Data Protection Policy

Components

Introduction

This policy sits alongside the Information Security Policy, Records Management Policy and Information Risk Management Policy to form a suite of policies that support an information governance framework.

As a higher education institution, the University collects and uses large volumes of personal data, including categories of personal data defined as special category, relating to prospective students, applicants, students, alumni and donors, staff, suppliers, partners and website users etc.

This high-level policy sets out how the University processes that personal data in accordance with data protection legislation (UK General Data Protection Regulation and the Data Protection Act 2018)  when obtaining, handling, sharing, transferring, storing and disposing of personal data.

An appendix of relevant definitions, which will assist with understanding and interpretation of this policy is set out at Appendix A.

Objectives

The University’s core data protection objectives are that:

  • Our personal data shall be processed in a manner, which is compliant with data protection legislation, the Data Protection Principles, and applicable codes of practice from the Information Commissioner’s Office.
  • There are clear and established data protection roles and responsibilities.
  • We adopt a privacy by design and default approach to our use of personal data.
  • We shall maintain an accurate and up to date record of our processing activities.
  • We shall share personal data with our partners, where there is a benefit to the University, in a compliant and secure manner.
  • We shall only engage and enter contractual relationships with processors who we are confident will protect our personal data and process it in a manner compliant with data protection legislation.
  • Information governance incidents, involving personal data, shall be reported, risk assessed and appropriately managed.
  • We shall support our data subjects to exercise their data subject rights, and
  • Our staff shall be appropriately trained in the application of this policy and related data protection procedures.

Scope

This policy applies to all personal data processed by the University regardless of the media on which that data is stored or whether it relates to past or present students, staff or other data subjects.  

It applies to all University personnel (‘you’, ‘your’) whether employees, contractors or agency staff.  All personnel should read, understand and comply with this policy when processing personal data. As per the contract of employment with the University, compliance with this policy and associated procedures is mandatory. Accompanying data protection procedures, guidance and training shall be provided to help our staff to interpret and act in accordance with this policy. Any breach of this policy and associated procedures may result in disciplinary action.

If you have any questions or uncertainties about the operation of this policy, or concerns that the policy is not being followed you should speak directly to your applicable Data Protection Business Partner.

Roles and responsibilities

Senior Information Risk Owner

The University shall appoint a Senior Information Risk Owner (SIRO) who assumes responsibility for information governance and data protection risk. The role of the SIRO is undertaken by the Director of Finance.

Information Asset Owners

The SIRO shall delegate responsibility for ownership of information assets and data protection risk to Information Asset Owners (IAOs), who have local responsibility for data protection compliance in their area of service, as per the IAO Terms of Reference (TOR) and Handbook.

Information Asset Managers

IAOs will establish a network of Information Asset Managers (IAMs) who will hold local responsibility for data protection within their area of service and will assist their IAO in fulfilling their duties, as per the IAM TOR.

Information Governance Board

As per the Information Governance Board (IG Board) TOR, the IG Board is responsible for strategic level implementation of information governance policy and oversight of compliance with this policy. The Board shall be chaired by the SIRO, and attended by a representative selection of the IAOs and leads from the areas of Data Protection, Freedom of Information, Information Security and Records Management.

Data Protection Officer

The University’s Data Protection Officer (DPO) is primarily responsible for advising on and assessing the University’s compliance with data protection legislation and making recommendations to improve practice. Further, the DPO acts as the University’s primary point of contact with the Information Commissioner’s Office.

All staff

All University personnel, including permanent staff, fixed term contractors and temporary workers must comply with this policy whenever handling personal data on behalf of the University.

All Students

Students must comply with this policy and any other data protection measures made known to them when collecting and processing personal data as part of their course, studies or research.

The Data Protection Principles

All University personnel should adhere to the principles relating to the processing of personal data set out in the UK GDPR, which require personal data to be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject (Lawfulness, Fairness and Transparency);
  2. Collected only for specified, explicit and legitimate purposes (Purpose Limitation);
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation);
  4. Accurate and where necessary kept up to date (Accuracy);
  5. Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation);
  6. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (Security, Integrity and Confidentiality);
  7. Not transferred to another country without appropriate safeguards being in place (Transfer Limitation); and
  8. Made available to Data Subjects and allow Data Subjects to exercise certain rights in relation to their Personal Data (Data Subject’s Rights).

We are responsible for and must be able to demonstrate compliance with the data protection principles listed above (Accountability Principle).

Lawfulness, fairness and transparency

We should only collect and use personal data where we are clear that there is a lawful basis, we are acting fairly and where adequate privacy notice information has been provided to the data subject. This means:

  • Ensuring there is an appropriate lawful basis for processing and in the case of special category personal data ensuring there is a further basis for the processing.
  • Where we rely upon consent we collect and retain this in a compliant manner. This includes informing data subjects how they may withdraw their consent for the processing of their personal data.
  • Providing privacy notices to data subjects at the point of data collection and disclosure to third parties. These notices ensure that we supply the necessary information to satisfy privacy notice and transparency requirements.
  • Not misleading data subjects about how we intend to use their personal data.

