The purpose of the Data Protection Act 1998 is to protect the rights and privacy of living individuals and to ensure that personal data is not processed without their knowledge, and, wherever possible, is processed with their consent.
Hartpury College needs to keep certain information about staff, students and other users to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with. To comply with the law, information must be used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the College must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 ("the Act"). The principles are set out in detail under the section Data Protection Principles later in this policy. In summary these state that personal data shall:
- Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
- Be adequate, relevant and not excessive for those purposes.
- Be accurate and kept up-to-date.
- Not be kept longer than is necessary for that purpose.
- Be processed in accordance with the data subject's rights.
- Be kept safe from unauthorised access, accidental loss or destruction.
- Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
The College and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the College has developed this Data Protection Policy. The policy applies to all staff and students of the College. Any breach of the Act or the College Data Protection Policy is considered to be an offence and in that event, Hartpury College disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with the College, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that departments/sections who deal with external agencies will take responsibility for ensuring that such agencies sign a contract agreeing to abide by this policy.
Data relating to a living individual who can be identified from that information or from that data and other information in possession of the data controller. Includes name, address, telephone number, id number. Also includes expression of opinion about the individual, and of the intentions of the data controller in respect of that individual.
Different from ordinary personal data (such as name, address, telephone) and relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Sensitive data are subject to much stricter conditions of processing.
Any person (or organisation) that makes decisions with regard to particular personal data, including decisions regarding the purposes for which personal data are processed and the way in which the personal data are processed.
Any living individual who is the subject of personal data held by an organisation.
Any operation related to organisation, retrieval, disclosure and deletion of data and includes: obtaining and recording data; accessing, altering, adding to, merging, deleting data; retrieval, consultation or use of data; disclosure or otherwise making available of data.
Any individual/organisation other than the data subject, the data controller (College) or its agents.
Any person to whom the data is disclosed, including another staff member of the data controller.
A recognised and lawful source of personal data collection.
A recognised and lawful recipient of personal data (in compliance with the purpose of processing).
Relevant Filing System
Any paper filing system or other manual filing system which is structured so that information about an individual is readily accessible. Please note that this is the definition of "Relevant Filing System" in the Act. Personal data as defined, and covered, by the Act can be held in any format, electronic (including websites and emails), paper-based, photographic etc. from which the individual's information can be readily extracted.
Data - information which is:
- Being processed by means of equipment operating automatically in response to instructions given for that purpose.
- Recorded with the intention that it should be processed by means of such equipment.
- Recorded as part of a relevant filing system (a structured system)
- Forms part of an accessible record. This includes such things as manual index card files, microfiche, etc.
The College as a corporate body is the Data Controller under the Act.
A Data Protection Officer, the Vice Principal (Business and Finance), has been appointed and is responsible for day-to-day data protection matters and for developing specific guidance notes on data protection issues for members of the College.
The College Executive, Heads of Departments/Sections and all those in managerial or supervisory roles are responsible for developing and encouraging good information handling practice within the College.
Compliance with data protection legislation is the responsibility of all members of the College who process personal information. Members of the College are responsible for ensuring that any personal data supplied to the College are accurate and up-to-date.
Status of the Policy
It is a condition of employment that staff will abide by the rules and policies made by the College from time to time. Any failure to follow the policy can therefore result in disciplinary proceedings.
Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the Data Protection Officer initially. If the matter is not resolved it should be raised as a formal grievance.
Notification of Data Held and Processed
Notification is the responsibility of the Data Protection Officer.
All staff, students and other users are entitled to:
- Know what information the College holds and processes about them and why.
- Know how to gain access to it.
- Know how to keep it up-to-date
- Know what the College is doing to comply with its obligations under the Act
Responsibilities of Staff
All staff are responsible for:
- Checking that any information that they provide to the College in connection with their employment is accurate and up to date.
- Informing the College of any changes to information, which they have provided, e.g. changes of address.
- Checking the information that the College will send out from time to time, giving details of information kept and processed about staff.
- Informing the College of any errors or changes. The College cannot be held responsible for any errors unless the staff member has informed the College of them.
