Policy/Procedure/Guideline Review
Policy/Procedure/Guideline: / Data Protection Procedure
Senior Manager Responsible: / Assistant Principal - Corporate Services
SMT Approval: / 21 November 2014
Governor Approval: / 5 October 2015
Joint Consultative Committee:
Equality Impact Assessment: / 7 November 2014
Review date: / October 2018
Data Protection Procedure
Introduction
The College needs to keep certain information about its staff, students and other users to allow us to monitor recruitment, attendance, performance, achievements and health and safety. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the College must comply with the Data Protection Principles, which are set out in the Data Protection Act 1998. In summary these state that personal data shall:
- Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
- Be adequate, relevant and not excessive for those purposes.
- Be accurate and kept up to date.
- Not be kept longer than is necessary for that purpose.
- Be processed in accordance with the data subject’s rights.
- Be kept safe from unauthorised access, accidental loss or destruction.
- Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
The College and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the College has developed the Data Protection Policy, available on the Staff extranet.
Publication of Information
Information that is already in the public domain is exempt from the Data Protection Act. It is College policy to make as much information public as possible and in particular the following information will be available to the public:
- Names of our Governors
- Photographs of key staff i.e. members of the Executive and other managers
- List of staff
- Learner performance data
Extent of the Policy
The Data Protection policy covers all computerised and manual data processing relating to identifiable individuals. It not only includes information about individuals, but also opinions and intentions towards an individual. It therefore includes, for example, personnel records about staff, student records, emails relating to identifiable individuals, team meeting minutes, student and staff references.
Status of the Policy
This policy does not form part of the formal contract of employment, but it is a condition of employment that staff will abide by the rules and policies made by the college from time to time. Any failures to follow policy can therefore result in disciplinary proceedings.
Any member of staff who considers the policy has not been followed in respect of personal data about themselves should raise the matter with the relevant designated data controller initially. If the matter is not resolved it should be raised as a formal grievance.
Public Register of Data Controllers and Notification
The College has a valid notification in the data protection register that relates to processing information. This can be viewed at It is the responsibility of the Data Protection Coordinator to ensure the registration is checked and updated annually.
Definition of Data
Personal data covers any data relating to a living individual (e.g. name, address, payroll details, examination results). Sensitive data form a subset of personal data that relate to a living person, recording such matters as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health and criminal convictions.
Notification of Data Held and Processed
All staff, students and others are entitled to know:
- What information the College holds and processes about them and why
- How to gain access to it
- How to keep it up to date
- What the College is doing to comply with its obligations under the 1998 Act
The College will update staff data regularly, at least every two years, and staff can also update the data held by Human Resources at any time by contacting the HR team. Students’ data are updated annually through the enrolment process.
Responsibilities
The Data Protection co-ordinator
The College as a corporate body is the data controller under the Act, and the board is therefore ultimately responsible for implementation. However, the designated data protection co-ordinator (DPC) will be responsible for the policy and deal with day to day matters along with the designated data controllers.
The nominated Data Protection Coordinator is the Human Resources Manager.
The College also has two Designated Data Controllers. They are:
Sara Wright - MIS and Examinations Manager
Amanda Mills - IT and Network Services Manager
Personal information
All staff are responsible for:
- Checking that any information they provide to the College in connection with employment is accurate and up-to-date.
- Informing the College of any changes to information provided, e.g. change of address.
- Informing the College of any errors or changes. The College cannot be held responsible for any errors unless it has been informed.
Information about other people
If and when, as part of their responsibilities, staff collect information about other people (e.g. students’ coursework, opinions about ability, references, or details of personal circumstances), they must comply with the guidelines for staff, which can be found at Appendix 1.
Data Security
All staff are responsible for ensuring that:
- Any personal data they hold is kept securely
- Personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party.
Personal information should be:
- Put away in a lockable cabinet; or
- In a locked drawer; or
- If it is computerised, be password protected; or
- Kept only on a disk which is itself kept securely
Staff should note that Data Protection compliance is ultimately the responsibility of all College staff. Individuals can be held legally responsible if they disclose personal information to any unauthorised third party. Breaches of data protection rules are considered to be a disciplinary matter, and may be considered gross misconduct in some cases.
Student Obligations
Students must ensure that all personal data provided to the College are accurate and up to date. They must ensure that changes of address etc. are notified to Student Services as soon as possible.
Students who find themselves in a position where they are processing personal data about staff or other students (e.g. as a student representative on a College committee or team or as a member of the Student Council) must ensure that they comply with the College’s policy and the requirements of the Act.
Rights to Access Information
Staff, students and other users of the College have the right to access any personal data that is being kept about them either on computer or in certain files. Any person who wishes to exercise this right should complete the Form for Access to Data and send it to Human Resources (Appendix 2). Students should do this via their personal tutor.
The College will make a charge of £10 on each occasion that access is requested, although the College has discretion to waive this. This charge will be automatically waived for staff.
The College aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 21 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the person making the request.
Subject Consent
In many cases, the College can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to the College processing some specified classes of personal data is a condition of acceptance of an individual onto any course, and a condition of employment for staff. This includes information about previous criminal convictions.
Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. The College has a legal duty to ensure that staff are suitable for any job offered and students for the courses offered. The College also has a duty of care to all staff and learners and must therefore make sure that staff and those who use the College facilities do not pose a threat or danger to other users.
