Greater Brighton Metropolitan College - Data Protection Policy
Data Protection Policy
1.1. Greater Brighton Metropolitan College, Littlehampton Road, Goring-By-Sea, Worthing, West Sussex, BN12 6NU (the College) is required to maintain certain data about individuals operational purposes and to fulfil its legal requirements. The College recognises the importance of the correct and lawful treatment of personal data as it maintains confidence in the College and provides for successful operations.
1.2. The type of data the College may require includes information on current, past and future employees, students, sponsors, suppliers and others the College is involved with (Subjects).
1.3. Personal data whether held electronically, on paper, or on other media is subject to the Data Protection Act 1998 (DPA).
1.4. Personal data means data relating to a living and identifiable individual. Personal data can be factual (such as name, address or date of birth) or it can be an opinion (such as an appraisal).
1.5. Sensitive personal data can include information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, health condition or any offences, alleged or committed.
2. Status of the Policy
2.1. Any breach of this policy will be taken seriously and may result in disciplinary proceedings.
2.2. The policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the College. This policy may be amended at any time.
2.3. Any Subject who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the designated Data Protection Officer (DPO).
3. Designated Data Protection Officer
3.1. The College’s DPO is responsible for overseeing compliance with the DPA and implementation of this policy on behalf of the College.
3.2. The DPO can be contacted as follows:
Data Protection Officer
Greater Brighton Metropolitan College
Worthing, West Sussex
Email to: TBC
Telephone: 01903 273047
3.3. Any questions or concerns about the policy should, in the first instance, be taken up with the DPO.
4.1. The College endorses and adheres to the eight principles of the DPA. These specify the conditions that must be satisfied in obtaining, handling, processing, transportation and storage of personal data.
4.2. The principles are that personal data is:
4.2.1. to be obtained and processed fairly, lawfully and shall not be processed unless certain conditions in Schedule 2 (see paragraph 4.3) and for sensitive data in Schedule 3 (see paragraph 4.4) are met;
4.2.2. to be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
4.2.3. to be adequate, relevant and not excessive for those purposes;
4.2.4. to be accurate and kept up to date;
4.2.5. not to be kept for longer than is necessary for that purpose;
4.2.6. to be processed in accordance with the data subject's rights;
4.2.7. to be kept safe from unauthorised access, accidental loss or destruction;
4.2.8. not to be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
4.3. Conditions set out in Schedule 2, DPA
Conditions relevant for the purpose of the first Principle: processing of any personal data:
a) With the consent of the data subject
b) To establish or perform a contract with the data subject
c) To comply with a legal obligation
d) To protect the vital interests of the data subject
e) For the exercise of certain functions of a public interest nature
f) For the legitimate interests of the data controller unless outweighed by the interests of the data subject.
4.4. Conditions set out in Schedule 3, DPA
The following is not a complete list of all conditions relevant for the purpose of the first Principle: processing of any sensitive personal data:
a) With the explicit consent of the data subject
b) To perform any right or obligation under employment law
c) To protect the vital interests of the data subject or another person
d) For the legitimate activities of certain not-for-profit bodies
e) When the data has been made public by the data subject
f) In connection with legal proceedings
g) For the exercise of certain functions of a public interest nature
h) For medical purposes
i) For equal opportunity ethnic monitoring.
5. Fair and lawful processing
5.1. The DPA is not intended to prevent the processing of personal data, but to ensure that it is done fairly and without adversely affecting the rights of Subjects.
5.2. For personal data to be processed lawfully, they must be processed on the basis of one of the legal grounds set out in the DPA. These include, among other things, the conditions set out in paragraphs 4.3 and/or 4.4 of this policy.
6. Processing for limited purposes
6.1. In the course of the College’s activities, it may collect and process personal data, and this may include data the College receives directly from a Subject (for example, by completing forms or by corresponding with the College by mail, phone, email or otherwise) and data the College receives from other sources (including, for example, business partners, sub-contractors in technical, payment and delivery services, credit reference agencies and others).
The College will only process personal data for the specific purposes set out in Appendix C or for any other purposes specifically permitted by the DPA.
6.2. The College will notify those purposes to the Subject when it first collects the data or as soon as possible thereafter.
7. Notifying Subjects
7.1. If the College collects personal data directly from Subjects, it will inform them about:
a) The purpose or purposes for which it intends to process that personal data.
b) The types of third parties, if any, with which it will share or to which it will disclose that personal data.
c) The means, if any, with which Subjects can limit the College’s use and disclosure of their personal data.
7.2. If the College receives personal data about a Subject from other sources, it will provide the Subject with this information as soon as possible thereafter.
7.3. The College will also inform Subjects whose personal data it processes that it is the data controller with regard to that data.
