University of Exeter
Data Protection Policy
1 Introduction
1.1 The University of Exeter is committed to protecting the fundamental rights and freedoms of individuals
including their right to privacy with respect to the processing of personal data. This policy is a statement
of the key measures which the University has adopted to ensure good practice and compliance with the
requirements of the Data Protection Act 1998 (the Act). The policy is supported by a range of guidance
materials and should be read in conjunction with the other University Policies and Procedures including
those listed in 10 below.
1.2 The Data Protection Act 1998 implements a European Data Protection Directive and applies to personal
data held in any medium (paper, computer, microfiche, tape etc). The University recognises that its first
priority under the Data Protection Act is to protect privacy and to avoid causing harm to individuals. This
means keeping information securely in the right hands and holding good quality information. The Act
aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used
are taken into account. In addition to being open and transparent, the University will seek to give
individuals as much choice as is possible over what data is held and how it is used.
1.3 Personal data is information about identifiable, living individuals. The University holds personal data of
employees, students, research subjects and other users. In accordance with our notification under the
Act, personal data will be used for the following purposes [1]:
o Education
o Research
o Student and Staff Support Services
o Staff, Agent and Contractor Administration
o Accounts & Records
o Advertising, Marketing, Public Relations, General Advice Services
o Commercial Services
o Fundraising
o Publication of the University Magazine
o Crime Prevention and Prosecution of Offenders
o Alumni Relations
o Administration of Membership Records
o Advertising Marketing and Public Relations for Others
o Archive Services
o Realising the Objectives of a Charitable Organisation or Voluntary Body
1.4 This policy applies to all staff working for, or on behalf of, the University and includes direct employees,
employees of other organisations working for or in association with the University of Exeter, associates
and contractors or other third parties with legitimate access to University data or systems. In addition
students, volunteers and data processors are expected to comply when working on behalf of the
University. Any breach of the data protection policy or the Data Protection Act 1998 will be automatically
considered as a breach of discipline and existing University of Exeter disciplinary proceedings will apply.
[1] The University’s latest notification can be accessed at www.ico.gov.uk
Version 2.0
2 Responsibilities
2.1 The University of Exeter is the ‘data controller’ [2] and the Council of the University is ultimately responsible
for compliance with the Data Protection Act 1998. The University will take the appropriate measures to
ensure compliance and to protect data subject’s rights under the Act.
2.2 The University has appointed a Data Protection Officer (Records Manager) who is responsible for
dealing with day-to-day data protection matters, providing training and for developing and encouraging
good information handling practice amongst all members of the University. The Data Protection Officer
will ensure that the University annually notifies the Information Commissioner of its processing.
2.3 Deans of College, Directors of Service and all employees in managerial or supervisory roles have the
responsibility of overseeing compliance and developing good data protection practice within their
designated areas. Managers should ensure that staff are appropriately trained [3].
2.4 All members of the University are responsible for complying with the Data Protection Act and this policy.
2.5 All members of the University must also ensure that any personal data they supply to the University are
accurate and up-to-date.
3 Personal Information in the Public Domain
3.1 It is considered to be necessary for the University’s legitimate interests for certain personal information
about its staff to be in the public domain. Personal data classified as being in the 'public domain' refers
to information which will be publicly available world-wide and may be disclosed to third parties without
recourse to the data subject.
3.2 The University's policy is to make the following items of personal data freely available unless individuals
have objected:
• Names of members of Council and Senate
• Names and academic qualifications of academic and of support staff where appropriate
• Academic staff biographies and curricula vitae
• Staff workplace e-mail addresses and telephone numbers
• Any additional information relating to data subjects which they have agreed to be placed in the public
domain and which may be in automated and/or manual form.
3.3 Any individual who has good reason for not wanting his/her work telephone number or e-mail address to
be made public may, with agreement of the Dean of College/Director of Service, specify a department
telephone number or e-mail address instead.
3.4 The University of Exeter will take all reasonable steps as necessary to ensure that personal data not in
the 'public domain' are secure from unauthorised or unlawful processing and accidental loss, damage or
destruction, will process the data in accordance with current legislation and the University's Data
Protection Register entry and will not disclose the information to any unauthorised third party.
[2] Who determines the purposes for which and the manner in which any personal data are, or are to be, processed.
