Data Protection Policy

Transcription

1 Data Prtectin Plicy PLEASE NOTE: A new Data Prtectin Plicy, cmpliant with the requirements f the Data Prtectin Act 2018 and the Eurpean General Data Prtectin Regulatin (GDPR), is currently underging the apprval prcess at the University and will shrtly replace this plicy. Intrductin The University f Birmingham ("the University") needs t keep certain infrmatin abut its emplyees, students and ther users t allw it t mnitr perfrmance, achievements, and health and safety, fr example. It als needs t prcess infrmatin s that staff can be recruited and paid, curses rganised and legal bligatins t funding bdies and gvernment cmplied with. T cmply with the law, infrmatin must be cllected and used fairly, stred safely and nt disclsed t any ther persn unlawfully. T d this, the University must cmply with the Data Prtectin Principles, which are set ut in the Data Prtectin Act 1998 ( the Act ). In summary these state that persnal data shall: Be btained and prcessed fairly and lawfully and shall nt be prcessed unless certain cnditins are met. Be btained fr a specified and lawful purpse and shall nt be prcessed in any manner incmpatible with that purpse. Be adequate, relevant and nt excessive fr thse purpses. Be accurate and kept up t date. Nt be kept fr lnger than is necessary fr that purpse. Be prcessed in accrdance with the data subject's rights. Be kept safe frm unauthrised access, accidental lss r destructin. Nt be transferred t a cuntry utside the Eurpean Ecnmic Area, unless that cuntry has equivalent levels f prtectin fr persnal data. Anyne wh prcessed data n behalf f the University, including staff (including hnrary staff), students, vlunteers, cntractrs r thers wh prcess r use any persnal infrmatin must ensure that they fllw these principles at all times. In rder t ensure that this happens, the University has develped the Data Prtectin Plicy. A glssary f terms and list f useful resurces is attached t this Plicy. Status f the Plicy This plicy des nt frm part f the frmal cntract f emplyment, but it is a cnditin f emplyment that emplyees will abide by the rules and plicies made by the University frm time t time. Any failures t fllw the plicy can therefre result in disciplinary prceedings. Any member f the University, wh cnsiders that the plicy has nt been fllwed in respect f persnal data abut themselves, shuld raise the matter with the Data Prtectin Officer initially. If the matter is nt reslved satisfactrily it culd be raised as a frmal grievance r cmplaint. Respnsibilities f Staff All staff are respnsible fr: Checking that any infrmatin that they prvide t the University in cnnectin with their emplyment is accurate and up t date. Infrming the University f any changes t infrmatin, which they have prvided, eg changes f address. Infrming the University f any errrs r changes in staff infrmatin. The University cannt be held respnsible fr any such errrs unless the staff member has infrmed the University f them. If and when, as part f their respnsibilities, staff cllect infrmatin abut ther peple, (eg abut students' curse wrk, pinins abut ability, references t ther academic institutins, r details f persnal circumstances), they must cmply with the guidelines fr staff (Appendix 1).

2 Data Security All staff and students are respnsible fr ensuring that: Any persnal data, which they prcess, is kept securely in accrdance with the University s Infrmatin Security Plicy; Persnal infrmatin is nt disclsed accidentally r therwise t any unauthrised third party. Student Obligatins Students must ensure that all persnal data prvided t the University is accurate and up t date. They must ensure that changes f address etc are updated n the student registratin system. Students may, as part f a prject, prcess persnal data. If they d s they must cmply with the University s Data Prtectin Plicy and Infrmatin Security Plicy. Rights t Access Infrmatin Staff, students and ther users f the University have the right t access any persnal data that is being kept abut them either n cmputer r in certain files. Any persn wh wishes t exercise this right shuld cntact Legal Services, in writing. The University will make a charge f 10 n each ccasin that access is requested. The University aims t cmply with requests fr access t persnal infrmatin as quickly as pssible, but will ensure that it is prvided within 40 days. Subject Cnsent In many cases, the University prcesses persnal data with the cnsent f the individual. If the data is sensitive, express cnsent must almst always be btained. Agreement t the University prcessing sme specified classes f persnal data is a cnditin f acceptance f a student nt any curse, and a cnditin f emplyment fr staff. This includes infrmatin abut previus criminal cnvictins in accrdance with the Rehabilitatin f Offenders Act All prspective staff and students will be asked t cnsent t their data being prcessed when an ffer f emplyment r a curse place is made. A refusal t sign such a frm withut gd reasn may result in the ffer being withdrawn. Prcessing Sensitive Infrmatin Smetimes it is necessary t prcess sensitive persnal infrmatin. This may be t ensure the University is a safe place fr everyne, r t perate ther University plicies, such as the sick pay plicy r equality plicies. The University will als ask fr infrmatin abut particular health needs, such as allergies t particular frms f medicatin, r any health cnditins r disabilities. Because this infrmatin is cnsidered sensitive, and it is recgnised that the prcessing f it may cause particular cncern r distress t individuals, staff and students will be asked t give express cnsent fr the University t prcess this infrmatin. The Data Cntrller and the Data Prtectin Officer The University as a bdy crprate is the data cntrller under the Act, and the University Cuncil is therefre ultimately respnsible fr implementatin. Hwever, the Data Prtectin Officer will deal with day t day matters. The University has designated Mrs CM Pike OBE (Directr f Legal Services) t act as Data Prtectin Officer. Any query relating t the implementatin within the University f the Act and Subject Access Requests under sectin 7 f the Act shuld be referred t Legal Services. Examinatin Marks

