DATA PROTECTION POLICY

Transcription

1 Title Author Approved By and Date Review Date Mike Pilling Latest Update- Corporation May Aug 2013 DATA PROTECTION ACT 1998 POLICY FOR ALL STAFF AND STUDENTS 1.0 Introduction 1.1 The Data Protection Act [DPA] Impact Assessment August 2010 DATA PROTECTION POLICY To be reviewed at least every 3 years As a result of the Colleges Incorporation on 1 April 1993, the College became wholly responsible for compliance with the data protection act. The original Data Protection Act 1984 has now been superseded by the Data Protection Act 1998, which significantly extends the scope of data protection law. To comply with the law information must be collected and used fairly, stored safely and not disclosed to any person unlawfully. Data held in electronic form continues to be covered by the new Act. However, manual files structured to enable specific information about a particular individual to be readily accessible will now also be caught and be regarded as relevant filing systems. Card index files, concertinas, files and ring binders containing information about individuals and arranged or divided, for example alphabetically, are covered by the Act, requiring 1 compliance with the obligations below. The legislation compels the College to take specific measures to ensure that all information [personal data] held about living individuals, held in a relevant filing system, is processed according to the eight data protection principles. 2.0 Specific Obligations Under The 1998 Act 2.1 The main obligations The College has two principal obligations under the new law: 1 NOTE : There is a transitional relief period whereby manual filing systems in place and processing already underway before 24 th Oct 1998 are exempt from compliance until the 23 rd Oct 2001 by when all relevant filing systems will have to comply with the regulations. Page 1 of 17

2 Not to process data until it has registered with the Office of the Data Protection Commissioner. The registration process is known as Notification To comply with the eight data protection principles set out in the new Act, which govern how data should be processed, how they should be updated, and the rights of the individuals whose data are held. These are: [1] Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 of the 1998 Act is met or in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the 1998 Act is also met [See Appendix A]. [2] Personal data shall be obtained only for one or more specific and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes. [3] Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. [4] Personal data shall be accurate and, where necessary, kept up-todate. [5] Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. [6] Personal data shall be processed in accordance with the rights of data subjects under this act. [7] Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. [8] Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 2.2 Notification of data held and processed Page 2 of 17

3 Notification is the process by which the College [the data controller] informs the Data Protection Commissioner about the processing of personal data carried out by the College. Once the College has notified, the information about our College is then made available in a public register. Notification is a statutory requirement and failure to do so is a criminal offence. The notification period is for one year and the College will have to renew its register entry annually otherwise it will expire. We will be informed in writing just before the expiry date of our register entry. Once the College has notified we must keep the notification up to date. If any part of the register entry becomes inaccurate or incomplete the college must take action to notify changes within 28 days of the event. The Data Protection Officer Mike Pilling [Network Services Manager] should be contacted if a change in any register entry is required. 2.3 Rights of access to information The principal purpose of notification and the public register is transparency and openness. It is a basic principle of data protection that the public should know or be able to find out who is carrying out processing of personal data. All staff, students and other users are entitled to know: what information the College holds and processes about them and why how to gain access to it how to keep it up to date what the College is doing to comply with its obligations under the 1998 Act. We must be prepared to answer the following kind of query: Do you hold data about me? Please supply copies of all data you hold about me For what purpose do you hold data about me? To whom do you disclose data about me? Page 3 of 17

4 The College will therefore provide copies of the College s registrations under the DPA 1998 and its, for reference in the College Library. Staff, students and other users of the College have the right to access any personal data that is being kept about them either on a computer or in any relevant filing system. Any person who wishes to exercise this right should complete the college "Data Subject Access Request" form [See Appendix B] and give it to the their manager or personal tutor. Selby College will make a charge of 10 on each occasion that access is requested, although the College has discretion to waive. The College aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request Exemptions There are a number of exceptions where exemptions from the Act apply. One such exemption is that of personal references. A data subject does not have the right to obtain from the College the details of a confidential reference that we have given. In the case where we have received a reference from a third party regarding a data subject we can disclose this information if it is was deemed reasonable to do so, but we may decide to seek consent from the third party who provided the reference Third party access to information Under normal circumstances third party access to an individual s personal information would not be permitted. The College in this instance would not be processing the personal data of the student/staff member fairly and lawfully in supplying information to a third party [Data Protection Principle 1]. However, if the third party was in fact the police, the College could disclose information about a data subject if we were satisfied that by withholding information we were likely to prejudice a criminal investigation. To comply with the Act we should not provide information to the police if there is no indication from the police as to why they wanted the information. 2.4 Data Subject Consent Page 4 of 17

