Data Protection & Freedom of Information Policy

Contents

Overview
1 Summary
2 Further Information
3 Approval
4 Review
5 Distribution

Primary Information
1 Policy
1.1 Purpose
1.2 Statement
1.3 Status of the Policy for Staff
2 Responsibilities
2.1 Staff and Members of the Corporation
2.2 Students and Others
2.3 Entitlement
3 Freedom of Information
4 Security
5 Data Controllers
6 Subject Consent
7 Processing of Sensitive Information
8 Examination Results
9 Retention of Data
10 Disposal
11 Notification
12 Compliance Assurance

Appendices
Appendix 1 Access to Data Form
Appendix 2 Data Retention Table
Appendix 3 Current Notification
Appendix 4 Declaration Form for Data User

This document is available in large print or in an alternative format that meets your needs.
Please contact the HR Officer.
March 2015 / Ref:POL0062

Overview

1 Summary

This document states the College policy on data protection. It states the framework within which all personal data in the College will be processed. It provides guidance to staff, corporation members and students on how the College will ensure compliance with the 8 data protection principles and explains the College’s response when these principles are not adhered to. It also states how the College meets its commitment to fulfilling the requirements of the Freedom of Information Act.

2 Further Information

·  Director Information Services

·  Assistant Principal Quality Improvement & Student Support

·  Registry manager

A further guidance document is available on the intranet on the Policies, Procedures and Guidance Notes page under Guidance Notes: Data Protection Staff Guidelines.

3 Approval

The policy was approved by the SLT on 9th February 2015.

4 Review

This document will be reviewed biennially by the Director Information Services.

5 Distribution

This document is distributed to all Governors, external members of Corporation Board & sub committees.

This policy is available to all staff via the College Intranet.

Primary Information

1 Policy

1.1 Purpose

To ensure that all staff, corporation members and students understand their responsibilities and rights under the Data Protection Act 1998 and the Freedom of Information Act 2000.

1.2 Statement

The College needs to keep certain information about its employees, students and other College users to allow it to monitor, for example, performance, achievements and health and safety. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with. To comply with the law, information will be collected and used fairly, stored safely and not disclosed to any person unlawfully. To do this, the College will comply with the 8 Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act). In summary these state that personal data shall:

·  Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.

·  Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose

·  Be adequate, relevant and not excessive for those purposes

·  Be accurate and kept up to date

·  Not be kept for longer than is necessary for that purpose

·  Be processed in accordance with the data subject's rights

·  Be kept safe from unauthorised access, accidental loss or destruction

·  Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data

The College and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the College has developed this Policy.

The College is fully committed to the principles set out in the Freedom of Information Act 2000 and in furtherance of this has adopted a Publication Scheme indicating types of information that will be readily available from the College website.

1.3 Status of the Policy for Staff

This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the College from time to time. Any failures to follow the policy can therefore result in disciplinary proceedings.

Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with their line manager. If the matter is not resolved it should be referred to the Personnel Manager. If still not resolved it should be raised as a formal grievance.

2 Responsibilities

Compliance with the 1998 Act is the responsibility of all members of the College. Any deliberate breach of this data protection policy may lead to disciplinary action being taken, access to College facilities being withdrawn or even a criminal prosecution.

2.1 Staff and Members of the Corporation

All staff and governors are responsible for:

·  Checking that any information that they provide to the College in connection with their employment/governance is accurate and up to date.

·  Informing the College of any changes to information which they have provided (e.g. changes of address).

·  Checking the information that the College will send out from time to time, giving details of information kept and processed about staff.

·  Informing the College of any errors or changes. The College cannot be held responsible for any errors unless the staff member has informed the College of them.

If and when, as part of their responsibilities, staff or governors collect information about other people (e.g. about student course work, opinions about ability, references to other academic institutions, details of personal circumstances) they must comply with the Data Protection Staff Guidance document (available on the intranet on the Policies, Procedures and Guidance Notes page).

2.2 Students and Others

Students must ensure that all personal data provided to the College is accurate and up to date. They must ensure that changes of address, etc. are notified to the Registry Office or other College department as appropriate.

Students should not use college facilities (e.g. computers) to process personal data. Data sets created during, or provided for, course exercises should be fictional.

