Data Protection Policy

Coleg Gwent

“our learners are at the heart of everything we do” / “mae ein dysgwyr yn ganolog i bopeth a wnawn”

QM2.8

1. INTRODUCTION

Coleg Gwent holds information about its corporation members, employees, students, partners, suppliers and other users as a normal part of its day-to-day business. It is necessary for example to process information so that staff can be recruited and paid, students enrolled, courses organised, examinations and assessments held and legal obligations to funding bodies and government complied with.

The Data Protection Act 1998 came into force on 1st March 2000. This Act introduced significant new responsibilities that the College took into account.

The purpose of the Act is to ensure that data is collected and used in a responsible and accountable manner and to provide the individual with a degree of control over the use of their personal data. To comply with the law information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

It is the intention of Coleg Gwent to comply with the terms of the Data Protection Act 1998. The College will ensure that the interests of its employees and students are safeguarded by regularly reviewing its policy and taking account of Codes of Practice and other advice issued by the Information Commissioner. Coleg Gwent will also take account of the wider legal framework introduced by the Regulation of Investigatory Powers Act 2000, the Human Rights Act 1998, the Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003, the Computer Misuse Act 1990 and the Crime and Disorder Act 1998.

Coleg Gwent and all staff or others who process or use personal information must ensure that they follow the Data Protection Principles at all times. In order to ensure that this happens, Coleg Gwent has developed the Data Protection Policy and associated financial control procedures.

Coleg Gwent acknowledges that the Corporation or individual members of staff may be held liable for criminal offences under the Data Protection Act 1998. Fines for breaches are unlimited.

2. THE DATA PROTECTION ACT 1998

The 1998 Act places duties and obligations on "Data Controllers" in relation to their "processing" of "personal data". Personal data includes information about living, identifiable individuals (data subjects) that is to be processed by means of automated equipment (including computer processing and CCTV images). This may include e-mails which are processed with reference to the data subject.

Personal data also includes information recorded as part of a "relevant filing system". This is any manual filing system, microfiche or paper set of information that is structured in such a way that information relating to a particular individual is readily accessible.

QM2.8 Data Protection Policy Issue 3 28.03.11 Page 2 of 16

Personal data must be processed fairly and lawfully. There must be a clear purpose for processing.

Processing means obtaining, recording, holding, organising, altering, retrieving, consulting, destroying or carrying out any operation on the information or data.

Sensitive personal data is a special category. It may only be processed with the explicit consent of the data subjects:

- the racial or ethnic origin of the data subject
- political opinions
- religious or other beliefs of a similar nature
- trade union membership
- physical or mental health or condition
- sexual life
- the commission or alleged commission of any offence
- proceedings for any offence or alleged offence

The eight Data Protection Act Principles provide the framework for processing. Personal data must be:

1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate
5. not kept for longer than is necessary
6. processed in accordance with individuals' rights
7. secure
8. not transferred to countries without adequate protection (outside the EEA)

Rights for Individuals under the Data Protection Act 1998:

- right of subject access (to data held on computer records and relevant filing systems upon making a request in writing and paying a fee)
- right to prevent processing likely to cause unwarranted and substantial damage or distress
- right to prevent processing for the purposes of direct marketing
- right to compensation
- right to correction, blocking, erasure or destruction
- right to ask the Information Commissioner to assess whether the DPA has been contravened

Criminal Offences under the Data Protection Act 1998:

- processing without notification
- failure to comply with an enforcement notice
- unlawful obtaining or disclosure of personal data
- selling or offering to sell personal data without the consent of the data subject

3. STATUS OF THE POLICY

This policy is a broad summary of Coleg Gwent's responsibilities under the Data Protection Act.

This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by Coleg Gwent from time to time. Any failures to follow the policy can therefore result in disciplinary proceedings.

4. COLEG GWENT COMPLIANCE FRAMEWORK

The College, as a body corporate, is the Data Controller under the Act and the Corporation is therefore ultimately responsible for implementation.

The designated Data Controllers on behalf of the College are:

- Principal
- Deputy Principal (External Affairs)
- Vice Principal (Human Resources & Organisation Development)
- Vice Principal (Curriculum & Quality)
- Vice Principal (Finance, Estates & Information Services)

The Data Controllers are responsible for data within their normal line management responsibility within the College. It is within their remit to delegate responsibilities as appropriate.

