University of Cumbria Students’ Union
Data Protection Policy StatementApplicable to: UCSU staff and members andfor the information of other interested parties, 2015-16
The University of Cumbria Students‟ Union (UCSU) is a “data controller” under the provisions of the Data Protection Act and recognises that its members have the right to know what information is held about them, and that any data held is in compliance with the Data Protection Act 1998. UCSU processes and on occasion discloses information about employees, students and other Data Subjects for membership and membership services (including the delivery of an Information and Advocacy Service, groups and societies and volunteering), administrative and commercial purposes Commercial purposes include the promotion of products and services provided by selected third party clients – this may include the advertising of products and services with a clear student message – e.g. Endsleigh student insurance, student discounts & opportunities from a variety of retailers - e.g. Domino’s Pizza, Stagecoach and student essential services such as local doctors surgeries, sexual health services and career opportunities.
All commercial correspondence is booked and managed by the UCSU External Sales & Events Coordinator with assistance from the UCSU Research and Communications Coordinator to make the message as student friendly as possible. All commercial correspondence is sent with an ‘unsubscribe’ option at the bottom of the email. Recipients who wish to unsubscribe are then removed from the commercial mailing list and informed they will no longer receive these types of email.”
UCSU is committed to a policy of protecting the fundamental rights and freedoms of individuals and in particular their right to privacy. When handling such information, it is the duty of UCSU and all staff or others who process or use any personal information to comply with the Act in full at all times in accordance with the eight principles of the DPA.
UCSU also has a Data Sharing Agreement with the University of Cumbria (appendix 2)
1. Personal data shall be processed fairly and lawfully
2. It shall be obtained for specified purposes
3. It shall be adequate, relevant and not excessive
4. It shall be accurate and up-to-date
5. It shall not be kept longer than necessary
6. It shall be processed in accordance with the rights of the data subject
7. Measures shall be taken to protect processing, and to prevent loss and damage
8. It shall not be transferred outside the EEA unless there is an adequate level of protection in that country
To ensure compliance with the Act, UCSU will:
- Observe the spirit and the letter of the 1998 Act and will not seek to exploit ambiguous wordings or ‘grey areas’ yet to be clarified by Case Law to avoid its responsibilities.
- Co-operate fully with the Information Commissioner and his office.
- Publish and maintain a Code of Practice outlining the meaning of the Data Protection Act 1998 and establishing procedures for processing data in day to day working.
- The Codes of Practice will provide a reference source for all staff and volunteers to clarify anomalies, which may arise in routine operations.
- Consider that all departments are subject to the Act: No individual, section or department shall hold or process records in any manner which does not conform to the UCSU’s Data Protection Policy and Codes of Practice.
- Seek to obtain comprehensive ‘informed consent’ from Data Subjects regarding the keeping of records, the processing of data and the disclosure of data to third parties.
- Initiate and maintain an on-going programme of staff development
- Periodically review its policies and practices to ensure continuing compliance with the Act.
In order to minimise its liability in law,UCSU will:
- Ensure that all new data systems and new forms of processing data will be implemented in accordance with the 1998 Act.
- Regard all members of staff of the Union as having an obligation to divulge the existence and contents of databases or other soft or hard copy filing systems that contain personal data, to the Chief Executive Officer.
- Implement and maintain appropriate practical and technical measures to ensure the security of all personal data.
UCSU Data Protection
Code of Practice
1. Introduction
1.1 The Data Protection Act is concerned with making sure organisations handlepersonalinformation in a responsible way. This includes, for example, information about students, staff or other customers.
1.2 It is the responsibility of all UCSU staff members and volunteers to comply with the Data Protection Act 1998, by following the Data Protection Principles as set out in the Act. This code seeks to set out the key principles and messages of the Act and to provide some guidance and support in line with UCSU business.
2. Data Protection Principles
1. Personal data shall be processed fairly and lawfully
2. It shall be obtained for specified purposes
3. It shall be adequate, relevant and not excessive
4. It shall be accurate and up-to-date
5. It shall not be kept longer than necessary
6. It shall be processed in accordance with the rights of the data subject
7. Measures shall be taken to protect processing, and to prevent loss and damage
8. It shall not be transferred outside the EEA unless there is an adequate level of protection in that country
3. Notification process and data protection audits
3.1 Under the Data Protection Act, the Information Commissioner (who oversees
Compliance with the Act) keeps a public register of data controllers. This is a list of organisations who handle personal information. UCSU must complete anotification to the Information Commissioner outlining the main types of personal data we handle.
3.2 UCSU has Resources, Risk and Compliance Committee (RRC) and it will be responsible for ensuring that anannual auditof the types of data UCSUholdsis conducted.UCSU will keep an up to date record of datasets/ lists of student data and the ‘controller’ of those datasets. The audit will include a review of length of time data is being stored for and purpose.
