Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

Transcription

1 PROVIDER NAME: POLICY AREA: College of Computing Technology (CCT) Standard 10: Information Management, Student Information System & Data Protection Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0 Date: September 2015 Policy Statement CCT recognises the importance of keeping accurate, secure, and up-to-date student records. In order to maintain a high standard, the student record system is subject to ongoing monitoring. CCT acknowledges its obligations under the Data Protection Act 1988 as amended by the Data Protection Amendment Act, 2003) The purpose of this policy is to ensure that the administration system used at CCT, facilitates the effective management, maintenance and security of required student records. Staff Involved All full time and part time administration staff within CCT, Lecturers, Faculty Heads, Registrar, Head of Academics, QA Officer, Faculty Coordinators Procedure Outline / Method(s) used to carry out this procedure Responsibility of Evidence generated by this procedure to ensure its effectiveness 1. Storage of Student, Staff, and Financial Records All student, staff and financial paper records are stored in appropriate filing cabinets within designated and locked offices. Particularly sensitive records and documents (such as examination papers) are secured and stored in fireproof, lockable, steel filing cabinets, within a designated secure room and location at CCT. All student, staff, and financial electronic records are stored and filed appropriately on a shared secure drive with appropriate authorisation in place, and using a secure Student Information Management System called the MIT Education System. MIT is an Irish specialist student management information system provider based in Waterford, and the MIT main servers are secured, hosted and maintained in Waterford. All computerised files are held on industry standard servers located internally, with additional data located on a secure enterprise cloud platform. Both internal and external data is backed up 1 using dual methods of complete and incremental, to an encrypted local hard disk drive, and externally to a cloud storage system, on a weekly basis, by designated IT administration personnel at CCT. Data Processors and Data Controllers will have access to all maintained learner information. See section CCTP701 Head of Administration, Faculty Coordinators, Head of Admissions, QA Officer, Faculty Heads, College Registrar, Attendance Officer, College Director, Librarian Minutes from Operation Committee Meeting Communication between Data Controller and MIT 1 The meaning and purpose of this process is based on the definition available in the Data Protection Act 1988 as follows: "back-up data" means data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged

2 for more information on Data Processors and Data Controllers. 2. Breakdown of which departments manage and maintain general data - Learner College Application and Admissions Records Data managed and maintained by Head of Admissions, Admissions Department - Learner Disability Data managed and maintained by Head of Administration on hard copy learner files, and within the MIT Student Management Information System - Learner Fees information - managed and maintained by Head of Administration (and Admin Officers) within the MIT Student Management Information System - Learner Progress records managed and maintained by Faculty Heads with Faculty Coordinators - Major breach of discipline records managed and maintained by College Registrar and QA Officer - Examinable material managed and maintained by Faculty Heads, Faculty Coordinators, College Registrar, and QA (Exams) Officer - Examination records managed and maintained by Faculty Heads, Faculty Coordinators, College Registrar, and QA (Exams) Officer - All Staff Records, including documentation pertaining to recruitment, job application, contracts, evaluation, discipline, and salary - managed and maintained by College Director's Office - College Finance data - managed and maintained by College Director's Office Head of Administration 3. Data pertaining to learner special support needs CCT is committed to supporting students with identified special support needs. These records are kept on student file and reviewed by the academic staff only on a strictly need-to know basis. Students are made aware, when seeking support of those members of staff who will be given access to this information. 4. Duration of maintained and stored learner files Learner files in hard copy format are maintained in current storage in the Main Administration Office for a maximum of one year after graduation. After one year, the learner hard copy file is taken from current file storage, and placed in the College s academic archive (located in a separate office at CCT's campus), for a further three year period. This data is maintained only for the purpose of information which may be required by the learner in the 3 year period after graduation. After this three year period of archive storage, CCT maintains soft copies of data including in particular: student name, student number, PPS number, GNIB number (if applicable), Course(s) and period of study at CCT, general results by module and stage, and overall attendance records. All hard copy data is then appropriately destroyed at this point, by an appointed company with expertise in this area. Soft copies of student files are maintained, but the following information (student name, student number, PPS number, GNIB number (if applicable), Course(s) and period of study at CCT, general results by module and stage, and overall attendance records), is archived in a legacy module(s) of the MIT Student Information System, after a three year period following Graduation, purely for the purpose of information which may be required by the learner in the 3 year period after graduation. 5. Duration of maintained Completed Learner Assessment Scripts & QA system committee meetings Both soft and hard copy of records of meeting minutes, committee and exam board meetings, external examiners reports, Broadsheets of results of cohorts of learners, are maintained in secure storage for a maximum period of five Minutes from committee meetings

