University of Lincoln Data Protection Policy, version 0.1, August 2010
University of Lincoln
Data Protection Policy
Page 3 of 12
Document SummaryAuthor, Title and Department / Approving Body
Ann-Marie Noble, Information Compliance Manager, Registrar’s Office / Executive Board
Date of Approval / Date for Review
10 September 2010 / September 2012
Revision History
Version / Date / Author(s) / Note
1 / 9.10 / Ann-Marie Noble / Approved
1.1 / 3.11 / Ann-Marie Noble / Minor updates made
1.2 / 5.11 / Ann-Marie Noble / Updated Appendix 2
1.3 / 6.12 / Ann-Marie Noble / Revised sections 2.1, 4.3.6, 4.6.9 and Appendix 2. New sections 4.3.4 and 4.6.2-6.
1.4 / 10.13 / Naomi Timings / Minor updates and amendment to S3.2
Contents
1 / Introduction
1.1 Purpose of the Policy / 4
1.2 Policy Objectives / 4
1.3 Help with this Policy / 4
2 / Scope
2.1 Who is Covered by the Policy? / 4
2.2 What Data is Covered by the Policy? / 4
3 / The Data Protection Act
3.1 The Eight Data Protection Principles / 5
3.2 Right of Data Subject Access / 5
3.3 Registration and Notification / 5
3.4 The Information Commissioner’s Office / 5
4 / Responsibilities
4.1 Obtaining Personal Data / 6
4.2 Recording Personal Data / 6
4.3 Storing Personal Data / 6
4.4 Using Personal Data / 7
4.5 Sharing and Disclosing Personal Data / 7
4.6 Transferring Personal Data / 8
4.7 Destroying Personal Data / 9
5 / Reporting a Data Security Breach / 9
Appendix 1 – The Eight Data Protection Principles / 10
Appendix 2 – Sources of Further Advice and Guidance / 11
1 Introduction
1.1 Purpose of the Policy
The University of Lincoln’s Data Protection Policy has been produced to ensure its compliance with the Data Protection Act 1998 (DPA) and associated legislation. The Policy is intended to complement the University’s Data Protection Statement and incorporates guidance from the Information Commissioner’s Office (ICO) and other relevant organisations.
The Policy provides a framework for compliance and will be supported by a series of guidance documents focussing on specific areas of data compliance within the University. The guidance documents will be used to provide advice and keep staff up-to-date with good practice.
1.2 Policy Objectives
The objectives of the policy are:
§ To ensure staff are aware of the statutory duties that the DPA places on the University;
§ To ensure staff are aware of their legal obligations and responsibilities under the DPA;
§ To ensure staff are aware that compliance with this policy is compulsory and that any member of staff who fails to comply may be subject to disciplinary action.
1.3 Help with this Policy
Guidance and clarification about the interpretation or any other aspect of this policy is available from the Information Compliance Officer.
2 Scope
2.1 Who is Covered by this Policy?
This policy applies to all staff at the University. This includes temporary, casual or agency staff and contractors, consultants and suppliers working for, or on behalf of, the University.
This policy also covers any staff and students who may be involved in research or other activity that requires them to process or have access to personal data (see section 2.2 below), for instance as part of a research project or as part of professional practise activities. If this occurs, it is the responsibility of the relevant faculty to ensure the data is processed in accordance with the DPA and that students and staff are advised about their responsibilities. In addition the activity should be referred to the research ethics committee or other appropriate University authority.
2.2 What Data is Covered by the Policy?
This policy is concerned with personal data as defined by the DPA. The Information Commissioner’s Office (ICO) provides a detailed description of this definition, however briefly; personal data is information relating to a living, identifiable individual where the structure of the data allows the information to be accessed. This includes data held manually and electronically and data compiled, stored or otherwise processed by either the University or by a third party on its behalf.
Sensitive personal data is a subset of personal data and means personal data consisting of information relating to:
§ racial or ethnic origin,
§ political opinions,
§ religious beliefs or other beliefs of a similar nature,
§ membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
§ physical or mental health or condition,
§ sexual life,
§ commission or alleged commission of any offence, or
§ any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
3 The Data Protection Act
The DPA gives individuals the right to know what information is held about them and provides a framework to ensure that personal information is handled properly. The Act works in two ways: firstly, it states that anyone who processes personal information must comply with eight principles and secondly, it provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
3.1 The Eight Data Protection Principles
The DPA requires that the University, its staff and others who process or use any personal information must comply with the eight data protection principles. The principles require that personal data is:
§ Fairly and lawfully processed
§ Processed for limited purposes
§ Adequate, relevant and not excessive
§ Accurate and up to date
§ Not kept for longer than is necessary
§ Processed in line with your rights
§ Secure
§ Not transferred to other countries without adequate protection
An expanded version of the list of data protection principles is provided in appendix 1.
3.2 Rights of the Data Subjects
Under the DPA data subjects have various rights, these being;
1. The right to access information that is held about them (subject to exemptions)(section 7 DPA)
2. The right to prevent processing which is likely to cause damage or distress (section 10 DPA)
3. The right to prevent processing for direct marketing (section 11 DPA)
4. The right to prevent processing for automatic decision making (section 12 DPA)
5. The right to claim compensation (suffered as a breach of the DPA)
6. The right to rectify, block, destroy or erase personal data (section 70 DPA)
If a request by a data subject for any of the above is received by the University, they should be sent upon receipt to the Information Compliance Officer.
