Data Protection Policy 1

Transcription

1 ISC14D010 Title: Data Prtectin Act plicy review Authr: Raymnd Sctt (ISD) Date: 22 January 2015 Circulatin: ISSC 16 February 2015 Agenda: ISC14A002 Versin: Draft v2.1 Status: Open Issue T seek the cmmittee s apprval fr prpsed changes t the Data Prtectin Act plicy. Recmmendatin Recipients are invited: T apprve the revised plicy Resurce implicatins N change t service is required and therefre there is n impact n resurces. Risk implicatins The lcal plicy is ffered t help the University align its practice t the Data Prtectin Act. The prpsed changes are made t help reduce the risk f nn-cmpliance and t make the plicy mre accessible. Equality and diversity New services will be subject t Equality Impact Assessment as they are implemented. Timing f decisins Once apprval is btained the revised plicy can be put int effect and published. Further infrmatin Raymnd Sctt (ISD), x3651 r.sctt@uea.ac.uk Backgrund The Data Prtectin Act plicy is subject t regular review. This paper cntains the updated plicy shwing tracked changes fr which a summary f the specific and general changes are listed belw. Discussin The fllwing changes are have been made t the dcument: Sme material which nly restates the legislatin has been remved. Data Prtectin Plicy 1

2 Clarified the circumstances under which the University will disclse student qualificatin details t third parties. [Sectin 5.5] Added an expectatin that thse handling persnal data will cmplete DPA training. (ISD has made available a shrt nline DPA curse t supprt this change.) [Sectin 5.7] In line with ther infrmatin cmpliance plicies, set the review cycle t 24 mnths. [Sectin 9]. Attachments Data Prtectin Act plicy v2.1 DRAFT Data Prtectin Plicy 2

3 Data Prtectin Plicy Authr: David Palmer (ISD) Date: 13 May January 2015 Versin: 12.1 This dcument defines the University f East Anglia s (UEA) plicy n data prtectin, and is based n the fllwing principles. The University will be cmpliant with all relevant legislatin, particularly the Data Prtectin Act 1998, and will base its plicies and practices n cmpliance with the eight Data Prtectin principles cntained therein Ensuring cmpliance is a crprate respnsibility f the University requiring the active invlvement, f, and appreciatin by, all staff at all levels f the rganisatin The University will strive t ensure best practice in regards data prtectin prcesses and prcedures The University will strive t imprve practices and prcedures utilising external guidance, mnitring f jurisprudence in the areas, and adpting examples f best practice elsewhere The University will prvide supprt and services t enable staff handling persnal data t remain cmpliant with the legislatin, including prvisin f mandatry nline and ptinal face t face training. Versin histry Versin Date Nte /05/12 First draft, adapted frm Data Prtectin Briefing Paper /06/12 Apprved by ISSC /6/13 Apprved by ISSC /1/15 Reviewed by ISD SPC team 1. Intrductin At UEA, persnal data are held abut students, staff and the public. UEA needs t hld infrmatin abut its students and staff fr reasns which include, but are by n means limited t, the fllwing: the recruitment, emplyment and payment f staff the recruitment f students the administratin f curses and examinatins student welfare Data may als be held n ther individuals, such as visitrs t UEA, suppliers, emplyees f ther rganisatins wh are invlved in research cntracts, and s n. The Data Prtectin Act 1998 (DPA) places respnsibilities and bligatins n rganisatins which prcess data abut living individuals. It als gives legal rights t individuals in respect f persnal data held abut them by thers. The DPA may be fund n the internet at /29/cntents Data Prtectin Plicy 3