The Data Protection Officer on behalf of the College is:

Head of Information Services

The Data Protection Officer will be responsible for convening a Data Protection team.

The Data Protection Team will be responsible for:

- Data Protection Policy
- The Data Protection Notification
- Review of procedures
- Data Protection audits

A copy of the Data Protection Policy will be held on the Coleg Gwent intranet, in the student area of Moodle and in the Employee Handbook.

The College will maintain a Register of all systems used to process personal data in the College. This will include the type of system, the types of personal data held and the purpose of processing. The purpose of the registers is to ensure that all processing of personal data within the College is adequately notified to the Information Commissioner.

Confidentiality criteria will be applied to all data as follows:

- Sensitive personal data (as defined by the DP Act)
- Confidential personal data (subject to the DP Act)
- Internal use data (operational; may contain personal data not subject to the DP Act)
- Public use data (may contain personal data approved for public use)

College staff are only allowed to use authorised systems for processing personal data. Any request to establish new systems for processing personal data must be made formally to the Data Protection Officer on the form provided (Appendix A).

Data Protection and Information Security should be reviewed regularly and be placed as a standing item on Senior Management and team meetings.

Evidence of non-compliance should be recorded in the Data Protection Incident Log and investigated.

Where appropriate it should be a component of the corporate risk register.

5. RESPONSIBILITIES OF STAFF

The College will require all staff to familiarise themselves and comply with the Data Protection Policy.

6. RESPONSIBILITIES OF STUDENTS

The College will require all students to consent to processing under the Data Protection Act and to comply with the Data Protection Policy.

7. RESPONSIBILITIES OF CONTRACTORS & PARTNERS

A data protection memorandum of understanding will be included in all contracts where third parties process data on behalf of Coleg Gwent and where third parties have access to data as a necessary part of their contracted work.

8. NOTIFICATION OF DATA HELD AND PROCESSED

All staff, students and other users are entitled to:

- Know what information the College processes about them and why
- Know how to gain access to it
- Know how to keep it up to date
- Know what the College is doing to comply with its obligations under the 1998 Act


9. CONDITIONS FOR FAIR AND LAWFUL PROCESSING

Authorised processing of information takes place as part of the day-to-day business of the College in accordance with the schedule in the Coleg Gwent Data Protection Act Notification.

Conditions for authorised processing may include:

- consent of the data subject (a freely given, specific and informed indication signifying agreement; this requires active communication, and failure to respond is not sufficient)
- necessary for the legitimate interests of Coleg Gwent or of third parties to whom the data is disclosed, except where processing is unwarranted because of prejudice to the legitimate interests of the data subjects
- necessary for a contract with the data subject
- necessary to protect the vital interests of the data subject (life or death situations)
- necessary for the administration of justice (eg seeking legal advice)
- necessary for any enactment
- necessary for a function of a Crown Minister or government department
- necessary for functions of a public nature exercised in the public interest

10. SUBJECT ACCESS RIGHTS TO INFORMATION

Employees, students, Corporation Members and other users of the College have subject access rights to certain personal data that is being held about them either on computer or in manual files.

All data subjects should be informed that they have the right to access their data. They should be told how they can exercise their right to access the data.

The fair processing statement on all college forms will advise data subjects that further information on how to obtain access may be obtained from the College Intranet or by writing to the Data Protection Officer at Coleg Gwent, Headquarters, The Rhadyr, Usk. This information is also held in the Student Handbook and the Employee Handbook.

All subject access requests must be made using the College's Subject Access Request Form in Appendix B. Solicitors’ letters on behalf of staff or students will be accepted provided they contain a consent form signed by the data subject.

Any subject access requests received anywhere in the College must be forwarded immediately to the Data Protection Officer. The Data Protection Officer will ask the data subject to complete a Subject Access Request form.

The data subject must return the form with sufficient information to enable the College to locate the information that the subject seeks. The College is not obliged to comply with open ended requests. The College may refuse to disclose data that makes reference to the personal data of third parties.


The College will make a standard charge as detailed in the financial control procedure on each occasion that access is requested, although the College has the discretion to waive this charge.