If and when, as part of their responsibilities, staff collect information about other people, (e.g. about students' course work, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with the guidelines for staff (See Appendix A).
Data Protection Principles
All processing of personal data must be carried out in accordance with the eight data protection principles.
- Personal data shall be processed fairly and lawfully. This means that in many cases processing will not be allowed without the consent of the data subject (see “Subject Consent” below), or where the processing is required for the performance of a contract to which the data subject is a party, or necessary for compliance with any legal obligation to which the data controller is subject.
Those responsible for processing personal data must make reasonable efforts to ensure that data subjects are informed of the identity of the Data Controller, the purpose(s) of the processing, any disclosures to third parties that are envisaged and an indication of the period for which the data will be kept.
- Personal data shall be obtained for specific and lawful purposes and not processed in a manner incompatible with those purposes.
Data obtained for specified purposes must not be used for a purpose that differs from those.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is held. Information, which is not strictly necessary for the purpose for which it is obtained, should not be collected. If data are given or obtained which is excessive for the purpose, they should be immediately deleted or destroyed.
- Personal data shall be accurate and, where necessary, kept up to date.
Data, which are kept for a long time, must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that they are accurate. It is the responsibility of individuals to ensure that data held by the College are accurate and up-to-date. Completion of an appropriate registration or application form etc will be taken as an indication that the data contained therein is accurate. Individuals should notify the College of any changes in circumstance to enable personal records to be updated accordingly. It is the responsibility of the College to ensure that any notification regarding change of circumstances is noted and acted upon.
- Personal data shall be kept only for as long as necessary. This means that for as long as the College holds personal information, it must show a purpose for having them. If the College cannot justify keeping personal data it must get rid of them.
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.
- Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Data must not be transferred outside of the European Economic Area (EEA) - the Twenty-five EU Member States together with Iceland, Liechtenstein and Norway - without the explicit consent of the individual.
Data Subject Rights
Data Subjects have the following rights regarding data processing, and the data that are recorded about them:
- To make subject access requests regarding the nature of information held and to whom it has been disclosed.
- To prevent processing likely to cause damage or distress.
- To prevent processing for purposes of direct marketing.
- To be informed about the mechanics of any automated decision-taking process that will significantly affect them.
- Not to have significant decisions that will affect them taken solely by automated process.
- To sue for compensation if they suffer damage by any contravention of the Act.
- To take action to rectify, block, erase or destroy inaccurate data.
- To request the Commissioner to assess whether any provision of the Act has been contravened.
Students must ensure that all personal data provided to the College are accurate and up to date. They must ensure that changes of address, etc are notified to the student registration office/other person as appropriate.
Students who use the College computer facilities may, from time to time, process personal data. If they do they must notify the designated Data Protection Officer. Any student who requires further clarification about this should contact the designated Data Protection Officer.
All members of staff are responsible for ensuring that any personal data (on others) which they hold are kept securely and that they are not disclosed to any unauthorised third party. All personal data should be accessible only to those who need to use it. You should form a judgement based upon the sensitivity and value of the information in question, but always consider keeping personal data:
a) in a lockable room with controlled access, or
b) in a locked drawer or filing cabinet, or
c) if computerised, password protected, or
d) kept on disks which are themselves kept securely.
Care should be taken to ensure that PCs and terminals are not visible except to authorised staff and that computer passwords are kept confidential. PC screens should not be left unattended without password protected screen-savers and manual records should not be left where they can be accessed by unauthorised personnel.
Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data. Manual records should be shredded or disposed of as "confidential waste". Hard drives of redundant PCs should be wiped clean before disposal.
This policy also applies to staff and students who process personal data "off-site". Off-site processing presents a potentially greater risk of loss, theft or damage to personal data. Staff and students should take particular care when processing personal data at home or in other locations outside the College Campus.
Rights to Access Information
Staff, students and other users of the College have the right to access any personal data that are being kept about them either on computer or in certain files. Any person who wishes to exercise this right should complete the College "Access to Data Request" form, Appendix B (staff) and Appendix C (students) and hand it to the Data Protection Officer, although failure to complete the form does not invalidate the request.