4 The University must have plicies and prcedures in place t ensure that we are cmpliant with ur bligatins under the Act that extend acrss the breadth f the staff and activities f the University. 2. Scpe This plicy applies t: All students and staff emplyed by, r studying at UEA Any nn UEA staff with any degree f access and/r use f persnal data held by the University All University activities that invlve the prcessing f persnal data as defined by the Data Prtectin Act Definitins The fllwing definitins apply t this plicy: thethe Act: Data Prtectin Act (DPA) Data Security Breach: Any ccurrence f any unauthrised r unlawful prcessing f persnal data held by UEA, r the accidental lss, destructin f r damage t any such persnal data. Data Subject: A living individual wh is the subject f persnal data. Data Cntrller: A persn r rganisatin which cntrls the purpses and manner in which data are prcessed. UEA is a data cntrller, and the pintpints f cntact isare the University's Infrmatin Plicy and Cmpliance Manager.Managers (IPCMs). Data Prcessr: Any persn r persns that prcess infrmatin n behalf f a data cntrller. Data: All infrmatin in digital frmat, r manual data within a relevant filing system.infrmatin CmmissinerCmmissiner s Office (ICO): The supervisry authrity, reprting directly t Parliament, that enfrces and versees the DPA, and ther infrmatin related legislatin. The Infrmatin Cmmissiner maintains a public register f data cntrllers. The prcess f adding an entry t the register is called ntificatin. UEA's ntificatin cvers the classes f data which are prcessed, and is updated frm time t time and ther infrmatin related legislatin. Infrmatin life cycleipcms: The time span that infrmatin prcessed by the University remains live and relevant t the University (inclusive f its dispsal r destructin) and fr which the University has bligatins under this, r any ther plicy. IPCM: Infrmatin Plicy and Cmpliance Manager.Managers Persnal Data: Data which relate t a living and identifiable individual, including cmputeriseddigital data and sme manual data (iei.e. paper based recrds, micrfiche, etc). When the DPA was first passed int law, it cvered data.) held in a " relevant filing system", which is defined in the DPA as a "set f infrmatin" which "is structured, either by reference t individuals r by reference t criteria relating t individuals, in such a way that specific infrmatin relating t a particular individual is readily accessible". Hwever, the Freedm f Infrmatin Act 2000 (FOIA) mdifies and extends the DPA t apply t "unstructured persnal data". system. Unstructured persnal data are any persnal data which fall utside the definitin f the relevant filing system given abve. Data Prtectin Plicy 3

5 The difference may be illustrated as fllws. Persnnel recrds are clearly part f a "structured filing system" as they are arranged by surname r emplyee number. Hwever, a member f staff may serve n a university cmmittee, and that persn's name will appear in the minute bk f that cmmittee. The minute bk is nt structured by names, but by the dates f cmmittee meetings. Under the mdificatin t the DPA, such data nw fall within its remit. Prcessing: An actin f any srt taken in regards persnal data during the lifecycle f that persnal data. This will include but is nt limited t: creating, btaining, string, adapting, transferring, transmitting, dispsal and destructin. Relevant filing system: Manual infrmatin held in a structured and systematic filing system. Nte the Freedm f Infrmatin Act 2000 (FOIA) mdifies and extends the DPA fr public authrities (including the University) t apply t "unstructured persnal data". Unstructured persnal data are any persnal data which fall utside the definitin f the relevant filing system given abve.relevant filing system: Any set f infrmatin relating t individuals t the extent that, althugh the infrmatin is nt prcessed by means f equipment perating autmatically in respnse t instructins given fr that purpse, the set is structured, either by reference t individuals r by reference t criteria relating t individuals, in such a way that specific infrmatin relating t a particular individual is readily accessible. Sensitive Persnal Data: The DPA recgnises that certain types f persnal data shuld be treated with particular regard. Such data include racial r ethnic rigin; plitical pinins; religius beliefs; membership f a trade unin; physical r mental health r cnditin; sexual life; and criminal ffences. Subject Access request (SAR): The means by which any individuala data subject exercises thetheir right, pursuant t sectin 7 f the Data Prtectin Act f any individual t see a cpy f the infrmatin an rganisatin hlds abut them. A SAR can include the fllwing elements: a request t be tld whether any persnal data is being prcessed; a request t be given a descriptin f the persnal data, the reasns it is being prcessed, and whether it will be given t any ther rganisatins r peple; a request t be given a cpy f the infrmatin cmprising the data; and a request t be given details f the surce f the data (where this is available). 4. Aims The aims f the Data Prtectin Plicy are t: Set ut the bligatins f the University in regards data prtectin Establish the guiding principles fr the University s actins in this area Prvide a Plicy framewrk t ensureenable lcal cmpliance with the Act 5. Plicy statements 5.1. Ntificatin The University will cmply with the ntificatin bligatins placed upn it by the Act and assciated regulatins; specifically renewing ntificatin with the ICO yearly, and ensuring that the ntificatin is current and accurate. T further the latter, the University will Data Prtectin Plicy 5