On receipt of a Subject Access Request form the Data Protection Officer will:

- acknowledge receipt of the request in writing
- notify the subject in writing of the College’s intention to comply within 40 calendar days
- notify the relevant Data Controller of the subject access request by copying the letter and subject access request form
- identify the relevant manual and computer filing systems which will contain data

The Data Controller will:

- nominate a member of staff responsible for the request
- instigate a search of relevant filing systems
- supply the relevant data to the Data Protection Officer within the required timescale

The College aims to comply with requests for access to personal information as quickly as possible and will ensure that it is provided within 40 calendar days unless there is good reason for the delay.

The Data Protection Officer will either supply the data within 40 calendar days or explain the reason for the delay in writing to the data subject.

11. DISCLOSURE OF PERSONAL DATA

Disclosure of data to authorised recipients takes place as part of the day-to-day business of the College. Authorised disclosure will take place according to the schedule in the Coleg Gwent Data Protection Act Notification.

Personal data must not be disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.

Particular discretion must be used before deciding to transmit personal data by electronic means such as fax, email or removable media including data sticks and discs. A risk analysis must be undertaken with respect to the nature of the data, the intended recipients and the volume of data.

Data transmitted inside and outside of the College by electronic means should be password protected and, if possible, encrypted or sent via secure data transmission sites. Data must only be transferred using College approved media devices.

Where non-routine requests are made or where staff are unsure of their responsibilities they should seek the advice of their line manager. The line manager may decide to refer a request for a definitive decision to the Data Controller who holds responsibility for their area of line management or to the Data Protection Officer. The Data Protection Officer will provide advice about the interpretation of the Act.

Staff should be aware that those seeking information about individuals may use deception to obtain information. Staff should take steps to verify the identity of those seeking information, for example by obtaining the telephone number and returning the call or by reviewing identification documents if an application is made in person. All applications for data should be made in writing.

Requests by other public bodies, including the police, must meet the requirements for lawful processing. The police must be able to demonstrate that they require the information in pursuit of a criminal investigation.

Where a disclosure is requested in an emergency, staff should make a careful decision as to whether to disclose, taking into account the nature of the information being requested and the likely impact on the subject of not providing it.

11.1 Disclosure of Data to Employers

Many students attend college under the sponsorship of their employers. This may include paid time to attend or payment of fees. These students will be required to consent to the sending of routine reports to their employers on academic progress and attendance as part of their “Data Protection consent to process” on the application and enrolment form.

11.2 Students below the Age of 18

Parents and guardians of young people attending college below the age of 18 do not have automatic rights under the Data Protection Act to information about their children. It is important to ensure appropriate communication between the home and the college. Students below the age of 18 (or becoming 18 during full time study) will be required to consent to sending of routine reports on academic progress and attendance as part of their "Data Protection consent to process" on the application and enrolment form.

Other non-routine requests for information from parents or guardians should be considered carefully. It should be normal procedure to request permission from the student before disclosing any additional information.

12. SUBJECT CONSENT

In many cases, the College can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained.


Agreement to the College processing some specified classes of personal data is a condition of acceptance of a student onto any course, and a condition of employment for staff.

Some jobs or courses will bring the applicants into contact with children, including young people below the age of 18. The college has a duty to ensure staff are suitable for the job, and students for the courses offered. The College also has a duty of care to all staff and students and must therefore make sure employees and those who use the College facilities do not pose a threat or danger to other users. Where appropriate therefore the college will obtain information about previous criminal convictions.

The College will notify all users at the point where information is collected from them which information will be processed and the purpose of processing under the Data Protection Act. The consent of the user will be obtained at the point of collection. This includes:

- Application forms for corporation members
- Application forms for staff
- Application forms for students
- Enrolment forms
- Telephone enquiries and applications
- Internet enquiries, applications and enrolments

Retrospective consent will be sought where necessary.

All forms used to collect personal data will be reviewed periodically to ensure that they contain an adequate fair processing statement.

The College will presume students’ consent to receive promotional campaign details about additional activities and further study opportunities which may be of interest to them. Students have a right to decline receipt of this information.

The College will ask students below the age of 18 (or becoming 18 during full time study) to consent to disclosure of information to parents and guardians.

The College will ask students to consent to disclosure of information to employers where students are sponsored by employers to attend college.