4. Enforcement – penalties for non-compliance with the Act
The Data Protection Act is overseen by the Information Commissioner, whocan investigate whether an organisation is complying with the Act.The commissioner’s has a range of powers in relation to breaches of the principles, from up to £500,000 for serious breaches to the conduct of audits. Details of fines and prosecutions of individual organisations are regularlypublished on the Information Commissioner’s website at www.ico.gov.uk
5. Offences under the Act
Some of the most significant offences under the Act are as follows:
- Processing personal data without a notification to the Information
Commissioner or an inaccurate notification.
- Providing false information to the Information Commissioner during an
investigation
- Destroying, altering or concealing information which has been requestedunder a subject access request (individual members of staff can be prosecuted for this offence);
- The offences carry a maximum fine of £5,000 in the Magistrates Court and theUCSU could be criminally liable if it were to be prosecuted for a breach of the Act.
6. Ten issues that staff need to be aware of:
1. Make sure people know how you will use their information– this could becovered in the UCSUData Protection Statement for students, or individual statements in any forms, procedures or handbooks youprovide to students or other customers e.g. students using the Information and Advocacy service. Please be aware that images of people are also covered by the Data Protection Act (e.g. photographs and videos). Please refer to the UCSU Data Protection and Photography Guidance (appendix 1) for specific guidance and forms to use.
2. Make sure you understand the definition of ‘sensitive’ personal data. This kindof information has to be handled with special care and we normally need tohave the person’s explicit consent for the use of this information.Refer to Section 10 below for more detail.
3. If you send marketing informationmake sure you comply with the specialrules on direct marketing.
4. Keep personal data secure at all times and do not travel with personal dataunless absolutely necessary or without the necessary precautions.
5. Be cautious about disclosing personal data to others – check the guidance toensure you are aware of when you can and can’t share personal data.
6. Deal with requests from the Police for personal data in line with UCSUprocedures - unless it is a genuine emergency, the request should be made in writing on the Police’s own form and disclosure should be authorised by the UCSU Chief Executive Officer.
7. Sharing personal information with partner organisations - if you will beregularly sharing information with a partner organisation make sure you haveagreed standards between you as to how personal information will behandled. In some cases the UCSU will be legally liable for any breaches ofthe Act by a partner organisation.
8. Do not keep personal data for longer than necessary - we must have a goodreason for keeping personal information and should not store it for longerthan necessary. This is normally no longer than a maximum period of 6 years.
9. Ensure you know how to recognise a subject access request - a subjectaccess request is a request by someone for a copy of their own personalinformation (e.g. a request for ‘a copy of my student/staff file’, ‘any
information you hold on me’, ‘all information relating to my complaint’ etc).
10. Be aware that anything you write down about someone could be disclosed tothem- subject access requests can include the disclosure of e-mails and handwritten notes to the individual as well as more formal documents.
7. How to Respond to a Request for Personal Information
7.1 If you receive a request from somebody for personal information, consider the following:
- Is the information they are requesting information about themselves?
- Is the information they are requesting information about a third party?
7.2 Requests for Own Information
If it is information about themselves, you can provide the information relatively easily, and it is something that you would normally do in the course of your duties and ensure you:
- Verify to your own satisfaction the person’s identity. This may mean getting the request in writing (including email), or checking an ID in person
- Ensure that personal data about a third party is not also being disclosed.
- Then – provide the information required, if it is easily done. In most cases, personal data should not be disclosed over the telephone, unless you can verify the person’s identity.
7.3 Subject Access Requests (SAR)
- Ensure that you recognise a ‘Subject Access Request’ or a ‘SAR’. This maybe a request for ‘a copy of my student/staff file’, ‘any information you hold on me’, ‘all information relating to my complaint’ etc…
- If the request is complex or requires much copying, or they mention the Data Protection or Freedom of Information Act, or you are uncertain what to do, confer with the Data Protection Officer.
- Please contact the Chief Executive Officer, Daryl Ormerod, if you receive this kind of request.
7.4 Third Party Requests
If the information requested is for personal information about a third party, consider the following:
- Who is the request from?
1) Member of staff
You can give out the information if the staff member requires the information in order to perform his or her official duties or with the consent of the individual concerned. (Remember to verify to your own satisfaction the member of staff’s identity. This might involve returning their phone call, or emailing them).
2) Student
Third party data should not be disclosed to students without the consent of the individual concerned.
3) Requests from outside the Student Union
Requests must only be accepted in writing. Telephone callers or visitors in person must be requested to make a written enquiry. This includes police officers (see below).
Disclosure of personal data to third parties is allowed only where the Data Subject has given consent, or in certain other limited circumstances. These include for the prevention or detection of crime.
7.5 Ad-hoc requests for student information from the Police
There is an exemption under the Data Protection Act which allows us to discloseinformation to the Police. This is known as the ‘Section 29’ exemption and coversdisclosure for ‘the prevention or detection of crime’ and ‘apprehension orprosecution of offenders’.The Police must be asked to make the request in writing, preferably on thePolice’s own form (usually known as a DP1 or DP3 form). The form should bepassed on to Daryl Ormerod, UCSU Chief Executive Officerwho will make a decision on what to disclose.