6 cnduct a cmprehensive review f its ntificatin n later than every 5 years, and mre frequently shuld the activities r data hldings f the University s demand. Data Prtectin Plicy 6

7 5.2. Persnal data held by UEA Data are cllected frm students at varius stages. Examples include, but are nt restricted t: data n applicatins (ften transferred t UEA frm UCAS) registratin data applicatins fr financial aid data held by the Dean f Students Office in cnnectin with student welfare Data are als added subsequently t students recrds, fr example: marks statements changes f address final degree results medical certificates cncessin r intercalatin requests The Human Resurces Divisin cllects data n staff and creates a Persnnel File fr every member f staff. Sme f this infrmatin will als be held by individual administrative units within the University. Such data will include: applicatins fr psts at UEA terms f appintment annual review prmtins The types f persnal infrmatin prcessed by the University are utlined in ur registratin dcument, listed in the public register f data cntrllers available frm the ICO website 1 All staff and students shuld ensure that any infrmatin that they prvide t UEA in cnnectin with their emplyment r study is accurate and up t date. UEA has ultimate respnsibility fr ensuring the persnal infrmatin it hlds is accurate and up t date. Upn graduatin, sme infrmatin is passed t the Alumni Assciatin t allw them t cntact graduates abut UEA events, prducts, services and fr survey purpses. Central systems als retain basic graduate student data regarding academic prgress t verify awards and t prvide a recrd f lifelng learning Prcessing bligatins general Data Prtectin principles in general Under the DPA, persnal data must be prcessed in accrdance with the fllwing eight Data Prtectin Principles. These principles are cntained within Schedule 1 f the Act and 2. These are the fundamental bligatins impsed by the Act in regards the prcessing f persnal data. The term prcessing has a very wide applicatin which includes the mere fact f hlding data abut a living individual, as well as the alteratin, disclsure and destructin f persnal infrmatin. The eight Data Prtectin Principles state that data must: 1. be btained and prcessed fairly and lawfully and nly if certain cnditins are met 2. be btained fr specified and lawful purpses 3. be adequate, relevant and nt excessive fr thse purpses 4. be accurate and up t date 1 the ic/what we d/register f data cntrllers/ 2 rganisatins/guide t data prtectin/data prtectin principles/ Data Prtectin Plicy 6

8 5. nt be kept fr lnger than is necessary 6. be prcessed in accrdance with the rights f data subjects 7. be kept safe frm unauthrised access, lss r destructin 8. nt be transferred t cuntries utside the Eurpean Ecnmic Area (EEA), unless t cuntries with equivalent levels f data prtectin. The First Principle Fair prcessing 3 The requirement fr fair prcessing is set ut in the first data prtectin principle and is the mst imprtant principle in regards the prcessing f persnal data. In essence, this principle demands, and it is UEA plicy that, allall persnal data fr which UEA is data cntrller will be prcessed fairly and lawfully, with apprpriate ntice prvided and in line with the expectatins f the relevant data subjects, and that all data subjects will have adequate ntice f any prcessing undertaken by UEA.. If any unit is planning t cllect persnal data frm anyne, cnsent t stre and handle the infrmatin must be btained frm the individualdata subjects at the time f the data cllectin. This can be dne by means f a privacy ntice. Advice n writing privacy ntices is available frm the IPCMIPCMs. When a student registers at the beginning f his r her curse, he r she is issued with athey agree t the terms f the University s student data prtectin ntice 4. The ntice sets ut the types f data which are being cllected and the uses t which these will be put, including transfers t ther rganisatins such as the Higher Educatin Statistics Agency. It als infrms the student that, by signing the registratin frm, he r she cnsents t the prcessing f thse data, fr purpses cnnected with the legitimate activities f UEA. This ntice is reviewed befre the start f each academic year t ensure all data prcessing activities are included and explained. Fr staff, a data prtectin ntice is included n applicatin frms fr emplyment at UEA which sets ut the data which are cllected, the uses t which they will be put, and seeks cnsent fr their prcessing. There is als a ntice fr successful applicants 5, when they jin UEA. Particular attentin is drawn t the cllectin f data n Ethnic Origin and Disability, since these are amng the types f sensitive data defined in the DPA. Explicit and infrmed cnsent must be btained fr theany prcessing f sensitive data, and this is made clear in the ntices issued t staff and students, which explain that, by prviding these data,ensure the staff member r student cnsents tagrees with the prcessing f his r hertheir data within carefully defined limits. We cannt frce an individual t prvide these, r ther types f sensitive data, and he r she isthey are quite at liberty t refuse t prvide them n the applicatin r registratin frm (which means, effectively, that cnsent fr their prcessing has been withheld). The Seventh Principle Data Security rganisatins/guide t data prtectin/principle 1 fair and lawful/ rganisatins/guide t data prtectin/principle 7 security/ Data Prtectin Plicy 8

