Data Protection Act Procedures and Guidance

Transcription

1 Secretariat Unit Data Protection Act Procedures and Guidance Established: Revised: November 2013 Version: Approved by: Date of next review:

2 Introduction Objectives The Data Protection Act is intended to protect individuals from unwanted or harmful uses of their personal data so that their personal privacy is protected. It regulates the way in which organisations collect, use, disclose and destroy information about individuals to ensure that they do so in a responsible and accountable fashion. The Data Protection Policy and these procedures are intended to ensure that all processing of personal data carried out by, or on behalf of, Cardiff Met complies with the requirements of the Data Protection Act, 1998 (DPA), including the eight data protection Principles. In particular Cardiff Met seeks to ensure that all those processing data are aware of their obligations under the DPA and that all data subjects are made aware of their rights. Scope These procedures cover the processing of personal data (ie information about living individuals) whose use is controlled and defined in Cardiff Met s Data Protection Notification. It applies to all governors, staff, students and agents of Cardiff Met who process personal data on behalf of Cardiff Met. These procedures do not apply to processing undertaken by individuals for private ends, even in cases where Cardiff Met equipment is used for such processing. However, Cardiff Met will continue to require adherence to the principles of the data protection policy and procedures by associated or partner institutions in any case where data is shared between Cardiff Met and another institution. Responsibilities The senior manager with responsibility for data protection is the Secretary and Clerk to the Governors. Day to day responsibility for compliance, including the provision of information, advice and guidance, lies with Cardiff Met s Data Protection Officer (DPO), who is Senior Officer, Secretariat Unit. The Head of Library and Information Services is responsible for ensuring the security of all personal data held electronically. The System Manager for Cardiff Met CCTV systems is the Facilities Manager (Operations). Deans of Schools and Heads of Units are responsible for ensuring that all data processing operations within their remit comply with the DPA and that all staff are aware of the implications of the DPA in relation to their duties. All staff should ensure that any processing for which they are responsible, including any processing undertaken by students, complies with the DPA. Staff are responsible for obtaining suitable advice from relevant individuals to ensure that there is no breach of the DPA. Appropriate disciplinary action, possibly leading to

3 dismissal, will be taken in cases where a member of staff has committed a breach of the DPA, or has allowed a breach to occur. Staff should also be aware that a breach of the DPA may also represent a criminal offence for which they are personally liable. Definitions Data controller: Data subject: Notification: The person or organisation which determines and controls the processing of personal data. An individual whose personal data is processed by a data controller. A description of the processing undertaken by a data controller, as notified to the Information Commissioner s Office. Personal data: Information which relates to an identifiable living individual. Personal data may be electronic or manual and the definition would also include photographs, visual and voice recordings. Processing: Sensitive personal data: Any actions relating to personal data including the collection, recording, holding, storing, organising, retrieving, viewing, consultation, use, amendment, disclosure and disposal of the data. Data relating to ethnic origin, political opinion, religious beliefs, trade union membership, physical and mental health, sexual life or criminal record. Information Commissioner s Office (ICO) assessment Cardiff Met will co-operate with any data protection assessment instigated by the ICO. Members of staff will be expected to assist with any assessment. Legislation and other policies and procedures These procedures are to be read in the context of the following legislation: Data Protection Act, 1998 Privacy and Electronic Communications Regulations Regulation of Investigatory Powers Act, 2000 Freedom of Information Act, 2000 Human Rights Act, 1998 Elements of these procedures will also be reflected in, or be informed by, the following other Cardiff Met policies and procedures: Closed Circuit Television Systems Code of Practice Electronic Communications Policy Environmental Information Regulations Policy and Procedures Freedom of Information Act Policy and Procedures Policy on Openness Records Management Policy and Procedures Review These procedures will be reviewed annually by the DPO, as part of the annual report on information compliance.

