Data Protection Policy
SUSSEX DOWNS COLLEGE
DATA PROTECTION POLICY
1. Central message of this policy
1.1. Data protection defined:
1.1.1. Data protection refers to the use of a set of statutory rules that aim to ensure that:
a Organisations and individuals who collect, store or use information about individuals do not abuse that information.
b The people about whom information is collected and used know of its existence and also know how to change it if it is incorrect.
1.1.2. Sussex Downs College employs staff, recruits students, has dealings with external examiners and other academic bodies, enters contracts with individuals and opens its facilities to the public.
1.1.3. Sussex Downs College keeps manual and computer records about staff and students qualifications, details of health needs, age race and other personal and sensitive data.
1.1.4. The purpose of this policy document is to set out guidelines that will ensure that this information is held in a lawful manner within the requirements of relevant parliamentary acts.
1.2. Relevant Parliamentary acts
1.2.1. The Data Protection Act 1984
The 1984 act introduced basic principles of data protection. It set up a framework for compulsory registration of data users, and established the data protection register to organize this process and to ensure compliance. The act set standards that all registered data users were required to observe.
1.2.2. The Data Protection Act 1998
This act was introduced in order to comply with EU Data Protection directive 95/46EC. It should be stressed that the1998 act itself is very complex, as is the European directive. Clearly this area also has links with relevant case and human rights laws and as such this policy should not be viewed as a replacement for tailored legal advice. Together with this fact, it is important to note that under the 1998 act, it is not sufficient simply to register with the Office of Data Protection. The act carries unlimited fines and the possibility of being sued by data subjects if requirements are not met. In serious cases, the Data Protection Commissioner will be able to close a business or institution down.
1.3. Data Protection definitions
1.3.1. Data
The acts apply to ‘personal data’, which are information about a living individual. Personal data can be as simple as an individual’s name and address or even email address. To be classed as relevant data, the data must on its own or together with something that one may reasonably come across enable the identification of an individual.
1.3.2. An important subsection within the definition of personal data is that of sensitive data. Sensitive data consists of information regarding:
a The racial or ethnic origin of the data subject
b Their political opinions
c Their religious beliefs, or other beliefs of a similar nature
d Whether they are a member of a trade union
e Their physical or mental health and condition
f Their sexual life
g The commission or alleged commission by them of any offence, or
h Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
1.3.3. Since this data is considered extra sensitive, it is subject to much stricter rules. Concurrently, ignoring the rights of the individuals concerned in the case of holding sensitive data will almost certainly result in harsher penalties and damages awards.
1.3.4. Data Processing
The act only applies to the ‘processing’ of personal data, but this is so widely defined that it covers virtually anything to do with accessing the information: “retaining, recording or holding…including organization, adaptation, or alteration, retrieval, consultation or use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction of the data.”
1.3.5. Within the processing definition come data ‘Controllers’ and ‘Processors’: The ‘Data Controller’ is responsible for ensuring that data is collected, stored and processed fairly, for deciding which types of information will be processed and the reasons for processing. Legally, this is the responsibility of the corporation, or Sussex Downs College as a corporate body.
1.3.6. ‘Data Processors’ are persons or organizations other than someone employed by the data owner who may process data for or on behalf of the data controller.
1.3.7. Data subjects
If personal information about a given individual is held, such that that information allows the relevant person to be readily identified then that person is a data subject.
1.3.8. One of the conditions for processing data (discussed more fully in section 2 below) is that it is carried out with the consent of the data subject. The 1998 act outlines consent as:
“…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
1.3.9. Consequently, it remains the policy of Sussex Downs College that the data subject must explicity signify their agreement through some active communication between the parties. Data controllers cannot infer consent from non-response to a communication.
1.3.10. Relevant filing system
The 1998 act extends data protection to paper and other manual files, if the information contained within them comprises part of a ‘relevent’ filing system. Such a system is structured such that specific information is easily available to the person processing it. Hence, Sussex Downs College treats all data that allows specific information about a given individual to be readily available as falling under within the jurisdiction of the 1998 act.
2. The Data Protection principles
2.1. The First Principle – access
2.1.1. The first principle states that:
"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless - at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."
2.1.2. Broadly speaking, it is the policy of Sussex Downs College that personal data can be processed where consent has been given. Where contractual, legal or personal reasons circumstances fall within the below conditions, data can also be processed.
