1. Introduction
a. The University of Bath (the "University") is the owner of an electronic Access Control system based on ACS xPLAN V9 software which controls access to buildings both on and off campus including accommodation properties; the system allows remote access to authorised users of various buildings linked to the system via the University IP network.
b. The locked doors are accessed by individuals presenting their Library card or visitor card which acts as identification to the proximity readers fitted to each door and allows access to authorised users.
c. Access controlled doors are located in various areas around the campus and off campus including the following buildings:
i. Accommodation
ii. Academic
iii. Laboratories
iv. Offices
v. Storage facilities
vi. Service buildings
vii. Bars
viii. Students’ Union
d. The system allows the University to:
i. Register users
ii. Allocate doors and/or door groups to users
iii. Allocate time profiles to users
iv. Allocate time profiles to doors
v. Record usage of user cards by automatically logging the time/date and door location each time the card is used
vi. Remotely lock/unlock doors
vii. Maintain passport-style photographic images of each user
e. In some more vulnerable or high risk buildings, following consultation with management, staff and trade unions, additional Access Control measures will be used. These will include PIN and/or biometric entry. With biometric entry the user will first present the Access Control card and then present a finger to a biometric reader before access is granted.
Such a system does not store the fingerprint but reads and stores a number of points where fingerprint ‘loops’ and ‘whorls’ meet; the system will then check the Access Control card with the digit id and allow access if they are compatible.
Before a user is enrolled on the system they will be requested to sign a notice.
f. The University also uses an additional Access Control system in two off campus buildings. The Access Control system is a Salto system and operates in a similar way to xPLAN controlling access to the buildings. Access to the Salto system is restricted to authorised users.
g. The University also uses Traka, an intelligent key management system which ensures only authorised users are allowed access to key cabinets around campus that store keys.
h. Traka cabinets can be accessed using the University Library card or departmental visitor card which acts as identification to the readers fitted to each Traka cabinet and allows access to authorised users.
i. Traka cabinets are located in various buildings around the campus and off campus including the following buildings:
i. Accommodation
ii. Academic
iii. Laboratories
iv. Offices
v. Storage facilities
vi. Service Buildings
vii. Bars
viii. Students’ Union
j. The system allows the University to:
i. Register users
ii. Give access to Traka cabinets
iii. Give access to key bunches in cabinets
iv. Record usage of Traka cabinet access by automatically logging the time/date and Traka cabinet location/key bunch number each time the cabinet is used
k. Keys removed by individuals from the Traka cabinets should be returned daily and should not be removed from site unless permission has been granted by Campus Infrastructure or Security. Keys should be stored securely when removed from the cabinets.
l. The University also has a number of manual digital locks which are installed and maintained by Campus Infrastructure. These digital locks have a PIN which is set, stored and communicated by the departments controlling the room on which the digital lock is installed. Departments can communicate their digital lock PIN codes to Security who maintain a central list. In the event of access being required to a room controlled by a digital lock, Security Officers will contact the department.
2. Objectives for the use of the system
The objectives for the use of the electronic Access Control system are to:
i. Assist in providing a safe and secure environment for the benefit of those who might visit, work or live on the campus.
ii. Reduce the likelihood of opportunist crime.
iii. Reduce the fear of crime by reassuring students, staff and visitors that they are in a secure environment.
iv. Deter and detect criminal activity.
v. Assist in identifying, apprehending and prosecuting offenders in relation to crime and anti-social behaviour.
vi. Provide the Police and University investigators with evidence upon which to take criminal, civil and disciplinary action respectively.
The objectives for the use of the electronic Traka system are to:
i. Assist in providing a safe and secure place to secure keys to areas around the University.
ii. Reduce the chance of keys being lost or stolen.
iii. Reduce the fear of crime by reassuring students, staff and visitors that they are in a secure environment.
iv. Deter and detect criminal activity.
v. Provide the Police and University investigators with evidence upon which to take criminal, civil and disciplinary action respectively.
vi. Limit the number of keys in issue.
3. Procedural and administrative notes
a. The Information Commissioner requires a Code of Practice as set out in this document.
b. The Head of Security Services of the University retains responsibility for the system and delegates the day to day management to the Security Manager, Senior Security Officers and Security Technical Support Officers.
c. The Police may make application for the data, which will only be released upon receipt of the relevant GDPR form.
d. The University will only investigate data for use in a staff disciplinary case when:
i. There is, in the opinion of the investigating manager, a suspicion of gross misconduct, or
ii. In a formal investigation of misconduct, where there is a difference in the accounts of the staff member against whom allegations had been raised and an individual witness, and the Access Control or Traka evidence could verify which is most accurate.
In these situations the investigating manager or HR Business Partner/Advisor will formally request access to data from the Head of Security Services or their Deputy, where these may prove or disprove suspected potential gross misconduct/misconduct. Where access is given, the confidentiality of this data and who is able to access it will be closely controlled.