4 Procedures Information General information about the DPA will be made available to new Cardiff Met staff in the A Z Guide and to Cardiff Met students in the Student Handbook. More detailed information will be made available on the external Cardiff Met website, including: The Data Protection Policy A copy of these procedures Staff responsibilities Information about the rights of individuals (see Appendix A) A training course will be offered to all staff. Subject rights Cardiff Met undertakes to honour the rights of all data subjects (including students and staff) as laid out in the DPA. The University will: Take steps to ensure that all data subjects are informed of their rights Carefully consider any claims by a data subject that processing is causing unwarranted damage or distress Discontinue direct marketing to any data subject who informs the University that they do not wish to receive such communications, even in cases where they had previously given their consent Ensure that any decision reached by automated means (for example, a mark given to an exam script using optical mark reader technology or the use of plagiarism detection software) will be subject to manual review at the request of the data subject. It will be the responsibility of the relevant Head of School/Unit to ensure that such reviews are conducted thoroughly and in good time (within 21 days of receipt of the request) Respond appropriately to Subject Access Requests (SAR). Notification Maintaining an accurate, up to date notification is a legal requirement. A notification informs interested parties, including the data subjects, what personal data a data controller is holding, for what purposes and to whom that data might be disclosed. Cardiff Met will maintain an accurate notification of its data processing activities with the Information Commissioner s Office (ICO) and will only process personal data, or sensitive personal data, which is described in the notification and in accordance with the notified purposes. The University will also maintain notifications for companies that are wholly owned by Cardiff Met and will inform the ICO of changes to all notifications in a timely manner. Staff must inform the DPO if they intended to collect new or different information, or to use existing information for a new purpose, so that Cardiff Met s notification can be reviewed and any changes made. It is the responsibility of the DPO to renew all Cardiff Met s notifications annually and to inform the ICO of any changes. Cardiff Met reserves the right to audit data processing being undertaken in any of its constituent Schools or Units, to ensure that processing is legitimate and that the Cardiff Met notification remains valid.

5 Cardiff Met s currently notified purposes are available at Appendix B and further details can be seen in the Register of Data Controllers on the ICO website ( Data collection Conditions for processing Personal data should only be collected once it has been established that there is a need for all the information and that a relevant condition for processing can be applied, two relevant conditions in the case of sensitive personal data. A full list of the conditions is available in Appendix C. Fair Processing Notice Whenever an individual submits information to Cardiff Met, no matter by what means, they need to be clearly informed as to: The identity of the data controller this will usually be Cardiff Met and the identity of any representatives who will process the information on behalf of Cardiff Met The reason(s) for the processing and/or the uses of the information Whether the information will be disclosed to a third party Any other details relating to the processing that are relevant it may, for example, be appropriate to inform the individual how the data will be stored if this is not obvious All staff are responsible for ensuring that the forms, or other methods, that are used to collect personal data (whether electronic or manual) include an appropriate fair processing notice and, where necessary, a consent statement. Sensitive personal data Sensitive personal data should not be collected unless there is a proven need for the information. Circumstances in which sensitive data may be processed include: The compilation of monitoring data The provision of pastoral support Collecting trade union subscriptions The provision of health, occupational health and counselling services Admissions and recruitment processes (in relation to criminal record information) In most cases it will only be possible to collect and process sensitive personal data if the explicit consent of the data subject has been obtained. If the processing is relying on explicit consent the data subject needs to be clearly and completely informed of the reasons for the processing and any potential consequences of the processing. They then need to positively indicate their consent. Failure to respond or failure to object cannot be regarded as explicit consent. Data accuracy Cardiff Met will take steps to ensure the accuracy of all the personal data that it holds, so far as it is practical to do so.

