1.1 Personal data is information which relates to a living individual and from which they can be identified, either directly or indirectly.
1.2 Personal data is held at the University in a variety of ways and for many different purposes. These purposes include, but are not limited to, the maintenance of staff and student records and other matters such as research data and the management of relationships with alumni, supporters and other persons.
1.3 Personal data will be handled with care and in compliance with the law governing data protection, the General Data Protection Regulation (GDPR).
1.4 This policy sets out the commitment of the University to the maintenance of high standards of protection for the personal data it holds, whether in digital or manual records.
2.1 The University confirms its commitment to compliance with the GDPR.
2.2 This policy covers all University activity in which personal data is used. It applies to all members of the University including staff, students, governors and others acting for or on behalf of the University or who are otherwise given access to the University’s information infrastructure.
2.3 This policy should be read and interpreted in conjunction with the other related University policies and procedures which are listed at the end of this policy.
3 Registration at the Information Commissioner’s Office
3.1 The University maintains and complies with its registration at the Information Commissioner’s Office in accordance with the requirements of the GDPR and is committed to co-operating with the Office in the fulfilment of its obligations and support of the principles underpinning data protection law.
4 Principles governing the processing of personal data
In compliance with Article 5 of the GDPR, personal data will be:
4.1 processed lawfully, fairly and in a transparent manner
4.2 collected for specific, explicit and legitimate purposes
4.3 adequate, relevant and limited to what is necessary for the purpose
4.4 accurate and kept up to date
4.5 only kept for as long as it is needed
4.6 kept safe using appropriate technical and organisational measures
5 The legal basis for processing
5.1 The University makes Privacy Statements readily available to students, staff and others. Privacy Statements set out the type of data generally held by the University, the reasons for the collection of the personal data, an explanation about circumstances in which data may be shared with others and a statement of the rights of individuals under the GDPR.
5.2 Individuals will be informed of the lawful basis for the intended processing of their personal data. In the case of students and staff the lawful basis will generally be the need to fulfil the contract between the individual and the University.
5.3 If there is an intention to use the data for marketing purposes or other purposes where the University is relying on consent as the lawful basis for processing, the individual will be notified of this intention and will be asked for clear and specific consent before any such use will be made of the data. The University will maintain records of consents given and withdrawn.
6 Use and disposal of Data
The University has processes in place to ensure that the personal data it holds remains accurate and up to date and is disposed of in accordance with its Data Classification and Handling Policy. In particular:
6.1 The University will seek to maintain high standards of data integrity and aim to avoid duplication, inaccuracy and inconsistencies across personal data retention locations.
6.2 The University will maintain a comprehensive Retention of Records Policy to help avoid excessive retention or premature destruction of personal data.
6.3 Personal data which is no longer required, or which should no longer be held under GDPR will be disposed of in a manner appropriate to its nature and the need for security in accordance with its Data Classification, Handling and Disposal Policy.
6.4 The University will maintain an Information Asset Register detailing all processing activity including the data held, its source, details of sharing of the data and the lawful basis for the processing.
The University will maintain appropriate technical and organisational measures to ensure the security of personal data. In particular:
7.1 Data security is created, reviewed, tested and improved on an on-going basis
7.2 Procedures are in place to analyse and respond to any identified threats to data security
7.3 Policies specifically relating to digital security measures are listed at the end of this policy
7.4 Each Service and School maintains and complies with documented organisational measures governing the security of data held within its own area.
8 Risk Management
8.1 The University assesses and identifies areas that could cause data protection compliance or security problems and records these through School and Service risk registers which are actively managed. Controls are applied to mitigate the identified risks and these are regularly verified for effectiveness as part of this process.
8.2 The University acknowledges its duty under GDPR to conduct a Data Protection Impact Assessment when introducing new technologies or procedures which may involve a high risk to the rights and freedoms of individuals.
9 The rights of data subjects
The rights of data subjects under GDPR will be respected. In particular:
9.1 the University recognises that data subjects have the right to have access to the personal data held about them; to have errors corrected; to have data erased in some circumstances; to object to or to restrict processing in some circumstances; to have data securely transferred to another organisation; and to assert the right to human intervention, to express their opinion and to obtain and challenge explanations where automated decision-making is used and has an impact on them;
9.2 the University will respond to requests for access to data or the assertion of other GDPR rights within the statutory time limits in accordance with its Subject Access Request Procedure.
11 Staff training and personal responsibility
11.1 The University provides data protection training for all staff. This is done as part of the on-boarding procedure for new staff and when updates are required. Completion of data protection training is an essential element of a successful probation. The training reinforces personal responsibility and good security behaviours, including how to recognise and report breaches and the safe movement of data through appropriate channels.
11.2 Specialist training is provided to staff with specific roles, such as marketing, information security, and Human Resources.
11.3 Breaches of this or a related policy will be dealt with in accordance with the University's Disciplinary Procedure.
12 Roles and Responsibilities
12.1 The University has a designated Data Protection Officer with overall responsibility for data protection compliance in accordance with the duties set out in GDPR.
12.2 The Data Protection Officer is responsible for:
12.2.1 Maintaining this policy and all records relating to data protection;
12.2.2 Providing guidance, support, training and advice on compliance with GDPR;
12.2.3 Liaison with the Information Commissioner’s Office;
12.2.4 Taking legal advice on matters relating to the GDPR where necessary;
12.2.5 Supervising the management of access and other requests from data subjects;
12.2.6 Managing the procedure for the reporting and resolving of personal data breaches;
12.2.7 Reviewing and auditing the way personal information is managed, and ensuring that methods of handling personal information are regularly assessed and evaluated;
12.2.8 Monitoring and reporting on compliance with data protection training.
12.3 Directors of Services and Deans of Schools are responsible for ensuring awareness of and compliance with this policy in their areas.
12.4 The Director of Digital Services is responsible for maintaining the University’s Digital Services capability Policies in liaison with the Data Protection Officer.
12.5 Principal investigators are responsible for personal data management in their own research studies and for ensuring that secure information systems and operating procedures are in place with regards to data handling. Where personal data is processed, research staff and students must adhere to the personal data processing requirements set out in this policy, as well as the University’s Code of Practice for Research.
12.6 Staff training reinforces personal responsibility and good security behaviours, including how to recognise and report breaches.