Data Protection Policy (Staff-Student Merged)

Our strategic ‘touchstones’ of Excellence, Employability and Enterprise will shape our purpose, values, structures, processes, systems, governance, partnerships and capabilities in the delivery of all provision and services.

Vision: Working together to protect children and vulnerable adults.

Safeguarding is an important aspect of our values: being courageous, speaking up and speaking out; being collaborative, working together, to support and protect each other and ourselves.

1.0 Introduction

The Data Protection Act (the 1998 Act) regulates the processing of personal data by New College Nottingham Corporation (ncn). Personal data is data relating to a living individual who can be identified from that data alone, or with other data held by our College or which we are likely to receive. Opinions about the individual or expressions of intentions towards them are included in this definition.

Personal data covered by the 1998 Act includes that held by ncn (or by third parties who handle it on our behalf) electronically, in structured manual records and, to a limited extent (but not in relation to human resources data), in unstructured manual records.

The 1998 Act regulates the “processing” of personal information, which has a very broad meaning and includes obtaining, storing, viewing, using, updating, disclosing and destroying. The 1998 Act gives rights to individuals about whom information is processed and imposes obligations on ncn when handling such information.

ncn must comply with the Data Protection Principles which are set out in the 1998 Act. In summary these state that personal data shall:
Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
Be adequate, relevant and not excessive for those purposes.
Be accurate and, where necessary, kept up to date.
Not be kept for longer than is necessary for that purpose.
Be processed in accordance with the data subject’s rights.
Be kept safe from unauthorised access, accidental loss, damage or destruction.
Not be transferred to a country outside the European Economic Area, unless that country has adequate levels of protection for data subjects’ rights regarding their personal data.

In order for ncn to comply with the 1998 Act, we have a number of policies and procedures regarding the handling of personal data. We have developed this Policy to show how we will comply with the Data Protection Principles when processing personal data. It should be read in conjunction with all other College policies which concern the handling of data.

2.0 Status and scope of the Policy and Responsibility and Compliance

This policy does not form part of the formal contract for education. It is a condition of employment that staff will abide by the rules and policies made by ncn from time to time, and any failures to follow the policy can therefore result in disciplinary proceedings. Staff are therefore required to handle data held in any of our records or systems in accordance with this Policy and in any other College Policies concerning the handling of data. This will include our IT Acceptable Use Policy, email guidance, lesson observation procedure and any other policies which may affect the handling of data. Our policies and procedures can be found on the intranet.

This Policy applies to all personal information collected by or provided to our College, including any personal information provided to us on the College’s recruitment “Application Form”.

This Policy will be reviewed from time to time. If any amendments are made then staff will be notified directly through the HR Newsletter and our intranet news should changes to this Policy significantly affect how our College processes our personal data. This Policy was last updated on 5 October 2012.

Any member of staff who considers that the Policy has not been followed in respect of personal data about themselves should raise the matter with the Human Resources department or the Head of MIS. If the matter is not resolved by the Human Resources department within a reasonable time, you should raise the matter as a formal grievance/Complaint (Student complaints procedure).

Any person who is unclear as to their responsibilities under this Policy, or is concerned that data is not being handled according to this Policy, should contact the Director of HR/Head of MIS in the first instance.

College staff who handle student data are required to handle such data in accordance with the standards and rights for students regarding their data as referred to in this Policy - this includes any personal information provided to the College on the ncn “Student Application Form”.

3.0 Rights Regarding Your Personal Data

All staff/students are entitled to:
Be notified, usually when they first provide their details to ncn, of how we will use and disclose their personal data.
On written request (and where required, payment of a small fee or provision of any further information our College has said it reasonably needs to locate the information requested) be told whether ncn holds their personal data and if so be provided with a copy of it. There are certain exceptions to this right.
Ask ncn to stop processing their personal data in a specified way (or not to start processing it in the first place) where this causes unwarranted substantial damage or distress to them or someone else (except where the processing is necessary to fulfil ncn’s contractual obligations, to provide education and training or to comply with a legal obligation or in order to protect the vital interest of the staff/student).
If a member of staff/student considers that our processing of their personal data is causing or may cause damage or distress, they should notify their Human Resources Business Partner or Head of MIS in the first instance. Ncn is then required to confirm within 21 days whether we will cease the processing, or whether we consider it is justified and why. Again there are certain exceptions to this right.
Ask ncn not to begin or to cease processing their personal data for direct marketing purposes (see section 4 below).
Ask ncn not to make any important decisions about them solely by automated methods. Where decisions are to be made in this way, staff will be told of this beforehand and will have 21 days to ask for the decision to be considered or re-taken manually. Within 21 days of receiving this notice, we will notify the member of staff of the steps we propose for considering or re-taking the decision.
Ask us to block, remove or amend any information which is inaccurate. It will not always be appropriate for us to amend the information and sometimes it will be necessary to supplement the information with appropriate explanations rather than change it.
Claim compensation through the courts for any damage or damage and distress caused by our failure to comply with relevant requirements of the 1998 Act. It is a defence to such claim where we have taken all such care to comply as was reasonable in the circumstances.
Ask us in writing not to begin, or if such processing has already started, to cease processing their personal data for direct marketing purposes.
Ask the regulator, the Information Commissioner, to assess whether or not it is likely that we are processing their personal data compliantly.

