
Data Protection Code of Practice

Set out below is the University’s code of practice on data protection, which accords with UK Data Protection legislation and takes into account the guidance published periodically by the Information Commissioner’s Office (ICO). 

The law
When does the law apply?
How does the University comply with the law?
Data security
Retention of data
Individual rights
Roles and responsibilities
Further information

The law

Data protection legislation encompasses the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (GDPR). It requires that personal data is: 

  • processed fairly, lawfully and in a transparent manner;
  • used only for limited, specified stated purposes and not used or disclosed in any way incompatible with these purposes;
  • adequate, relevant and limited to what is necessary;
  • accurate and, where necessary, up to date;
  • not kept for longer than necessary; and
  • kept safe and secure.

In addition, the University is also required to be able to evidence compliance with these principles.

When does the law apply?

It applies to all processing of personal data carried out for a University purpose, irrespective of whether the data is processed on non-University equipment or by third parties. 

“Processing” encompasses the collection, recording, structuring, storage, adaptation or alteration, retrieval, use, making available, alignment or combination, restriction, erasure or destruction of personal data by either manual or automated means. 

“Personal data” encompasses any information relating to a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. 

In practical terms, it seems prudent to assume that anything which is recorded in relation to an individual may fall under the provisions of the legislation. 

How does the University comply with the law?

The University takes seriously its responsibilities under data privacy legislation. It recognises that the mishandling of an individual’s personal data may cause them distress or put them at risk. There are also legal, financial and reputational risks for the University if the personal data it is responsible for is not processed lawfully. 

In accordance with the law, the University will advise individuals about the processing which is taking place and the lawful bases under which it is being conducted. The University has a series of published documents in place which address its main processing activities: 

Where processing of the personal data of external enquirers, or other users of the University’s services, is necessary, the University can, in most instances, rely on the provisions in the legislation to process for a task carried out in the public interest, the performance of a contract, or as a legitimate interest of the organisation. Processing activity which is not covered by one of the above will be addressed on a case-by-case basis with guidance from the Data Protection Officer. 

Where processing of data is taking place which could be considered high risk, or where new technologies are being used, staff are expected to complete a Data Protection Impact Assessment in conjunction with the Information Governance Team. A register of risks associated with the processing of personal data will be maintained and concerns will be escalated through the appropriate governance channels. 

Data security

All individuals with access to personal data must complete the mandatory Data Protection and Information Security training. 

The University anticipates that the majority of the personal data for which it is responsible will be in electronic format and stored on its secure servers. Whilst the security of the network is the responsibility of the University, individuals are expected to take appropriate security precautions in respect of day-to-day PC usage; further detail is set out in the University’s Information Protection Policy. 

Where personal data is kept in paper copy, individual owners are expected to take necessary precautions to secure this, such as the use of locked drawers or filing cabinets. 

Sometimes it is necessary to share personal data outside the University, in which instance individuals should refer to the guidance on the University’s intranet site to ensure that the transfer is lawful and secure. Advice can also be sought from the Data Protection Officer. 

Where personal data has been lost, or an individual believes that their University computer or its systems have been breached, the University protocol for reporting a breach must be followed; details can be found on the University’s Data Protection website. 

Retention of data

It is not in the interest either of individuals or the University to retain unnecessary or duplicate information. A retention schedule is available on the University’s Data Protection website. 

Individual rights

Subject to certain exemptions, individuals have numerous rights under data protection legislation to allow them to restrict, or to access the personal data that the University holds on them. If a member of staff receives such a request from an individual, they must forward it to the Information Governance Team to be handled centrally. 

Roles and responsibilities

The University

The University is the registered Data Controller and, as such, retains overall responsibility for the management and protection of the personal data under its control. In doing so it will ensure that: 

  • Appropriate policies and procedures are in place to facilitate compliance with data protection legislation. 
  • A Data Protection Officer is appointed to oversee compliance. 
  • People who come into contact with personal data have received adequate training and know where to seek advice. 
  • Appropriate technical and organisational measures are implemented to protect personal data. 
  • A record of processing activity across the institution is maintained as required. 
  • The ICO is notified of any data breaches as required. 
  • Appropriate measures are implemented to protect the rights of individuals. 

Staff

All staff are required to: 

  • Undertake the mandatory Data Protection and Information Security training. 
  • Familiarise themselves with the relevant policies. 
  • Ensure that personal data is used appropriately and kept secure. 
  • Advise the Information Governance Team of any requests received in relation to individual rights under data protection legislation. 
  • Follow the appropriate reporting procedure in the event of a loss, or breach, of personal data. 
  • Ensure that the personal data about themselves which they provide to the University is up to date and accurate. 

Students

All students are required to: 

  • Ensure that the personal data about themselves which they provide to the University is up to date and accurate. 
  • Where they come into contact with the personal data of others (including for use in research), abide by the University’s policies and procedures, often, in the first instance, via conversation with their course leader/tutor. 

Further information

Further information and advice is available either from your local Data Champion or from the University's Information Governance Team. 

November 2024