3 years (or longer up to the point of a Programmatic and/or Institutional Statutory Review). Soft copies are backed up and secured on CCT s cloud based system. Hard copies are filed securely in the College Registrar s office. Once the review process of 21 days has lapsed, hard and soft copies of learner assessment scripts are archived and stored in a secure holding within the CCT building. These records are held for 6 months following graduation. They are then appropriately destroyed with soft copies of results maintained for longer (as mentioned above). 6. Storage and Maintenance of Learner Attendance records Attendance records are kept in two forms: a hard copy of all attendance sheets is retained in a designated office with locked, fireproof filing cabinets. An electronic spreadsheet is kept active by the CCT Attendance Office, on a secure computer and backed up every week on an external hard drive. Learner's ongoing attendance rate is kept for the duration of the programme, with final stage attendance rate kept for the period reflected in Section Responsibility for maintenance of all data and records at CCT The Head of Administration and College Director are ultimately responsible for the maintenance of CCT records. CCT understands that it is liable for the data it holds on individuals under the 1988 Data Protection Act (as amended by The Data Protection Amendment Act, 2003). 7.1 Data Controllers CCT will appoint Data Controllers as required. Data Controller A "data controller" means a person who, either alone or with others, controls the contents and use of personal data Currently any individual who occupies the following roles, by the nature of their duties, are Data Controllers in the College: (i) (ii) (iii) Head of Administration College Registrar College Director Their responsibilities are outlined in Section 7 (duty of care owed by data controllers and data processors) of the Data Protection Act 1988, but general responsibilities of data controllers include: A data controller shall, as respects personal data kept by him, comply with the following provisions: (a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly, (b) the data shall be accurate and, where necessary, kept up to date. (c) the data (i) shall have been obtained only for one or more specified, explicit and legitimate purposes, (ii) shall not be further processed in a manner incompatible with that purpose or those purposes, (iii) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and shall not be kept for longer than is necessary for that purpose or those purposes.

4 7.2 Data to be collected In the context of CCT policy and Procedure, data means automated data and manual data; CCT will only collect such personal data as is required for the efficient and effective participation of the individual in the management and operation of the college and/or the programme on which s/he is enrolled. Sensitive personal data (as defined in the Data Protection Amendment Act 2006) shall not be collected or processed This includes: (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject, (b) whether the data subject is a member of a trade union, (c) the physical or mental health or condition or sexual life of the data subject, (d) the commission or alleged commission of any offence by the data subject, or (e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings; 7.3 Personal data undergoing automatic processing shall be: a. obtained and processed fairly and lawfully; b. stored for specified and legitimate purposes and not used in a way incompatible with those purposes; c. adequate, relevant and not excessive in relation to the purposes for which they are stored; d. accurate and, where necessary, kept up to date; e. preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored. 7.4 Security of data that will be automatically processed CCT will ensure that: appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. In determining appropriate security measures where the processing involves the transmission of data over a network, a data controller (a) may have regard to the state of technological development and the cost of implementing the measures, and (b) shall ensure that the measures provide a level of security appropriate to (i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and (ii) the nature of the data concerned. A data controller or data processor shall take all reasonable steps to ensure that (a) persons employed by him or her, and (b) other persons at the place of work concerned, are aware of and comply with the relevant security measures aforesaid. Correspondence Data Controller with