5 A data subject is an individual who is the subject of personal data held by the College and can include students and staff. The College can only hold and process certain classes of data with the consent of the individual. The 1998 Act distinguishes between ordinary personal data such as name, address and telephone number and sensitive personal data including information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal convictions. Under the new 1998 Act the processing of such data is subject to much stricter conditions. If the data are sensitive then express consent to hold and process the data must be obtained, which normally means consent in writing. In our case the standard Selby College Learning Agreement acts as a consent form and by signing the form the student gives express consent for us to hold and process the sensitive data collected on the form. As for College staff it is a condition of employment that they agree to the college holding and processing personal data including information about previous criminal convictions. Therefore, all prospective staff and students will be asked to sign a Consent To Process form of some kind, regarding particular types of information, when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn. The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The College will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of a medical emergency, for example. Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. The College has a duty under the Children s Act and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The College also has a duty of care to all staff and students and must, therefore, make sure that employees and those who use the College facilities do not pose a threat or danger to other users. 3 Responsibilities of staff and students The purpose of this section is to make all staff and students aware of their responsibilities towards all personal data held by the college and to indicate the practical steps to be taken to comply with the act. Page 5 of 17

6 3.1 Staff Responsibilities This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the College. Any failures to follow the policy can therefore result in disciplinary proceedings. Regarding the processing of personal data by the college, staff should ensure that any data, which it is proposed to process, are covered by the College s notification under the Data Protection Act The processing of personal data that have not been notified is a criminal offence. To help staff the College will provide copies of the College s notifications under the DPA 1998, for reference in the College Library. All staff are responsible for checking that any information they provide to the College in connection with their employment is accurate and up to date and that any changes at a later date are notified. All staff are responsible for checking the accuracy of information held and keeping this information up to date. Any member of staff, who considers that the policy has not been followed in respect of personal data about themselves, should raise the matter with the designated data controller initially. If the matter is not resolved it should be raised as a formal grievance. Staff are responsible for ensuring that any person from whom personal data are obtained are not deceived or mislead as to the purpose for which such data are held, used or disclosed. Staff must ensure that an indication of the purpose[s] should appear on any form used to collect data, and where necessary, an explanation as to why the data are being collected. No unfair pressure should be used to obtain any personal data. 3.2 Student Responsibilities Students must ensure that all personal data provided to the College are accurate and up to date. They must ensure that changes of address etc are notified to the appropriate person normally their tutor. Students who use the College computer facilities may, from time to time, process personal data. If they do they must notify their personal tutor who will notify the data controller. Any student who requires further clarification about this should contact their personal tutor who will liaise with the Data Controller. Page 6 of 17

7 4. Data Security All staff should observe strict control of all databases of information [computerised or manual] on living individuals, whether they be staff, students, members of the public, suppliers, customers etc. The College must notify all relevant filing systems and databases or it could face legal action. Failure of any member of staff to inform College management of the existence of a database or manual filing system could result in disciplinary action. The holding of a College-related database outside the College also falls within these restrictions. The removal of College-Related personal data on a computer to off-site locations or the holding of College-related personal data on a computer outside College will only be permitted in strictly controlled circumstances. It is not permitted to hold any College-related data off-site on a computer or other relevant filing system without prior approval from college management. Great care must be taken not to disclose personal data either intentionally or accidentally. This can be helped by: Only allowing authorised access to computers [i.e. by not disclosing passwords] Switching off [or logging off] computer systems when you are not using them Keeping doors to rooms containing manual filing systems or computerised databases locked, when not in use Preventing unauthorised information being obtained from computer screens Not disclosing personal information over the telephone without following established procedures Only disclosing personal information to which an individual is entitled after first verifying the true identity of the person requesting the information Ensure proper disposal of waste materials such as computer printouts containing personal data Not removing any data/information from the college without prior authorisation Page 7 of 17