Under the DPA individuals have a right to see what personal data is being held about them by the University, subject to a limited number of exemptions. Unless the information requested is provided as part of the normal course of business, the individual who is the subject of the data (ie the data subject) should be directed to the Information Compliance Manager for advice on how to make a Subject Access Request (SAR). The University must respond to SARs within forty calendar days of receiving the request.
3.3 Registration and Notification
As a data controller, the University is required to register with the ICO and submit an annual notification listing the purposes under which it processes personal information. The University must also notify the ICO within 28 days should any entry become inaccurate or incomplete. The ICO publishes a register of data controllers on its website which is available to the public for inspection. The University’s notification can be found on the ICO’s website by entering its registration number which is Z7846984.
It is an offence for the University to process personal data that falls outside of the purposes declared in its notification. Staff who work with personal data should be familiar with the University’s notification and inform the Information Compliance Officer if they intend to implement changes that may require the notification to be amended.
3.4 The Information Commissioners’ Office
The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO enforces and oversees the Data Protection Act as well as the Freedom of Information Act, the Environmental Information Regulations, and the Privacy and Electronic Communications Regulations. The ICO has the power to take regulatory actions to enforce compliance with the DPA which include enforcement notices, audit, monetary penalties (up to a maximum of £500,000) and criminal prosecution.
The ICO also receives and responds to complaints from individuals and organisations who feel they are being denied access to personal information they are entitled to, or feel their information has not been handled according to the eight principles.
Further information about the ICO can be found on its website at http://www.ico.gov.uk.
4 Responsibilities
University staff who process personal data as part of their duties must ensure that they are complying with the eight data protection principles described in section 3.1. Processing data is a collective term for any action taken relating to personal data and includes obtaining, recording, storing, using, sharing, disclosing, transferring, and destroying data.
4.1 Obtaining Personal Data
1. Only personal data that is necessary for a specific University-related business reason should be obtained.
2. When obtaining personal data staff must first ensure that the purpose under which they are collecting the data is included in the University’s notification (see section 3.3). If it is not they should notify the Information Compliance Officer before any personal data is collected so that the notification can be amended.
3. A privacy notice (also known as a fair processing notice or a data protection statement) must be actively communicated to individuals at the point at which their personal data is collected and ideally should be in the same medium. A privacy notice must as a minimum explain who you are, what you intend to do with the personal data and who it will be shared with or disclosed to. It is also good practice to include further information in a privacy notice, for example how long the data will be kept for, how the data will be kept secure, the consequences of not providing the data and the right to make a subject access request. Further guidance on writing privacy notices is available from the Information Compliance Officer.
4. In some cases individuals will have a choice over whether or not to provide their personal data, or over the use that can be made of it. In these cases clear consent must be obtained.
5. Data must be collected in a secure manner.
6. When new projects and initiatives are being developed within the University that may have implications for people’s privacy, the Information Compliance Officer should be involved at an early stage to help identify and assess any privacy concerns (and undertake a Privacy Impact Assessment)
4.2 Recording Personal Data
1. Staff must ensure that mechanisms are put in place for keeping personal data accurate and up-to-date for the purpose for which it is held.
2. Personal data should be retained in accordance with any retention period specified in the relevant privacy notice.
3. Staff should be aware that any material they produce that refers to individuals may be accessed by that individual regardless of the informality of that information or how or where it is held, including any opinion of an individual. Staff should be aware of this when documents are created.
4.3 Storing Personal Data
1. All staff whose work involves processing personal data, whether in electronic or paper format, must take personal responsibility for its secure storage.
2. Access to personal data, in electronic or paper format, should be restricted to staff who need to access the information in the course of their duties.
3. Personal data in paper format must be kept in a locked filing cabinet, cupboard or drawer.
4. Documents containing personal data should only be printed when there is a business need to do so. Documents should not be automatically (push) printed to shared print devices unless staff take other appropriate measures to ensure the security of the data.
5. Personal data in electronic format should be stored within the University Data Centre which is regularly backed up and should not be kept on local hard drives. As a minimum, user accounts should be password protected and consideration should be given to the use of additional folder, file or database level password protection, access restrictions and/or encryption. Staff can contact the University’s ICT Helpdesk for advice on how to do this.
6. Staff who intend to store personal data on a portable storage device, such as a laptop, tablet, memory stick, hard drive, disk or mobile phone, must seek the authorisation of their line manager. The personal data on the portable storage device must be encrypted and the device must be kept in a locked filing cabinet, cupboard or drawer.
7. Staff must not keep sensitive personal data (see section 2.2) on portable storage devices unless they have received authorisation from both their line manager and the Information Compliance Officer.
8. Normally personal data should never be stored at staff members’ homes, whether in paper or electronic format. In instances where off-site processing is necessary, staff must obtain authorisation from their line manager. If the processing includes sensitive personal data (see section 2.2) the authorisation of their line manager and the Information Compliance Officer is required.
4.4 Using Personal Data
1. Personal data should only be processed for the specific purpose contained in the privacy notice provided when the data was collected.
2. If staff wish to use the personal data in a new and unforeseen way the privacy notice should be updated to reflect the change. If the change would not reasonably be expected by the data subjects, staff must actively communicate the revised privacy notice to them. In certain cases clear consent from the data subjects must be obtained before the personal data is used in the new way.
3. Personal data should only be used for marketing activities where data subjects have given their consent. Unsolicited marketing activities involving messages sent by telephone, fax, email or text must conform to the Privacy and Electronic Communications Regulations 2003 (PECR).