9 Adequate data security is essential t meet the requirements f the 7 th Data Prtectin principle. Where anyne subject t this Plicy is in pssessin f persnal data they whether in electrnic r paper frmat they must: Ensure that the persnal data is technically stred and handled in line with apprved UEA infrmatin security plicies 7 and prcesses. Ensure that rganisatin measures are in place t guard against unauthrised r unlawful damage r destructin f the persnal data. Such measures culd include: restricting physical and cmputer based access t the data t minimum number f persns pssible, ensuring that all digital persnal data is passwrd prtected wherever it may reside, ensuring that any persnal data are nt left in the pen either in paper frm, r n a screen in digital frm, ensuring that access t the area in which the persnal data is stred is restricted t nly thse persns wh need t be there, minimise the need fr transfer f the data, if. If transfer is required, ensure that UEA data security prtcls are in place and bserved. Take steps t prvide an adequate level f training in DPA and infrmatin security is prvided t anyne with access t the persnal data, inclusive f anyne utside f UEA that may have access t the data. The IPCMThe Security, Plicy and Cmpliance team will wrk with apprpriate units within ISD t ensure that all technical security requirements are met and will wrk with the apprpriate internal authrity t ensure that apprpriate rganisatinal measures are in place. Other prcessing bligatins Staff shuld ensure that persnal data are: prcessed nly fr the purpses fr which they were cllected (nte that simply hlding data n file cunts as prcessing) nt divulged t third parties withut the subject s cnsent relevant, accurate and up t date adequate but nt excessive fr the stated purpse dispsed f as cnfidential material when they are n lnger needed fr the purpses fr which they were cllected and in line with UEA recrds management plicy 8 and practices nt transferred utside the EEA unless there are adequate measures in place that ensure a level f prtectin equivalent t that affrded by the Act Data Prtectin Plicy 9

10 5.4. Data Sharing Infrmatin shuld nt be transferred t any 3 rd party (i.e. utside UEA) withut cnsent f the data subject(s) unless such a transfer is authrised by the Act itself, by ther statute, r by the UEA Student Data Prtectin Ntice 9 r UEA Staff Data Prtectin Ntice 10. The Act authrises release t 3 rd parties withut ntice t the data subject under certain limited circumstances such as. Detectin r preventin f crime, apprehensin f ffenders Prtectin f the vital interests f the data subject Pursuant t a cntract t which the data subject is a party Pursuant t a legal bligatin impsed upn UEA Where necessary fr the pursuit f the legitimate interests f UEA r any 3 rd party save where such prcessing is unwarranted by prejudice t the rights, freedms r legitimate interests f the data subject AnySuch prpsed data sharing that des nt meet the abve cnditins must be reviewed by the IPCMIPCMs wh has the respnsibility f determining whether, n the facts f the case, a data prcessing agreement is warranted. This review shuld ccur as early as pssible in any prject r instance nted abve. As a general rule, ne ff, ad hc data sharing events will nt require an agreement whilst any nging data sharing will require such an agreement. Where persnal data is t be shared with any party external t the university, a data sharing agreement must be in place t gvern the sharing. Thse planning t share data must fllw guidance prvided by the ICO 11. The IPCMs will prvide templates t aid the creatin f final agreements. Alternatively, the receiving rganisatin may prvide their wn agreement which shuld be reviewed t ensure it means the standards f the current university apprved template. The IPCMs will maintain a register f data sharing agreements. If a data prcessing agreement is warranted, the IPCMIPCMs will wrk with the relevant line manager with peratinal respnsibility fr the data sharing t draft and agree an agreement that assures that the University meets its cmpliance bligatins. Where persnal data is t be shared within the University between departments, sharing must cmply with the data prtectin principles Specific UEA related prcessing plicies Student attendance and qualificatin verificatin rganisatins/guide t data prtectin/data sharing/ Data Prtectin Plicy 10