8 Not storing/processing certain personal data on individuals unless it is absolutely required. Before processing any personal data, all staff should consider the following checklist: Do you really need to record the information? Is the information standard or sensitive? If it is sensitive, do you have the data subject s express consent? Has the data subject been told that this type of data will be processed? Are you authorised to collect/store/process the data? Have you checked with the data subject that the data is accurate? Are you sure that the data is secure? If you do not have the data subject s consent to process, are you satisfied that it is in the best interest of the student/staff member to collect and retain the data? Have you informed the designated data controller for the College that you are storing this kind of information in a relevant filing system? 5. The Data Controller and the Designated Data Controller/s The College as a body corporate is the data controller under the Act, and the Board is therefore ultimately responsible for implementation. However, the designated data controllers will deal with day-to-day matters. The designated data controller for Selby College is Mike Pilling [Network Services Manager]. 6. Examination Marks Students will be entitled to information about their marks for both coursework and examinations. However, this may take longer than other information to provide. The College may decide to withhold certificates, accreditation or references in the event that full course fees have not been paid, or all books and equipment returned to the college. Page 8 of 17

9 7. Retention of Data The College will keep some forms of information for longer than others. Because of storage problems, information about students cannot be kept indefinitely, unless there are specific requests to do so. In general information about students will be kept for a maximum of 7 years after they leave the College. This will include name and address academic achievements, including marks for coursework and copies of any reference written. All other information, including any information about health, race or disciplinary matters will be destroyed within 5 years of the course ending and the student leaving the College. The College will need to keep information about staff for longer periods of time. In general, all information will be kept 5 years after a member of staff leaves the College. Some information, however, will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment and information required for job references. 8. Third Party Processing If we use a third party data controller to process data on behalf of the College we must ensure that the controller complies with the data protection act. This would apply to subsidiary trading companies and franchise partners. We must obtain sufficient guarantees in respect of the processor s security measures and take reasonable steps to ensure compliance with those measures. We must ensure that the third party processor is subject to a written contract with the College. 9. Transfer of information outside the European Economic Area 10. CCTV The College will not transfer data outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. For instance the United States has no Data Protection Act but individual US companies can sign up to the safe harbour scheme guaranteeing data protection CCTV Footage Page 9 of 17

10 Images of people captured by the CCTV systems operated by Selby College fall under the Data Protection Act. As with standard data people can request to see CCTV footage where their image has been captured and is stored by the college Security of CCTV Footage It is college policy that access to CCTV controls and images be physically secure and actual access to CCTV footage be limited to certain senior managers within the College Requests to access CCTV footage In the instance where a person requests to see CCTV footage they must limit the request to a certain time slot within a one hour period and will only be entitled to view footage where they personally appear. In certain circumstances it may be required to seek the approval of third parties where people other than the person requesting access also appear in the footage. This may hold up the process of providing access to CCTV footage considerably Incidents 11 Summary Where an incident has been reported and it occurred in view of CCTV systems [eg. it is suspected that crime has taken place in view of CCTV cameras] the CCTV footage in question will be viewed under controlled circumstances by at least two members of staff with authority to view CCTV Footage and operate the system. Where it is felt appropriate and where systems permit a copy of the incident footage will be made and passed to an appropriate member of the senior management team who will then be able to take appropriate action. The introduction of the new data protection law has forced the college to review the way in which data is processed. One of the purposes of this Policy is to ensure that a proper action is taken to comply with the new requirements which covers the following: To ensure that the College gives proper notification and is registered correctly To identify the manual records currently held and their contents, and determine which are likely to be caught by the new act Page 10 of 17

11 To establish how data are collected, and what consents are obtained, particularly in the case of sensitive data To review the security arrangements of third party processors such as franchise partners, and make sure that written contracts with them are put in place To remind employees of the data protection principles and make sure they are adhered to. Compliance with the 1998 Act is the responsibility of all members of the College. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to College facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated data controller. 12. Equality and Diversity Statement Selby College welcomes and celebrates equality and diversity. We believe that everyone should be treated equally and fairly regardless of their age, disability, gender, gender identity, race, religion or belief, sexual orientation and socio-economic background. We seek to ensure that no member of the College community receives less favourable treatment on any of these grounds which cannot be shown to be justified. This document is written with the above commitment, to ensure equality and diversity is at the centre of working life at Selby College. 13. Safeguarding Policy Selby College recognises its moral and statutory responsibility to safeguard and promote the welfare of students. We work to provide a safe and welcoming environment where students are respected and valued. We are alert to the signs of abuse and neglect and follow our procedures to ensure our students receive effective support, protection and justice. Selby College expects Governors, staff and volunteers working on behalf of the college to share this commitment. Page 11 of 17

