Fitzwilliam College Data Protection Policy


INTRODUCTION

The information within this policy and supporting guidelines are important and apply to all members and staff of the College who shall in this policy be collectively referred to as the College in the paragraphs below. Non-compliance may result in disciplinary action in accordance with the College's procedures.

As a Data Controller within the meaning of the Data Protection Act 1998 the College has a statutory obligation to notify the Information Commissioner of the purposes for which it processes personal data. Like all Educational establishments, the College holds and processes information about its members, employees, applicants, students, alumni and other individuals for various purposes. The College's notification permits the processing of data only for the following purposes:

- Provision of education and support services to our students and staff;
- Advertising and promoting the university, and the services we offer;
- Publication of the university magazine and alumni relations;
- Undertaking research and fundraising;
- Managing our accounts and records and providing commercial activities to our clients.
- The use of CCTV systems to monitor and collect visual images for the purposes of security and the prevention and detection of crime.

For the avoidance of doubt the term university in the above list should be taken as synonymous with College. A full copy of the College's data notification may be found on the Information Commissioner's website (https://ico.org.uk/esdwebpages/dosearch?reg=356413) or obtained from the Data Protection Officer.
DEFINITIONS

Personal data means data which relate to a living individual who can be identified:

(a) From those data
(b) From those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expressions of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Data means information which:

(a) Is being processed by means of equipment operating automatically in response to instructions given for that purpose
(b) Is recorded with the intention that it should be processed by means of such equipment
(c) Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

Sensitive Personal data means personal data consisting of information as to:

- Racial or ethnic origin
- Political opinions
- Religious beliefs or other beliefs of a similar nature
- Membership of a Trade Union
- Physical or mental health or condition
- Sexual life
- Commission or alleged commission of a criminal offence
- Any Court proceedings

The Act applies to all instances of the processing of personal data. Processing includes the activities of collecting, holding, using, disclosing, retaining or destroying relevant information, whether held in paper or electronic files. Personal data can include photographs, video tapes or CCTV footage.

A Data Subject is the person to whom the personal data relates.

RESPONSIBILITIES

The Data Protection Officer is the Bursar.

- Maintain the College's registration and notification to the Information Commissioner
- Maintain, update and promulgate this policy and supporting procedures.
- Internal decisions regarding the applicability of the Act and the applicability of exemptions
- Appoint Data Controllers

Data Controllers shall be appointed to oversee the control of particular classes of personal data. Data Controllers shall be Heads of Department or relevant College Officers and will be responsible for the application of this policy to the class of data within their control, including:

- Ensuring access to the data is controlled.
- Maintaining security, consulting the IT Manager where the data are held electronically.
- Ensuring that the data are regularly reviewed for accuracy and appropriateness.
- Ensuring destruction rules are followed (Guidance on the retention of records containing personal data is provided at Appendix 1).
- Archiving securely data that do not need to be accessed regularly.

The Senior Tutor shall be the data controller for personal data held by Tutors and Directors of Studies.
All members of the College who record and/or process personal data in any form must ensure that they comply with the requirements of the Act and with the College's data protection policy. In particular members of the College must not, without the prior written authorisation of the Data Controller:

- Develop a new computer system for processing personal data.
- Use an existing computer system for processing personal data for a different purpose.
- Create a new manual filing system containing personal data
- Use an existing manual filing system containing personal data for a different purpose.
- Grant access to, or transfer personal data to any third party (i.e. not a member of Staff or member of the College).

DATA PROCESSING

The College may only process personal data for the purposes set out in its Notification, and must at all times abide by the Data Protection Principles, set out within the Act. These are as follows:

1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and where necessary kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The College will be open with individuals from the outset about the purpose for which data is being collected and the way their data is processed. This information will be contained within appropriate Privacy Notices on all forms in which data is gathered.
All privacy notices will be approved by the Data Protection Officer and may not be changed without his/her consent. Explicit consent will always be obtained from the data subject when collecting sensitive personal data.

Information may be shared with the University provided it is directly relevant to the College's objectives. Unless required to do so under a statutory exemption (e.g. in connection with criminal justice or the taxation system), the College will not share information with any other third party without having first informed the individual and given them the opportunity to object. The College will not use information obtained about individuals in ways which unjustifiably have a negative impact on them.