6 Staff, students and other data subjects have a responsibility to ensure that they inform Cardiff Met of any changes to their details. If it is informed that data is inaccurate Cardiff Met will, in most cases, correct or erase that data subject to confirmation of the identity of the individual concerned. Data security Cardiff Met is committed to holding personal data securely and will take appropriate measures, with regard to the sensitivity of the data, to safeguard both paper and electronic data against unauthorised access, accidental loss, accidental corruption or accidental disclosure. All staff who process personal data as part of their role at Cardiff Met have a responsibility for ensuring that data are kept securely and that appropriate measures are taken to protect the data. Paper records Appropriate physical measures must be taken to protect personal data when it is to be processed as hard copy, particularly if it is to be processed outside Cardiff Met. Measures should be taken to ensure that there is no unauthorised access to areas in which records are held. Offices and storage areas that are unattended should be locked, and consideration should be given to also locking filing cabinets in those areas. Files should be kept away from public areas and should not be left unattended. Where possible, staff should operate a clear desk policy. Areas where records are stored whether offices, record stores or archives should be suitable for that purpose. Record systems should use appropriate filing systems and staff should re-file records accurately and without undue delay. Consideration should be given to tracking files when they are away from the record system. For more information see Records Management Procedures. Careful consideration should be given as to the method of transfer where a need is established for data to be shared with other Cardiff Met staff, or with individuals outside Cardiff Met. When manual records are no longer required they should be disposed of securely. Electronic records Library and Information Services (LIS) will ensure that appropriate security controls are in place to protect Cardiff Met corporate IT systems and the data held on those systems. All staff and students must comply with relevant LIS procedures. LIS is also responsible for ensuring that computers which are to be recycled or disposed of are thoroughly wiped. Access to Cardiff Met IT Services is granted by the allocation of a User Name. Users must not use another person s User Name, nor allow any password issued to them to become known to any other person.

7 When processing personal data staff should ensure that their screens can not be seen by the public, or by any other unauthorised person. IT equipment should not be left unattended. Personal data should only be processed outside Cardiff Met corporate IT systems, where it is at greater risk, if there is an identified need for the data to be processed in this way and if the data is encrypted. Any member of staff who undertakes such processing is responsible for ensuring the security of the data. For more information on encrypting data see Encryption Guidelines. If personal data are to be processed on a mobile or portable device (a laptop, PDA, memory stick, external hard drive, etc) the device must be password protected and the data should be backed up regularly. All such devices, and their data, must be kept safely and securely at all times. Any loss of personal data must be reported in accordance with the Electronic Communications Policy, so that the implications of the loss can be established and measures to mitigate the loss can be considered. Subject access requests A Subject access Request (SAR) is a request for personal data, of which the individual making the request is the data subject. An informal SAR may be addressed to any member of staff at Cardiff Met and staff may respond to such requests if they: Are certain that the person making the request is the data subject level of verification necessary will depend on the sensitivity of the information requested Have checked what information has been requested Have the authority to disclose the information Are able to disclose all the information requested A response needs to be sent as soon as possible and within 40 calendar days. A Subject Access Request Form is available on the Cardiff Met external website for formal SARs, which should be addressed to Cardiff Met s DPO. The DPO will conduct a search for information once the following have been received: Proof of identity A fee, if appropriate Sufficient information to locate the information requested Unless the person making the request specifies otherwise a search will be conducted for centralised records held by, for students: Academic Registry The relevant School and for staff: Human Resources The relevant School or Unit Upon receipt of a valid request for access to data the DPO will contact the relevant department(s).

