The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this the College must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act). In summary these state that personal data shall:
· be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
· be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
· be adequate, relevant and not excessive for those purposes.
· be accurate and kept up-to-date.
· not be kept longer than is necessary for that purpose.
· be processed in accordance with the data subject's rights.
· be kept safe from unauthorised access, accidental loss or destruction.
· not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
The College and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the College has developed the Data Protection Policy.
Status of the Policy
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the College from time to time. Any failure to follow the policy can therefore result in disciplinary proceedings. Any member of staff, who considers that the policy has not been followed in respect of personal data about themselves, should raise the matter with a data controller.
Notification of Data Held and Processed
All staff, students and other users are entitled to:
· know what information the College holds and processes about them and why
· know how to gain access to it
· know how to keep it up-to-date
· know what the College is doing to comply with its obligations under the 1998 Act.
The College will therefore provide all staff and students and other relevant users with a standard form of notification. This will state all the types of data the College holds and processes about them, and the reasons for which it is processed. The College will try to do this at least once every year.
Responsibilities of Staff
All staff are responsible for:
· checking that any information they provide to the College in connection with their employment is accurate and up-to-date
· informing the College of any changes to information, which they have provided eg changes of address
· checking the information that the College will send out from time to time, giving details of information kept and processed about staff
· informing the College of any errors or changes. The College cannot be held responsible for any errors unless the staff member has informed the College of them.
If and when, as part of their responsibilities, staff collect information about other people (ie about student's coursework, opinions about ability, references to other academic institutions, or details of personal circumstances) they must comply with the guidelines for staff which are attached as Appendix 1.
All staff are responsible for ensuring that:
· any personal data which they hold is kept securely
· personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.
Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.
Personal information should be:
· kept in a locked filing cabinet; or
· kept in a locked drawer; or
· if it is computerised, be password protected; or
· kept only on disk which is itself kept securely.
Students must ensure that all personal data provided to the College is accurate and up-to-date. They must ensure that changes of address etc, are notified to the College Registry. Students who use College computer facilities may, from time to time, process personal data. If they do they must notify a data controller. Any student who requires further clarification about this should contact the Information Services Manager.
Right to Access Information
Staff, students and other users of the College have a right to access personal data that is being held about them either on computer or in certain files. Any person who wishes to exercise this right should complete the College's "Access to Information" form and give it to a data controller or his or her representative.
In order to gain access, an individual may wish to receive notification of the information currently being held. This request should be made in writing using the standard form. The College will make a charge of £10 on each occasion that access is requested, although the College will have discretion to waive this.
The College aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 21 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.
Publication of College Information
Information that is already in the public domain is exempt from the 1998 Act. It is College policy to make as much information as public as possible, and in particular the following information will be available to the public for inspection:
Names and contacts of College governors
List of staff
Photographs of key staff.
The College internal telephone list will not be a public document.
Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact one of the designated data controllers.
In many cases, the College can only process personal data with the consent of the individual. In some cases, if the data is sensitive express consent must be obtained. Agreement to the College processing some specified classes of personal data is a condition of acceptance of a student onto any course, and a condition of employment for staff. This includes information about previous criminal convictions.
Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. The College has a duty under the Children Act and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The College also has a duty of care to all staff and students and must therefore make sure that employees and those who use College facilities do not pose a threat or danger to other users. The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any condition such as asthma or diabetes. The College will only use the information in the protection of the health and safety of the individual, but will need consent to process the data in the event of a medical emergency, for example.
Therefore, all prospective staff and students will be asked to sign a Consent To Process form, regarding particular type of information when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.
Processing Sensitive Information
Sometimes it is necessary to process information about a person's health, criminal convictions, race and gender and family details. This may be to ensure that the College is a safe place for everyone, or to operate other College policies, such as sick pay policy or equal opportunities policy.
Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent to the College to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this, without good reason.
The Data Controller and the Designated Data Controller/s
The College as a body corporate is the data controller under the Act, and the board is ultimately responsible for the implementation. However, the designated data controllers will deal with day-to-day matters.
The College has 2 designated data controllers. They are:
the Vice-Principal, and
the Information Services Manager
Students are entitled to information about their marks both for coursework and examinations. However this may take longer than other information to provide. The College may withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all books and equipment have not been returned to the College.
The College will keep some forms of information for longer than others. Because of storage limitations, information about students cannot be kept indefinitely, unless there are specific requests to do so. In general information about students will be kept for a maximum of five years after they leave College. This will include:
· name and address, and
· academic achievements, including marks for coursework
All other information, including information about health, race or disciplinary matters will be destroyed within three years of the course ending and the student leaving the College. The College will need to keep information about staff for longer periods of time. In general all information will be kept for five years after a member of staff leaves College. Some information, however will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references. A full list of information retention times is available from a data controller.
Compliance with the 1998 Act is the responsibility of all members of the College. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to College facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with a designated data controller.
Staff Guidelines for Data Protection
1 All staff will process data about students on a regular basis, when marking registers, or College work, writing reports or references, or as part of a pastoral or academic supervisory role. The College will ensure through registration procedures, that all students give their consent to this sort of processing, and are notified of the categories of processing, as required by the 1998 Act.
The information that staff deal with on a day-to-day basis will be 'standard' and will cover categories such as:
· General personal details such as names and addresses.
· Details about class attendance, coursework, marks and grades, and associated comments.
· Notes of personal supervision, including matters about behaviour and discipline.
2 Information about a student's physical or mental health; sexual life; political or religious views; trade union membership or ethnicity or race is sensitive and can only be collected and processed with the student's consent. If staff need to record this information, they should use the standard College form.
3 All staff have a duty to ensure that they comply with the data protection principles which are set out in the data protection policy. In particular staff must ensure that records are:
· kept and disposed of safely, and in accordance with College policy.
4 The College will designate staff in each area as 'authorised staff'. These are the only staff authorised to hold or process data that is:
· not standard data; or
· sensitive data.
The only exception to this will be if a non-authorised staff member is satisfied that the processing of data is necessary:
· in the best interests of the student or staff member, or a third person, or the College; AND
· he or she has either informed the authorised person of this, or has been unable to do so and processing is urgent or necessary in all the circumstances.
5 Authorised staff will be responsible for ensuring that all data is kept securely.
6 Staff must not disclose personal data to any student, unless for normal academic or pastoral purposes, without authorisation of agreement from a data controller, or in line with College policy.
7 Staff shall not disclose personal data to any other member of staff except with the authorisation and agreement of a designated data controller, or in line with College policy.
8 Before processing any personal data, all staff should consider the checklist.
Staff Checklist for Recording Data
· Do you really need to record this information?
· Is the information 'standard' or 'sensitive'?
· If it is sensitive, do you have the data subject's express consent?
· Has the student been told that this type of data will be processed?
· Are you authorised to collect/store/process the data?
· If yes, have you checked that the data is accurate?
· Are you sure that the data is secure?
· If you do not have the data subject's consent to process, are you satisfied that it is in the best interests of the student or the staff member to collect and retain the data?
· Have you reported the fact of the data collection to the authorised person within the required time?