12 APPENDIX A Schedule 2 Conditions At least one of the following must be satisfied: - Consent Contract Legal obligation Vital interest of the data subject Public Functions. In the case of consent a student might reasonably think that the college would use the non-sensitive data collected in the college in a college context. Schedule 3 Conditions Explicit consent Vital interest of the data subject Legal Proceedings Equal opportunities monitoring. In this case of explicit consent it is wise to obtain written consent. When a student signs the Selby College Learning Agreement they give their explicit consent for us to process the sensitive data collected on the form. Page 12 of 17

13 APPENDIX B SELBY COLLEGE: DATA SUBJECT ACCESS REQUEST FORM TO: The data controller [Selby College] FROM: [For identification purposes only please provide] FULL NAME: DATE OF BIRTH: ADDRESS + POSTCODE: In accordance with my rights under the data protection act 1998, I [the above named person] wish to have access to the following data that the college may hold about me as part of an automated system or any other relevant filing system. [Please tick as appropriate] Personal details including name, address, date of birth, ethnicity etc. Political, religious or trade union information. Academic marks or course work details. Academic or employment references. Health and medical matters including learning difficulties and disabilities. Disciplinary records. Any statements of opinion about my abilities or performance. I [the undersigned] understand that I will have to pay a fee of 10 to cover the administrative cost of accessing this data. Page 13 of 17

14 Note. In accordance with Selby College data protection policy the College aims to comply with requests for access to personal information as quickly as possible and will ensure that it is provided within 40 days of request unless there is reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request. Page 14 of 17

15 APPENDIX C Sample Case Studies Eversheds Solicitors, who provided Selby College with Data Protection consultancy, produced the case studies. The examples are not specific to Selby College but help us to understand the types of issues that we may have to deal with under the new 1998 Act. Page 15 of 17

16 APPENDIX D Data Protection Overview The Data Protection Act 1998 [DPA] applies to Selby College in that we are an organisation that stores and processes information about living individuals. Therefore all members of Selby College staff must adhere to data protection law and anyone handling data must follow the eight data protection principles Personal data must be: (1) processed fairly and lawfully (2) processed appropriately and must be for a specific limited purpose (3) relevant and not excessive in relation to the purpose for which it is held (4) accurate and up to date (5) only kept for as long as is necessary (6) processed in accordance with the rights of individuals under the act (7) kept in a secure manner (8) only transferred to other countries who have equivalent data protection controls. What data and filing systems are relevant? All filing systems where we hold information about living individuals are regarded as relevant filing systems under the DPA. This includes any filing system, not just computer systems, where information about individuals is readily accessible and includes data held in filing cabinets, folders, concertinas, card indexes, CCTV footage etc. What do I do if I am holding information about individuals? 1 Inform the College data controller [Mike Pilling, Network Services Manager] and read the College. 2 If the data held are sensitive [Ethnic origin etc.] obtain express permission from the individual concerned to hold the data. 3 Keep the data in a secure environment: a. Only allow authorised access to computers via password protection. b. Lock filing cabinets/offices. c. Do not remove data from the College without permission. d. Ensure proper disposal of old data. Page 16 of 17

17 4 Do not store any data that you would not want an individual to see [Personal opinions etc] and only store what is absolutely necessary for purpose. 5 Ensure that data is accurate [up to date]. 6 Be ready to provide copies of all data relating to an individual if requested by the data controller. 7 Ensure that individuals understand why and how we process the data we do. What rights do individuals [data subjects] have to see the data we hold about them? One of principal objectives of the data protection act is to create transparency and openness. Individuals have the right to see the data we hold about them and to understand how we use the data. Individuals can request to see the data we hold about them and under the law we have to provide access to their data [with only a few exceptions]. Page 17 of 17