The details of the request should be passed on to your line manager or directly to Daryl via the Police Request Log Sheet (appendix one)
In limited circumstances, usually very serious emergencies, student informationcan be provided without receiving a request in writing from the Police. In thesesituations you should:-
- Make sure you obtain the name and number of the police officer and briefdetails of why they need the information.
- If the request is received by phone make a note of the main switchboardnumber and ring the person back - this provides a basic check that the call isgenuine.
- As far as possible you should still try to obtain the authorisation of the Chief Executive Officer, Daryl Ormerod, or your line manager, if he is not available.
- A log sheet should still be completed after the event and returned to Daryl Ormerod.
- If possible it is preferable to deal face to face with the Police in these
situations rather than by phone or e-mail where it is more difficult to verifythe identity of the person making the request.
- In Police investigations relating to the UCSU,in situations where the UCSU itself has contacted the Police about an issue
and the Police are carrying out an investigation, then it will usually not benecessary for the Police to complete a DP1 or DP3 form.
- In these situations, as long as the request seems reasonable and is obviouslyrelated to the investigation then it is acceptable to provide the information.
- Please keep a record of what information was provided and why.
7.6 Confidentiality of other third parties
Personal data should not be disclosed in any case where information about another third party cannot be protected (without the consent of that individual). The information should not be revealed if it is not reasonable to do so. If third party identity can be made anonymous, it should be.
8. Personal Data held electronically
8.1 Email
Email should where possible be avoided when transmitting personal data about a third party, unless the data is securely encrypted. Sending personal data by email within the UoC network is acceptable as this is encrypted. However, care should be taken to ensure data is transmitted to the correct email address etc… Any email, whether or not it contains personal information, may be liable to disclosure, either under the Data Protection Act, or under the Freedom of Information Act. All members of staff should be aware of this when writing emails, and when keeping them.
8.2 UCSU Website
- Accessibility of data on Internet
TheUCSU website is accessible worldwide on the Internet. The website contain pages where there is personal data, such as names, pictures, contact details etc. Such data, when released on the Internet, by definition goes beyond the European Economic Area and therefore contravenes the 8th Data Protection principle unless (for example) the data subject has given their consent. For this reason, personal data should not normally be available on web pages. - Staff business data on the Internet
Staff personal data which is required to be supplied for the purpose of the normal organisational functioning and management of the Union and, in particular, information which is already supplied in publicly available hardcopy publications does not require the consent of the person to its publication on the Internet or Intranet. This could include for instance business contact details, names, job titles and departments, roles. However, a person has the right to object to the use of their data where it would cause them significant damage or distress. Staff business contact details are currently made available on the Internet. - Staff or student personal information on the Internet
If staff or student personal contact details, or other personal information which is not related to their role at the Union, is placed on the Internet, the permission of that person must be obtained. - Personal Data Collection on Web Pages
When web pages are used to collect personal data, by the use of forms etc, a Data Protection statement should be included.
8.3 Personal data held electronically on computer shared drives and local areas
Personal data will frequently be held electronically, whether in the form of databases, spreadsheets, or simply as part of a Word document. Staff who have access to such data will generally have a legitimate purpose for accessing the data, if they are employed by the UCSU. However, the following points need to be adhered to:
- Consider whether to impose authorised or restricted access to electronic data.
- Terminals or PCs may need to be kept in a room which is kept locked.
- Where the site PC screens can be seen by unauthorised staff , members or others, screens should be clean of any previous data when not in use and locked when leaving your desk
- Computers should be logged off or switched off when not in use
- Disks or tapes should be stored and locked away when not in use
- Passwords should be kept confidential, chosen carefully and changed regularly
- Personal information should be made anonymous whenever possible.
- Delete personal data as soon as it is no longer required.
- Take appropriate security precautions if working on data away from UCSU premises, regarding the safety and security of data en route, or it is being seen by unauthorised people
- Maintain as many of these measures as possible, also when working on lap-tops.
9.Working from home
- When working from home using personal data, use the remote access facility(yourfiles) instead of carrying work home with you.
- When using the remote access facility, or USB devices, ensure documents aresaved back to the network and any copy on your PC is deleted when you have finished work on them. This includes deleting documents from your recycle bin.
- Avoid using wireless if practical. Do not use wireless if it is not encrypted, you are not the connection owner or viewing sensitive data. Yourfiles is securedand may be used over wireless if absolutely necessary.
- Sending personal data to other: Mark internal post as confidential where appropriate. E-mails can also beflagged as confidential where necessary.
- Consider using registered delivery when sending personal information by post
- When e-mailing personal data outside the University, consider passwordprotecting the data and providing the password separately by phone.
- Do not use FTP, Dropbox or other online services which have no guarantee ofsecurity.
- When wishing to transfer sensitive personal data, information which couldcause harm or distress if inadvertently disclosed or large volumes of personal data, contact the IT service desk ()for advice on the best approach.
10. Sensitive Personal Data
10.1 Sensitive personal data covers the following: