1. Introduction

a. The University of Bath (the "University") is the owner of an electronic Access Control system based on ACS xPLAN V9 software which controls access to buildings both on and off campus including accommodation properties; the system allows remote access to authorised users of various buildings linked to the system via the University IP network.

b. The locked doors are accessed by using the University Library card which acts as identification to the proximity readers fitted to each door and allows access to authorised users.

c. Controlled doors are located in various areas around the campus and off campus including the following buildings:

  1. Accommodation
  2. Academic
  3. Laboratories
  4. Offices
  5. Storage facilities
  6. Service buildings
  7. Bars
  8. Students’ Union

d. The system allows the University to:

  1. Register users
  2. Allocate doors and/or door groups to users
  3. Allocate time profiles to users
  4. Allocate time profiles to doors
  5. Record usage of user cards by automatically logging the time/date and door location each time the card is used
  6. Remotely lock/unlock doors
  7. Maintain passport-style photographic images of each user

e. In some more vulnerable or high risk buildings, following consultation with management, staff and trade unions, additional Access Control measures will be used. These will include PIN and/or biometric entry. With biometric entry the user will first present the Access Control card before presenting a finger to a biometric reader before access is granted.

Such a system does not store the fingerprint but reads and stores a number of points where fingerprint ‘loops’ and ‘whirls’ meet; the system will then check the Access Control card with the digit id and allow access if they are compatible.

Before a user is enrolled on the system they will be requested to sign a notice as shown at appendix A.

f. The University also uses Traka, an intelligent key management system which ensures only authorised users are allowed access to key cabinets around campus that store keys.

g. Traka cabinets can be accessed using the University Library card which acts as identification to the readers fitted to each Traka cabinet and allows access to authorised users.

h. Traka cabinets are located in various buildings around the campus and off campus including the following buildings:

  • Accommodation
  • Academic
  • Laboratories
  • Offices
  • Storage Facilities
  • Service Buildings
  • Bars
  • Students’ Union

i. The system allows the University to:

  • Register users
  • Give access to traka cabinets
  • Give access to key bunches in cabinets

2. Objectives for the use of the system

a. The objectives for the use of electronic Access Control system are to:

  1. assist in providing a safe and secure environment for the benefit of those who might visit, work or live on the campus
  2. reduce the likelihood of opportunist crime
  3. reduce the fear of crime by reassuring students, staff and visitors that they are in a secure environment
  4. deter and detect criminal activity
  5. assist in identifying, apprehending and prosecuting offenders in relation to crime and anti-social behaviour
  6. provide the Police and University investigators with evidence upon which to take criminal, civil and disciplinary action respectively
  7. limit the number of keys in issue and reduce the requirement for manual locking/unlocking of buildings

The objectives for the use of the electronic Traka system are to:

  1. Assist in providing a safe and secure place to secure keys to areas around the University.
  2. Reduce the chance of keys being lost or stolen.
  3. Reduce the fear of crime by reassuring students, staff and visitors that they are in a secure environment.
  4. Deter and detect criminal activity.
  5. Provide the Police and University investigators with evidence upon which to take criminal, civil and disciplinary action respectively.
  6. Limit the number of keys in issue.

3. Procedural and administrative notes

a. The Information Commissioner requires a Code of Practice as set out in this document.

b. The Head of Security Services of the University retains responsibility for the system and delegates the day to day management to the Security Manager and Security Technical Support Officer.

c. The Police may make application for the data which will only be released upon receipt of the relevant GDPR form.

d. The University will only investigate data for use in a staff disciplinary case when;

  • There is, in the opinion of the investigating manager, a suspicion of gross misconduct, or
  • In a formal investigation of misconduct, where there is a difference in the accounts of the staff member against whom allegations had been raised and an individual witness, and the Access Control evidence could verify which is most accurate

In these situations the investigating manager or HR Business Partner/Advisor will formally request access to data from Security Services or his deputy, where these may prove or disprove suspected potential gross misconduct/misconduct. Where access is given, the confidentiality of this data and who is able to access it will be closely controlled.