For students, the College will make a charge of £10.00 on each occasion that access is requested, although the College has discretion to waive this. For staff, there will be no charge.
The College aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within twenty-one days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request. In any event the 21 day period will not start until the College has received:
- all information reasonably required to identify the data subject;
- any fee due; and
- proof of identity
Any inaccuracies in data disclosed in this way should be communicated immediately to the Data Protection Officer who will take appropriate steps to make the necessary amendments.
The College has the right to refuse repeated or vexatious subject access requests under the Act.
In many cases, the College can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained unless processing is necessary for one of the purposes stated in the Act. Agreement to the College processing some specified classes of personal data is a condition of acceptance of a student on to any course, and a condition of employment for staff. This includes information about previous criminal convictions.
Some jobs or courses will bring the applicants into contact with children, including young people between the ages of fourteen and eighteen. The College has a duty under the Children Act and other enactments to ensure that staff, students and those who use the College facilities do not pose a threat or danger to other users.
The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The College will only use the information in the protection of the health and safety of the individual,
Model Contract Clauses for staff contracts of employment are contained in Appendix D.
Disclosure of Data
The College must ensure that personal data are not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the Police. All staff and students should exercise caution when asked to disclose personal data held on another individual to a third party. For instance, it would usually be deemed appropriate to disclose a colleague's work contact details in response to an enquiry regarding a particular function for which they are responsible. However, it would not usually be appropriate to disclose a colleague's work details to someone who wished to contact them regarding a non-work related matter. The important thing to bear in mind is whether or not disclosure of the information is relevant to, and necessary for, the conduct of College business. Best practice, however, would be to take the contact details of the person making the enquiry and pass them onto the member of the College concerned.
This policy determines that personal data may be legitimately disclosed where one of the following conditions applies:
- The individual has given their consent (e.g. a student/member of staff has consented to the College corresponding with a named third party)
- Where the disclosure is in the legitimate interests of the institution (e.g. disclosure to staff - personal information can be disclosed to other College employees if it is clear that those members of staff require the information to enable them to perform their jobs)
- Where the institution is legally obliged to disclose the data (e.g. HESA and HESES returns, ethnic minority and disability monitoring)
- Where disclosure of data is required for the performance of a contract.
The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
- To safeguard national security*;
- Prevention or detection of crime including the apprehension or prosecution of offenders*;
- Assessment or collection of tax duty*;
- discharge of regulatory functions (includes health, safety and welfare of persons at work)*;
- to prevent serious harm to a third party;
- to protect the vital interests of the individual, this refers to life and death situations.
* Requests must be supported by appropriate paperwork.
When members of staff receive enquiries as to whether a named individual is a member of the College, the enquirer should be asked why the information is required. If consent for disclosure has not been given and the reason is not one detailed above (i.e. consent not required), the member of staff should decline to comment. Even confirming whether or not an individual is a member of the College may constitute an unauthorised disclosure.
Unless consent has been obtained from the data subject, information should not be disclosed over the telephone. Instead, the enquirer should be asked to provide documentary evidence to support their request. Ideally a statement from the data subject consenting to disclosure to the third party should accompany the request.
As an alternative to disclosing personal data, the College may offer to do one of the following:
- pass a message to the data subject asking them to contact the enquirer;
- accept a sealed envelope/incoming email message and attempt to forward it to the data subject.
Please remember to inform the enquirer that such action will be taken conditionally: i.e. "if the person is a member of the College" to avoid confirming their membership of, their presence in or their absence from the institution.
If in doubt, staff should seek advice from their Head of Department/Section or the College Data Protection Officer.
Publication of College Information
It is College policy to make as much information public as possible, and in particular the following information will be available to the public for inspection:
- Names of College governors and Register of interests of Governing Body members and senior staff with significant financial responsibilities (for inspection during office hours only).
- List of staff
- Photographs of Senior Management Team and College Governors.
- information on examination results.
- Graduation programmes and videos or other multimedia versions of graduation ceremonies.
- Information in prospectuses (including photographs), annual reports, staff newsletters, etc.
- Staff information on the College website (including photographs).
The College's internal phone list will not be a public document.
Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact the Data Protection Officer.