As a general principle, University staff and students should not record one another without their knowledge and agreement.

Purpose limitation

Personal data must be used only for the specified, explicit, and legitimate purposes, these are typically the purposes cited within our privacy notices at the point of data collection. It should not be further used in any manner incompatible with those purposes unless we have informed the data subject of the new purposes and there is an appropriate lawful basis / the data subject has given their consent, where necessary.

There shall be strictly no personal use of the personal data to which you have been afforded access as part of fulfilling your role with the University.

Data protection legislation contains specific recordable criminal offences relating to the misuse of personal data. These include:

  • Knowingly or recklessly obtaining or disclosing personal data without the consent of the University.
  • Knowingly or recklessly procuring the disclosure of personal data without the consent of the University.
  • Knowingly or recklessly retaining personal data without the consent of the University.

Data minimisation

Personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Anything recorded about an individual should be appropriate and professional. Where necessary, we should clearly distinguish facts from professional opinion.

Staff should be satisfied that what has been recorded about an individual is justified and could be explained if ever challenged by line management. Potentially, anything recorded about an individual could be disclosed back to them as part of a Rights Request.

Accuracy

Personal data should be accurate and, where necessary, kept up to date. It should be corrected or deleted without delay when found to be inaccurate.

We should ensure that the personal data we use and hold is accurate, complete, kept up to date and relevant to the purposes for which we collected it. We should check the accuracy of any personal data at the point of collection and at regular intervals afterwards.

All staff and students are responsible for checking that the information they provide to the University in connection with their employment or studies is accurate and up to date.

Storage limitation

Personal data should not be kept in an identifiable form for longer than is necessary for University purposes.

The University maintains a comprehensive Retention and Disposal Schedule, based upon JISC standards, which formalises our retention periods for the various categories of personal data which we process.

Our data subjects are aware of these periods as these are communicated within the published schedule and our privacy notices. It is necessary that the University comply with these retention periods to maintain the trust and support of our data subjects, as well as fulfilling legislative requirements.

A far as is possible, we should ensure that all personal data is managed within the core University systems, where retention and disposal can be more efficiently managed. We should avoid creating subsidiary, secondary or local versions of personal data, which would also need to be managed both in terms of information security and retention.

Security, integrity and confidentiality

Personal data should be secured by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage. The University applies the Information Classification Procedure to ensure an appropriate level of information security according to the sensitivity of information.

Data Protection Assessments

The University will implement a data protection by default and design approach to processing personal data through integrating data protection assessments into business processes and projects. Data protection by design is about considering and assessing data protection and privacy issues up front, at a stage where it is still possible to shape design and outcomes.

As per the Data Protection Assessment Procedure, assessments should be conducted whenever we are doing something new, different or reviewing a practice involving personal data, or where there is existing processing which is considered high risk.

The assessment conducted should be proportionate to the data protection risk involved with the processing, as follows: Basic Assessment where the risk is low, and Data Protection Impact Assessment where the risk is high according to the ICO Screening Questions as set out within the Procedure.

Record of Processing Activity (ROPA)

The University will maintain an accurate and up to date record of our activities which involve the processing of personal data. Our IAOs and IAMs shall be responsible for ensuring that the ROPA for their area of service is complete and up to date.

ROPAs are a key tool in demonstrating our compliance with data protection legislation, as well as identifying risks and issues to be managed, such as gaps in our privacy notices and data protection assessments, over retention of personal data and inappropriate levels of security for sensitive information assets.

Please see the: Guide to completing your IAR and ROPA for further information.

Information sharing

The University may share personal data with third parties where we identity a benefit to the University, there is a wider public interest (and there is a lawful basis for disclosure), or where we are otherwise legally obliged to make a disclosure.

Information sharing can take place in both one-off scenarios or on going controller to controller partnership working relationships.

The University has many established information sharing processes. However, wherever:

  • The personal data being shared
  • The purposes for the sharing
  • The partners
  • The method of transfer

is new or different, a data protection assessment should be conducted as per the Data Protection Assessment Procedure, to ensure there is a lawful basis, that the right information is shared in a secure manner, and any data protection risks and issues are considered and managed.

Furthermore, where we share our personal data in frequent and on-going relationships with partners these arrangements should be formalised through the use of an information sharing agreement. Your relevant Data Protection Business Partner may be contacted direct for support.

Use of data processors

We should only use processors / third party vendors who take their data protection responsibilities seriously. By applying the Third Party Vendor Management Procedure, we will:

  • Conduct appropriate data protection due diligence activity to understand and manage the risks associated with allowing our personal data to be processed by third parties at the procurement stage.
  • Data protection risk assess each instance of our relationship with a processor.
  • Ensure that data protection compliant contracts are put in place with our processors.
  • Understand and manage emerging risks and issues associated with the on-going relationship with our processors through the use of mid contract reviews.

