Our Data Protection Policy

1. Introduction

  1. Since BSU is a centre of knowledge, education and training it is focussed on information and its use. BSU needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government met.
  2. Our use of information is governed by the principles of the Data Protection Act, 1998 (the 1998 Act). Under the 1998 Act, personal data shall:
    1. be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
    2. be adequate, relevant and not excessive for those purposes
    3. be accurate and kept up to date
    4. be kept for no longer than is necessary for that purpose
    5. be processed in accordance with the data subject's rights
    6. be kept safe from unauthorised access, accidental loss or destruction
    7. not be transferred to a country outside the European Economic Area unless that country has equivalent levels of protection for personal data
  3. BSU and all staff or others who process or use personal information must ensure that they follow these principles at all times.

2. Status of the Policy

  1. This policy does not form part of the formal contract of employment but it is a condition of employment that employees will abide by the rules and policies made BSU from time to time. Failure to follow the policy can therefore result in disciplinary proceedings.
  2. Any member of staff who considers that the policy has not been followed in respect of personal data about him or herself should raise the matter with the Data Protection Officer initially. If the matter is not resolved it should be dealt with under the Grievance Procedure in the Employment Handbook (Section 2.18)

3. Notification of Data Held and Processed

  1. All staff, students and other users are entitled to:
    1. know what information BSU holds and processes about them and why
    2. know how to gain access to it
    3. know how to keep it up to date
    4. know what BSU is doing to comply with its obligations under the 1998 Act
  2. BSU will therefore provide staff and students and other relevant users with notification of the types of data BSU holds and processes about them, and the reasons for which it is processed. BSU will do this at least once every three years.

4. Responsibilities of Staff

  1. All staff are responsible for:
    1. checking that information that they provide to BSU in connection with their employment is accurate and up to date
    2. informing BSU of changes to or errors in information held.
  2. If and when, as part of their responsibilities, staff collect information about other people (e.g., about students' course work, opinions about ability, references to other academic institutions, details of personal circumstances), they must comply with the guidelines for staff.

5. Data Security

  1. All staff are responsible for ensuring that:
    1. personal data they hold are kept securely
    2. personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party. Unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.
  2. Personal information should be:
    1. kept under lock and key when not attended.
    2. if it is computerised, and in an area where it may be seen by unauthorised staff or students, be password protected; or kept only on disks which are kept securely.

6. Student Obligations

  1. Students must ensure that all personal data provided to BSU are accurate and up to date. They must ensure that changes of address, etc, are notified to Registry.
  2. Students who use BSU computer facilities may from time to time process personal data. If they do they must notify the Data Protection Officer.

7. Rights to Access Information

  1. Staff, students and others have the right to access any personal data that BSU keeps about them, either on a computer or in paper files. Any person who wishes to exercise this right should complete the BSU "Data Subject Access Request" form (.doc), or from the Data Protection Officer. BSU will make a charge on each occasion that access is requested, although the fee may be waived in certain circumstances.
  2. BSU aims to comply with requests for access to personal information as quickly as possible, and will ensure that it is provided within 21 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.

8. Examination Marks

  1. Students will be entitled to information about their marks for both coursework and examinations. However, this may take longer to provide than other information. BSU may withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all library books and equipment returned.

9. Publication of Information

  1. Information that is already in the public domain is exempt from the 1998 Act. It is BSU policy to make as much information public as possible, within the requirements of the Data Protection and Freedom of Information Acts. The University maintains a publication scheme, approved by the Information Commissioner, and general information is available on the BSU Freedom of Information website.
  2. Any individual who has good reason for wishing listed information to remain confidential should contact the Data Protection Officer.
  3. BSU's internal phone list will not be a public document.

10. Subject Consent

  1. Those who are offered places or posts at BSU will be notified of the standard data kept about them, and the uses to which it may be put, as declared in our registration with the Data Protection Commissioner. Acceptance of a place or a post will be understood to signify acceptance of such "standard" processing.
  2. Sometimes it is necessary to process "sensitive" information, for instance, about a person's health, criminal convictions, race and gender or family. This may be to ensure that BSU is a safe place to work or study, to operate BSU policies (e.g. sick pay, equal opportunities), or to enable the institution to comply with the law. It is recognised that processing it may cause particular concern or distress to individuals. Accordingly, in respect of sensitive data, staff and students will be asked to give "express consent", using a "Consent To Process" form.
  3. Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. BSU has a duty under the Children Act and other acts to ensure that staff are suitable for their jobs, and students for their courses. In addition, BSU has a duty of care to staff and students in general and must make sure that employees and those who use BSU facilities do not pose a threat or danger to others. In order that these and similar requirements may be met, offers of employment or course places may be withdrawn if an individual refuses consent to process.

11. The Data Protection Officer and Data Owners

  1. BSU as a body corporate is the "Data Controller" under the Act, and the Board of Governors is therefore ultimately responsible for implementation. The Director has vested day to day responsibility for implementing the provisions of this policy with a Data Protection Officer, who is currently Dave Hassall.
  2. The Data Protection Officer designates "Data Owners" responsible for files held in particular locations or for particular functions. Data Owners may designate authorised staff to process personal data.
  3. The current Data Owners are declared in a list published by Computer Services.

12. Retention of Data

  1. BSU will keep data for the minimum time necessary to fulfil its purpose.
  2. Owing to the need to meet future requests for references, Registry student records will be kept indefinitely, unless there are specific requests to destroy them.
  3. BSU will keep information about ex-employees for seven years, in order to meet data needs for pensions, taxation, potential or current disputes or job references.
  4. A full list of information with retention times is published and is available from the Data Protection Officer.

13. Conclusion

  1. Compliance with the 1998 Act is the responsibility of all members of BSU. Any deliberate breach of the data protection policy may result in disciplinary action, access to facilities withdrawn, or even criminal prosecution. Questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Officer.