4.0 Purposes

Staff

ncn needs to process certain information about its staff to allow it to discharge its contractual obligations to its staff, e.g. pay, remuneration and benefits, leave and time off; to monitor performance and achievements; to comply with its statutory obligations (for example, holding health and safety records and accident reports, revenue reporting obligations and duties under disability discrimination legislation); for the purposes of promotion, training and discipline of staff; and to comply with the requirements of its regulatory bodies (e.g. the Skills Funding Agency and Ofsted).

ncn’s entry on the Information Commissioner’s Register of Data Controllers is No. Z700805X and can be found at: http://www.ico.gov.uk/ESDWebPages/search.asp This entry sets out the purposes for which we process personal data, including for human resources purposes.

We may (with the member of staff’s approval where required) disclose personal data to third parties. Where necessary, it will place appropriate obligations and restrictions on these third parties to protect the data. We may do this as follows:
Where reasonably needed to comply with statutory and other legal requirements, such as to protect ncn’s or another person’s rights, property or safety.
Disclose pay, entitlement and contribution details to the Department for Work and Pensions and HM Revenue and Customs to routinely administer staff remuneration or if they ask for specific information to verify entitlement to relevant allowances and benefits. Where appropriate, we will notify the member of staff where such a request is received.
When requested by these or other agencies for the purpose of law enforcement (including in relation to income tax liability or entitlement to benefits as referred to above). It may not always be appropriate to notify the member of staff concerned of this, for example where it is requested in connection with a criminal investigation.
In some circumstances, we are prevented by law from notifying the subject and could face criminal charges for wrongly disclosing the agency’s enquiries.
To enable ncn’s authorised third party service providers to perform certain services on its behalf.
When dealing with our professional advisers.
Where required in order to obtain staff references from previous employers (as specified in our job application form) and to provide references to potential future employers where staff ask for this.

Staff data may also be processed for purposes referred to in our Discipline, Grievance, Capability, Whistle blowing and Sickness Absence Policies.

In carrying out its business, such as using a third party to provide services to ncn, we may transfer personal data about staff outside the European Economic Area. This does not necessarily require the consent of staff members concerned, although we will notify those concerned that this will happen if appropriate. We will put in place measures to ensure that staff rights regarding the processing of their personal data in that country or countries are adequately safeguarded.

Students

Ncn needs to keep certain information about its students for the purposes of discharging its contractual obligation to provide education and training, including monitoring performance and achievements and discipline. It is also necessary to process the information as follows:
To comply with ncn’s statutory obligations (e.g. health & safety, child protection and disability discrimination legislation).
To share with other partner organisations for purposes relating to education or training (e.g. Jobcentre Plus).
To provide updates relating to each student’s attendance, performance, achievement and conduct to current or prospective employer(s), sponsor or provider of learning support.
To notify Nottingham and Nottinghamshire Futures when you complete or leave your College programme.

4.2 Ncn is required to share details about your core learning relationship with relevant government agencies.

4.2.1 This is so ncn can:
discharge its legal duties under the Apprenticeships, Skills, Children and Learning Act 2009, and for the Agency’s Learning Records Service (LRS) to create and maintain a unique learner number (ULN) (as referred to in the enrolment form); and
discharge its obligations to its other regulatory and funding bodies and government departments/agencies (e.g. the Skills Funding Agency, Education Funding Agency, Higher Education Funding Council for England and Ofsted).

4.2.2 The relevant government agencies, including Chief Executive of Skills Funding, the Skills Funding Agency, Education Funding Agency, Higher Education Funding Council for England, Ofsted, use this information to:
administer education and training funding;
assess how effective learning opportunities and training and those providing them are, and how funding, performance and opportunities can be improved;
identify education and learning opportunities that might benefit you and to contact you about these; and
ask your views and experiences through surveys and research.