8 Cardiff Met will carefully consider any grounds that may exist for refusing to disclose any of the information requested (usually when the information also includes the personal data of other individuals). If we reach the conclusion that any part of the request should be refused we will inform the requester in writing of the reasons for this. Responses to SARs will be provided in a permanent form unless it is believed that this would involve disproportionate effort or the data subject agrees otherwise. Any codes shown will be translated or explained to the data subject. All individuals who process personal data on behalf of Cardiff Met (including references, reports, s, etc) should be aware that if they contribute facts or opinions about an individual it is likely that the individual will have the right of access to that information. Disclosing personal data Personal data should only be disclosed to a third party (ie to someone other than the data subject) in accordance with the DPA. If a request for personal data is received careful consideration must be given as to whether complying with the request would breach the DPA. Within Cardiff Met Personal data should only be disclosed to other individuals or departments within Cardiff Met if the disclosure is in compliance with the DPA and, in particular, if it is for a notified purpose and is covered by the relevant Fair Processing Notice. To an agent Cardiff Met will only disclose information to a data processor (an individual or organisation processing information on behalf of Cardiff Met) if suitable contract terms are in place and if appropriate security checks have been undertaken by LIS. To a third party Personal data should not be disclosed to an external third party, including publishing that data to an external website, unless full consideration has been given to whether such a disclosure would comply with the DPA. Student results should not be published, for example on a notice board or in a local paper, unless the students have consented in writing. Requests for personal data made by someone other than the data subject will be treated as Freedom of Information Act requests and should be forwarded to, or advice sought from, the Freedom of Information Officer immediately. Data will only be disclosed if to do so would not breach the DPA. If a third party has an authority for their request other than the Freedom of Information Act, the nature of that authority and their identity should be established before any disclosure is considered. Requests citing Section 29 of the DPA (the prevention or detection of crime) should only be considered on receipt of the appropriate form, signed by a senior officer. Disclosures of student data will be made only by the Director of Student and Registry Services and disclosures of staff

9 data will be made only by the Director of Human Resources, if necessary in consultation with the DPO. All third party requests should be recorded and the reasons for the disclosure or the refusal should be adequately documented. Web Publishing Cardiff Met maintains a strong web presence. Staff personal data, including contact details, will only be published on the website if the individual has an external facing role, which can not be accomplished by publishing generic contact details, or is at a level of Dean of School/Head of Unit or above. Student personal data, including promotional photographs, will only be published on the website if a Schedule 4 Condition, normally consent, is satisfied. Web cameras should not be used where these provide images of identifiable individuals. Overseas Processing If personal data are to be processed outside the EEA, either by Cardiff Met staff or by a data processor acting on our behalf, we will ensure that the data will be adequately protected. This may be by means of an European Commission finding of adequacy, or by using a contract incorporating the EC s model clauses, or by another approved means. Records retention and disposal Cardiff Met will retain personal data as long as it is required for the purpose for which it was obtained. Records will be retained for as long as there is a business need or statutory requirement for them and will then be archived or destroyed as documented in our Records Retention Schedule (RRS). Cardiff Met will retain appropriate historical records, for confirming previous student and staff details and as a record of the business conducted by the institution. Information identified as retained for archival purposes shall be kept by the School or Unit to a suitable standard. Any other material shall be destroyed, once the business need for retaining it has passed, in accordance with the RRS. Staff should not keep individual archives and should not retain any personal records they hold for longer than is indicated by the RRS. Personal data will be destroyed securely in accordance with the Confidential Waste Policy. IT equipment and portable storage media must be disposed of in accordance with the Equipment and Data Disposal Policy. Students who process personal data Students who need to process personal data as a justifiable part of their studies (whatever the level or mode) will be covered by Cardiff Met s data protection

10 notification. Any student who processes personal data as part of their studies should be supplied with relevant guidance on the data protection implications of their processing and should work under the direct supervision of a member of staff. Research Staff (and, where relevant, students) undertaking research will be covered by Cardiff Met's data protection notification. So long as any research undertaken does not support measures taken against individuals and is not published in a way that would identify individuals or cause them damage or distress, data used for research purposes will enjoy certain exemptions from the terms of the DPA. Notably, data may be used for research even if not originally collected for that purpose, data may be kept indefinitely, and subjects do not have the right to access the data. Despite the terms of these exemptions, Cardiff Met seeks to ensure that, wherever practicable, data subjects are made fully aware of any research use their data may be put to. Wherever possible, research data will be anonymised before use. Additionally, researchers are required to keep their data secure and to guard against any accidental disclosure that might arise from direct or indirect reference to individuals in any research report. In cases where sensitive personal data are being processed, researchers should obtain the approval of the relevant committees before commencing processing. In cases where research data are to be shared with other researchers based overseas, the explicit consent of the research subjects should be sought. References References issued on behalf of Cardiff Met should largely comprise brief statements of fact and minimal opinion. Where opinion is given, it should be supported with factual evidence wherever possible. All staff shall be made aware that references they write may become available to the subject. In cases where references are written for internal consumption only (for example, by use in a promotions panel) these should be made available to the subject on request unless this would lead to an unavoidable disclosure of some other third party s personal details. References received by Cardiff Met should be made available to the subject on request. All standard reference request forms should make this clear to the referee, and all Schools/Units should ensure that referees are fully aware of the possibility of subject access. Examination marks Students should be informed of marks for coursework at the time of their award. Examination marks should usually be made available to students in the form of formal transcripts of marks, which should be forwarded to students as soon as is practically possible. If so requested, marks must be released to debtors no more than 40 days after their official release (or 5 months from the date of request if this is sooner), though such release will not be by formal transcript. CCTV

