Code of practice 1 - Handling of personal data
1.1 This Code of Practice, drawn up in association with the College's Data Protection Policy, relates to the collection, holding and disclosure of data relating to individuals. The Code provides best practice for staff and students of the College and other authorised persons who collect, process, disclose or have access to personal data in whatever medium that data is held. In the terms of the General Data Protection Regulation (GDPR) "processing" covers all aspects of handling personal data, including obtaining, recording, holding, retrieving, collating, disclosure, erasure and destruction of data.
Keeping records of processing activities
2.1 The College has an obligation to keep records of its data processing activities. This replaced the obligation to notify the Information Commissioner of what personal data the College processes. The records that the College must keep include:
- the contact details of the College/its representative (if applicable)/ the Data Protection Officer;
- the purposes of the processing;
- the categories of data subjects and personal data processed;
- the categories of recipients with whom the data may be shared;
- information regarding Cross-Border Data Transfers;
- the applicable data retention periods; and
- a description of the security measures implemented in respect of the processed data.
Upon request, these records must be disclosed to the Information Commissioner.
To help the College comply with its record keeping obligations, all College information assets (including those that contain personal data) must be registered in the College’s Information Asset Register and must have an identified Information Asset Owner who (among other things) is responsible for updating the record as and when necessary.
Collecting and processing of personal data
3.1 Collection and processing of Personal Data must comply with the data protection principles
Personal data users have a duty to make sure that they comply with the GDPR and handle personal data in accordance with the data protection principles. These are set out in the College Data Protection Policy. In summary these state that the College will:
- process personal data lawfully, fairly and in a transparent manner;
- collect personal data for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;
- only process the personal data that is adequate, relevant and necessary for the relevant purposes;
- keep accurate and up to date personal data, and take reasonable steps to ensure that inaccurate personal data are deleted or corrected without delay;
- keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed;
- take appropriate technical and organisational measures to ensure that personal data are kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage;
- demonstrate compliance with the above data protection principles.
3.2 Personal data is “any information relating to an identified or identifiable natural person (referred to as a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. So, some obviously personal data are name, contact details (post, phone, e-mail etc.), relationship, educational and financial details. Less obviously personal data are IP addresses and device IDs, pseudonymous data (e.g. hashed or encrypted data).
3.3 In addition, personal data has a sub-set known as ‘sensitive personal data’ or ‘special categories of data’. These are data relating to a data subject’s:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of unique identification
- sex life or sexual orientation
Sensitive personal data has a higher standard of protection than other personal data.
3.4 The data protection law also treats criminal data with a higher degree of care than other personal data. More is expected on this in the Data Protection Bill currently going through the UK Parliament.
3.5 The term "processing" is very broad. It essentially means anything that is done to, or with, personal data (including simply collecting, storing or deleting those data). This definition is significant because it clarifies the fact that the GDPR is likely to apply wherever an organisation does anything that involves or affects personal data.
3.6 Processing ‘standard’ personal data
3.6.1 We must have one of six prescribed lawful bases for processing personal data. Seeking consent from the individuals whose data they are is one basis for processing but should be considered only where there is no more suitable legal basis for the processing.
3.6.2 The six lawful basis are:
(i) processing is permitted if it is necessary for the entry into, or performance of, a contract with the data subject or in order to take steps at his or her request prior to the entry into a contract (in short, there is contractual necessity);
(ii) processing is permitted if it is necessary for compliance with a legal obligation under EU law or the laws of a Member State (in short, where the College has to comply with a UK or EU law legal obligation);
(iii) processing is permitted if it is necessary in order to protect the vital interests of the data subject or of another natural person (in short, to protect vital interests);
(iv) processing is permitted if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller under UK or EU/ EU Member States law (in short, the public interest basis – this would be relevant for some functions carried on by the College such as teaching and research in the public interest);
(v) processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller (or by a third party), except where the controller's interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects which require protection, particularly where the data subject is a child (in short, the legitimate interest basis).
This does not apply to processing carried out by public authorities in the performance of their duties i.e. the College cannot rely on this basis with respect to activities that are carried out in the public interest such as teaching and research in the public interest;
(vi) processing is permitted if the data subject has consented to the processing (i.e. with consent).
