Fareham College holds personal data about our employees, clients, suppliers and other individuals for a variety of business purposes.
This policy sets out how we seek to protect personal data and ensure that staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.
Definitions within this policy:
- Personnel, administrative, financial, regulatory, payroll and business development purposes.
- Compliance with our legal, regulatory and corporate governance obligations and good practice
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
- Investigating complaints
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
- Monitoring staff conduct, disciplinary matters
- Marketing our business
- Improving services
- Information relating to identifiable individuals, such as job applicants, current and former employees, agency, contract and other staff, clients, suppliers and marketing contacts.
Special Categories of Personal Data:
- Personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings
- Any use of sensitive personal data should be strictly controlled in accordance with this policy.
This policy applies to all staff. You must be familiar with this policy and comply with its terms.
This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
Who is responsible for this policy?
As the college’s Data Protection Officer, the Deputy Principal of Finance & Resource, has overall responsibility for the day-to-day implementation of this policy.
Fair and lawful processing
Fareham College employees and associates must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.
The Data Protection Officer’s responsibilities:
- Keeping the board updated about data protection responsibilities, risks and issues
- Reviewing all data protection procedures and policies on a regular basis
- Arranging data protection training and advice for all staff members and those included in this policy
- Answering questions on data protection from staff, board members and other stakeholders
- Responding to individuals such as clients and employees who wish to know what data is being held on them by Fareham College
- Checking and approving with third parties that handle the company’s data any contracts or agreement regarding data processing
Responsibilities of the IT Director:
- Ensure all systems, services, software and equipment meet acceptable security standards
- Checking and scanning security hardware and software regularly to ensure it is functioning properly
- Researching third-party services, such as cloud services the company is considering using to store or process data
Responsibilities of the Marketing Manager:
- Approving data protection statements attached to emails and other marketing copy
- Addressing data protection queries from clients, target audiences or media outlets
- Coordinating with the DPO to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy
Responsibilities of the MIS Director:
- Addressing data protection queries from clients and/or organisations that deal directly with the personal or sensitive data of our student body.
- Coordinating with the DPO to ensure all MIS initiatives adhere to data protection laws and the company’s Data Protection Policy
Responsibilities of the Director of People & Culture:
- Addressing data protection queries from clients and or organisations that deal directly with the personal data of our staff teams.
- Coordinating with the DPO to ensure all HR initiatives adhere to data protection laws and the company’s Data Protection Policy
- All College Personnel must comply with this policy.
- College Personnel must ensure that they keep confidential all Personal Data that they collect, store, use and come into contact with during the performance of their duties.
- College Personnel must not release or disclose any Personal Data: outside the College; or inside the college to College Personnel not authorised to access the Personal Data, without specific authorisation from their manager or the Data Protection Officer; this includes by phone calls or in emails.
- College Personnel must take all steps to ensure there is no unauthorised access to Personal Data whether by other
- College Personnel who are not authorised to see such Personal Data or by people outside the College.
The processing of all data must be:
- Necessary to deliver our services
- In our legitimate interests and not unduly prejudice the individual’s privacy
- In most cases this provision will apply to routine business data processing activities.
- Our Terms of Business contains a Privacy Notice to clients on data protection.
- Sets out the purposes for which we hold personal data on customers and employees
- Highlights that our work may require us to give information to third parties such as expert witnesses and other professional advisers
- Provides that customers have a right of access to the personal data that we hold about them
Special category personal data
In most cases where we process special category personal data we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure health and safety at work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DPO.
Your personal data
You must take reasonable steps to ensure that personal data we hold about you is accurate and updated as required. For example, if your personal circumstances change, please inform the HR team so that they can update your records.
You must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
Storing data securely:
Physical data storage:
In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it. Printed data should be shredded when it is no longer needed.
Digital data storage:
- Data stored on a computer should be protected by strong passwords that are changed regularly. We encourage all staff to use a password manager to create and store their passwords.
- Data stored on CDs or memory sticks must be locked away securely when they are not being used.
- The DPO must approve any cloud used to store data
- Servers containing personal data must be kept in a secure location, away from general office space.
- Data should be regularly backed up in line with the company’s backup procedures
- Data should never be saved directly to mobile devices such as laptops, tablets or smartphones
- All servers containing sensitive data must be approved and protected by security software and strong firewall.