2.1.3. Conditions for processing personal data (Schedule 2 of the Act)
At least one of the following conditions must be met in the case of all processing of personal data:
2.1.3.1. The data subject has given their consent to the processing
2.1.3.2. The processing is necessary:
a For the performance of a contract to which the data subject is a party, or
b For the taking of steps at the request of the data subject with a view to entering into a contract
2.1.3.3. The processing is necessary to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract
2.1.3.4. The processing is necessary in order to protect the vital interests of the data subject.
This condition is only fulfilled where the processing is necessary for matters of life and death such as disclosure of medical information to a hospital Casualty Department.
2.1.3.5. The processing is necessary:
a For the administration of justice
b For the exercise of any functions conferred by or under any enactment
c For the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
d For the exercise of any other functions of a public nature exercised in the public interest.
2.1.3.6. The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms of legitimate interests of the data subject
2.1.4. Conditions for processing sensitive data
At least one of these must be satisfied, in addition to at least one of the conditions for processing above before processing of sensitive data:
2.1.4.1. The data subject has given the explicit consent to the processing of personal data
2.1.4.2. The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment (for example criminal records)
2.1.4.3. The processing is necessary:
a In order to protect the vital interest of the data subject or another person, in a case where:- consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject, or
b In order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
2.1.4.4. The Processing:
a Is carried out in the course of legitimate activities by any body or association which exists for political, philosophical, religious or trade-union purposes and which is not established or conducted for profit
b Is carried out with appropriate safeguards for the rights and freedoms of data subjects
c Relates only to individuals who are either member of the body or association or who have regular contact with it in connection with its purposes, and
d Does not involve disclosure of the personal data to a third party without the consent of the data subject
2.1.4.5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject
2.1.4.6. The processing:
a Is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings)
b Is necessary for the purpose of obtaining legal advice
c Is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
2.1.4.7. The processing is necessary:
a For the administration of justice
b For the exercise of any functions conferred by or under any enactment
c For the exercise of any functions of the Crown, a Minister of the Crown or a government department.
2.1.4.8. The processing is necessary for medical purposes and is undertaken by:
a A health professional
b A person who owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
2.1.4.9. The processing:
a Is of sensitive personal data consisting of information as to racial or ethnic origin
b Is necessary for the purpose of identifying or keeping under review the existence of absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained
c Is carried out with appropriate safeguards for the rights and freedoms of data subjects.
2.1.5. The role of data controllers
It is the responsibility of the individual accessing the data (that is, the data controller) to consider their legitimate basis for current and future processing. It is the policy of Sussex Downs College to ensure that all relevant staff are aware of their obligations with respect to this. Should a situation arise in which a member of staff, notwithstanding compliance with one or more of the relevant conditions still suspects that the processing is unfair or unlawful for other reasons, they should consult their line manager.
2.1.6. Fairness of processing
The act itself outlines a series of approaches by which ‘fairness of processing’ can be ensured. It is the policy of Sussex Downs College to adhere to this ‘fair processing code’. The code is described below:
2.1.6.1. Paragraph 1 (the fair obtaining requirements) of the fair processing code provides that in deciding whether or not processing (which term now specifically includes obtaining) is fair, the way in which personal data are obtained will be considered. This will include particular reference to whether any person from whom the personal data are obtained is deceived or misled as to the purpose or purposes for which the personal data are to be processed. As has been explained previously, this may also have a bearing on the validity of any consent given by the data subject to the processing, which in turn may remove the basis for processing which was being relied upon by the data controller.
There are two specified cases where data will always be treated as having been fairly obtained. These are when data consist of information obtained from a person who is either:
a Authorized
b Required
to supply it by or under any enactment.
2.1.6.2. Paragraphs 2 and 3 (Information to be provided to Data Subjects) of the fair processing code provide that personal data are not to be treated as processed fairly unless the requirements set out below are observed, subject to certain exceptions. Again it should be noted that observance of these requirements will not ensure fair processing where there are other factors present which would render the processing unfair. There is a general duty of fairness which consists in part of the fair processing code.
2.1.6.3. Paragraph 4 (General Identifiers) of the fair processing code provides for the use of personal data which contain a "general identifier" such as a number or code used for identification purposes as defined in the Act. The Secretary of State will prescribe by order conditions which must be complied with to ensure the fair and lawful processing of personal data containing a general identifier of a description to be prescribed by order. Details of any proposed order in this respect are not known at present.