The College will inform students that their data is supplied to WAG and also ask students if they wish to consent to the Welsh Assembly Government (DfES) using their data for follow-up activities.

The college will ask students to provide evidence of their personal identity at the point of enrolment and inform students that their data will be used to create or confirm a record in the Learner Records Service. Students will be asked if they wish to consent to sharing this data.


The college will circulate data periodically to data subjects to provide opportunity for data to be updated and corrected.

13. PROCESSING SENSITIVE INFORMATION

Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender or family details. This may be to ensure the College is a safe place for everyone, or to operate other College policies, such as the absence policy or equal opportunities policy. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the College to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this, without good reason.

14. PUBLICATION OF COLLEGE INFORMATION

Information that is already in the public domain is exempt from the 1998 Act. It is College policy to make as much information public as possible, and in particular the following information will be available to the public:

- Names of Corporation Members, details of application to become a corporation member and register of interests
- Names and positions of senior post holders and register of interests
- Staff register of interests
- A publication scheme exists under the Freedom of Information Act 2000 which contains information in the public domain.

The College’s internal phone list is available on the College Intranet.

Any individual who has good reason for wishing details to remain confidential should contact the designated data controller.

15. DATA SECURITY

All staff are responsible for ensuring that:

- Any personal data which they hold is kept securely
- Personal data is only stored on appropriate systems on the College network
- Personal data is not stored on standalone computer integral drives, unless specifically authorised by the Data Controller for a specific role (eg laptops for workplace assessors)
- Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party
- Where necessary, data is transmitted by appropriate secure means

Staff should know that unauthorised disclosure may be regarded as a disciplinary matter, and may be considered gross misconduct in some cases. For example disclosure of personal computer login details and password for use by another person may give unauthorised access to personal data.

Personal information should be:

- Where possible, kept in a locked filing cabinet or locked drawer
- Kept in a room which has secure access and is locked when not occupied
- If it is computerised, password protected

Particular care must be taken with data held on removable media such as portable disks and data sticks or on laptop computers.

Only College authorised devices with appropriate encryption software may be used to store personal data. Members of staff must seek the approval of their manager before storing data on a portable mobile device.

Staff should ensure that casual disclosure does not take place by for example leaving computer printouts uncovered on desktops or by allowing unauthorised users to view computer screens.

Computer printouts must be kept securely and destroyed in a confidential manner.

College offices where staff are employed to process personal data should be locked when not occupied. Consideration should be given to door security systems such as key pads in multi-occupied rooms to prevent unauthorised access.

Staff should take particular care with data processed while working at home. College personal data must not be stored on home PCs.

All staff and students are responsible for ensuring that they observe the procedures of the College Computer Security Policy.

Any breach of the Data Protection Act must be notified to the Data Protection Officer who will make a record on the Incident Security Log and follow up with appropriate action. All breaches will be reviewed by the Data Protection Group and added to an on-going risk register where necessary.

16. RETENTION OF DATA

Personal data will be retained for no longer than is necessary for the purpose for which it was collected. Standard retention times are necessary to meet various contractual requirements.


Standard retention times for documents relevant to the college Financial control procedures are specified in the College Retention of Documents Procedure.

To meet the requirements of DfES for the Wales Lifelong Learning Record basic student identifying details may be maintained indefinitely. This includes:

- Name and address
- Date of Birth
- Coleg Gwent student identification number
- Unique Learner Identifier (LLWR reference number)
- Learner Registration Service Unique Learner Number

17. DISPOSAL OF DATA

Particular care must be taken with the disposal of personal data. Staff should be aware that the same standards should be applied to informal records, lists and printouts held by individual members of staff containing personal data as to records which are part of the formal College records system.

This material must not be disposed of in ordinary office waste paper bins.

Personal data must be destroyed by secure methods such as shredding or confidential waste sacks handled by authorised contractors.

Specific responsibilities are outlined in the Coleg Gwent Financial Procedures Manual. Formal records may only be destroyed with the appropriate authority.

18. STUDENT UNION DATA

The College is not responsible for data held by the Students' Union. However, the College will provide guidance to the Students' Union as to their responsibilities under the Data Protection Act.

19. EXAMINATION RESULTS

Students will be entitled to information about their marks for both coursework and examinations. Examination results are normally notified directly to students. Lists of examination results identifying individual students are not posted on College notice boards.

