Data Protection policy

1.1 This Data Protection Policy (the “Policy”) sets out how University of Staffordshire ("we", "our", "us", "the University") handles Personal Data. Capitalised terms are defined in the Glossary in Annex 1.

1.2 To carry out its business effectively, the University processes large amounts of Personal Data on a variety of Data Subjects, including applicants, students, alumni, staff, suppliers, visitors, research participants and members of the public.

1.3 Personal Data is held at the University in a variety of ways and for several different purposes. These purposes include the maintenance of staff and student records, statutory compliance and other matters such as research data and the management of relationships with alumni, applicants, supporters and other persons.

1.4 This Policy applies to all Personal Data we Process regardless of the media on which that data is stored and whether it relates to past or present employees, workers, students, alumni, suppliers, website users, or any other Data Subject.

1.5 Personal Data will be handled with care and in compliance with the applicable law governing data protection (the “data protection law”), including but not limited to the Data Protection Act 2018 (the “DPA 2018”) and the UK General Data Protection Regulation (the “UK GDPR”) or successor legislation.

1.6 This Policy applies to all University Personnel ("you", "your"). You must read, understand and comply with this Data Protection Policy when Processing Personal Data on behalf of the University and attend training on its requirements. This Policy sets out what we expect from you for the University to comply with applicable law. Your compliance with this Policy is mandatory. Breaches of this Policy may lead to disciplinary or other appropriate action being taken.

1.7 This Policy should be read and interpreted in conjunction with the other related University policies and procedures which are listed in Annex 2 of this Policy.

2.1 The University must Process Personal Data in accordance with data protection law, and in particular, the six data privacy principles (Article 5, UK GDPR). This means Personal Data will be:

(i) processed lawfully, fairly and in a transparent manner;
(ii) collected for specific, explicit and legitimate purposes. Further processing for archiving, scientific or historic research or statistical purposes is permissible;
(iii) adequate, relevant and limited to what is necessary for the purpose;
(iv) accurate and kept up to date;
(v) only kept for as long as it is needed; and
(vi) kept safe using appropriate technical and organisational measures.

2.2 The UK GDPR states that the University, as the Controller, shall be responsible for, and must be able to demonstrate compliance with the above principles.

3.1 Personal Data must be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject. The University may only collect, Process and share Personal Data fairly and lawfully and for specified purposes.

3.2 In order for it to be legal and appropriate for the University to Process Personal Data at least one of the lawful bases set out in Article 6 UK GDPR must apply. The most relevant are:

(a)  the Data Subject has given Consent;
(b)  the Processing is necessary for the performance of a contract with the Data Subject, such as an educational or employment contract;
(c)  the Processing is necessary for compliance with a legal obligation;
(d)  the processing is necessary to protect the Data Subject’s vital interests;
(e)  the processing is necessary for the performance of a task carried out in the public interest; or
(f)   the processing is necessary for the legitimate interests of the University as Controller or of a third party except where those interests are overridden by the rights and freedoms of the Data Subject. This condition cannot be used by public authorities (such as the University) in performance of their public tasks.

3.3 Individuals will be informed of the lawful basis for the intended Processing of their Personal Data in the relevant Privacy Notice. In most cases the Personal Data Processed relating to students will be for the delivery of their educational contract, and, in the case of staff in relation to their employment contract. As well as the legal basis for Processing, Privacy Notices set out (amongst other things) the type of data generally held by the University, an explanation about circumstances in which Personal Data may be shared with others and a statement of the rights of Data Subjects. When Personal Data is being collected, the Data Subject’s attention should be drawn to the relevant Privacy Notice.

3.4 When Processing Special Categories of Personal Data, in addition to a lawful basis set out in 3.2, the University is required under the UK GDPR to have an additional legal basis for processing, such as:

(a)  the Data Subject has given explicit consent;
(b)  the Processing of Special Categories of Personal Data is to perform or exercise obligations or rights in relation to employment, social security or social protection law;
(c)  the Processing is necessary to ensure the vital interest of the Data Subject or another person, where the individual is physically or legally incapable of giving consent;
(d)  the Special Category Personal Data has already been made manifestly public by the Data Subject;
(e)  the Processing is necessary for reasons of substantial public interest as defined by the DPA 2018, Schedule 1, Part 2 (e.g. safeguarding, preventing/detecting unlawful acts);
(f)   the Processing is required for occupational health ,absence management or the provision of health or social care services or treatment; or
(g)  the Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

3.5 For Personal Data relating to Criminal Convictions Data, the University must comply with one of the lawful bases as set out above in 3.2 and also meet one of the conditions specific to Criminal Convictions Data as set out in the DPA 2018, Schedule 1.  The DPA 2018, Schedule 1 conditions are similar to those that apply to Special Categories of Personal Data, including the substantial interest conditions provided by the DPA 2018, Schedule 1, Part 2.  