2.3 Entitlement

All data subjects (staff, students and others) about whom data is held are entitled to:

·  Know what data the College holds and processes about them and why

·  Know how to gain access to it

·  Know how to keep it up to date

·  Know what the College is doing to comply with its obligations under the 1998 Act

·  Have inaccurate data corrected

·  Prevent data being used for direct marketing

To access personal data that is being kept about them a data subject (any person the College holds data about) should complete the College “Access to Data” form (Appendix 1) and return it to the College Data Protection Officer (Director – Information Services).

The College aims to comply with requests for access to personal data as quickly as possible, but will ensure that it is provided within 40 calendar days unless there is good reason for delay. In such cases the reason for delay will be explained in writing to the data subject making the request. The College will make a charge of £10 on each occasion that access is requested, although the College has discretion to waive this.

3 Freedom of Information

A wide range of information about the College is made available under the Freedom of Information Act 2000. A guide to this information (the “Publication Scheme”) is available on the College website.

Some of the information published under the Freedom of Information Act is personal data, specifically:

·  Names and contact details of College governors

·  Names and posts of management staff

·  Photographs of governors and the College Senior Leadership Team

Any individual who has good reason for wishing their details in the above categories to remain confidential should contact the Data Protection Officer.

The College will maintain a core set of documents (as defined by the Publication Scheme) in electronic format on the College website. Requests for information not available from the website may be received into the College in various forms (email, formal request form available on the website) but all should be forwarded to the Freedom of Information Officer (Director Information Services – ) for response which will be within 20 working days of receipt.

Any charges related to supply of information under this policy are laid out in the Publication Scheme.

4 Security

All staff are responsible for ensuring that:

·  Any personal data they hold is kept securely

·  Personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party

Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.

Detailed arrangements and guidance for securing data are to be found in the College Data Protection Staff Guidelines (available on the intranet). In general, personal information should:

·  be kept in a secure environment (e.g. locked drawer, cabinet, room)

·  be password protected if computerized

·  have backup arrangements made

·  have all security arrangements (location of keys, passwords, backup arrangements) documented and stored separately and securely.

5 Data Controllers

The College as a body corporate is the data controller under the Act, and the board is therefore ultimately responsible for implementation.

The College Data Protection Officer (Director – Information Services) has overall responsibility for ensuring compliance with the Act, including maintaining the College Notification (Appendix 3).

College managers (CLEF members) are responsible for ensuring compliance with the Act in their managerial area, including informing the Data Protection Officer of any change in their area necessitating a change in the College Notification (Appendix 3).

6 Subject Consent

In many cases, the College can only process personal data with the consent of the individual. In some cases, if the data is sensitive (see 7 below), express consent must be obtained. Agreement to the College processing some specified classes of personal data is a condition of acceptance of a student onto any course, and a condition of employment for staff. This includes information about previous criminal convictions.

Some jobs or courses will bring the applicants into contact with children, including young people under 16. The College has a duty under the Children Act and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The College also has a duty of care to all staff and students and must therefore make sure that employees and those who use the College facilities do not pose a threat or danger to other users.

The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any condition such as asthma or diabetes. The College will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of a medical emergency, for example.

Therefore, all prospective staff and students will be asked to sign a “Consent To Process”, regarding particular types of information when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.

7 Processing of Sensitive Information

Sometimes it is necessary to process information about a person's health, criminal convictions, race, gender and family details. This may be to ensure the College is a safe place for everyone, or to operate other College policies, such as the sick pay scheme or equal opportunities policy. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the College to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this, without good reason. More information about this is available from Customer Services (for students) and the Personnel Department (for staff).

Where sensitive information is shared with other organisations (in either direction) a written, signed agreement describing the conditions under which such sharing will take place must be in place.

8 Examination Results

Students will be entitled to information about their marks for both course work and examinations. However, this may take longer than other information to provide as it is dependent on awarding bodies and similar third parties.

9 Retention of Data

The College will keep some forms of information for longer than others.

The concept of lifelong learning means many students return again and again to the College. To ensure a consistent record of academic achievement and performance at College, a core student record will be kept for 10 years following a student leaving the College. Other information, including any information about health or disciplinary matters, will be destroyed 6 years after the student leaves the College.

The College will need to keep information about staff for longer periods of time. In general, all information will be kept for 6 years after a member of staff leaves the College. Some information, however, will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references.