11 Third parties may cntact the University t cnfirm whether r nt a named individual has attended the University, and whether r nt they btained a particular qualificatin. These queries shuld be directed t Student Recrds fr a respnse in the first instance. In general, the University will seek cnsent frm the individual fr cnfirmatin f attendance and verificatin f qualificatins t third parties wherever pssible befre a respnse is prvided. There may be special circumstances under which the University will release infrmatin withut first btaining cnsent. These queries must be referred t the IPCMs. Ptential fraudulent claims: Where an individual has made a false claim regarding attendance, emplyment r qualificatins gained at UEA, and the University has n recrd f that individual having attended the institutin, the enquirer will be infrmed. Other types f request: Where the University can cnfirm emplyment, student attendance r qualificatins, and has nt btained explicit cnsent, the University will nly disclse that infrmatin t verified and legitimate enquirers under certain limited circumstances where there is significant advantage t the data subject in s ding. Sme circumstances under which the University will cnfirm attendance and qualificatins absent explicit cnsent are listed in the student privacy ntice. Each case will be cnsidered by the IPCMs n its wn merits. References It is relatively cmmn fr staff r students t request access t persnal references written at the time f their applicatin fr emplyment r study at UEA, r fr emplyment r study elsewhere. This is an area where a specific exemptin is written int the DPA: cnfidential references given by UEA (the Data Cntrller) are exempt frm disclsure under the subject access prvisins. (see subject access sectin). Thus, students and staff f UEA cannt apply t see references prvided by UEA staff and sent t anther rganisatin. They may, hwever, apply t the rganisatin t which the reference has been sent. Similarly, they may apply t UEA t see references which have been received by UEA and which may be held in (say) a Persnnel File. These references received by UEA are treated as any ther items in a file, and we wuld fllw the nrmal prcedure regarding handling subject access requests by data subjects. It is wrth bearing in mind that annymisatin is unlikely t be effective where references are cncerned, and it is very likely that we wuld seek the cnsent f the authr befre releasing them, befre deciding whether r nt it was reasnable t release the reference "in all the circumstances".. The Infrmatin Cmmissiner has advised that, where a reference has had an adverse effect n the subject f the reference, the subject's right f access will nrmally utweigh any ther circumstances, even if the reference was given in cnfidence, and the authr has expressly refused his r her cnsent t its disclsure. Research Data Prtectin Plicy 11

12 The Act allws certain exemptins in the case f persnal data which are cllected and prcessed fr research purpses, r fr histrical r statistical purpses. If the prcessing is nly fr the purpses f research (, and is nt used t supprt decisins abut individuals), and des nt (and is nt likely t) result in substantial damage r distress t any data subject then the data can be kept indefinitely. the data can be repurpsed. That is, used fr research purpses ther than thse fr which it was riginally cllected subject access des nt have t be granted, as lng as the results f the research are annymised. This is f curse very cmmn in the case f medical research papers which ften refer t Ms A, Mr B, et al. Care shuld be taken if a key is retained which enables annymised data t be decded and therefre attributed t individuals. An apprpriate level f care wuld exist if the key was nly knwn t thse individuals directly invlved in the research, and kept securely, and separate frm the usual lcatin f the annymised data. Care shuld als be taken when students are cnducting research invlving persnal data as part f their studies. In such cases, UEA may be the data cntrller and respnsible fr the student s adherence t the DPA. Many research prjects invlving human subjects must first be apprved by an Ethics Cmmittee, and ne. The IPCMs is a member f the cnditins f such apprval is that the University s Research Ethics Cmmittee (UREC) and will prvide advice f the IPCM has been sught. As part f this rle, the IPCM may askn data prtectin matters t see a cpy f the research prtclthe Cmmittee as apprpriate. Examinatins The DPA cntains a specific exemptin fr "persnal data cnsisting f marks r ther infrmatin prcessed by a data cntrller fr the purpse f determining the results f an academic, prfessinal r ther examinatin r f enabling the results f any such examinatin t be determined". When a subject access request is made befre the day n which the results f the examinatin are annunced, such data may be withheld until five mnths frm the date f the request, r the end f frty days beginning with the date f the annuncement f the examinatin results, whichever is the earlier. sner. The purpse f this prvisin is t prevent the release f examinatin marks until the assessment prcess is cmplete. Infrmatin recrded n an examinatin script by an examinatin candidate is specifically exempt frm the prvisins f the DPA. Hwever, cmments written n the scripts by examiners are nt exempt. Students may apply t see these cmments in the same way that they may apply t see ther data, althugh such cmments may nt be released until the results f the examinatin are knwn. Examiners shuld endeavur t prvide cmments in such a way as t make them easily severable frm the script itself, preferably by use f a separate cver sheet. Accrding t UEA's custm and practice, Pass Lists shwing undergraduate degree results may be psted n ntice bards and in Registry receptin. The degree results are listed using registratin numbers nly; students names d nt appear n the Lists. The University will infrm students by way f the Student Data Prtectin Ntice that degree results will be published in this manner. Data Prtectin Plicy 12

