The University is committed to protecting the rights and freedoms of all individuals in relation to the processing of their personal data and provides the Data Protection Policy for everyone to follow.
- The Scope of this policy
- Personal data
- Special category data
- Confidential data
- Legal Framework
- Responsibilities of staff and students
- Personal Data in the public domain
- Lawful basis for processing personal data
- Additional conditions for Special Category Data
- Data Protection Act Principles
- Data Security
- Keeping personal data secure
- Prohibited activities
- Right to access information
- Research - special considerations
- Implications of breaching this policy
The Scope of this Policy
We need to comply with the Data Protection Act (as amended from time to time) in relation to all personal data that is processed by the University. To ensure this happens, the University has developed this policy, which sets out the obligations of staff in this respect.
This policy and the Data Protection Act apply to all personal data handled by the University, whether held in paper files or electronically. So long as the processing of the data is carried out for University purposes, the policy also applies regardless of where the data is held (for example, it covers data held on campus and on mobile devices such as electronic notebooks or laptops) and regardless of who owns the PC/device on which it is stored.
'Processing' data is widely defined and includes every plausible form of action that could be taken in relation to the data such as obtaining, recording and keeping, or using it in any way; sharing or disclosing it; erasing and destroying it.
Personal data
Data which relates to a living individual who can be identified from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. The University is the data controller.
Examples of personal data are the name and address of an individual, or a student ID number which, when put with other information held by the University, could identify a student, staff member or participant in a researcher's survey. The majority of staff (including all line managers) will, therefore, handle personal data at least occasionally.
Special Category Data (previously called Sensitive Personal Data)
Some personal data are more sensitive in nature and therefore require a higher level of protection. The legislation refers to the processing of certain data as ‘special categories of personal data’. This means personal data about an individual’s:
- race or ethnic origin
- political opinions
- religious beliefs or philosophical beliefs
- trade union membership
- physical or mental health or condition
- sexual life
- sexual orientation
- biometric data (where this is used for identification purposes)
- commission or alleged commission of any offence
- proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
Staff working in certain research areas (e.g. Psychology/Health), or in certain roles (e.g. Student Disability Advice Service, HR, SREO), will have regular access to special category data; others are likely to do so only rarely, if at all.
Confidential data
Data given in confidence or data agreed to be kept confidential (in other words, a secret between two parties) and that is not in the public domain.
Some confidential data will also be personal data and/or sensitive personal data and therefore come within the terms of this policy. Staff working in certain functions and in senior management roles will handle confidential data regularly.
The University also handles research data which comprises materials collected or created for the purposes of analysis to generate original research results. Some research data will contain personal data and/or sensitive personal data and in all such cases, the provisions of this policy apply. For information on how to deal with other aspects of research data see Research Data Management.
Legal Framework
The University needs to collect and keep certain types of information about the people with whom it deals. This includes information relating to its staff, students and other individuals. It needs to process 'personal data' for a variety of reasons, such as to recruit and pay its staff, to record the academic progress of its students and to comply with statutory obligations (for example, health and safety requirements).
The Data Protection Act applies to all 'personal data' processed by the University. To comply with the law, all personal data must be collected and used fairly, stored safely and not disclosed to anyone else unlawfully.
Responsibilities of staff and students
All staff and students must:
- Be mindful of the fact that individuals have the right to see their 'personal data' (and this may include for example information received from prospective students or staff written in connection with an application to the University or any comments written about them in emails). They should not, therefore, record comments or other data about individuals which they would not be comfortable with the individual seeing, either in emails or elsewhere.
- Immediately report the matter to their line manager and bring it to the Data Protection team's attention if they find any lost or discarded data which they believe contains personal data (for example, a memory stick).
- Immediately report the matter to their line manager and bring it to the Data Protection team's attention if they become aware that personal data has been accidentally lost or stolen or inadvertently disclosed (for example, if their laptop is stolen or their phone is lost and it has personal data stored on it).
- Hold the contents of any personal data which comes into their possession securely.
- Ensure that any personal data they provide to the University (for example, their contact details) is accurate.
- Notify the University promptly of any changes to their personal data (for example, change of address or emergency contact details).
- Only ever obtain or use personal data relating to third parties for approved work or study-related purposes.
Staff and students who process 'personal data' must:
- Ensure that they only ever process personal data in accordance with requirements of the Data Protection Act and in particular:
  - ensure that they have a valid lawful basis in order to process the data before commencing the processing; and
  - only process ‘special category data’ if the processing meets one of the additional conditions for special category data; and
  - follow the 6 Data Protection principles. The best way to ensure compliance is through familiarisation with this policy and the guidance we provide. Key points insofar as compliance is concerned include:
    - Fair processing - for example, ensure that the individual consents to their data being used and knows what it will be used for, and ensure that it is not subsequently used for something else.
    - Data Security - ensure any personal data which is held is always kept and disposed of securely (taking into account any cybersecurity considerations).
    - Non-disclosure - ensure personal data is not disclosed to any unauthorised third party.
- Familiarise themselves with the guidance and other information published on our Data Protection site and follow it at all times.
- If they are going to be working remotely or using a mobile device to store data (for example, a laptop, tablet or mobile phone), it is vital that they are familiar with our Remote Working & Use of Mobile Device Guidance, and comply with it and the University's IT Security Policy as special considerations apply.