4.2.3 Details of ncn’s main funding partner organisations are available at:
http://skillsfundingagency.bis.gov.uk/privacy.htm;
http://www.learningrecordsservice.org.uk/documentlibrary/documents/Code+of+Practice+ or+Sharing+of+Personal+Information.htm;
http://www.dwp.gov.uk/privacy-policy; and
http://www.education.gov.uk.
http://www.hefce.ac.uk/contact/freedomofinformation/

The Agencies above either broker or process learner data primarily for the purposes of calculating institutional funding and for the production of statistics on behalf of the Government. All personal data that is submitted to these agencies is transmitted via secured transfer protocols that are subject to Government standards.

4.2.4 The Education Funding Agency for England, the Chief Executive of Skills Funding and their partners may contact students from time to time in respect of surveys and research to monitor ncn’s performance; to improve the quality of the services; to plan future provision of education; and to inform students about relevant courses or learning opportunities.

4.3 Ncn may also use your personal details to:
Administer any fee and learning support arrangements you receive or apply for.
Provide statistical information about your programme of study to former schools and colleges you have attended.
To help prevent or detect crime and to protect ncn and its premises, staff, students and members of the public.
To contact you from time to time by post, email, telephone or text message, using the contact details (including updated contact details as applicable) that you provide or which are in ncn’s records, about its courses, learning and training opportunities including partnering initiatives.
For the ncn Alumni programme for the purposes of following your progress upon completion of your learning programme with ncn.
(If you are under 18 years old), update your parent(s)/guardian(s) about your attendance and performance.

4.4 Ncn will process your details as set out in this Section 4 of the Policy unless you opted out from the relevant uses in your student enrolment form.

4.5 Ncn is committed to providing equal access and equal chances for all of its students. Ncn may monitor data on student gender, age, ethnicity and disability. The information you provide is used only to help us monitor whether all our students have an equal chance to progress and succeed. Further information about our Equality and Diversity Policy and Scheme is available from Student Services reception areas or online at www.ncn.ac.uk.

4.6 The College’s entry on the Information Commissioner’s Register of Data Controllers is No.
Z700805X and can be found at: http://www.esd.informationcomISsioner.gov.uk/esd/DoSearch.asp. This entry sets out in detail the purposes for which Ncn processes personal data.

5.0 Subject Consent and Sensitive Personal Information

In some circumstances, we may be required to process sensitive personal data relating to its staff. Sensitive information is classified in the 1998 Act as information relating to a person’s racial or ethnic origin, political opinions, religious or similar beliefs, physical or mental health, trade union membership, sexual life, commission or alleged commission of any offence or information concerning related criminal proceedings and outcomes.

We may process sensitive personal data about staff/students for the following reasons as referred to in more detail later in this section of the Policy:
For vetting suitability for a particular role or courses in respect of checks made via the Criminal Records Bureau. Some courses leading to a professional qualification require the College to assess the student as fit to practise the particular profession. Those courses often require practical placements with employers, which may bring the students into contact with children and vulnerable adults (e.g. nursery nursing). The College is therefore required to conduct criminal records checks via the Criminal Records Bureau on applicants for such courses and the fitness to practise requirements require successful applicants to report any convictions incurred while on the course. The CRB checks will be conducted on recruitment and the information will be processed by the College for the purposes of assessing the eligibility of the applicant for the particular course, his/her fitness to practise the particular profession or for the purposes of assessing risks to health & safety, and the information may be disclosed to those persons within the College who are responsible for making such assessments. It may also be disclosed to placement providers.
Applicants and students will be required to complete relevant consent forms. Places on such courses are provided and maintained on the basis of satisfactory CRB checks and continuing good character, and failure to provide consent to processing this information may result in the offer of a place being withdrawn, failure to secure a necessary placement and/or removal from the course.
Where needed to ensure our College is a safe environment for staff, students and visitors.
To assess disability needs. Ncn also has a duty to take reasonable steps to accommodate disabled applicants and students. In order to discharge this duty ncn will need to process information concerning applicants’ and students’ disabilities and will disclose such information only to those persons within ncn who need to have access to it for the purposes of assessing what adjustments can reasonably be made to accommodate the disability and/or to assess fitness to practise issues. Ncn may disclose information relating to disability to placement providers for similar purposes. While ncn acknowledges the right of an applicant or student to require that information relating to their disability remains confidential, failure to provide consent to processing this information may mean that ncn may not be able to make reasonable adjustments to accommodate the individual’s disability.
For maintaining staff sickness absence records and to administer staff sickness/health benefits and entitlements.
To comply with its obligations regarding equal opportunity under gender, race, age and disability discrimination laws.
As part of any enquiry, investigation or action by relevant authorities as referred to in section 4.2 above.