4.1 Data Subjects Consent to Processing of their Personal Data if they indicate agreement clearly either by a statement or positive action to the Processing. Consent requires affirmative action, so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If Consent is given in a document which deals with other matters, then the Consent must be kept separate from those other matters.

4.2 Data Subjects must be easily able to withdraw Consent to Processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if you intend to Process Personal Data for a different and incompatible purpose which was not disclosed when the Data Subject first consented. The University will maintain records of Consents given and withdrawn.

4.3 Consent should only be relied upon if there is no other relevant lawful basis for Processing, or when Processing Special Categories of Personal Data or Criminal Convictions Data.

4.4 If there is an intention to use Personal Data for electronic marketing purposes the University will usually be relying on Consent as the lawful basis for Processing and the Data Subjects will be notified of this intention and will be asked for clear and specific Consent before any such use will be made of their Personal Data.

5.1 Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.

5.2 Personal Data cannot be used for new, different or incompatible purposes from that disclosed when it was first obtained unless we have informed the Data Subject of the new purposes and they have Consented where necessary.

5.3 There is an exception to this in relation to research. Please see section 15.1 of this Policy for further details.

6.1 Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.

6.2 Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.

7.1 Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the Personal Data is Processed.

7.2 The University will maintain comprehensive Retention of Documents Policy to help avoid excessive retention or premature destruction of Personal Data.

7.3 Personal Data which is no longer required or which should no longer be held under data protection law will be disposed of in a manner appropriate to its nature and the need for security.

7.4 The University will maintain an Information Asset Register detailing all Processing including the Personal Data held, its source, details of sharing of the data and the lawful basis for the Processing.

8.1 The University will maintain appropriate technical and organisational measures to ensure the security of Personal Data. In particular:

8.1.1 Data security is created, reviewed, tested and improved on an on-going basis;
8.1.2 Procedures are in place to analyse and respond to any identified threats to data security;
8.1.3 Policies specifically relating to digital security measures are listed at the end of this Policy;
8.1.4 Each Service and School maintains and complies with documented organisational measures governing the security of data held within its own area; and

8.1.5 Particular care is exercised in protecting Special Categories of Personal Data and Criminal Convictions Data from loss and unauthorised access, use or disclosure.

8.2 The University assesses and identifies areas that could cause data protection compliance or security problems and records these on its risk register. Controls are applied to mitigate the identified risks and these are regularly verified for effectiveness.

8.3 The University acknowledges its duty under data protection law to conduct a Data Impact Risk Assessment (DPIA) in certain circumstances. The types of circumstances when a DPIA will be required include:

• when introducing new technologies or procedures which may involve a high risk to the rights and freedoms of individuals;
• monitoring or publicly accessible areas (CCTV);
• Processing Special Categories of Personal Data; or
• Processing of large amounts of Personal Data

9.1 The University recognises that Data Subjects have a number of rights in relation to their Personal Data, including the right to:

• where the legal basis of the Processing is Consent, withdraw that Consent at any time;
• receive certain information about the Controller's Processing activities;
• have access to the Personal Data held about them;
• have errors corrected and taking into account the purposes, to complete incomplete Personal Data;
• have data erased in some circumstances;
• object to or to restrict Processing in some circumstances;
• have data securely transferred to another organisation; and
• assert the right to human intervention, to express their opinion and to obtain and challenge explanations where automated decision-making is used and has an impact on them.

9.2 The University will respond to requests for access to Personal Data or the assertion of other data protection rights within one month of receiving the request in accordance with the statutory time limits and the University’s Data Subject Access Requests Procedure (see Annex 2).

9.3      You must immediately forward any Data Subject request you receive to the DPO.

10.1 Data may be shared with other organisations in accordance with the University Privacy Notices and as permitted by law.

10.2 The University enters into written agreements with all processors of Personal Data controlled by the University which comply with data protection law.

10.3 Data is only transferred outside the UK in compliance with the conditions for transfer set out in law. In particular, Personal Data will only be transferred to territories outside the UK where adequate standards of privacy protection can be guaranteed, either by national laws or via contractual arrangements, and in other circumstances where transfers are permitted by UK data protection law. The University takes steps to ensure that there are adequate safeguards and data security in place and has measures to audit security arrangements on a periodic basis.

10.4 Mechanisms are in place to notify third parties, where required, of any change in the status of consent given by a Data Subject where Consent is the lawful basis for the Processing of Personal Data.

11.1 The University provides data protection training for all staff. This is done on induction and when updates are required. Specialist training is given to staff with specific duties, such as marketing, information security, and the handling of requests from Data Subjects. The training encourages personal responsibility and good security behaviours, including how to recognise and report Personal Data Breaches.

11.2 Serious breaches of this or a related policy (or repeated minor breaches) will be dealt with under the University's disciplinary procedures and may also be a breach of the law.