- All memory sticks and/or external hard drives used for storing personal or sensitive data, MUST be bit locker encrypted, with a strong password. This encryption will be implemented and maintained by the Technical Services team.
We must retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons that the personal data was obtained, but should be determined in a manner consistent with our data retention policy and guidelines.
Transferring data internationally
There are restrictions on international transfers of personal data. You must not transfer personal data anywhere outside the UK without first consulting the Data Protection Officer. This includes both transference to 3rd parties and working on holiday. If you are in doubt contact the DPO for further clarification.
Subject access requests
Please note that under the Data Protection Act 2018, individuals are entitled, subject to certain exceptions, to request access to information held about them.
If you receive a subject access request, you should refer that request immediately to the DPO. We may ask you to help us comply with those requests.
Please contact the Data Protection Officer if you would like to correct or request information that we hold about you. There are also restrictions on the information to which you are entitled remove and/or amend, under applicable law.
All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.
Training is provided through an in-house seminar on a regular basis.
It will cover:
- The law relating to data protection
- Our data protection and related policies and procedures.
Completion of training is compulsory.
As of the 25th of May 2018, new laws in Data Protection came in to effect.
To ensure compliance with the new laws, the following provisions have been added and will be in effect as of the release of this policy.
Privacy Notice - transparency of data protection
Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation. The following queries must be asked when requesting data. The questions must be asked and answers recorded within the data register, as well as being made accessible upon request:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- Identity and contact details of any data controllers
- Details of transfers to third country and safeguards
- Retention period
Conditions for processing
We will ensure any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.
Justification for personal data
We will process personal data in compliance with all six data protection principles:
- Fair and Lawful
We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.
The data that we collect is subject to active consent by the data subject. This consent can be revoked at any time.
Criminal record checks
Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.
Subject access requests
Individuals have the right under the GDPR to ask a College to confirm what Personal Data they hold in relation to them and provide them with the data. This is not a new right but additional information has to be provided and the timescale for providing it has been reduced from 40 days to one month (with a possible extension if it is a complex request). In addition, the college will no longer be able to charge a fee for complying with the request.
Subject Access Requests are becoming more and more common and are often made in the context of a dispute which means that it is crucial that they are handled appropriately to avoid a complaint being made to the ICO.
Right to be erased
A data subject may request that information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request.
Right of erasure is a limited right where by individuals request the erasure of Personal Data concerning them where:
- the use of the Personal Data is no longer necessary;
- their consent is withdrawn and there is no other legal ground for the processing;
- the individual objects to the processing and there are no overriding legitimate grounds for the processing;
- the Personal Data has been unlawfully processed; and
- the Personal Data has to be erased for compliance with a legal obligation.
In a marketing context, where Personal Data is collected and processed for direct marketing purposes, the individual has a right to object to processing at any time. Where the individual objects, the Personal Data must not be processed for such purposes.
Right of data portability
Individuals are also given the right to request that any Personal Data is rectified if inaccurate and to have use of their Personal Data restricted to particular purposes in certain circumstances.
The College will use all Personal Data in accordance with the rights given to Individuals’ under Data Protection Laws, and will ensure that it allows Individuals to exercise their rights in accordance with the College’s Rights of Individuals Policy and Rights of Individuals Procedure. Please familiarise yourself with these documents as they contain important obligations which College Personnel need to comply with in relation to the rights of Individuals over their Personal Data.
Rights in relation to automated decision making and profiling
Under Data Protection Laws there are controls around profiling and automated decision making in relation to Individuals.
Automated Decision Making happens where the College makes a decision about an Individual solely by automated means without any human involvement and the decision has legal or other significant effects; and
Profiling happens where the College automatically uses Personal Data to evaluate certain things about an Individual.
Any Automated Decision Making or Profiling which the College carries out can only be done once the College is confident that it is complying with Data Protection Laws. If College Personnel therefore wish to carry out any Automated Decision Making or Profiling College Personnel must inform the Data Protection Officer.
College Personnel must not carry out Automated Decision Making or Profiling without the approval of the Data Protection Officer.
The College does not carry out Automated Decision Making or Profiling in relation to its employees.