Access Control and Traka data must not be used to generally monitor staff activity.
e. Likewise, the data will only be sought as evidence if in the opinion of the investigator the matter is a serious student discipline case e.g. assault, criminal damage, theft, burglary, misuse of access control card or other serious breach of the Discipline Regulations likely to be heard by the Student Discipline Manager or other higher authority. In these situations the investigator will formally request access to data from the Head of Security Services or their Deputy, where these may prove or disprove suspected potential breach. Where access is given, the confidentiality of this data and who is able to access it will be closely controlled.
4. General Data Protection Regulations (GDPR)
a. Data for access control can only be viewed by a limited number of persons with access to the xPLAN V9 and Salto systems software. Both the xPLAN V9 and Salto systems software are password protected.
b. Persons having access are:
i. All Security Services staff
ii. Library systems staff x 2 for maintenance purposes
iii. Certain members of Digital, Data and Technology (DD&T) staff for maintenance purposes
iv. University contracted Access Control engineers for maintenance and installation purposes.
c. Data for Traka can only be viewed by a limited number of persons with access to the Traka software. The software is password protected.
d. Persons having access are:
i. all Security Services staff
ii. certain members of Campus Infrastructure staff
e. The University is committed to complying with the requirements of GDPR and will operate the system in accordance with the seven GDPR principles. The University will include the Access Control and Traka systems in the University's GDPR notification. The Head of Security Services will be responsible for ensuring that the notification covers the purposes for which the system is used.
f. The standards, which must be met if the requirements of GDPR are to be satisfied, are based on the seven GDPR principles which are:
i. Lawfulness, fairness and transparency
ii. Purpose limitation
iii. Data minimisation
iv. Accuracy
v. Storage limitation
vi. Integrity and confidentiality (security)
vii. Accountability
g. All members of staff involved in operating the systems will be made aware of the objectives of the scheme as set out in section 2 of this Code and will be permitted only to use the systems to achieve those objectives.
h. The University recognises the importance of strict guidelines in relation to access to and disclosure of data and all members of staff should be aware of the restrictions relating to this which are set out in this Code and to the rights of individuals under GDPR.
5. Administration
a. It will be the responsibility of the Head of Security Services or in their absence their Deputy to:
i. Be responsible for compliance with GDPR.
ii. Take responsibility for control of the data and make decisions on how these can be used.
iii. Ensure the system is secured and only viewed by authorised persons.*
*Authorised persons are:
i. Security Services staff
ii. Library systems staff x 2
iii. DD&T staff
iv. University contracted Access Control engineers
v. Campus Infrastructure staff (only for Traka software)
b. It will be the responsibility of the Security Manager to:
i. Clearly communicate the specific purposes of the passing of data and objectives to all Security staff.
ii. Ensure that all GDPR forms received from the Police or other investigatory bodies are filed for future reference.
c. It will be the responsibility of the individual operating officer to:
i. Comply with the objectives outlined above.
ii. Seek guidance from the Security Manager or Head of Security Services before divulging any information from the system.
6. Storing and viewing data
a. All access control data is stored on the University servers and accessed via the xPLAN V9 and Salto systems software.
b. All Traka data is stored on the University servers and accessed via the Traka software.
c. In the event of the Police requiring data they must supply the appropriate GDPR form.
d. Requests for data by University staff for disciplinary investigations must follow the guidelines in section 3.
e. All data for access control is deleted after 12 months.
f. Usage data for Traka is checked monthly and any data relating to staff no longer needing to use Traka is deleted.
g. History data for Traka is deleted after 12 months.
h. The Head of Security Services will consult with Senior University Management or their Deputy and with representatives from the Trade Unions and Students’ Union annually to agree how long access control and Traka data can be stored for.
7. Disclosure
The following guidelines will be adhered to in relation to disclosure of data:
a. Will be in line with the above objectives.
b. Will be controlled under the supervision of the Head of Security Services or their Deputy.
c. A logging spreadsheet will be maintained itemising the date, time(s) and data passed to an investigating officer together with the reason for the disclosure. Each entry on the spreadsheet will be maintained for 7 years and then removed.
i. The appropriate disclosure documentation from the Police will be filed for future reference.
ii. The method of disclosing data should be secure to ensure they are only seen by the intended recipient.
d. Any other requests for data should be routed via the Head of Security Services or their Deputy, as disclosure of these may be unfair to the individuals concerned or fall outside the Codes of Practice.
e. The University has discretion to refuse any third party request for information unless there is an overriding legal obligation such as a court order or information access rights. Once the data has been disclosed to another body, such as the Police, then they become the data controller for their copy of that data. It is their responsibility to comply with GDPR in relation to any further disclosures.
8. Use of the system
a. All Security staff and other authorised users* (see section 5) must read this Code of Practice prior to being instructed in the operation of the system.
A log of all system users is kept and updated annually by the Security Technical Support Officers.
9. Complaints
a. Complaints received in relation to the use of the Access Control system should be made to the Head of Security Services who will investigate the allegation or complaint and then follow the normal University grievance procedures as outlined on the Human Resources website.
b. Complaints in relation to the disclosure or supply of data should be made in writing to the Head of Security Services.
10. Changes to the code
a. Any changes to this Code will only take place after consultation with the Students’ Union and Trade Unions Representatives.
b. The changes will then have to be ratified by University Senior Management.