13 Marketing infrmatin Certain cmmunicatins with staff, students and ther parties may fall within the scpe f the Privacy and Electrnic Cmmunicatins Regulatins 2003 (PECR). PECR cmplements the DPA and applies t unslicited electrnic cmmunicatins (in any frmat) which cntain: advertising r marketing material fr gds r services prmtin f the rganisatin s aims and ideals prmtin f events f public meetings appeals fr funds r supprt PECR als applies t the ckies used n the University website t track infrmatin abut users f the site. Such cmmunicatins shuld nt be sent withut first btaining cnsent frm the recipients. Cnsent can be explicitly prvided r may in certain circumstances be implied by a subscriptin t a service. The University must always ffer the ptin t pt ut f marketing messages and must stp sending marketing cmmunicatins t anyne wh raises an bjectin r chses t pt ut f receiving them. The IPCMs shuld be cnsulted prir t cmmencing any marketing campaign invlving persnal data System and Prcess Assessment Any system, prject, prcess, r infrmatin hlding within the University that invlves persnal data must be cmpliant with ur bligatins under the Act and an assessment and evaluatin f cmpliance will be necessary. Examples include CCTV, Student Infrmatin System, CRM, Car Parking Enfrcement and s n. Privacy Impact Assessment in the case f majr systems, a full, r truncated Privacy Impact Assessment may be required. This will nly be required in the case f majr initiatives invlving substantial amunt f persnal data r particularly sensitive r ptentially risky prcessing f data. The ICO prvides brief guidance 12 n this prcess. A UEA generatedspecific checklist 13 f data prtectin cmpliance shuld be cmpleted at the cmmencement f any prject r system t identify data prtectin issues, risks and prcesses that need t be addressed. The checklist is available frm the Strategy, Plicy and Cmpliance team within ISD 14. Fr ther smaller prcessing issues, advice and guidance will be available frm the IPCM with assistance frm ther members f the Strategy, Plicy and Cmpliance team. IPCMs. Where such advice and guidance is given, every pprtunity will be explred t expand the knwledge and awareness f the individual r rganisatinal unit seeking the advice and guidance cal_applicatin/privacy_impact_assessment_overview.ashx rganisatins/guidet data prtectin/privacy by design/ 13 checklist 14 checklist Data Prtectin Plicy 13