11 Cardiff Met operates CCTV cameras on its premise in order to assist in: The prevention and detection of crime and the apprehension of offenders Managing traffic and car parks The investigation of disciplinary cases The management of emergency situations All cameras will be mounted in public view and signs will be displayed warning of their presence and the purposes of their operation. Access to recorded images will be restricted to staff who need that access in order to achieve the above purposes. The images will only be disclosed to other organisations or individuals where: A valid request is made by a law enforcement or prosecution agency for images recorded which would assist in a specific criminal inquiry A valid request is received from relevant legal representatives It is decided by the Data Protection Officer or his/her nominee that the assistance of University staff is needed to identify a victim, witness or perpetrator in relation to a criminal incident. In such cases images from the system may be circulated via the University system to selected staff on a targeted basis or placed on a restricted area of the University's website. As part of that decision, the wishes of the victim of an incident will, where possible, be taken into account An individual whose images have been recorded and retained requests disclosure by virtue of the Data Protection Act 1998 A valid request in accordance with Freedom of Information Act 2000 is received where no personal data is put at risk. Any request for disclosure of information must be made, in writing, to the System Manager or to the DPO (through the standard SAR procedure). In the latter case the subject will need to specify that they wish the search to cover CCTV images. The DPO or his/her nominee is responsible for determining whether disclosing images in response to any particular request would be in breach of the DPA. Data will normally be preserved for 30 days. After this period, if they are not needed for evidential purposes, the data will be over-written. If required for evidential purposes, they will be retained for as long as is necessary.

12 Appendix A Rights of Individuals If Cardiff Metropolitan University is processing information about you, then you have a number of rights in relation to that information. The: Right of access Right to prevent processing Rights concerning automated decisions Right to compensation Right to correct or erase inaccurate data The University will normally ask you for proof of your identity if you contact the University about any of these rights. If you would like more information about your rights or want to contact Cardiff Metropolitan University to assert a right, the University would encourage you to get in touch with: Siân Newton Data Protection Officer Secretariat Unit Cardiff Metropolitan University Llandaff Campus Western Avenue Cardiff CF5 2YB snewton@cardiffmet.ac.uk Right of Access You have the right: To be informed if the University is processing personal data about you (If so) To be given a description of the data, the purposes for which the data are being processed and to whom it may be disclosed To have a copy of your personal data and any information that we have as to the source of the data To be informed of the logic behind some automated decisions If you would like to see or have a copy of any data about yourself then please have a look at the guide to requesting information from Cardiff Metropolitan University You can also download and print the guide as a Word document Information from Cardiff Metropolitan University. How to Request If you are a student or a Cardiff Met alumni the Student Fair Processing Notice, which gives details of the information we are processing about you, is available by clicking here. Right to Prevent Processing

