Everyone has rights with regard to the way in which their personal data are handled.
About this policy
1.1 The types of personal data that Bath Spa University (We) may be required to handle include information about current, past and prospective students, employees, officers, governors, suppliers and others that we communicate with. The personal data, which may be held on paper or on a computer or other media, are subject to certain legal safeguards specified in the General Data Protection Regulations (GDPR) and the UK Data Protection Act 2017-19 and associated legislation.
1.2 This policy and any other documents referred to in it set out the basis on which we will process any personal data we collect, or that is provided to us by data subjects or other sources.
1.3 This policy does not form part of any employee's contract of employment and may be amended at any time.
1.4 This policy sets out rules on data protection and the legal conditions that must be satisfied when we process personal data.
1.5 This policy is not the University’s Privacy Notice (our statements informing data subjects how their personal data is used by the University) and it should be read and complied with in conjunction with the University’s Information Governance Policy and associated information security and IT acceptable uses policies, the University Records management policy and the University’s Privacy Notices.
2.1. The University is committed to adhering to Data Protection law and associated Regulations as part of working practices.
2.2. During the course of our activities we process personal data about our students, prospective students, staff, suppliers and other third parties as laid out in our Privacy Notices. We recognise that the correct and lawful treatment of this data will maintain confidence in the University and will provide for successful academic and business operations.
2.3. This policy applies to all data users, processing data on behalf of the University. All staff must comply with this policy where the term ‘staff’ means anyone working in any context within the University at whatever level or grade and whether permanent, fixed term or temporary, including but not limited to employees, retired but active research staff, other visiting research or teaching staff, workers, agency staff, agents, volunteers, and external members of committees.
2.4. This policy applies to students of the University when processing personal data on behalf of the University whether as part of research activities, group study, performance, experiments, fieldwork and case studies. It does not apply when acting in a private or non-University capacity.
Adhering to Data Protection law at the University is summarised (but not restricted to) as the below:
- The application of the data protection principles for all processing; lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.
- An understanding and the enablement of data subject rights as outlined within the law: to be informed; access; rectification; erasure; restriction; data portability; and objection (including in relation to automated decision-making).
- Ensuring the implementation of the University’s accountability obligations under data protection law, including: implementing appropriate data protection policies; implementing data protection by design and default in projects, procurement and systems; using appropriate contracts with third party data controllers and data processors; holding relevant records about personal data processing; implementing appropriate technical and organisational security measures to protect personal data; reporting certain personal data breaches to the Information Commissioner’s Office; conducting Data Protection Impact Assessments where required; and ensuring adequate levels of protection when transferring personal data outside the European Economic Area.
- Cooperating, responding to and taking guidance and advisory actions (where relevant) with the Information Commissioner’s Office (ICO).
Roles and responsibilities
3.1. The University has the duty as a Data Controller (or when acting as a joint controller or processor) for complying with data protection law in a demonstrable manner, including resourcing adequate controls for the security of processing, maintaining records of processing activities and all activities as laid out within this policy.
The Data Protection Officer
3.2. In line with relevant articles of the GDPR and associated data protection law the post of Data Protection Officer is an independent role, separate from areas where they may be exposed to a conflict of interest in determining the means of processing at the University. The DPO is responsible for ensuring compliance with GDPR and the Act and with this policy. They can be contacted on firstname.lastname@example.org and hold the following principle responsibilities
- Supported by the University’s Secretariat, they will be responsible for monitoring and auditing the University’s compliance with data protection law, advising senior management of risks and potential breaches as and when they may occur, and reporting to the Board of Governors on the overall risk profile on at least an annual basis.
- Advising the University, principally via the University Secretariat and IT Services, on all aspects of its compliance with data protection law, including an active role within the University’s Information Governance Board and advising on Data Protection Impact Assessments.
- Acting as the University’s point of contact with the ICO with regard to data protection and breach notification.
- Acting as an available point of contact for complaints from data subjects.
Information Governance Board
3.3. The board is responsible for ensuring that appropriate processes are implemented and communicated to enable data assets containing personal data within their departments to be included in the University’s Data Asset Registers.
3.4. The board has additional responsibilities and scope as laid out in the University’s Information Governance Policy.
3.5. A subgroup of this board will be responsible for managing and/or handling Data Protection Impact Assessments and liaising with the Data Protection Officer where appropriate.
3.6. The Information Governance Board papers will include a record of DPIAs conducted, and will provide a risk statement on at least an annual basis to be circulated to senior management.
3.7. The compliance team with the University’s Secretariat are responsible for:
- Providing advice, guidance, training and tools/methods, in accordance with the University’s overall risk profile and having taken into account the advice of the Data Protection Officer, relevant case law and ICO/other regulatory guidance, to help University departments, schools and staff comply with this policy;
- Publishing and maintaining core privacy notices and other relevant University-wide data protection documents (with the exclusion of those maintained via the Information governance protocols);
- Handling data subject rights requests.
3.8. The Information Security Manager and associated relevant personnel within IT Services are responsible for:
- The review and adequacy assessments of security configurations in relation to Data Protection Impact Assessments and software implementation, maintenance and projects.
- Providing advice, guidance, training and tools/methods, in relation to the University’s Information Governance Policy and associated data management and governance protocols.
Senior Management, Heads of Department, Line Managers
3.9. In addition to the individual responsibilities laid out for individual staff below, management staff are expected to:
- Make all staff within their areas aware of this policy as necessary;
- Ensure that appropriate processes and training (Information Governance, E-learning modules etc.) are engaged with to enable compliance with data protection law; and
- Ensure that appropriate processes are implemented within their areas to enable data assets containing personal data within their area are included in the University’s Data Asset Registers.
3.10. Each data user at the University hold the following responsibilities relating to data protection laws, where reasonable the below also applies to students:
- Completing relevant data protection training
- Following relevant advice, guidance and tools/methods provided by Information Governance and the Secretariat depending on their role, regardless of whether access to and processing of personal data is through University-owned and managed systems, or through their own or a third party’s systems and devices
- When processing personal data on behalf of the University, only using it as necessary for their contractual duties and/or other University roles, in line with the purposes and practices illustrated to data subjects via the privacy notice and associated statements during data collection and not disclosing it unnecessarily or inappropriately
- Recognising, reporting internally via the information governance protocols, and cooperating with any remedial work arising from personal data breaches
- Cooperating with the fulfilment of data subject rights requests
- When engaging with students who are using personal data in their studies and research, advising those students of relevant advice, guidance and tools/methods to enable them to handle such personal data in accordance with this policy
Changes to this policy
We reserve the right to amend this policy at any time. Where appropriate, we will notify data subjects of those changes by mail or e-mail. This policy will be reviewed on an annual basis by the Data Protection Officer in conjunction with the Secretariat.
Subject access requests
In line with data subject rights you are entitled to make a request for the data we hold.
To make a Subject Access Request please contact the Data Protection Officer via the Compliance team on email@example.com
Date of last approval: May 2018
Approved by: VCAG
Date of next review: March 2019
Department/Post responsible: Secretariat (Compliance)