- Be mindful of the scope of Data Protection regulations. This includes the fact that 'personal data' is widely defined (and so will cover, for example, comments made about an individual in an email to someone else), and the fact that it covers data held on remote devices (such as tablets and mobile phones) regardless of who owns the actual device and where the device is stored.
- Seek advice whenever a new or novel form of processing personal data is contemplated or if any data protection related concerns ever arise.
Personal data in the public domain
We hold certain information about staff and students in the public domain. Personal data classified as being in the 'public domain' refers to information which will be publicly available worldwide and may be disclosed to third parties without recourse to the data subject.
Our practice is to make the following items of data freely available unless individuals have objected:
- names of members of Council and Senate
- staff workplace email addresses and telephone numbers
- student university email addresses
- academic staff biographies and curricula vitae where supplied
- names and academic qualifications of academic and support staff where appropriate
- any additional information relating to data subjects which they have agreed to be placed in the public domain and which may be in automated and/or manual form.
Similarly, as part of its regular business activities, the University may process personal information about third parties which is already in the public domain where such processing is carried out in accordance with the Data Protection Act principles set out below and is unlikely to cause any damage or distress to the data subject.
Data Protection Act principles
Anyone using personal data must comply with the 6 Data Protection Principles contained in the Data Protection Act 2018, as they define how personal data can be legally processed. In summary, these state that personal data shall:
- Be obtained and processed fairly, lawfully and transparently.
- Be processed for specified, explicit and lawful purposes and shall not be processed in any manner incompatible with these purposes.
- Be adequate, relevant and not excessive for those purposes.
- Be accurate and kept up to date.
- Not be kept for any longer than is necessary.
- Be processed in a secure manner.
Data Security
Keeping personal data properly secure is key in complying with the Data Protection Act. All staff are therefore responsible for ensuring that if they keep personal data, it is kept securely and is not disclosed (either orally or in writing or accidentally) to any unauthorised party.
Please see the guidance on Disclosing Data for further information on this point.
Keeping personal data secure
This includes, as a minimum:
- Ensuring that any personal data recorded in paper form or hard copy documents are kept in locked filing cabinets or locked drawers or in locked offices.
- Ensuring that the same measures are taken with regard to any discs, memory sticks or similar devices on which personal data is held; for example, they must also be kept in a secure and locked location.
- Ensuring that if any personal data is held on a Mobile Device, it is properly password protected and, where appropriate, encrypted.
- Ensuring special care is taken whenever data is transferred from one place to another so that the security of the data is paramount (for example, to avoid losing memory sticks in transit or to avoid sensitive personal data being transferred to a PC which is not password protected and encrypted).
Prohibited activities
The following activities are strictly prohibited:
- using data obtained for one purpose for another supplemental purpose (for example, using contact details provided for HR-related purposes for marketing purposes)
- disclosing personal data to a third person outside the University without the consent of the data subject.
Right to access information
Individuals have the right to access any personal data that relates to them which the University holds. Any person who wishes to exercise this right should see the Subject Access Rights Page for details on how to do so.
Research - special consideration
Before commencing any research which will involve obtaining or using personal data, the researcher (whether a student or member of staff) and their academic supervisor or Head of Group must give proper consideration to this policy and the guidance contained on our Data Protection webpages and our Research Data Policy and how these will be properly complied with.
In particular, they will need to consider the type of personal data which may be collected, the applicable lawful basis for the processing, whether any special category data is to be processed and, if so, what additional condition for special category data will be relied on and what additional safeguards are required, how ethical consent is to be recorded, the extent to which such data may legitimately be required for the academic objective, how the data will be securely stored, and the duration for which it will be retained.
Personal data obtained or used for research should be limited to the minimum amount of data which is reasonably required to achieve the desired academic objectives and wherever possible any such personal data should be made anonymous so that the data subjects cannot be identified.
For more information refer to the Research Data Policy.
Implications of breaching this policy
It is a condition of employment in the case of staff and enrolment in the case of students that staff and students will abide by the policies and rules of the University. Any breach of this policy will be considered to be a disciplinary offence and may lead to disciplinary action. A serious breach of the Data Protection Act may also result in the University and/or the individual being held liable in law.
Compliance with the Data Protection Act is the responsibility of all members of the University. Any questions about this policy or any queries concerning data protection matters should be raised with the Data Protection team.
Data protection notification
The Information Commissioner maintains a public register of organisations that use personal data. The University has an entry on this register which specifies the main types of data we hold (for example, personal details, education and training info), the main purposes for which we use the data (for example, HR administration, student and staff support services, education and research, and so on) and those to whom it may be disclosed (for example, funding councils, central government).
The University's Registration Number is Z6290890. Our registration is renewable annually, although we can make additions or changes to it at any time (for example, if we start to process a new type of data).
In practice, most routine uses of personal data by staff will be covered by our Registration. However, if you are processing any data (for example, maintaining a database or running a research project involving the use of personal data) and think it may involve us handling new personal data for the first time or using personal data for a new purpose, please email the Data Protection team for advice, and so that our Registration can be amended if necessary.
The University's current Registration can be viewed via the search facility on the Information Commissioner's website.