Access Control data must not be used to generally monitor staff activity.

e. Likewise the data will only be sought as evidence if in the opinion of the investigator the matter is a serious student discipline case e.g. assault, criminal damage, theft, burglary, misuse of access control card or other serious breach of the Discipline Regulations likely to be heard by the Head of Student Services and Head of Security Services or other higher authority. In these situations the investigator will formally request access to data from the Head of Security Services or his deputy, where these may prove or disprove suspected potential breach. Where access is given, the confidentiality of this data and who is able to access it will be closely controlled.

4. General Data Protection Regulations (GDPR)

a. Data can only be viewed by a limited number of persons with access to the xPLAN V9 software via the Library departmental file directory. The software is password protected.

b. Persons having access are:

  1. all Security Services staff
  2. Library systems staff x 2 for maintenance purposes
  3. certain members of Computing Services staff for maintenance purposes
  4. University contracted Access Control engineers for maintenance and installation purposes.
  5. Department Technical Services x 4

c. Data for Traka can only be viewed by a limited number of persons with access to the Traka software. The software is password protected.

d. Persons having access are:

  • all Security Services staff
  • Estates staff

e. The University is committed to complying with the requirements of the GDPR and will operate the system in accordance with the seven GDPR principles. The University will include the Access Control system in the University's GDPR notification. The Head of Security Services will be responsible for ensuring that the notification covers the purposes for which the system is used.

f. The standards, which must be met if the requirements of the GDPR are to be satisfied, are based on the seven GDPR principles which are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

g. All members of staff involved in operating the system will be made aware of the objectives of the scheme as set out in section 2 of this Code and will be permitted only to use the system to achieve those objectives.

h. The University recognises the importance of strict guidelines in relation to access to and disclosure of data and all members of staff should be aware of the restrictions relating to this which are set out in this Code and to the rights of individuals under the GDPR.

5. Administration

a. It will be the responsibility of the Head of Security Services or in their absence his/her deputy to:

  1. Be responsible for compliance with the GDPR.
  2. Take responsibility for control of the data and make decisions on how these can be used.
  3. Ensure the system is secured and only viewed by authorised persons.

Authorised persons are:

  • Security Services staff
  • Library systems staff x 2
  • Computing Services staff
  • University contracted Access Control engineers.

b. It will be the responsibility of the Security Manager to:

  1. Clearly communicate the specific purposes of the passing of data and objectives to all Security staff.
  2. Ensure that all GDPR forms received from the Police or other investigatory bodies are filed for future reference.

c. It will be the responsibility of the individual operating officer to:

  1. Comply with the objectives outlined above.
  2. Seek guidance from the Security Manager or Head of Security Services before divulging any information from the system.

6. Storing and viewing data

a. All data is stored on the University servers and accessed via the xPLAN V9 software.

b. In the event of the Police requiring data they must supply the appropriate Data Protection form.

c. Requests for data by University staff for disciplinary investigations must follow the guidelines in section 3.

d. All data is deleted after 12 months.

7. Disclosure

The following guidelines will be adhered to in relation to disclosure of data:

a. Will be in line with the above objectives.

b. Will be controlled under the supervision of the Head of Security Services or his/her deputy.

c. A log book/sheet will be maintained itemising the date, time(s) and data passed to an investigating officer together with the reason for the disclosure.

i. The appropriate disclosure documentation from the Police will be filed for future reference. ii. The method of disclosing data should be secure to ensure they are only seen by the intended recipient.

b. Any other requests for data should be routed via the Head of Security Services or his/her Deputy, as disclosure of these may be unfair to the individuals concerned or fall outside the Codes of Practice.

c. The University has discretion to refuse any third party request for information unless there is an overriding legal obligation such as a court order or information access rights. Once the data has been disclosed to another body, such as the Police, then they become the data controller for their copy of that data. It is their responsibility to comply with the Data Protection Act in relation to any further disclosures.

8. Use of the system

a. All Security staff and other authorised users (see section 5) must read this Code of Practice prior to being instructed in the operation of the system.

9. Complaints

a. Complaints received in relation to the use of the Access Control system should be made to the Head of Security Services who will investigate the allegation or complaint and then follow the normal University grievance procedures as outlined on the Human Resources website.

b. Complaints in relation to the disclosure or data supply should be made in writing to the Head of Security Services.

10. Changes to the code

a. Changes will be ratified by the University Secretary.

Document control

Owner: Head of Security Services
Approval date: October 2018
Approved by: University Secretary