3.6.3 Consent must be unambiguous, verifiable (we ought to document proof of consent), distinguishable from other matters, easy to withdraw, (generally) must not be conditioned on access to a service. Silence, inactivity and pre-ticked boxes do not amount to consent.
Not only that the standard of valid consent under the GDPR is high but also if we seek consent to the processing of personal data, the individuals who have consented will also be able to exercise the right to erasure and the right to portability more easily.
3.7 Processing sensitive data
The GDPR imposes a number of additional restrictions and conditions on data controllers who want to record and process sensitive personal data. The College can process sensitive personal data when (in addition to having a lawful basis as explained above) for processing any personal data, we can also satisfy one of ten additional grounds which are as follows:
- Legal claims
- It is necessary in the context of employment law, or laws relating to social security and social protection
- Reasons of substantial public interest
- To protect vital interests
- Medical diagnosis and treatment (undertaken by health professionals, including assessing the working capacity of employees)
- Charity or not-for-profit bodies with respect to their own members
- Public health
- Data manifestly made public by the data subject
- For archiving purposes in the public interest, for historical, scientific, research or statistical purposes, subject to appropriate safeguards
- Obtain explicit consent
We should document our analysis on this.
3.8 Staff, and to some extent students, collect both ‘standard’ and sensitive personal data on employees, students and other individuals.
3.9 Most personal data which is collected on a day-to-day basis will be "standard", i.e. for general administrative purposes, and will cover categories such as:
- General personal details such as name, address, date of birth and next of kin;
- Details about class attendance, course-work marks and grades and associated comments;
- Notes of personal supervision, including matters about behaviour and discipline;
- Management of student clubs and societies.
3.10 A data protection impact assessment (in short, DPIA), must be conducted:
- where there is “high risk” to data subject rights and freedoms;
- prior to processing;
- in consultation with the Data Protection Officer.
A DPIA is always required where there will be:
- automated decision with legal / significant effect;
- large scale sensitive data processing;
- large scale monitoring of public areas.
Consultation with the Information Commissioner is required if high risk cannot be mitigated.
The College has a DPIA template which you can access.
3.11 Data Subjects must be informed of the purposes for which data are being collected at the point of collection. The College informs students and prospective students of how it uses their personal data in its Privacy Notice for Students and Prospective Students[PDF], staff and prospective staff in its Privacy Notice for Staff and Prospective Staff [PDF] and alumni and supporters in the Advancement Privacy Notice [PDF]. Any additional processing which is done and which is not explained and provided for in these notices or which applies to other categories of Data Subjects will require careful analysis as to the lawful basis of processing, data protection impact assessment and its own privacy notice to inform the relevant Data Subjects of the proposed processing.
3.12 All personal data must be held securely in accordance with the College's Information Security Policy. All persons having access to such data shall treat it as confidential and shall not communicate it to other persons or bodies except in accordance with this Code of Practice.
3.13 Before processing any personal data, members of the College and other authorised individuals should study the checklist for processing data set out in the Appendix to this Code.
3.14 Where any of the data protection principles are not followed data users may find themselves subject to College disciplinary procedures. Also, the College may be investigated and fined by the Information Commissioner and may be liable to pay compensation to any affected individuals
3.15 Disclosure of personal data to third parties
3.15.1 No data relating to a particular student, member of staff or other individual acquired in the course of an individual's duties should be disclosed to anyone (including other students or staff) unless:
- required for normal academic, administrative or pastoral purposes of College business, or
- the individual concerned has given permission, or
- they are required to do so in the discharge of regulatory functions or required by legislation, or
- in the case where, even though prior consent has not been given, disclosure is deemed to be needed to protect the vital interests of the Data Subject or it is required for the prevention or detection of crime or the apprehension or prosecution of offenders, or
- in certain limited cases and subject to certain conditions and safeguards, it is used for legitimate research purposes.
3.15.2 In many cases, where sharing of personal data is relevant to College is where College appoints another organisation to process data that belongs to the College on behalf of the College or where an organisation provides services to the College that require that organisation to have access to College-owned personal data or to systems holding College-owned personal data. This is known as appointing a processor.
3.15.3 The College must only use processors that guarantee compliance with the GDPR. The College must appoint the processor in the form of a binding agreement in writing (such as a data processing agreement or a services agreement with appropriate data processing clauses), which states that the processor must only act on the College’s documented instructions. The agreement must also contain a number of other provisions prescribed by the GDPR. The College has a data processing agreement template suitable when the College engages processors based in the EEA. For any other data processing arrangements, staff should contact the DPO for a suitable template.