The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The College will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of a medical emergency, for example.
Therefore, all prospective staff and learners will be asked to sign a consent to process. In the student case this is part of the enrolment form; for staff, this is part of the application form and also part of the contract of employment. A refusal to sign such documents may result in the offer being withdrawn.
Processing Sensitive Information
Sometimes it is necessary to process information about a person’s health, criminal convictions, race, gender, and family details. This may be to ensure that the College is a safe place for everyone, or to operate other College policies, such as the sick pay policy. Because this information is considered sensitive, and it is recognised that the processing may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the College to do this. Offers of employment or course places may be withdrawn if an individual refuses consent to this, without good reason.
Examination Marks
Students will be entitled to information about their marks for both coursework and examinations. However, this may take longer than other information to provide. The College may withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all books or equipment returned to College.
Retention of Data
Please see Appendix 3 for the guidelines for the retention of personal data.
Summary
Compliance with the 1998 Act is the responsibility of all members of the College. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, access to the College being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation of this procedure should be referred to the Data Protection Coordinator in the first instance.
Appendix 1 to the Data Protection Policy: Staff Guidelines
- All staff will process data about students on a regular basis. This might include marking registers or College work, writing reports or references, or as part of their pastoral or academic supervisory role. The College will ensure that all students are notified of this sort of processing and give their consent as required by the 1998 Act.
The information that staff deal with on a day-to-day basis will be ‘standard’ and will cover categories such as:
General personal details such as name and address;
Details about class attendance, course work marks and grades and associated comments.
Notes of personal supervision, including matters about behaviour and discipline.
- Information about a student’s physical or mental health; sexual life; political or religious views; trade union membership or ethnicity or race is sensitive and can only be collected and processed with the student’s consent.
Examples of instances when this kind of information might be required include ensuring that a student’s needs are met during a field trip, cases where there might be increased health and safety risks (for example if a student is pregnant), or the College’s safeguarding responsibilities.
- All staff have a duty to make sure that they comply with the data protection principles, which are set out in the data protection policy. In particular, staff must ensure that records are
- accurate
- up-to-date
- fair
- kept and disposed of safely
- All staff will be responsible for ensuring that all data is kept securely. In the case of manual data this could be in filing cabinets, locked cupboards or rooms with access restricted to named individuals or categories of individual only. In the case of electronic information, access must be subject to reasonable controls including passwords and restricted access rights. Reasonable steps must be taken to detect and prevent unauthorised access. Regular backups should be taken to ensure that important data cannot be lost.
- Staff must not disclose personal data to any student unless for academic or pastoral purposes, without authorisation or agreement from the data controller, or in line with college policy.
- Staff shall not disclose personal data to any other staff member except with the authorisation or agreement of the designated data controller, or in line with college policy.
- Before processing any personal data, all staff should consider the following checklist:
- Do you really need to record the information?
- Has the student been told that this type of data will be processed?
- Is the information standard or is it sensitive?
- If it is sensitive, do you have the data subject’s express consent?
- Are you authorised to collect/store/process the data?
- If yes, have you checked with the data subject that the data is accurate?
- Are you sure that the data is securely held on College premises?
- If you do have the data subject’s consent to process, are you satisfied that it is in the best interests of the student or the staff member to collect and retain the data?
Appendix 2
Form for Access to Data
Data Protection Act 1998
Please complete this form, and send to Human Resources, to request access to information held about you by Nelson and Colne College.
Surname: / Forename:
Address:
Information Requested:
Student / Staff number:
Date: / Signature:
Notes:
- The requested information will be provided within 21 days of receipt of this signed form or a letter will be despatched to you indicating the reason for any delay.
- Only fully completed and signed forms will be processed.
- The information requested will only be provided in written format.
- You must specify the information that you wish to request.
- There will be a charge of £10.00 to cover administration costs for each request for information.
For Office Use Only / Fee Received (amount) £
Name: / Signature:
Date Received: / Date information dispatched:
(Copy to be retained with this form)
Appendix 3
Guideline for retention of personal data
Type of Data / Suggested Retention Period / Reason
Human Resources files including training records and notes of disciplinary and grievance hearings. / 6 years from the end of employment / References and potential litigation
Application forms/interview notes / 6 months from the date of the interviews. / Limitation period for litigation
Facts relating to redundancies where less than 20 redundancies / 3 years from the date of redundancy/ies / Limitation period for litigation
Facts relating to redundancies where 20 or more redundancies / 12 years from date of redundancies / Limitation period for litigation
Income Tax and NI returns, including correspondence with tax office / 3 years after the end of the financial year to which the records relate / Income Tax (Employment) Regulations 1993
Statutory Maternity Pay records and calculations / 3 years after the end of the financial year to which the records relate / Statutory Maternity Pay (General) Regulations 1986
Statutory Sick Pay records and calculations / 3 years after the end of the financial year to which the records relate / Statutory Sick Pay (General) Regulations 1982
Wages and Salary records / 6 years from the last date of employment / Taxes Management Act 1970
Accident books, and records and reports of accidents / 3 years after the date of the last entry / RIDDOR 1985
Health records / During employment / Management of Health and Safety at Work Regulations
Health records where reason for termination of employment is connected with health, including stress related illness. / 6 years from the last date of employment / Limitation period for personal injury claims
Student records, including academic achievements, and conduct. / 6 years from the date the student leaves the College / Limitation period for negligence.