Generally, the purposes for which we will process sensitive personal data about staff/students do not require us to obtain the data subject’s consent.
We will generally process sensitive personal data about staff/students for one or more of the following reasons recognised in the 1998 Act:
The processing is necessary so that we can comply with our obligations and exercise our rights under employment law.
The processing is necessary to protect the vital interests of staff/students or another person (e.g. in the case of serious medical emergency).
As required in relation to legal proceedings, for obtaining legal advice, or otherwise for establishing, exercising or defending legal rights.
As required for monitoring equality of opportunity, where carried out with appropriate safeguards for the rights of individuals.

To comply with legislation and guidance aimed at safeguarding students who are children or vulnerable adults, all members of staff are required to undergo Criminal Records Bureau (CRB) checks when being recruited by ncn. These are conducted in accordance with our ‘Policy and procedure on Criminal Records Checks’, a copy of which is provided to staff as part of the job application pack. It is also available on the recruitment pages of our website or upon request from the HR Department. Further checks are periodically undertaken during the course of employment and a further check may be needed if staff duties change (e.g. if their role is such that an enhanced CRB check is required). Staff will be aware when these checks are to be carried out as they will be asked to complete the relevant CRB forms.

Ncn also has a duty of care to all staff, students and visitors and must therefore make sure that staff/students do not pose a threat or danger to themselves or to others. We may therefore ask for information about particular health needs, or any medical conditions.
We will only use the information for the purposes of protecting the health and safety of the individual (or others who may be at risk of harm), and for the purposes of making reasonable adjustments under the Disability Discrimination Act, or in response to any complaints or claims relating to health and safety or disability requirements. This may involve providing relevant data to appropriate Line Managers, staff and advisers on a ‘need to know’ basis. Where appropriate, staff will be notified of this in the specific context in which the need to use or disclose the data arises.

Sometimes it is also necessary to process information about a person’s health, unspent criminal convictions, race and gender and family details. This may be to ensure the College is a safe place for everyone, or to operate other College policies, such as the equal opportunities policy, and this information will be disclosed to those persons within the College who have responsibility for such matters.

In order to demonstrate compliance with its equal opportunities obligations, we may be called upon to provide details of comparative staff/students. We will only process equal opportunities data in a form which identifies the member of staff/student concerned where this is necessary to comply with our legal obligations or to exercise our rights under equal opportunities laws.

6.0 Keeping Information up to date

We must ensure that staff/student data is accurate and kept up to date. To help achieve this all staff/students must assist in relation to any errors or changes regarding their personal details.
In particular, staff/students are responsible for the following:
Checking that any information they provide in connection with their employment/enrolment or studies is accurate and up to date;
Informing Ncn of any changes to the personal details they have provided to us, e.g. change of contact details, bank details for payroll purposes, next of kin etc;
Updating their Personal Details Section in the Accero HR system and in our staff directory.
Complying with any other requests that ncn may periodically issue to review the information we hold about staff in our staff records.

7.0 Data Security

ncn takes precautions including administrative, technical and physical measures to protect staff personal data against loss, theft and misuse, as well as against unauthorised access and disclosure. All staff are required to follow College policies and standards regarding the security of staff and student data.

Staff are required to ensure that:
Passwords are not shared.
Any personal information (about any individual) which they hold is kept securely; and
Personal information is not disclosed either orally or in writing or accidentally or otherwise to any third party unless authorised to do so.

Policies and procedures also provide that personal information is:
kept in a locked filing cabinet; or
in a locked drawer; or
if it is computerised, be password protected; or
kept only on disk which is protected and/or itself kept securely.

Failure to comply with College policies and procedures for handling staff/student data will be a disciplinary offence which may be considered gross misconduct and may also involve personal criminal liability.

8.0 Right to Access Your Personal Data (Subject Access)

Staff/students have the right to ask ncn if it holds their personal data and if so be provided with a copy of it. Any person who wishes to exercise this right should complete the college access to information form and return it to Human Resources department/Head of MIS.
However it should be noted that staff are not entitled under the 1998 Act to access their personal data held in unstructured manual files for human resources purposes.