3.15.4 Before sharing any data (personal or other) staff should consider the following key questions:
- Do you have the legal power or ability to share the data in question?
- Will the proposed data sharing involve sharing of “standard” personal data and sensitive personal data and, if so, would the sharing be fair, transparent and in line with the rights and expectations of the people whose information is being shared? Check what people have been told in the relevant privacy notice about data sharing.
- Is there any specific statutory prohibition on sharing the data in question?
- Are there any copyright restrictions?
- Is there a duty of confidence (express or implied by the content of the information or because it was collected in circumstances where confidentiality was expected e.g. medical or banking information)?
- If a decision is ultimately taken to share data with another organisation or person, will a data processing or data sharing agreement be signed or will the services agreement include data processing/sharing provisions? This is a requirement.
3.16 Transfer of data overseas
3.16.1 The transfer of personal data to recipients outside the EEA is generally prohibited unless:
- the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
- the data exporter puts in place appropriate safeguards; or
- a derogation or exemption applies such as the transfer is required for the performance of a contract between a data subject and a data controller, or for taking steps at the request of a data subject with a view to entering into such a contract, or where specific and informed consent of the data subject has been obtained for effecting such a transfer.
Where staff contemplate transferring personal data outside the EEA, they should discuss the proposal with the Data Protection Officer to establish if there is a lawful basis for such transfer.
3.16.2 Posting personal data to the World Wide Web constitutes transfer of data worldwide. A third party accessing College-owned personal data from outside the EEA would also constitute a transfer of data outside the EEA. Using a cloud services provider with servers outside the EEA would also constitute a transfer of data outside the EEA. However, if data is only in transit through a non-EEA country (and is not accessible) this will not constitute a transfer outside the EEA.
3.16.3 Subject to taking appropriate security measures, as set out in 3.17 below, personal data may be transferred to countries in the European Economic Area (EEA) without further restriction.
3.16.4 Proper records must be kept justifying any decision made about such exempted transfers, or clear evidence can be demonstrated showing the Data Subject had given consent to the transfer, having been suitably informed.
3.16.5 In the absence of a sponsorship arrangement between the College and an external body in respect of a particular student, personal data should not be disclosed in response to a request from non-EEA governments, agencies or organisations for the purposes of assessing the names, numbers and whereabouts of foreign nationals studying overseas without specific informed consent of the Data Subject(s) concerned, nor should such data be disclosed to such bodies for the purposes of determining liability to attend National Service without such consent.
3.17.1 Proper security measures must be applied to all methods of holding or displaying personal data and appropriate measures taken to prevent loss, destruction or corruption of data. For fuller details on security measures see the College Information Security Policies, associated Codes of Practice and Guidelines.
3.17.2 Staff, students and authorised third parties are not permitted to remove from the College personal data with the intention of processing this information elsewhere, unless such use is authorised by the data owner and that authorisation recorded. Removing data in this way must not compromise the standards of security operating within the College, and the data protection principles should be observed at all times.
Appendix - checklist for processing of personal data
- Do you really need to record the information?
- Which is your legal basis for processing the information (one of six bases)?
- Is the information "standard" or is it "sensitive"?
- If it is sensitive information, do you satisfy one of the ten additional conditions to be able to process the information?
- If you are going to rely on consent to process “standard” personal data or “sensitive” personal data, are you able to obtain valid consent?
- Has the data subject been told how the data will be processed?
- Are you authorised within College to collect/store/process the data?
- If yes, are there mechanisms in place to check the accuracy of the data?
- Is it clear who else has a right to access/process these data?
- Do you have mechanisms in place to ensure that the data are kept securely whether held electronically or in a relevant filing system?
- Are you clear as to how long you may retain these data? Have you checked the College’s Retention Schedule to see if it prescribes any retention period for these data?
- Do you have procedures in place to ensure that the data are kept up to date?
- Do you have procedures in place to remove these data securely when it is no longer needed?
- Do you have procedures in place to remove these data where a data subject exercises their right for it not to be processed;
- Has a data protection impact assessment been carried out either because it is mandatory or as best practice?