PERSONAL DATA REGISTER

The Data Protection Officer will maintain a register relating to the use of personal data which shall contain the following information:

- Class of data
- Data Controller
- Purposes for which it is held
- Sensitive personal data collected
- Filing system
- Security
- How data is collected
- Copies of privacy notice
- List any third party who stores or has access to personal data.

The register defines the scope and terms of data processing that is permitted, and the relevant responsibilities. No change to activities defined in the register may be made without written authorisation of the Data Protection Officer.

DATA SECURITY

Data controllers are responsible for ensuring that data are held under appropriate security, and for ensuring that all staff with access to personal data are trained in the relevant provisions of the Act. Rules for managing data will be issued by the Data Protection Officer. A breach of these rules may be regarded as a disciplinary offence.

EMAIL

All those working within the College need to be aware that the Data Protection Act applies to emails which contain personal data about individuals which are sent or received by members of the College (other than for their own private purposes), including those sent through an individual's own email account. Such emails should form part of the College's records.

THE RIGHTS OF DATA SUBJECTS

Data subjects have the following rights:

- A right of access to a copy of the information comprised in their personal data.
- A right to object to processing that is likely to cause or is causing damage or distress.
- A right to prevent processing for direct marketing.
- A right to object to decisions being taken by automated means
- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
- A right to claim compensation for damages caused by a breach of the Act

Any requests relating to personal data, including Subject Access requests, should be made in writing to the Data Protection Officer at Fitzwilliam College (contact details below). The request should make clear that the applicant is making a request under the Data Protection Act 1998.
Subject Access requests should be accompanied by a processing fee of £10.00. The College will respond as quickly as possible within the statutory deadline. In accordance with the Data Protection Act the College reserves the right to refuse repeated requests where a reasonable period has not elapsed between requests.

The College will consider any objections to intended processing of personal data but reserves the right to process personal data in order to carry out its functions as permitted by law.

NOTICES, REQUESTS AND COMPLAINTS

Notices, requests and complaints relating to this policy should be addressed to:

The Data Protection Officer
Bursar's Office
Fitzwilliam College
Storey's Way
Cambridge CB3 0DG
Tel: 01223 332067
Fax: 01223
Email: bursar@fitz.cam.ac.uk

The Data Protection Officer will seek to resolve any issue to the satisfaction of the data subject. Should a data subject be dissatisfied with the decision of the Data Protection Officer they shall have the right to request an independent internal review of the decision. Such review shall be carried out by a member of the College nominated by the Master, or in the Master's absence, the College Committee. There is also a right to complain to the Information Commissioner.

Approved by the Governing Body on 22nd January 2014. Revised 15th October 2014.

Appendix 1: Fitzwilliam College Data Protection Policy. Retention of records containing personal data.

Type of record: Student records, including academic achievements and conduct and financial records
Retention period: At least 6 years from the date the student leaves the College, in case of litigation for negligence.
Reason for period: Limitation period for negligence. Accounting and Audit rules.
Retention period: At least 10 years for personal and academic references
Reason for period: Permits the College to provide references for a reasonable length of time.
Retention period: Certain personal data may be held in perpetuity
Reason for period: While personal and academic references may become stale, some data e.g. transcripts of student marks may be required throughout the student's future career. Upon the death of the data subject, data relating to him/her ceases to be personal data.

Type of record: Student applications and interview reports
Retention period: This information will be retained by the College for as long as it remains relevant. In the case of unsuccessful applications this normally means that files will be destroyed on the 1st September in the year following application.
Reason for period: Provision of feedback and answering queries. Consistent with University policy

Type of record: Personnel files
Retention period: 7 years from the end of the employment by the College.
Reason for period: References and potential litigation

Type of record: Staff application forms/interview notes
Retention period: 6 months from the date of successful appointment. Data for unsuccessful applicants will be destroyed at this time.
Reason for period: Time limit on litigation

Type of record: Facts relating to redundancies where less than 20 redundancies
Retention period: 7 years from the date of redundancy
Reason for period: Time limit on litigation