[3] The Data Protection Officer regularly provides training open to any member of staff.
4 Processing Personal Data
4.1 Personal data must be processed fairly and therefore individuals should be made aware of how the
University intends to use their personal data. All students and staff are provided with a Data Protection
notice when they join the University outlining in general terms how the University uses their personal
data.
4.2 Before processing takes place a legitimate basis must be found as specified within Schedule 2 of the
Data Protection Act 1998. This must be one of the following:
• The data subject has given consent
• It is necessary for the performance of a contract to which the data subject is a party
• It is necessary for compliance with any legal obligation
• It is necessary in order to protect the vital interests of the data subject
• It is necessary for the administration of justice
• It is necessary for the purposes of legitimate interests of the University or a third party
4.3 The rules relating to sensitive personal data [4] are additional to those listed above for "ordinary" personal
data. As a general rule, the University will only process sensitive data on the basis of explicit consent of
data subjects, in order to protect the vital interests of the data subject or another person or where a legal
obligation exists.
4.4 In exceptional circumstances personal data may be disclosed to a third party for the following purposes:
• it is required to safeguard national security
• it is necessary for the prevention or detection of crime
• it is necessary for the discharge of a regulatory function, including securing the health, safety and welfare
of persons at work
• it is to be used for research purposes only
• it is available to the public under law (including Freedom of Information legislation)
• it is necessary to establish, exercise or defend legal rights
• there is a legal duty to disclose the information
5 Transfer to Data Processors and Contractors
5.1 Any third party or contractor who has access to personal data and/or is acting as a data processor
should be fully aware of their obligations to comply with the Data Protection Act and be contracted to act
accordingly. [5]
5.2 Personal data will not be transferred to any country outside of the European Economic Area (EEA),
unless there is adequate protection in place through local data protection laws, organisational policies or
contractual arrangements.
6 Retention and Destruction of Personal Data
6.1 The University will retain personal data in line with approved retention schedules [6]; a core dataset will be
maintained long term and ephemeral information regularly destroyed. Members of the University should
ensure that personal data is destroyed confidentially. Where multiple copies exist, all copies should be
destroyed in line with the schedule.
[4] Sensitive Personal Data is defined as personal data consisting of information as to racial/ethnic origin, political opinions,
religious beliefs, membership of a trade union, physical or mental health, sexual life and the commission or alleged
commission of any offence.
[5] A Data Protection Agreement is available for use in these circumstances.
[6] http://www.exeter.ac.uk/recordsmanagement/records/guidance/
6.2 Paper records should be shredded or destroyed using the University’s approved confidential waste
contractor and all electronic equipment used for storing personal data should be fully wiped before
disposal [7].
7 Security of Personal Data
7.1 Members of the University are responsible for ensuring that any personal data which they hold are kept
securely and not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third
party.
7.2 Anyone who discovers a breach of the Data Protection Act should inform the University’s Data Protection
Officer and/or Information Security Manager via the IT helpdesk. Further information regarding security
measures can be found in the University’s Information Security Policy.
8 Right to Access Information
8.1 Members and other users of the University have the right to access their personal data which are held by
the University. Unless a valid exemption exists, this right of access covers all personal information held
in electronic format and most paper records with the exception of limited unstructured paper personnel
records. Any individual who wishes to exercise this right (known as a Subject Access Request) should
apply in writing to the Data Protection Officer and the University will normally make a charge (currently
£10 per request) [8].
9 Further information and related policies
9.1 This policy should be read in line with associated standards, policies and arrangements including:
9.1.1. Associated policies include
• Information Security Policy
• Records Management Policy
• Records Retention Schedules
9.1.2. University Guidance and Standards
• Data Protection Web Pages
• Specific guidance
9.1.3. External Resources
• Information Commissioner’s Office
• Data Protection Act
For further information contact the University’s Data Protection Officer/Records Manager.
10 Policy Updates and Status
Updates
August 2003     Caroline Dominey    Minor Amendments (Version 1.0)
August 2011     Caroline Dominey    Major Amendments / Policy redrafted
October 2011    ISSG                Approved
January 2012    VCEG                Approved (Version 2.0)
[7] Disposal through Academic Services ensures this.
[8] http://www.exeter.ac.uk/dataprotection/access/