It is recognised that there might be occasions when a member of staff, a student, or a lay member of the College, requests that their personal details in some of these categories remain confidential or are restricted to internal access. All individuals should be offered an opportunity to opt-out of the publication of the above (and other) data. In such instances, the College should comply with the request and ensure that appropriate action is taken.
Processing Sensitive Information
Sometimes it is necessary to process information about a person's health, criminal convictions, race and gender and family details. This may be to ensure the College is a safe place for everyone, or to operate other College policies, such as the sick pay policy or equal opportunities policy. The College will not need such consent if processing is necessary for a) complying with a legal obligation imposed on the College, b) to keep an Equal Opportunity Policy under review where the data is about race or ethnic origin, or c) (in emergencies) protecting the data subject or a third party who cannot give consent. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students may be asked to give express consent for the College to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this, without good reason. More information about this is available from the Data Controller.
Students will be entitled to information about their marks for both coursework and examinations. However, this may take longer than other information to provide. Examination scripts are exempt from disclosure under the Act. The College may withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all books and equipment returned to the College.
Retention of Data
The College will keep some forms of information for longer than others. Because of storage problems and the requirements of the Act, information about students cannot be kept indefinitely, unless there are specific requests to do so. A list is attached; see Appendix E for the archiving guidelines and retention times employed by the College.
Any department or section that uses personal data for direct marketing purposes must inform data subjects of this at the time of collection of the data. Individuals must be provided with the opportunity to object to the use of their data for direct marketing purposes. Where the direct marketing is to be conducted by email or other electronic means, you must also ensure that it complies with the Privacy and Electronic Communications Regulations, which are outside the scope of this data protection policy. For further information contact the Data Protection Officer.
Use of CCTV
For reasons of personal security and to protect College premises and the property of staff and students, closed circuit television cameras are in operation in certain campus locations. The presence of these cameras may not be obvious. This policy determines that personal data obtained during monitoring will be processed as follows:
- Any monitoring will be carried out only by a limited number of specified staff;
- Personal data obtained during monitoring will be destroyed as soon as possible after any investigation is complete;
- Staff involved in monitoring will maintain confidentiality in respect of personal data.
Personal data collected only for the purposes of academic research (includes work of staff and students) must be processed in compliance with the Data Protection Act 1998.
Researchers should note that personal data processed ONLY for research purposes receive certain exemptions (detailed below) from the Data Protection Act 1998 IF:
- the data is not processed to support measures or decisions with respect to particular individuals AND
- no data subjects are caused substantial harm or distress by the processing of the data.
If the above conditions are met, the following exemptions may be applied to data processed for research purposes only:
- personal data can be processed for purposes other than that for which they were originally obtained (exemption from Principle 2);
- personal data can be held indefinitely (exemption from Principle 5);
- personal data are exempt from data subject access rights where the data are processed for research purposes and the results are anonymous (exemption from part of Principle 6 relating to access to personal data).
Other than these three exceptions, the Act applies in full. The obligations to obtain consent before using data, to collect only necessary and accurate data, and to hold data securely and confidentially must all still be complied with.
Notes to Researchers
Whilst the Act states that research may legitimately involve processing of personal data beyond the originally stated purposes the College hopes that, wherever possible, researchers will contact participants if it is intended to use data for purposes other than that for which they were originally collected.
For those departments which gather sensitive personal data extra care should be taken to ensure that explicit consent is gained and that data are held securely and confidentially so as to avoid unlawful disclosure.
Researchers should ensure that the results of the research are anonymous when published and that no information is published that would allow individuals to be identified. Results of the research can be published on the web or otherwise sent outside the European Economic Area but if this includes any personal data, the specific consent of the data subject must, wherever possible, be obtained.
Compliance with the Act is the responsibility of all members of the College. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to College facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the College Data Controller.
Download Appendix A - Staff Guidelines For Data Protection
Download Appendix B (Staff) - Access To Data Request Form
Download Appendix C (Student) - Access To Data Request Form
Download Appendix D - Consent To Process-Model Contract Clauses For Staff
Download Appendix E - Guidelines For Archiving Data Protection