Type of record: Facts relating to redundancies where 20 or more redundancies
Retention period: 12 years from the date of redundancies
Reason for period: Limitation Act 1980

Type of record: Income tax and NI returns
Retention period: At least 7 years after the end of the financial year to which the records relate.
Reason for period: Income Tax (Employment) Regulations 1986

Type of record: Statutory maternity pay records and calculations
Retention period: At least 7 years after the end of the financial year to which the records relate
Reason for period: Statutory Maternity Pay (general) Regulations 1986

Type of record: Statutory sick pay records and calculations
Retention period: At least 7 years after the end of the financial year to which the records relate
Reason for period: Statutory Sick Pay (general) Regulations 1986

Type of record: Wages and salary records
Retention period: 7 years
Reason for period: Taxes Management Act 1970

Type of record: Accident books, records and reports of accidents
Retention period: 3 years after the date of the last entry
Reason for period: Social Security (Claims and Payments) Regulations 1979. RIDDOR 1985

Type of record: Health records
Retention period: During Employment
Reason for period: Management of Health and Safety at Work Regulations

Type of record: Health records where reason for termination of employment is connected with health, including stress related illness
Retention period: 3 years
Reason for period: Limitation period for personal injury claims

Type of record: Medical records kept by reason of the Control of Substances Hazardous to Health Regulations
Retention period: 40 years
Reason for period: Control of Substances Hazardous to Health Regulations 1985

Type of record: CCTV footage
Retention period: 28 days
Reason for period: To allow sufficient time for a crime or serious event to be discovered and investigated.

Type of record: Applications for academic posts (including Research Fellowships)
Retention period: 6 months from the date of successful appointment. Data for unsuccessful applicants will be destroyed at this time.
Reason for period: Time limit on litigation

Type of record: Library Management System
Retention period: Records of former students are retained for 2 years
Reason for period: In case a student returns for further studies later

Appendix 2: Data to be held in the Register - Questionnaire

- Department
- Class of Data (File set general description). Please complete a separate form for each class
- Data Controller's details
- Purpose (what is the information in this file held for?)
- Type of data held. Please list (e.g. personnel records, Pay and pensions, Admissions records etc)
- Sensitive personal data collected
- Data subjects (e.g. Fellows, staff, students)
- Source: (from whom/where does the information come? How are the data collected?) Please attach copies of privacy notices used.
- Filing system (paper and electronic)
- Security
- List any third party who stores or has access to the data.
- Duration for which the file set is retained
- Any other relevant information

Appendix 3: College Data Protection Privacy Statement (for the College Website)

Fitzwilliam College is a Data Controller under the Data Protection Act 1998. We hold information for the purposes specified in our notification to the Information Commissioner, including the provision of education, student and staff support services, staff, agent and contractor administration, and alumni relations (including fund raising initiatives) and we may use this information for any of them. You may see the full notification at http://www.ico.gov.uk/esdwebpages/dosearch.asp?reg=5869883

You may view the College's Data Protection Policy at http://www.fitz.cam.ac.uk/about/legaldocuments

The College operates in close partnership with the University of Cambridge, making use of shared systems, databases and infrastructure as well as co-operating on initiatives which are in the collective interests of the combined University. We may share information with the University provided it is directly relevant to the College's objectives. We will not give information to anyone outside the College or the University and their affiliates and associated bodies unless the law permits us to do so, or we have your express permission to do so. For more information go to http://www.fitz.cam.ac.uk/about/legal-documents and look for Data Protection Policy.

If you have any queries, wish to restrict data processing or sharing including use for marketing or do not want to be contacted by the College, please inform us. (Minimal information is always retained to make sure you are not contacted again inadvertently: name, subject, matriculation and graduation details, USN and date of birth.) You will need to contact the University separately if you wish to restrict University data processing, sharing, marketing or contact.

We will publish any changes we make to this data protection statement and, where appropriate, notify you by email.

Contact:

The Data Protection Officer
Bursar's Office
Fitzwilliam College
Storey's Way
Cambridge CB3 0DG
Tel: 01223 332067
Fax: 01223 332078
Email: bursar@fitz.cam.ac.uk