International transfers

Personal data should not be transferred outside of the European Economic Area without first ensuring that there are appropriate safeguards in place or that the data subjects understand and consent to the risks involved. Such safeguards include:

  • An UK adequacy decision as set out in Appendix B.
  • Use of the standard contractual clauses as provided by the Information Commissioner’s Office.
  • An explanation of the risks to data subjects and informed consent.

Such considerations should be addressed as part of the data protection assessment process with support from the Data Protection Business Partner.

Information Governance Incidents

As per the Information Governance Incident Management Procedure an information governance incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Examples of incidents include, but are not limited to:

  • E-mail mismanagement: sending an e-mail containing personal data to the incorrect recipient, sending the wrong information or uploading the incorrect attachment, not trimming the e-mail trail so excessive personal data is disclosed, and not using bcc functionality where appropriate /  compromising the recipients of an e-mail to one another etc.
  • Loss or theft of information or IT equipment containing personal data.
  • Incorrectly deleting or destroying personal data prior to the expiration of its retention period.
  • Instances of overseeing or overhearing client consultations or the discussion of personal data by those without a business need to know.
  • Attack via technical means. i.e. use of hacking, malware or ransomware.
  • Attack via non-technical means, i.e. social engineering and phishing.

As per the Procedure all incidents should be reported promptly using the Information Governance Incident Reporting Form.

Rights requests

The University is committed to upholding the rights of our data subjects in order to maintain trust, openness and transparency. You should be aware of what rights exist and be able to recognise if a request is made to you in order to ensure they are managed efficiently and within statutory timeframes.

The following rights exist:

  1. withdraw consent to processing at any time;
  2. receive certain information about the University’s processing activities;
  3. request access to the personal data that we hold;
  4. prevent our use of personal data for direct marketing purposes;
  5. ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;
  6. restrict processing in specific circumstances;
  7. challenge processing which has been justified on the basis of our legitimate interests or in the public interest;
  8. request a copy of an agreement under which personal data is transferred outside of the EEA;
  9. object to decisions based solely on Automated Processing, including profiling;
  10. prevent processing that is likely to cause damage or distress to the data subject or anyone else;
  11. be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;
  12. make a complaint to the supervisory authority / the Information Commissioner’s Office;
  13. in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format.

The University will typically have one month in order to respond to such requests.

If you receive a rights request from a data subject, you should forward this promptly to: dataprotection@mmu.ac.uk.

The Data Protection Team shall contact the IAM (or an agreed / established point of contact) for the area of service believed to hold personal data relevant to the request. The IAM shall coordinate the data harvesting activities or take appropriate action to fulfil the rights request on behalf of their area of service.

If the requested information is not held within the IAM’s area of service this should be communicated back to the Data Protection Team promptly, where possible with an indication of where relevant information may be held.

The data harvesting request from the Data Protection Team will contain a clear deadline by which a response to the data harvesting request should be made; typically 7 - 10 days.

Training provision

The University is committed to ensuring that all personnel receive appropriate data protection training to successfully support you to fulfil your role, whilst complying with the requirements of the data protection legislation and this policy.

This includes the completion of the Essential Information Governance Training Package and refresher training at two year intervals. Furthermore, staff should complete and attend all data protection training sessions as directed by line management.

A record of your attendance at data protection training sessions will be maintained to assist us to demonstrate our compliance with the Accountability Principle.

Review

A review of this policy will be undertaken by the Data Protection Team every two years or more frequently as required, and will be approved by the Information Governance Board.

Appendix A - Definitions

Our definitions in this policy reflect those within the UK GDPR. 

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifier.

‘special category personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘the data protection principles’ means the principles relating to the processing of personal data

‘personal data breach / information governance incident’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, The University, processors of the University.

‘privacy notice’ means a statement provided to data subjects when or before their personal data is collected which explains who we are, how their personal data will be used, what lawful bases we rely upon to use their personal data for these purposes, to whom it may be disclosed and any other information they may need to know in order to ensure that the processing is fair, as set out in Article 13 and 14 GDPR.

Appendix B – List of UK Adequacy Decisions

Andorra Gibraltar Luxemburg
Argentina Greece Malta
Austria Guernsey Netherlands
Belgium Hungary New Zealand
Bulgaria Iceland Norway
Canada Ireland Poland
Croatia Isle of Man Portugal
Cyprus Israel Romania
Czech Republic Italy Slovakia
Denmark Japan Slovenia
Faroe Islands Jersey Spain
Finland Latvia Sweden
France Liechtenstein Switzerland
Germany Lithuania Uruguay

Appendix C – List of associated policies and procedures

Records Management Policy

Information Security Policy

Information Risk Management Policy

Data Protection Assessment Procedure

Data Protection Assessment Research Procedure

Freedom of Information Procedure

Information Governance Incident Management Procedure

Third Party Vendor Management Procedure