We are entitled to charge the statutory fee for subject access. Our policy is not to charge this fee (currently £10) but we reserve the right to review our policy on charging.

We aim to comply with staff/student requests to access their own personal data as quickly as possible, but will ensure that it is provided within 40 days as prescribed by the 1998 Act.

Should staff/students consider the details provided in response to a subject access request are incorrect or out of date, they should notify their HR Business Partner/Data Protection Officer as soon as possible. Please also refer to section 6.1 in this regard regarding basic staff details.

If you have any queries or concerns regarding New College Nottingham’s management of personal data, including your right to access data about yourself, please contact michelle.deacon@ncn.ac.uk explaining what the problem is and where appropriate provide any evidence of what the information should say. If after 28 days the information has not been corrected then you can make a complaint.

There are two options open to you if you feel that your questions/concerns have not been dealt with adequately.
If you are a current staff or student please e-mail michelle.deacon@ncn.ac.uk with the nature of the complaint.
If you are still dissatisfied, you can go directly to the Information Commissioner, the independent body that oversees the Data Protection Act.

You can contact the Office of the Information Commissioner in the following ways:
Telephone: 01625 545700
In writing to: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Via the website: www.ico.gov.uk

9.0 Publication of College Information

Ncn are also required to comply with Freedom of Information Legislation.
This requires us to adopt and maintain a scheme setting out what information ncn routinely publish, and to publish information according to that scheme (or in relation to any environmental information that it holds, to progressively make it easily accessible to the public by electronic means). A copy of our “Freedom of Information Publication Scheme” is available on the ncn website/Intranet. We are also required to deal with any individual requests for information that we receive.

It is our policy to be as transparent as possible regarding the information that we hold, taking account of the interests of data subjects where the information contains personal data. Each decision to include personal data of staff/students in our publication scheme, or as to whether to disclose it under an individual request for information, will be assessed on a case by case basis according to legal requirements and relevant published guidance.

Staff should generally expect that the following information will be made available to the public:
Names of College governors and minutes of College meetings (except confidential items and material relating to individual members of staff)
Lists of staff, staff profiles and articles authored by staff; and
Photographs of staff where the relevant staff member has consented to such photographs being made available to the public.

Having regard to current case law and published guidance on this issue, we do not currently regard our internal phone list in its entirety to be a public document. However, any requests from the public for a copy of the list or any part thereof would have to be considered on a case by case basis. Any member of staff who reasonably believes that including their name in a published list would or would likely be detrimental to them should contact their HR Business Partner.

We may also receive requests for various types of staff information, including: salaries, bonusing; employment termination and compromise agreements; names/references in our documents/records (e.g. opinions or expressions of intention about a person or matter, or how they were involved); registers of interests. Similarly we will consider such requests on a case by case basis. However we may, according to the particular circumstances, be obliged to disclose such information unless this was unfair in that to do so would not be within the individual’s reasonable expectations or would or might have an unjustified detrimental effect on them.

Case by case assessments will take account of factors such as: whether the information relates to the individual in their professional or private capacity; their seniority; whether their role is public facing; whether their role involves important decisions on significant public spending; or whether it would breach an enforceable contractual clause. We may seek the individual’s views before making a decision. However, we will make our own decision as to whether disclosure would be fair.

10.0 Responsibility for Implementation

ncn is the Data Controller in respect of personal data. The member of staff with ultimate responsibility for implementation of this policy and for compliance with the 1998 Act for ncn is Michelle Deacon, Data Protection Officer. The Data Protection Officer is responsible for the day to day matters related to data protection and the HR Business Partner for Pay and Data, who is part of the Human Resources department, is responsible for the day-to-day matters related to data protection.

11.0 Retention of Data

ncn will keep certain information about staff/students for as long as is reasonable or necessary to comply with the law or for legitimate business needs.
This will include information needed in connection with administering pensions and taxation, for potential or current disputes or litigation regarding the employment, in the case of job applicants, in relation to any complaints or claims regarding the selection process, and information required for job references. If you have a query or concern regarding the retention of your personal data, please contact the HR Department.

For students this will include information needed in connection with administering student enrolment, attendance, achievement, success, post-college destination, personal tutor notes, academic records and information required for references and, in the case of prospective students, in relation to any enquiries, applications and interviews. If you have a query or concern regarding the retention of your personal data, please contact the head of IS.

Any questions or concerns about the interpretation or operation of this Policy should be taken up with the Head of MIS.

24-07-13