2.1.7. Information to be provided to Data Subjects - data obtained from data subject.
2.1.7.1. When data are obtained from the data subject the data controller must ensure, so far as practicable, that the data subject has, is provided with, or has made readily available to them the following information (referred to as the "fair processing information"):-
a The identity of the data controller,
b If it has nominated a representative for the purposes of the Act, the identity of that representative
c The purpose or purposes for which the data are intended to be processed, and any further information which is necessary, taking into account the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
2.1.7.2. In deciding whether and, if so, what further information is "necessary" to satisfy the fourth requirement above, data controllers should consider what processing of personal data they shall be carrying out once the data are obtained and consider whether or not data subjects are likely to understand the following –
a The purposes for which their personal data are going to be processed
b The likely consequences of such processing
c And more particularly, whether particular disclosures can reasonably be envisaged.
2.1.7.3. It would be expected that the more unforeseen the consequences of processing the more likely it is that the data controller will be expected to provide further information. This aspect also has a bearing on the question of what amounts to consent; in the same way that consent must be "informed", so data subjects themselves must be fully aware of the ways in which their personal data may be processed in order for that processing to be considered as fair.
2.1.8. Information to be provided to Data Subjects - data obtained other than from data subject
2.1.8.1. The fair processing information should also be provided to data subjects (within the timescale set out below) in cases where the data have been obtained from someone other than the data subject, unless one of the exceptions below applies.
2.1.8.2. The following exceptions from the fair processing code can only be claimed by data controllers where they have obtained personal data from someone other than the data subject. It should be stressed that the ability to rely on any exception does not absolve the data controller from the overriding duty to process personal data fairly. The exceptions referred to are:-
a Where providing the fair processing information would involve a disproportionate effort
b Where it is necessary for the data controller to record the information to be contained in the data or to disclose the data to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
c In addition, the Secretary of State may prescribe further conditions, by way of "appropriate safeguards", which must also be met for the exception to be available. These are not known at present.
2.1.9. Timescale
2.1.9.1. As the Act makes no specific provision relating to timescale in the case of data obtained from data subjects, it should be presumed that the fair processing information must be provided to the data subject at the time that the data are obtained.
2.1.9.2. In circumstances where the data controller has obtained data from someone other than the data subject, the fair processing information must be given (or made readily available) to the data subject before the time when the data controller first processes the data, or in a case where at that time disclosure to a third party (which does not include employees or agents of the data controller) within a reasonable period is envisaged:-
a the time when the data are first disclosed to a third party, if the data are in fact disclosed within a reasonable period of time
b the time when the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to a third party within a reasonable period of time, if within a reasonable period of time the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed, or in any other case, after a reasonable period of time.
2.1.9.3. Accordingly, data controllers cannot simply obtain personal data from sources other than the data subject and then do nothing else with the data except hold it indefinitely. Before a reasonable period of time has elapsed the data controller must go through the process of informing the data subject in accordance with the fair processing code, subject to the exceptions referred to above.
2.2. The Second Principle – the purpose of data held
2.2.1. The second principle states that:
“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”
2.2.2. Guidance on adhering to the second principle
It should be noted here that under the 1998 act, it was sufficient to simply register the nature of the data being collected. This is not longer acceptable. With respect to data processing at Sussex Downs College, it is the responsibility of the data controller to give notice to the data subject as to the nature of the data being held, and reasons for it in accordance with the fair processing code.
2.3. The Third Principle – the relevance of the data
2.3.1. The third principle states that:
“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”
2.3.2. Guidance on adhering to the third principle
2.3.2.1. Data about employees
The most relevant process at Sussex Downs College that falls within the scope of the third principle is that collected during the recruitment process. It is the policy of Sussex Downs College that at this stage only data strictly relevant to the selection process, and to being able to contact the job applicants should be collected. This may include information about qualifications and experience including references, information about criminal records and general health.
2.3.2.2. Throughout the course of employment, Sussex Downs College holds the policy that sufficient data should be held about staff to allow reasonable assessment of performance to be made, to allow rapid and accurate contact to be made with next of kin should circumstances require this, to record relevant health issues including maternity and arrangements for leave. Additionally, payroll will hold information allowing the efficient payment of both wages and any relevant national insurance and tax contributions.
