a. The University of Bath (the "University") is the owner of an electronic Access Control system based on ACS xPLAN V9 software which controls access to buildings both on and off campus including accommodation properties; the system allows remote access to authorised users of various buildings linked to the system via the University IP network.

b. The locked doors are accessed by using the University Library card which acts as identification to the proximity readers fitted to each door and allows access to authorised users.

c. Controlled doors are located in various areas around the campus and off campus including the following buildings:

  1. Accommodation
  2. Academic
  3. Laboratories
  4. Offices
  5. Storage facilities
  6. Service buildings
  7. Bars
  8. Students’ Union

d. The system allows the University to:

  1. Register users
  2. Allocate doors and/or door groups to users
  3. Allocate time profiles to users
  4. Allocate time profiles to doors
  5. Record usage of user cards by automatically logging the time/date and door location each time the card is used
  6. Remotely lock/unlock doors
  7. Maintain passport-style photographic images of each user

e. In some more vulnerable or high risk buildings, following consultation with management, staff and trade unions, additional Access Control measures will be used. These will include PIN and/or biometric entry. With biometric entry the user will first present the Access Control card before presenting a finger to a biometric reader before access is granted.

Such a system does not store the fingerprint but reads and stores a number of points where fingerprint ‘loops’ and ‘whirls’ meet; the system will then check the Access Control card with the digit id and allow access if they are compatible.

Before a user is enrolled on the system they will be requested to sign a notice as shown at appendix A.

2. Objectives for the use of the system

a. The objectives for the use of electronic Access Control system are to:

  1. assist in providing a safe and secure environment for the benefit of those who might visit, work or live on the campus
  2. reduce the likelihood of opportunist crime
  3. reduce the fear of crime by reassuring students, staff and visitors that they are in a secure environment
  4. deter and detect criminal activity
  5. assist in identifying, apprehending and prosecuting offenders in relation to crime and anti-social behaviour
  6. provide the Police and University investigators with evidence upon which to take criminal, civil and disciplinary action respectively
  7. limit the number of keys in issue and reduce the requirement for manual locking/unlocking of buildings

3. Procedural and administrative notes

a. The Information Commissioner requires a Code of Practice as set out in this document.

b. The Head of Security Services of the University retains responsibility for the system and delegates the day to day management to the Security Manager and Security Technical Support Officer.

c. The Police may make application for the data which will only be released upon receipt of the relevant Data Protection form.

d. The University will only investigate data for use in a staff disciplinary case when there is, in the opinion of the investigating manager, a suspicion of gross misconduct, and not to generally monitor staff activity. In these situations the investigating manager or HR Manager/Advisor will formally request access to data from Security Services or his deputy, where these may prove or disprove suspected potential gross misconduct. Where access is given, the confidentiality of this data and who is able to access it will be closely controlled.

e. Likewise the data will only be sought as evidence if in the opinion of the investigator the matter is a serious student discipline case e.g. assault, criminal damage, theft, burglary, misuse of access control card or other serious breach of the Discipline Regulations likely to be heard by the Head of Student Services and Head of Security Services or other higher authority. In these situations the investigator will formally request access to data from the Head of Security Services or his deputy, where these may prove or disprove suspected potential breach. Where access is given, the confidentiality of this data and who is able to access it will be closely controlled.

4. Data protection

a. Data can only be viewed by a limited number of persons with access to the xPLAN V9 software via the Library departmental file directory. The software is password protected.

b. Persons having access are:

  1. all Security Services staff
  2. Library systems staff x 2 for maintenance purposes
  3. certain members of Computing Services staff for maintenance purposes
  4. University contracted Access Control engineers for maintenance and installation purposes.
  5. Department Technical Services x 4

c. The University is committed to complying with the requirements of the Data Protection Act 1998 (DPA) and will operate the system in accordance with the eight Data Protection principles. The University will include the Access Control system in the University's Data Protection notification. The Head of Security Services will be responsible for ensuring that the notification covers the purposes for which the system is used.

d. The standards, which must be met if the requirements of the Data Protection Act 1998 are to be satisfied, are based on the eight data protection principles which are:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4. Personal data shall be accurate and, where necessary, kept up to date.

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

e. All members of staff involved in operating the system will be made aware of the objectives of the scheme as set out in section 2 of this Code and will be permitted only to use the system to achieve those objectives.

f. The University recognises the importance of strict guidelines in relation to access to and disclosure of data and all members of staff should be aware of the restrictions relating to this which are set out in this Code and to the rights of individuals under the Data Protection Act.

5. Administration

a. It will be the responsibility of the Head of Security Services or in their absence his/her deputy to:

  1. Be responsible for compliance with the Data Protection Act.
  2. Take responsibility for control of the data and make decisions on how these can be used.
  3. Ensure the system is secured and only viewed by authorised persons.

Authorised persons are:

  • Security Services staff
  • Library systems staff x 2
  • Computing Services staff
  • University contracted Access Control engineers.

b. It will be the responsibility of the Security Manager to:

  1. Clearly communicate the specific purposes of the passing of data and objectives to all Security staff.
  2. Ensure that all Data Protection forms received from the Police or other investigatory bodies are filed for future reference.

c. It will be the responsibility of the individual operating officer to:

  1. Comply with the objectives outlined above.
  2. Seek guidance from the Security Manager or Head of Security Services before divulging any information from the system.

6. Storing and viewing data

a. All data is stored on the University servers and accessed via the xPLAN V9 software.

b. In the event of the Police requiring data they must supply the appropriate Data Protection form.

c. Requests for data by University staff for disciplinary investigations must follow the guidelines in section 3.

d. All data is deleted after 12 months.

7. Disclosure

The following guidelines will be adhered to in relation to disclosure of data:

a. Will be in line with the above objectives.

b. Will be controlled under the supervision of the Head of Security Services or his/her deputy.

c. A log book/sheet will be maintained itemising the date, time(s) and data passed to an investigating officer together with the reason for the disclosure.

i. The appropriate disclosure documentation from the Police will be filed for future reference. ii. The method of disclosing data should be secure to ensure they are only seen by the intended recipient.

b. Any other requests for data should be routed via the Head of Security Services or his/her Deputy, as disclosure of these may be unfair to the individuals concerned or fall outside the Codes of Practice.

c. The University has discretion to refuse any third party request for information unless there is an overriding legal obligation such as a court order or information access rights. Once the data has been disclosed to another body, such as the Police, then they become the data controller for their copy of that data. It is their responsibility to comply with the Data Protection Act in relation to any further disclosures.

8. Use of the system

a. All Security staff and other authorised users (see section 5) must read this Code of Practice prior to being instructed in the operation of the system.

9. Complaints

a. Complaints received in relation to the use of the Access Control system should be made to the Head of Security Services who will investigate the allegation or complaint and then follow the normal University grievance procedures as outlined on the Human Resources website.

b. Complaints in relation to the disclosure or data supply should be made in writing to the Head of Security Services.

10. Changes to the code

a. Changes will be ratified by the University Secretary.

Document control

Owner: Head of Security Services
Approval date: February 2018
Approved by: University Secretary