Data Protection Policy

Transcription

1 Data Protection Policy April 2014 Author: Jennifer McLaren, Assistant Principal, Curriculum Support & Finance Impact Assessment Date: 15 February 2010 Date: April 2014

2 Contents 1 Purpose Policy Status Scope Principles Responsibilities Access to Data Retention of Data Data Transfer Data Security Contact Review... 5 Appendix 1.6 1

3 1 Purpose This Policy details the College s response to the Data Protection Act 1998 (DPA). Further information on the Data Protection Act Guidance can be found under Appendix 1. 2 Policy West Lothian College is committed to protecting the rights and freedom of individuals with respect to the processing of their personal data. 3 Status This Policy has been approved by the College s Board of Governors. Any breach of the Policy will be taken seriously and may result in disciplinary action being taken under the College s Disciplinary Policy. 4 Scope 4.1 The College holds personal information about individuals such as its employees and students. These and others are defined as data subjects in the Act. Information concerning data subjects must be processed in accordance with this Policy, and with the terms of the College s notification to the UK Information Commissioner. This notification sets out the purposes for which the College holds and processes personal data and can be viewed at or by requesting a printed copy from Assistant Principal, Curriculum Support & Finance, West Lothian College, Almondvale Crescent, Livingston, EH54 7EP. 4.2 Any breach of the policy may result in the College and the individual processing the data being liable in law for the breach. 4.3 This Policy applies regardless of where data might be held and includes data held in an electronic format. 5 Principles All data users must comply with the eight Data Protection Principles. 5.1 The data must be processed fairly and legally. The data subject must give their permission to process the information or the processing is necessary for legal or contractual reasons. The data subject should know why the information is being processed and the processing should not lead to any form of discrimination. 2

4 5.2 The data must be processed for limited purposes and in an appropriate way. The information must not be collected unless there is a specific reason for doing so. The data subject must be informed of the reason for holding and processing the information and information must not be used for any other unrelated reason. 5.3 The data must be relevant and sufficient for the purpose that is held. Information just not be collected because it might be useful in the future, it must relate to the current purpose. Importantly, in order to be relevant, it should not include personal remarks. These comments would need to be disclosed if a data subject asks to see their personal information. 5.4 The data must be accurate. Data users should record data accurately and should take reasonable steps to check the accuracy of information. Periodically the storage systems should be purged of out of date and inaccurate data. 5.5 Data must be kept for only as long as it is necessary. Some data such as that required by Inland Revenue has prescribed limits. Other data such as unsuccessful applicants to study at the College should be kept for a short period and then destroyed. 5.6 The data must be processed in accordance with the data subject s rights. The data subject has a right of access to information held about them. They have a right to prevent processing that is likely to cause damage to themselves or anyone else. Information cannot be used for direct marketing if the data subject asks not to. There is a right for data subjects to correct, block, endorse or destroy inaccurate opinions based on incorrect data. There may be exceptions to these rights, but these are limited. 5.7 The data must be secure, ensuring that it is protected against unauthorised or illegal data processing. 5.8 The data must only be transferred to other countries that have suitable data protection controls. 6 Responsibilities 6.1 The College Board of Governors have the ultimate responsibility for the application of this Policy. 6.2 Responsibility for the day-to-day direction of the Policy has been delegated to the College Principal. 6.3 The Assistant Principal, Curriculum Support & Finance has responsibility for the management of the Policy. 3

