Data Protection and Retention
Data Protection Policy
| Field | Value |
| --- | --- |
| Policy Owner | Chief Information Officer |
| Policy Approver(s) | Information Security Manager |
| Related Policies | Acceptable Use Policy |
| Related Procedures | See Appendices |
| Storage Location | SharePoint Intranet |
| Effective Date | December 2015 |
| Next Review Date | November 2016 |
Data Protection Policy and Procedure
The City of Liverpool College Group (the “Group”) must comply with the Data Protection Principles set out in the Data Protection Act 1998. In summary, these state that Personal Data shall be:
- Processed fairly and lawfully and shall not be processed unless certain conditions are met.
- Obtained for specified and lawful purposes and not further processed in a manner incompatible with that purpose.
- Adequate, relevant and not excessive.
- Accurate and where necessary up to date.
- Kept for no longer than necessary.
- Processed in accordance with data subjects’ rights.
- Protected by appropriate security.
- Not transferred without adequate protection.
The Group and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens the Group has developed the Data Protection Policy.
1. The Data Protection Officer
1.1 The City of Liverpool College is the Data Controller under the Act, and the Corporation Board, as the governing body of the Group, is ultimately responsible for implementation. Enquiries relating to the holding of personal data should be referred, in the first instance, to the SharEd Data Protection Officer(s).
- Appendix 2 – Details of authorised staff
1.2 Status of the Policy. This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies enacted by the Group. Any failure to follow the policy can therefore result in disciplinary proceedings. Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the Data Protection Officer.
2.1 All staff, and other users are entitled to:
- Know what personal information SharEd holds and processes about them and why.
- Know how to gain access to it.
- Know how to keep it up to date.
- Know what the Group is doing to comply with its obligations under the 1998 Act.
2.2 The Group on request will provide all staff and other relevant users with a standard form of notification as required. This will state all the types of data the Group holds and processes about them, and the reasons for which it is processed.
3.1 All staff are responsible for:
- Checking that any information they provide to the Group in connection with their employment is accurate and up-to-date.
- Informing the Group of any changes to information which they have provided, e.g. changes of address. Where access to a self-service portal is available, updating the information there will be accepted as notification.
- Checking the information that the Group will send out from time to time, giving details of information kept and processed about staff.
- Informing the Group of any errors or changes. The Group cannot be held responsible for any errors unless the staff member has informed the Group of them.
- If and when, as part of their responsibilities, staff collect information about other people (e.g. a learner’s coursework, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with the guidelines for staff.
- Appendix 1 – Staff Guidelines for Data Protection Act
- Appendix 1, Annex 1- Frequently Asked Questions
4.1 All staff are responsible for ensuring that:
- Any personal data which they hold is kept securely
- Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.
IMPORTANT – Violation of any of the constraints of the Group’s Data Protection Policy or procedures may be considered a security breach and, depending on the nature of the violation, may be subject to sanctions under the Group’s disciplinary procedures. Unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.
Personal information should be:
- Kept in a locked filing cabinet; or
- Kept in a locked drawer; or
- If it is computerised, password protected; or
- If kept on disk, stored securely.
The Data Protection Act requires all electronic data to be held securely, and the Group has to demonstrate annually that this has been done in order to renew its Data Protection Registration. Learner details are held in EBS/Maytas and staff details in iTrent/Cintra/OpenAccounts; these systems are protected internally by user passwords and server-side security, and protected from external access by firewalls and physical security.
It is a criminal offence to remove personal information from a secure registered site without adequate security such as encryption and password protection. The Data Protection Act also covers printed information showing personal data.
Examples of where removal of information from Group premises may have been undertaken are:
- Course lists (contained in spreadsheets, databases etc.) that have not been encrypted and password protected, showing full demographic information, saved to DVD, CD, memory card or USB pen drive, emailed to other organisations, or transferred to a laptop or other portable storage device.
- Personal details of staff, that have not been encrypted and password protected, transferred off site in the same manner as above.
Please note that sending an email from the Group to another organisation is not classed as secure unless the information contained is encrypted and password protected.
It is also important that staff do not share their login name or password details with any other user within the Group or outside of the Group to minimise the risk of theft.
If your job role involves taking personal data off site and you would like help or advice on encrypting and securing data, contact the IT Service Desk.
5.1 In many cases, the Group can only process personal data with the consent of the individual. In some cases, if the data is sensitive express consent must be obtained. Agreement to the Group processing some specified classes of personal data is a condition of acceptance of a learner onto any course, and a condition of employment for staff. This includes information about previous criminal convictions.
5.2 Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. The Group has a duty under the Children Act and other enactments to ensure that staff are suitable for the job, and learners for the courses offered. The Group also has a duty of care to all staff and others and must therefore make sure that employees and those who use Group facilities do not pose a threat or danger to other users.