Data protection impact assessments (DPIA)
The GDPR introduce a new requirement to carry out a risk assessment in relation to the use of Personal Data for a new service, product or process. This must be done prior to the processing via a Data Protection Impact Assessment (DPIA). A DPIA should be started as early as practical in the design of processing operations. A DPIA is not a prohibition on using Personal Data but is an assessment of issues affecting Personal Data which need to be considered before a new product/service/process is rolled out. The process is designed to:
- describe the collection and use of Personal Data;
- assess its necessity and its proportionality in relation to the purposes;
- assess the risks to the rights and freedoms of individuals; and
- the measures to address the risks.
A DPIA must be completed where the use of Personal Data is likely to result in a high risk to the rights and freedoms of individuals.
Where a DPIA reveals risks which are not appropriately mitigated the ICO must be consulted.
Where the College is launching or proposing to adopt a new process, product or service which involves Personal Data, the College needs to consider whether it needs to carry out a DPIA as part of the project initiation process. The College needs to carry out a DPIA at an early stage in the process so that the College can identify and fix problems with its proposed new process, product or service at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.
Situations where the College may have to carry out a Data Protection Impact Assessment include the following (please note that this list is not exhaustive):
- large scale and systematic use of Personal Data for the purposes of Automated Decision Making or Profiling (see definitions above) where legal or similarly significant decisions are made;
- large scale use of Special Categories of Personal Data, or Personal Data relating to criminal convictions and offences e.g. the use of high volumes of health data; or
- systematic monitoring of public areas on a large scale e.g. CCTV cameras.
All DPIAs must be reviewed and approved by the Data Protection Officer.
Privacy by design and default
Privacy by design is an approach to projects that promote privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.
When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
Data audit and register
Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
Under the GDPR, College’s will be obliged to notify the ICO in the event of a Data Breach unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Notification must take place within 72 hours of the College becoming aware of the breach.
Fareham College is obliged to notify any individuals affected by the Data Breach as soon as possible where the breach is likely to result in a high risk to their rights and freedoms, for example identity theft or fraud or where the breach may give rise to discrimination.
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
- Investigate the failure and take remedial steps if necessary
- Maintain a register of compliance failures
- Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures
Fareham College is not obliged to notify the individuals affected where:
- there are technological and organisational protection measures (e.g. encryption);
- the Controller has taken action to eliminate the high risk; and
- it would involve disproportionate effort – in this case they must be informed some other way e.g. by a notice in newspapers.
However, the ICO will need to be notified, and may decide to alter the planned action of the college.
If the College appoints a contractor who is a Processor of the College’s Personal Data, Data Protection Laws require that the College only appoints them where the College has carried out sufficient due diligence and only where the College has appropriate contracts in place.
One requirement of GDPR is that a Controller must only use Processors who meet the requirements of the GDPR and protect the rights of individuals. This means that data protection due diligence should be undertaken on both new and existing suppliers. Once a Processor is appointed they should be audited periodically to ensure that they are meeting the requirements of their contract in relation to Data Protection.
Any contract where an organisation appoints a Processor must be in writing.
The college considers having appointed a Processor as engaging someone to perform a service for the college and as part of it they may get access to the college’s Personal Data. Where the college appoints a Processor, the college, as Controller remains responsible for what happens to the Personal Data.
GDPR requires the contract with a Processor to contain the following obligations as a minimum:
- to only act on the written instructions of the Controller;
- to not export Personal Data without the Controller’s instruction;
- to ensure staff are subject to confidentiality obligations;
- to take appropriate security measures;
- to only engage sub-processors with the prior consent (specific or general) of the Controller and under a written contract;
- to keep the Personal Data secure and assist the Controller to do so;
- to assist with the notification of Data Breaches and Data Protection Impact Assessments;
- to assist with subject access/individuals rights;
- to delete/return all Personal Data as requested at the end of the contract;
- to submit to audits and provide information about the processing; and
- to tell the Controller if any instruction is in breach of the GDPR or other EU or member state data protection law.
- In addition, the contract should set out:
- The subject-matter and duration of the processing;
- the nature and purpose of the processing;
- the type of Personal Data and categories of individuals; and
- the obligations and rights of the Controller.