5 6.4 The College Management Team has responsibility for the operation and promotion of the Policy within their own areas. Departmental Managers and Centre Heads will ensure adherence to this policy. 6.5 All College staff have responsibility for operating within the Policy. 6.6 The HR Manager will ensure all staff are advised of data protection requirements at induction. 7 Access to Data The Act gives data subjects rights to access personal data held about them by the College. The College is keen to allow such access, and will facilitate a process that will allow access without recourse to formal subject access requests, as defined under the Act. All requests must be in writing, and the Assistant Principal, Curriculum Support & Finance, must be notified of all requests in order that a record can be kept. The College will normally charge the prescribed maximum fee ( 10) for subject access requests. 8 Retention of Data Data must only be kept for the length of time necessary to perform the processing for which it was collected. This applies to all forms of personal data. 9 Data Transfer Should data be transferred internally, the recipient must only process the data in a manner consistent with the College s notification with the UK Information Commissioner, and for the original purpose for which the data was collected. 9.1 The College acknowledges that data transfer may be necessitous to statutory organisations to ensure the protection of children and adults who may be vulnerable. 4

6 10 Data Security All users of data must ensure that they hold the data securely. They must ensure that it is not disclosed to any unauthorised third part in any form. 11 Contact The College has notified the UK Information Commissioner that it processes data. Questions relating to the terms of notification and other matters relating to Data Protection can be directed to the Assistant Principal, Curriculum Support & Finance 12 Review This Policy will be subject to annual review by the Assistant Principal, Curriculum Support & Finance. 5

7 Appendix 1 Data Protection Act Guidance This paper aims to give a brief outline of the legislation surrounding the Data protection Act The act applies to anyone who handles or has access to information about individuals. The law gives rights to individuals to have access to the information held about them by an organisation. The act requires that information must be handled properly and follow the eight principles of good practice outlined below. Definitions Data is recorded information whether electronically stored or paper based filing systems. Data Controller are people within organisations who hold and use personal information they decide how and why the information is used. Data Subjects are people the information is about. All have certain rights in relation to their personal information. Data Users are employees whose work involves processing personal information. A data user has a legal duty to protect the information they handle. Personal is the information that is about an identifiable individual. The information can be factual such as a name, address, student attendance, or it can be an opinion or can include addresses. Processing is any activity that involves the data. Sensitive Personal Data includes information about someone s racial or ethnic origin, health, religious beliefs or criminal convictions. This type of information can only be processed under strict conditions, and in most cases, means obtaining permission from the individual concerned. Consent of Data Subjects Typically the data subjects explicit consent will be a pre-requisite for the processing of sensitive personal data. For many purposes data subjects consent will be obtained upon entry to the College. This consent may cover all processing of the subject s personal data. New processing must be judged against existing consent, the data subject s right to know how their data is being processed and the College s notification to the UK Information Commissioner. There may be cases where the College will wish to secure consent for the processing of personal data in order to comply with the Act. The Act specifies 6

8 explicit consent in the case of sensitive personal data and consent for personal data as a possible condition to be satisfied for processing. Explicit consent implies the written consent of the data subject. When seeking consent it is essential that details of the purpose and processing of the personal data are made available to the data subject. Rights of Data Subjects Data subjects have a right to be informed about the personal data the College holds on them, the purpose(s) for which it is being used and the recipients or classes of recipient to whom the data might be disclosed. The data subject also has a right of access to the data and information about the source of the data. Examinations There are specific references in the Act to subject access rights to personal data generated from the examinations process. An examination is defined as any process for determining the knowledge, intelligence, skill or ability of a candidate. Information recorded by candidates on examination scripts is expressly exempted from the data subject access rules. This means that the College is under no obligation to permit examination candidates to have access to either original scripts or complete copies of the scripts. However, it is important to note that the College may be obliged to make available information recorded on the scripts by persons other than the candidates, e.g. the examiners' comments. The Act sets out special conditions, which apply to subject access requests for examination marks and information, which contributes, to the determination of marks. The latter category could include internal and external examiners comments, minutes of special circumstances and minutes of exam board meetings in so far as they include information, which has contributed to the determination of a mark. So for access requests in this category the prescribed period is five months from the request or 40 days from the announcement of the result, whichever is the earlier. Data Security Data subjects have a right to apply for compensation if they have been damaged by a disclosure of their data. The College has an obligation under the Act to ensure that a framework for ensuring an adequate level of security is in place. Handling Enquiries Any request from an individual must be made in writing. 7