5.3 The Group may also ask for information about particular health needs, such as allergies to particular forms of medication, or any condition such as asthma or diabetes. The Group will only use the information in the protection of the health and safety of the individual, but will need consent to process the data in the event of a medical emergency, for example.
5.4 Therefore, all prospective staff and others are asked to sign a Consent To Process, regarding particular types of information, when an offer of employment is made. A refusal to consent can result in the offer being withdrawn.
6.1 Information that is already in the public domain is exempt from the 1998 Act. It is Group policy to make as much information public as possible, and in particular the following information will be available to the public for inspection:
- Names and contacts of the Group’s board
- List of staff
Note: The Group’s internal telephone list will not be a public document.
Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact the Data Protection Officer.
7.1 Staff and other users within the Group have a right to access personal data that is being held about them, either on computer or in certain files. Any person who wishes to exercise this right should complete the “Subject access request form” and give it to a data controller or his or her representative. In order to gain access, an individual may wish to receive notification of the information currently being held. This request should be made in writing using the standard form. The Group may make a charge of up to £50 on each occasion that access is requested, although the Group will have discretion to waive this. The Group aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 working days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing to the data subject making the request. Where a fee is required, the 20 working days begin when payment is received.
- Appendix 3 – Procedure for subject access to personal data
- Appendix 4 – Subject access request form
- Appendix 5 – Standard letter in response to subject access to personal data
Students/apprentices are entitled to information about their marks both for coursework and examinations. For further information see the organisation’s respective Policy for details.
Any complaints received from individuals relating to personal information held on record or being processed by the college should be forwarded to Ken Ryan (Data Protection Officer) – firstname.lastname@example.org.
The Group keeps some forms of information for longer than others, in line with Financial, Legal, or Archival requirements. Because of storage limitations, some information cannot be kept indefinitely, unless there are specific requests to do so. Information about members of staff will be kept 10 years after they leave the Group.
The Group can lawfully intercept e-mail, telephone and Internet communications, and can monitor and/or record communications without the consent of colleagues, in the following circumstances:
- To establish the existence of facts relevant to the Group.
- To ensure compliance with regulatory or self-regulatory practices or procedures relevant to the Group.
- To ensure certain standards of performance and conduct which ought to be achieved by staff are being met.
- To prevent or detect crime, fraud or corruption.
- To investigate or detect the unauthorised use of the telecommunications system (e.g. in breach of Group rules or policies).
- To ensure the effective operation of systems, including monitoring for viruses and other threats to systems.
The Group may monitor (but not record) communications without consent in the following circumstances:
- To ensure that communications are relevant to the Group (this could include viewing emails during a colleague’s absence to ascertain whether or not they are Group related).
- To monitor communications to a confidential and anonymous helpline.
- Providing counselling or support.
For the personal data that controllers store and process:
- It must be collected and used fairly and inside the law.
- It must only be held and used for the reasons given to the Information Commissioner.
- It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. You cannot give it away or sell it unless you said you would to begin with.
- The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register. So you must have enough detail but not too much for the job that you are doing with the data.
- It must be accurate and be kept up to date. There is a duty to keep it up to date, for example to change an address when people move.
- It must not be kept longer than is necessary for the registered purpose. It is alright to keep information for certain lengths of time but not indefinitely. This rule means that it would be wrong to keep information about past customers longer than a few years at most.
- The information must be kept safe and secure. This includes keeping the information backed up and away from any unauthorised access. It would be wrong to leave personal data open to be viewed by just anyone.
- The files may not be transferred outside of the European Economic Area (that’s the EU plus some small European countries) unless the country that the data is being sent to has a suitable data protection law. This part of the DPA has led to some countries passing similar laws to allow computer data centres to be located in their area.
| Appendix | Title |
| --- | --- |
| Appendix 1 | Data Protection Policy and Confidentiality: Staff Guidelines and Frequently Asked Questions |
| Appendix 2 | Details of authorised staff |
| Appendix 3 | Procedure for subject access to personal data |
| Appendix 4 | Subject access request form |
| Appendix 5 | Standard letter in response to subject access to personal data |
| Appendix 6 | Retention Period for Group documents |
| Version | Change | Author | Date of Change | Approved By |
| --- | --- | --- | --- | --- |
| 1.0 | First draft | Deyton Hulcombe | 21/05/2015 | Ken Ryan |
| 1.1 | Corrections | Deyton Hulcombe | 14/10/2015 | Terry Broadhurst |
| 1.2 | Corrections | Deyton Hulcombe | 18/11/2015 | Terry Broadhurst |
| 1.3 | Amendments | Deyton Hulcombe | 08/03/2016 | Alasdair Redmond |