3 Students will be entitled t infrmatin abut their marks fr bth cursewrk and examinatins as part f their tutrial supprt. This is within the prvisins f the Act relating t the release f data. Hwever, this may take lnger than ther infrmatin t prvide. Retentin f Data The University will keep sme frms f infrmatin fr lnger than thers. Data n students, including any infrmatin n health, race r disciplinary matters, will be destryed after 10 years but a skeletal recrd will be retained t include a full transcript f academic achievements. The University will need t keep central persnnel recrds indefinitely. This will include infrmatin necessary in respect f pensins, taxatin, ptential r current disputes r litigatin regarding the emplyment, and infrmatin required fr jb references. Research data must be retained in accrdance with the Cde f Practice fr Research. Cmpliance Cmpliance with the Act is the respnsibility f all members f the University. Any deliberate breach f the data prtectin plicy may lead t disciplinary actin being taken, r access t University facilities being withdrawn, r even a criminal prsecutin. It may als result in persnal liability fr the individual. Any questins r cncerns abut the interpretatin r peratin f this plicy shuld be taken up with the Data Prtectin Officer. This plicy was apprved by the University s Cuncil n 17 December 2007 and updated in May 2017 and takes immediate effect.

4 Data Prtectin Act 1998 Guidelines fr Staff Appendix 1 1. Members f staff will prcess persnal data n a regular basis. The University will ensure that staff and students give their cnsent t prcessing, r that anther cnditin fr prcessing applies, and are ntified f the categries f prcessing, as required by the Act. 2. Infrmatin abut an individual's physical r mental health; sexual life; plitical r religius views; trade unin membership; ethnicity r race; the cmmissin f criminal ffences and curt prceedings dealing with criminal ffences is sensitive and can nrmally nly be cllected and prcessed with their express cnsent. 3. Members f staff have a duty t make sure that they cmply with the data prtectin principles, which are set ut in the University Data Prtectin Plicy. In particular, staff must ensure that recrds are: accurate; up-t-date; fair; kept and dispsed f safely, and in accrdance with the University plicy. 4. Individual members f staff are respnsible fr ensuring that all data they are hlding is kept securely. 5. Members f staff must nt disclse persnal data, unless fr nrmal academic, administrative r pastral purpses, withut authrisatin r agreement frm the Data Prtectin Officer, r in line with the University plicy. 6. Members f staff must cmplete University registratins frms in respect f all databases hlding persnal data befre cmmencing prcessing f the data. The University may need t amend its registratin with the Office f the Infrmatin Cmmissiner. Frms and advice are available frm Legal Services n extensin r 7. Befre prcessing any persnal data, all staff shuld cnsider the checklist. 8. All staff shuld either cmplete nline data prtectin training thrugh Canvas r attend an pen training sessin thrugh POD, and make themselves aware f the Data Prtectin Tlkit and ther resurces n the Legal Services website. Staff Checklist fr Recrding Data D yu really need t recrd the infrmatin? Is the infrmatin 'standard' r is it 'sensitive'? If it is sensitive, d yu have the data subject's express cnsent? Has the individual r data subject been tld that this type f data will be prcessed? Are yu authrised t cllect/stre/prcess the data? If yes, have yu checked with the data subject that the data is accurate? Are yu sure that the data is secure? If yu d nt have the data subject's cnsent t prcess, are yu satisfied that ne f the ther cnditins fr prcessing data applies? In respect f databases cntaining persnal data, have yu ntified Legal Services that yu intend t hld the data and registered the database? Hw lng d yu need t keep the data fr, and what is the mechanism fr review/destructin?

5 Glssary f Terms Data Any infrmatin held by the University fr the purpses f University business. Persnal Data Infrmatin abut a living persn. This infrmatin is prtected by the Act. Data Subject The persn abut whm the data are held. Sensitive Data The Act intrduces categries f sensitive persnal data, namely, persnal data cnsisting f infrmatin as t: a. the racial r ethnic rigin f the data subject, b. their plitical pinins, c. their religius beliefs r ther beliefs f a similar nature, d. whether they are a member f a trade unin, e. their physical r mental health r cnditin, f. their sexual life, g. the cmmissin r alleged cmmissin by them f any ffence, r h. any prceedings fr any ffence cmmitted r alleged t have been cmmitted by them, the dispsal f such prceedings r the sentence f any curt in such prceedings. Data Cntrller A persn (r rganisatin) wh determines the purpses fr which, and the manner in which, any persnal data are, r are t be, prcessed. Prcessing Cvers almst anything which is dne with r t the data, including: btaining data recrding r entering data nt the files hlding data, r keeping it n file withut ding anything t it r with it rganising, altering r adapting data in any way retrieving, cnsulting r therwise using the data disclsing data either by giving it ut, by sending it n , r simply by making it available cmbining data with ther infrmatin erasing r destrying data

6 Useful resurces Guidance and advice is available frm Legal Services ( - lgin required). The Legal Services intranet ( Prtectin/DPA-Resurces.aspx - lgin required) cntains: Data Prtectin Key Pints and Reference Guide Data Prtectin Tlkits Breach/incident reprting guidance and reprting frm Privacy impact assessment guidance and template Infrmatin fr NHS Digital researchers Link t the Canvas Data Prtectin Training. The Infrmatin Cmmissiner s Officer s website cntains guidance n data prtectinhttps://ic.rg.uk/fr-rganisatins/guide-t-data-prtectin/.