5 7.5 Data Processor Data processor" means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his/her employment. Data Processors at CCT is any full time staff person at CCT appointed by a Data Controller to carry out the duties of a Data Processor. Responsibilities of a data processor to ensure security of data Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall (a) ensure that the processing is carried out in pursuance of a contract in writing or in another equivalent form between the data controller and the data processor and that the contract provides that the data processor carries out the processing only on and subject to the instructions of the data controller and that the data processor complies with obligations equivalent to those imposed on the data controller by section 2(1)(d) of this Act, (b) ensure that the data processor provides sufficient guarantees in respect of the technical security measures, and organisational measures, governing the processing, and (c) take reasonable steps to ensure compliance with those measures. 7.6 Access to data Access to data is provided on a need to know basis. The Director and the relevant data Controllers will determine entitlement and what type of data they may access. Under the Data Protection Act 1988, all staff and students are entitled to: (i) be informed by the data controller whether the data kept by him include personal data relating to the individual, and (ii) be supplied by the data controller with a copy of the information constituting any such data Every individual registered with or employed by the college is entitled to description of the data held on him or her by the College and the purposes for which it is kept. Upon written request to a Data Controller(s) or to the Director of the College, the individual will be provided with a copy of the data held on him/her within a maximum period of 30 days. An individual making a request under this section shall supply the data controller concerned with such information as he may reasonably require in order to satisfy himself of the identity of the individual and to locate any relevant personal data or information. A data controller is not obliged or entitled to disclose to a data subject personal data relating to another individual unless that other individual has consented to the disclosure. Third Party Access to data CCT will only collect student data as is required for the efficient and effective participation of learners in the Data Processor College Director Correspondence with Data Processor, Data Controller and College Director

6 management and operation of the college and/or the programme on which s/he is enrolled. All information provided will be held by CCT and will only be used for purposes registered under the Data Protection Act. CCT will treat all learner information as confidential and will not disclose such information except as permitted by Irish Law, or by request from Irish government agencies and departments, for statutory purposes. 7.7 Correcting inaccurate data Right of rectification or erasure An individual shall, if he/she so requests in writing a data controller who keeps personal data relating to him/her, be entitled to have rectified or, where appropriate, blocked or erased any such data in relation to which there has been a contravention by the data controller of section 2 (1) of the Data Protection Act 1988; and the data controller shall comply with the request as soon as may be and in any event not more than 40 days after it has been given or sent to him. Where a data controller complies, or is deemed to have complied, with a request under subsection (1) of this section, he or she shall, as soon as may be and in any event not more than 40 days after the request has been given or sent to him or her, notify (a) the individual making the request, and (b) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period of 12 months immediately before the giving or sending of the request unless such notification proves impossible or involves a disproportionate effort, of the rectification, blocking, erasure or statement concerned Third Party Access to learner information CCT will only collect student data as is required for the efficient and effective participation of learners in the management and operation of the college and/or the programme on which s/he is enrolled. All information provided will be held by CCT and will only be used for purposes registered under the Data Protection Act. CCT will treat all learner information as confidential and will not disclose such information except as permitted by Irish Law, or by request from Irish government agencies and departments, for statutory purposes. Monitoring Monitor (Job Title) Frequency Monitoring Method(s) College Registrar Head of Administration College Director Annually Review of all record keeping procedures, hard and soft copy Review of any Data Protection related requests from any stakeholder Review of any Data Protection incidents over the previous year

7 POLICY CONTROL SHEET Policy Title Responsible Officer(s) Maintaining Secure Learner Records Head of Administration, QA Officer, College Registrar, Faculty Heads Issuance Date September 2015 Effective Date September 2015 Last Review Date Supersedes N/A New Policy under new QA system Next Review Date August 2016 Designated Reviewer(s) Scope College Registrar, Faculty Heads Internal staff (full and part time) Revision History Revision New Policy Approval Date September 2015 Revision Description Originator Approved By New QA system Senior Management Team Faculty Heads, College Registrar References upon which the Policy section is based CCT Policy area Statutory & System Wide Basis Related CCT Policies / Forms Information Management System, Student Information System, and Data Protection The Irish Qualifications and Quality Act (Education and Training), 2012; European Standards and Guidelines for QA in the European Higher Education Area, Relevant QQI Standards and Guidelines; Data Protection Act, 1988 (as amended by the Data Protection Amendment Act, 2003). CCTP Providing Reports Required for Internal Quality Management CCTP1003 Information Management System