Examination results are made available to Directors of Education and Heads of feeder schools with interests in particular campuses.

Examination results may be made available for publication in the local newspapers. The College does not have to obtain specific consent to publish results but students have a right to object to publication. News stories focussing on individual students will only be made available with the consent of the student.


Students do not have subject access right to examination scripts. However they may claim subject access rights to any comments recorded by the examiner in the margins of scripts.

Subject requests for examination marks or results must be met within forty days of the announcement of the results or 5 months from the date the request is received, whichever is the earlier.

20. REFERENCES

The provision of a reference will generally involve the disclosure of personal data. The College is responsible for references given in a corporate capacity. All staff references requested should be referred to the Human Resources Department. All references provided in a corporate capacity about employees and students will incorporate a standard disclaimer paragraph agreed by the College.

The College is not responsible for references given in a personal capacity. These should never be provided on Coleg Gwent stationery and should be clearly marked as personal.

The College will not provide subject access rights to confidential references written on behalf of the College about employees and students and sent to other organisations. This is a specific exemption allowed by the Act.

The College recognises that once the reference is with the organisation to whom it was sent then no specific exemption from subject access rights exists.

The College will normally provide subject access rights to confidential references received about employees and students provided to the College by other organisations. However, the College may withhold information if it is likely to result in harm to the author or some other person or if it reveals information about another third party other than the previous supervisor or manager of the employee.

21. CCTV

CCTV systems in the College are used for the prevention and detection of crime and for educational purposes. CCTV systems must be positioned to avoid capturing images of persons not visiting College premises. The recorded images must be stored safely and only retained long enough for any incident to come to light. Recordings will only be made available to law enforcement agencies involved in the prevention and detection of crime and to no other third party.

22. DIRECT MARKETING

The College will presume students’ consent to receive promotional campaign details about additional activities and further study opportunities which may be of interest to them. Students have a right to decline receipt of this information. This will be stored on the student database.

Any staff wishing to send out marketing material to students such as details for further course opportunities must check on the student database to verify that the student has not declined.

Approved by Corporation February 2014

Date of next Review: February 2015


Appendix A Notification of Change To Data Register

DATA PROTECTION ACT 1998

Notification of Change To Data Register

Directorate: Finance and Information / Development and Planning / Campus Operations / HR and Organisation Development

Campus:

Department:

System Type: Computer based / Manual file / CCTV

Purpose of Processing:

Types of personal data:

Category of data subject Staff / students / applicants / corporation members / other

Source of data Forms used as source:

Fair processing statement included Yes / No/ NA

Disclosures of data List organisations or individuals

Existing systems: Comment on why a new system is required

Date requested Name and signature

Data Controller signature

Date:

Approved / Not approved / Comment

Data Protection Officer signature

Date:

Approved / Not approved / Comment

CG13


Appendix B Subject Access Request

DATA PROTECTION ACT 1998

SUBJECT ACCESS REQUEST

This form is to be completed by an individual who seeks access to personal data held about them by Coleg Gwent.

To help the College comply with your request please give accurate personal details and an indication of the kind of data you are looking for.

Coleg Gwent charges a fee of £10.00 per subject access request. The College will try to provide the data you seek within 40 calendar days of receipt of your request, but will contact you if we are not able to meet your request within the target timescale. Copies of two items of proof of identity (e.g. birth certificate, passport) must be included.

SURNAME:

FIRST NAME(s):

D.O.B.:

GENDER:

CURRENT ADDRESS:

ADDRESS (at time of Coleg Gwent contact):

REQUEST (please indicate): STAFF / STUDENT / OTHER

START DATE:

FINISH DATE:

CAMPUS/LOCATION:

COURSE TITLE/JOB TITLE:

DESCRIPTION OF DATA REQUIRED:

I enclose a cheque to the value of £10.00 payable to Coleg Gwent.

I enclose proof of personal identity.

Signed ……………………………………………………………….. Date ……………………………………………………

Please return this form to the Head of Information Services, Coleg Gwent, Headquarters, The Rhadyr, Usk NP15 1XJ

For Office Use Only

Date Received by Coleg Gwent:…………………………

Date of Data Supplied: …………………………………

CG141