2.3.2.3. Data about students
Student admissions, enrolment and continuing education (where this concerns lesson performance, admissions to university and the workplace as well as attendance and disciplinary issues) fall under the third principle. It remains the policy of Sussex Downs College that only data relevant to such processes should be held for students involved with the establishment.
2.4. The Fourth Principle – the accuracy of the data
2.4.1. The fourth principle states that:
“Personal data shall be accurate, and where necessary, kept up to date.”
Under this part of the act, data controllers must take reasonable steps to ensure the accuracy of the data. Hence Sussex Downs College has the policy that student data shall be checked on a yearly basis at the start of the calendar year.
Data subjects have the right to have personal data rectified, blocked, erased or destroyed, and any relevant requests specifying which data requires altering received in writing by Sussex Downs College shall be observed promptly.
2.5. The Fifth Principle – timescale
2.5.1. The fifth principle states that:
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
This area is particularly pertinent for students, as references for University and future careers may be sought from the college. The college may also retain information about staff for similar reasons. Sussex Downs College feels that it is reasonable to assume that such purposes will have ceased after a period of ten years. Hence data still existent under such circumstances shall be destroyed.
2.6. The Sixth Principle – the rights of data subjects
2.6.1. The sixth principle states that:
“Personal data shall be processed in accordance with the rights of data subjects under this [the 1998> act”.
2.6.2. Guidance on adhering to the sixth principle
2.6.2.1. The act states that a person will contravene this principle if:
a They fail to supply information to the data subject when requested (in line with section 7 of the act)
b They fail to comply with notices given under the following provisions:
The right to prevent processing likely to cause damage or distress
The right to prevent processing for the purposes of direct marketing
Rights in relation to automatic, unsolicited decision making
2.6.2.2. Sussex Downs College
It is the policy of Sussex Downs College that data subjects can have access to data relevant to themselves on payment of £10. Sussex Downs College will respond to such requests within forty days. Sussex Downs College will not process data in a manner likely to cause damage and distress and will not use data for direct marketing processes unless a contradictory statement is issued by the data subject. No decisions that significantly affect data subjects shall be undertaken based solely on processing data by automatic means.
2.7. The Seventh Principle – prevention of unlawful access and/or processing
2.7.1. The seventh principle states that:
“Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
2.7.2. Guidance on adhering to the seventh principle
2.7.2.1. “Appropriate” security measures are:
a Taking into account the state of technological development at any time and the cost of implementing any measures, the measures must ensure a level of security appropriate to the harm that might result form a breach of security and the nature of the data to be protected
b Having reliable staff that have access to the personal data
2.7.2.2. Sussex Downs College
It is the policy of Sussex Downs College that all reasonable steps should be taken by the ICT department to ensure the security of any relevant database systems. Furthermore, the information services department shall closely monitor the members of staff with access to confidential information, and the register of those users will access rights should be updated on a regular basis. It is also the responsibility of data services to ensure that any third party data processors comply with the obligations equivalent to those imposed on the data controller by the seventh Principle.
2.8. The Eighth Principle
2.8.1. The eighth principle states that:
“Personal data shall not be transferred to a country or territory outside the European Economic Area [EEA>, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
2.8.2. Guidance on adhering to the eighth principle
2.8.2.1. The EEA
The EEA consists of the member states of the European Union (currently 15) together with Iceland, Liechtenstein and Norway.
2.8.2.2. Sussex Downs College
The vast majority of any international data movement carried out by the college is within the EEA, and that out of it usually to Japan, so this principle is not of great importance to the college. However, those data controllers should be aware of the existence of this ruling, and shall ensure that appropriate security measures be taken when passing data internationally.
3. Summary
3.1. The eight Principles
It is the policy of Sussex Downs College to process any personal data in line with the principles of the data protection Act (1998) as described above. To reiterate, these are:
Principle 1:
"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless - at least one of the conditions in Schedule 2 is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."
Principle 2:
"Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."
Principle 3:
"Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed."
Principle 4:
"Personal data shall be accurate and, where necessary, kept up to date".
Principle 5:
"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes".
Principle 6:
"Personal data shall be processed in accordance with the rights of data subjects under this Act."
Principle 7:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Principle 8:
"Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
3.2. Exemptions
Sussex Downs College assumes that all personal information collected and processed by the college is subject to the data protection Act (1998). However data may not be affected by the act if:
3.2.1. There is some public interest involved. This covers:
a National security
b Journalism, where publication is in the public interest
3.2.2. Another set of relevant principles applies, such as legal professional privilege.