13 You have the right to prevent the University processing your personal data if the processing is causing, or is likely to cause, substantial damage or distress to you or to someone else. If anything Cardiff Metropolitan University is doing with your personal data is causing loss, harm, real upset or real anguish, then you should write to us to tell us: What processing you want stopped, or not begun Why the processing is causing unwarranted damage or distress When you want to stop the processing You also have the right to prevent the processing of your personal data for direct marketing Again, you should write to the University to tell the University to stop (including when to stop). Rights Concerning Automated Decisions You have the right to ensure that most decisions which significantly affect you are not made solely by automatic means and to ask the University to reconsider a decision that has already been taken. If you want to assert this right, you should put it in writing. Right to Compensation You have the right to claim compensation if the University has failed to comply with any of the requirements of the Act and you have suffered damage, or damage and distress, as a result. You can also claim for distress alone in certain cases. If you feel that you have a claim for compensation and want to attempt to resolve the situation informally you should first explain the circumstances of your claim in writing. You also have the right to apply to the Court for compensation. Right to Correct or Erase Inaccurate Data If you believe the University is holding incorrect information about you, the University will, in most cases, make any necessary corrections or even erase the information, although you also have the right to apply to a Court to have inaccurate data about you rectified, blocked, erased or destroyed. This right extends to any opinions based on the inaccurate data.

14 Appendix B Cardiff Met s current notification is registration number Z471616X. Our notified purposes are: Personnel administration Work planning and management Marketing and selling Fundraising Purchaser / supplier administration Membership administration Ancillary and support functions (specifically: Car Parking administration, Debt collection, Safety office, Maintenance of the on-line telephone directory and telephone exchange service) Customer and client administration Research and statistical analysis (specifically: Educational research, Health research, Social research, Technical research) Information and data bank administration Housing management Education and training administration Credit facilities administration Legal services Consultancy and advisory services (specifically: Careers, Chaplaincy, Counselling) Alumni relations Colleges commercial activities Web-based user directory services Web-site maintenance Lending and hire services administration Share and stock-holding registration

15 Appendix C The Data Protection Principles and Conditions Principle 1: Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one Schedule 2 condition is met and, in the case of sensitive personal data, at least one Schedule 3 condition is also met. Principle 2: Personal data shall be obtained for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes. Principle 3: Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed. Principle 4: Personal data shall be accurate and, where necessary, kept up to date. Principle 5: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose. Principle 6: Personal data shall be processed in accordance with the rights of data subjects under the DPA. Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Principle 8: Personal data shall not be transferred to a country outside the EEA unless that country ensures an adequate level of protection for data subjects including if a Schedule 4 Condition applies. Schedule 2 Conditions The data subject has given consent Processing is necessary for the performance of a contract to which the data subject is a party Processing is necessary for compliance with any legal obligation placed on the controller Processing is necessary to protect the vital interests of the data subject Processing is necessary for functions of a public nature, in the public interest Processing is necessary for the purposes of legitimate interests pursued by the data controller or by third parties to whom the data is disclosed (except where this might prejudice the rights or freedoms of the data subject). Schedule 3 Conditions The data subject has given explicit consent Processing is necessary for compliance with any legal obligation placed on the controller that relates to employment.

16 Processing is necessary to protect the vital interests of the data subject, or another person, when consent cannot be given or cannot reasonably be expected to be obtained, or, in some cases, has been unreasonably withheld. Processing is the legitimate activity of a not for profit body, undertaking political, philosophical, religious or trade union purposes. The information involved has already been made public by the subject Processing is necessary for legal proceedings, or prospective proceedings. Processing is necessary for the administration of justice, functions conferred by enactment, functions of a government department Processing is necessary for medical purposes and is undertaken by a health professional, or another with a duty of confidentiality Processing is of information relating to racial or ethnic origin and is necessary for reviewing equality of opportunity Schedule 4 Conditions The data subject has given consent Transfer is necessary for the performance of a contract, which has been requested by the data subject Transfer is necessary for reasons of substantial public interest Transfer is necessary to protect the vital interests of the data subject Transfer is necessary for legal proceedings, or prospective proceedings The rights and freedoms of the subject are adequately protected