14 5.7. Training and Awareness Training and awareness is essential fr the University t be in a psitin t meet its bligatins under the Act. All staff wrking with persnal data must, at minimum, cmplete the nline data prtectin training mdule as sn as pssible after cmmencement f their duties. ISD has primary respnsibility fr ensuring that adequate and apprpriate training and awareness exist within the University, with the IPCMIPCMs taking the lead rle within ISD. All emplyees, upn btaining emplyment with the University, will receive general infrmatin n the Act and ur bligatins thereunder as a cmpnent f the inductin dcumentatin and prcess. The IPCMIPCMs is respnsible fr creating and maintaining bth web based and print material fr reference and awareness. This pst is als respnsible fr presenting scheduled training t staff via nline training mdules, the CSED training prgramme, scheduled training t the student ppulatin, particularly PGR students, and prviding ad hc training where apprpriate. The IPCMIPCMs, in cnjunctin with relevant University units, will identify thse rles requiring particular training and awareness f data prtectin respnsibilities and will wrk with relevant unit t ensure that adequate and apprpriate training is prvided. Mnitring f the effectiveness f training and awareness activities shuld be undertaken and maintained cnsistently by the IPCMs Data Breach Management It is the respnsibility f all UEA staff t avid data security breaches, but where ne des ccur, the affected unit, Faculty r individual must and will reprt the breach t the IPCMIPCMs at the earliest pssible pprtunity. Any persnal data breaches will be handled in accrdance with current guidance frm the ICO and investigatin f any breach will initially be the respnsibility f the IPCMIPCMs. Any breach will be immediately reprted t the Assistant Directr, Strategy, Plicy and Cmpliance within ISD and any decisin regarding the ntificatin f either the ICO r affected parties f any breach will be taken n his r her authrity. The general prcedure in the case f a data security breach will fllw ICO guidelines and fcus n the prper cmpletin f fur stages f breach management: Cntainment and recvery Assessment f nging risk Ntificatin f breach Evaluatin and respnse It is the respnsibility f the IPCMIPCMs t ensure that all fur stages are addressed. The Assistant Directr Strategy, Plicy and Cmpliance has the respnsibility f signing ff that each stage has been successfully undertaken and cmpleted Data Subject access requests (SAR) Persns abut whm UEA hlds data (Data Subjects) may make a request (a Subject Access Request) t see thse data, and t receive r view cpies f thse data in permanent intelligible frm (print uts r phtcpies). Students, staff r any individuals external t Data Prtectin Plicy 14

15 UEA wh wish t make a Subject Access Request shuld be directed t the apprpriate request page 15 within the Data Prtectin web pages fr the University. The IPCM, with the assistance f ther members f the Strategy, Plicy and Cmpliance team,ipcms has the respnsibility t c rdinate the request centrally. Requests must be made in writing preferably n the standard applicatin frm and accmpanied by the standard fee f 10. Persns making a subject access request will als be required t cnfirm their identity. The DPA prvides that UEA must respnd t a frmalvalid request within 40 calendar days. The detail f the prcesses and prcedures t be fllwed in administering a Subject Access request are set ut in the Data Prtectin SAR Operatins Manual, available frm the Strategy, Plicy and Cmpliance team. 6. Ownership The Strategy, Plicy and Cmpliance team within ISD have wnership f this Plicy. 7. Respnsibilities Within this plicy, the fllwing individuals have the fllwing respnsibilities: Respnsibility Administratin f subject access requests, training and awareness f staff, advice n drafting data sharing agreements, respnse t data prtectin inquiries frm staff & students, investigatin and management f data security breaches Overall respnsibility fr Data Prtectin Plicy, authrisatin f actins related t a data security breach, management and versight f IPCMIPCMs Strategic liaisn regarding data prtectin with ther UEA units, ISD apprval f data prtectin plicies Institutinal apprval f Data Prtectin plicies Persnal data t be handled in line with University plicy, best practice, and the Act Owner Infrmatin Plicy and Cmpliance Manager (IPCMIPCMs) Assistant Directr Strategy, Plicy and Cmpliance Directr f Infrmatin Services Infrmatin Strategy and Services Cmmittee StaffAll staff and students handling persnal data 8. References This data prtectin plicy is supprted within the cntext f the fllwing pieces f legislatin, prfessinal standards, and University dcuments: Data Prtectin Act 1998 Data Prtectin and Freedm f Infrmatin Fees Regulatins 2004 Freedm f Infrmatin Act Data Prtectin Plicy 15

16 Envirnmental Infrmatin Regulatins 2004 Privacy and Electrnic Cmmunicatins Regulatins 2003 Prtectin f Freedms Act 2012 ICO guidance and cdes f practice 16 UEA Freedm f Infrmatin Plicy UEA Envirnmental Infrmatin Regulatins Plicy UEA Recrds Management Plicy and supprting departmental recrds retentin schedules (RRSs) 9. Review Annual; by IPCM in cnsultatin with the Every tw years; by Assistant Directr Strategy, Plicy and Cmpliance in cnsultatin with the IPCMs and with the Directr f Infrmatin Services rganisatins/guide t data prtectin/ Data Prtectin Plicy 16