12.1 The University has a designated Data Protection Officer with overall responsibility for data protection compliance.

12.2 The Data Protection Officer is responsible for:

12.2.1 Maintaining this policy and all records relating to data protection;
12.2.2 Providing guidance, support, training and advice on compliance with the UK GDPR;
12.2.3 Liaison with the Information Commissioner’s Office;
12.2.4 Taking legal advice on matters relating to data protection where necessary;
12.2.5 Supervising the management of access and other requests from Data Subjects;
12.2.6 Managing the procedure for the reporting and resolving of Personal Data breaches;
12.2.7 Reviewing and auditing the way Personal Data is managed, and ensuring that methods of handling Personal Data are regularly assessed and evaluated; and
12.2.8 Monitoring and reporting on compliance with data protection training.

12.3 Directors of Services and Deans of Schools are responsible for ensuring awareness of and compliance with this policy in their areas.

12.4 The Director of Digital Services is responsible for maintaining the University’s Digital Services capability Policies in liaison with the Data Protection Officer.

12.5 Principal investigators are responsible for Personal Data management in their own research studies and for ensuring that secure information systems and operating procedures are in place with regards to data handling. Where Personal Data is Processed, research staff and students must adhere to the Personal Data Processing requirements set out in this Policy, as well as the University’s Code of Practice for Research.

12.6 Staff training encourages personal responsibility and good security behaviours, including how to recognise and report breaches.

13.1    The UK GDPR requires Controllers to notify any Personal Data Breach to the Information Commissioner and, in certain instances, the Data Subject.

13.2 The University has a procedure, the Data Subject Access Requests Procedure (see Annex 2), for the reporting of breaches to the appropriate individuals as soon as they are discovered, and to investigate and implement recovery plans. This procedure includes assessment of the likely risk to individuals and, if required, notification of affected individuals and reporting to the Information Commissioner’s Office in line with legal requirements.

13.3 Any suspicions of a likely Personal Data Breach should be reported to the DPO immediately to allow the University to take mitigating action and comply with the requirement to report most data breaches to the Information Commissioner's Office within 72 hours of the breach being discovered, if necessary.

The University has a process to monitor compliance with this Policy and related policies.  The University Executive receives regular reports from the Data Protection Officer, as does the Audit and Risk Committee of the Board of Governors. Data protection at the University is monitored as part of the annual internal audit plan.

15.1 Personal Data collected for the purposes of academic research is covered by the UK GDPR. It is important that staff collecting such Personal Data for research purposes incorporate an appropriate form of Consent on any data collection form and issue appropriate Privacy Notices to research participants. There are some circumstances in which Consent is not needed, provided certain safeguards are implemented. In addition, the prohibition on using Personal Data for incompatible purposes does not apply to data obtained for research purposes, provided that the safeguards are implemented.

15.2 In the context of the University, the lawful basis for processing Personal Data for research is that it is in the public interest.

15.3 For further information, please see the University’s Code of Practice for Research.

The University’s use of CCTV and body-worn cameras is regulated by a separate policy (see Annex 2), designed to ensure that the Close Circuit Television (CCTV) system used at the University is operated in compliance with the law relating to data protection, and includes the principles governing the Processing of Personal Data.

17.1 If you require more information about how the University manages personal data generally please contact the University’s Data Protection Officer at the following address:

Data Protection Officer
University of Staffordshire
Stoke-on-Trent
ST4 2DE

Email: dataprotection@staffs.ac.uk

17.2    If you wish to raise a concern or make a complaint about the way in which the University processes your Personal Data, you should in the first instance contact the Data Protection Officer with full details using the contact details above. If you do not believe that your complaint has been satisfactorily resolved by the Data Protection Officer, you may contact the Information Commissioner at the following address:

Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

icocasework@ico.org.uk

https://ico.org.uk/

We keep this Data Protection Policy under regular review. This Data Protection Policy does not override any applicable national data privacy laws and regulations.

Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.

Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR. The University is the Controller of all Personal Data relating to our University Personnel and Personal Data used in our business for our own commercial purposes.

Criminal Convictions Data: personal data relating to criminal convictions and offences, including personal data relating to criminal allegations and proceedings.

Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

Data Privacy Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programmes involving the Processing of Personal Data.

Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).

UK GDPR: the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) as defined in the Data Protection Act 2018. Personal Data is subject to the legal safeguards specified in the UK GDPR.

Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Special Categories of Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour.

Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

Privacy Notices: separate notices setting out information that may be provided to Data Subjects when the University collects information about them. These notices may take the form of:

a) general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy); or

b) stand-alone, one-time privacy statements covering Processing related to a specific purpose.

Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Related Policies: the University's policies, operating procedures or processes related to this Data Protection Policy and designed to protect Personal Data, listed in Annex 2.Special Categories of Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

University Personnel: all employees, workers, contractors, agency workers, consultants, directors, members and others.

• Code of Conduct for Research and Research Integrity
• Research Ethical Review Policy
• Subject Access Requests Procedure
• Data Classification, Handling and Disposal Policy
• Retention of Records Policy
• Student Privacy Notice
• Staff Privacy Notice
• Alumni Privacy Notice
• Outreach Privacy Notice
• Beacon Privacy Notice
• CCTV and Body-Worn Cameras Policy