8. Adequate, relevant and non-excessive processing
The College will only collect personal data to the extent that it is required for the specific purpose notified to the Subject.
9. Accurate data
The College will ensure that personal data it holds is accurate and kept up to date. The College will check the accuracy of any personal data at the point of collection and at regular intervals afterwards. The College will take all reasonable steps to destroy or amend inaccurate or out-of-date data.
10. Timely processing
The College will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. The College will take all reasonable steps to destroy, or erase from its systems, all data which is no longer required.
11. Processing in line with Subjects’ rights
The College will process all personal data in line with Subjects' rights, in particular their right to:
a) Request access to any data held about them by the College.
b) Prevent the processing of their data for direct-marketing purposes.
c) Ask to have inaccurate data amended (see also paragraph 9).
d) Prevent processing that is likely to cause damage or distress to themselves or anyone else.
12. Data security
12.1. The College will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
12.2. The College will put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if it agrees to comply with those procedures and policies, or if it puts in place adequate measures itself.
12.3. The College will maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
a) Confidentiality means that only people who are authorised to use the data can access it.
b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
c) Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on the College’s central computer system instead of individual PCs.
12.4. Security procedures include:
a) Entry controls. Any stranger seen in entry-controlled areas should be reported.
b) Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
c) Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
d) Equipment. Data users must ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.
13. Transferring personal data to a country outside the EEA
13.1. The College may transfer any personal data it holds to a country outside the European Economic Area (EEA), provided that one of the following conditions applies:
a) The country to which the personal data is transferred ensures an adequate level of protection for the Subjects' rights and freedoms.
b) The Subject has given their consent.
c) The transfer is necessary for one of the reasons set out in the DPA, including the performance of a contract between the College and the Subject, or to protect the vital interests of the Subject.
d) The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
e) The transfer is authorised by the relevant data protection authority where the College has adduced adequate safeguards with respect to the protection of the Subjects' privacy, their fundamental rights and freedoms, and the exercise of their rights.
13.2. Subject to the requirements in paragraph 12.1, personal data the College holds may also be processed by staff operating outside the EEA who work for it or for one of its suppliers. These staff may be engaged in, among other things, the fulfilment of contracts with the Subject, the processing of payment details and the provision of support services.
14. Disclosure and sharing of personal information
14.1. The College may disclose personal data it holds to third parties:
a) If it sells or buys any business or assets, in which case it may disclose personal data it holds to the prospective seller or buyer of such business or assets.
b) If it or substantially all of its assets are acquired by a third party, in which case personal data the College holds will be one of the transferred assets.
c) If the College is under a duty to disclose or share a Subject's personal data in order to comply with any legal obligation, or in order to enforce or apply any contract with the Subject or other agreements; or to protect its rights, property, or safety of its employees, customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
14.2. The College may also share personal data it holds with selected third parties for the purposes set out in Appendix C.
15. Dealing with Subject Access Requests
15.1. Subjects must make a formal request for information the College holds about them and, ideally, they should use the form at Appendix A as it may mean the College can more easily locate the requested personal data. The request must be made in writing. Staff who receive a written request should forward it the DPO immediately.
15.2. When receiving telephone enquiries, the College will only disclose personal data it holds on its systems if the following conditions are met:
a) The College will check the caller's identity to make sure that information is only given to a person who is entitled to it.
b) The College will suggest that the caller put their request in writing if it is not sure about the caller’s identity and where their identity cannot be checked.
15.3. Staff will refer a request to the DPO for assistance in difficult situations. Staff should not be bullied into disclosing personal information.
16. Responsibilities of Subjects
16.1. All Subjects are responsible for:
a) Checking that any personal data they provide to the College is accurate and kept up to date.
b) Informing the College of any changes to the information held about them:
• for Staff, this is the HR Department
• for Students, this is the MIS Team
• for Suppliers, this is the Finance Department
• For all other notifications, contact the DPO.
c) Checking any information the College may send to them giving details of the information being kept or processed – any errors should be reported to the College.
d) If their responsibilities involve collecting or processing information about other people they must comply with this policy and the DPA.
17. Changes to this policy
The College reserves the right to change this policy at any time. Where appropriate, it will notify Subjects of those changes by mail or e-mail.
18. Publication of College Data
Data already in the public domain is exempt from the DPA.
19. Retention of Data
19.1. The College will keep some types of information for a longer time than others. All staff are responsible for ensuring information is not kept longer than necessary – see Appendix B.
19.2. Any data destruction is performed in a secure manner.
20. Related Policies, Procedures and Documents
• Closed Circuit Television Policy
• Subject Access Request Policy
Appendix A,B,C and D