DATA PROTECTION POLICY
- Purpose
1.1 This policy concerns Bournemouth University Higher Education Corporation's (BU's) obligations under the Data Protection Legislation (this includes the General Data Protection Regulation (the GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR)). The purpose of the Data Protection Legislation is to safeguard personal information (called Personal Data in the Data Protection Legislation and defined at section 6 below).
- Who does this policy apply to?
2.1 This policy is intended to ensure that all staff at BU are properly informed about their role in meeting BU's obligations under the Data Protection Legislation.
2.2 It applies to:
2.2.1 all employees of BU, whether permanent or temporary, and workers, casual and agency staff and volunteers when working in or for BU (Staff); and
2.2.2 all of the following BU representatives (together, BU Representatives):
- all external members of the BU Board when acting in that capacity (External Members);
- all employees, directors or trustees of BU's wholly owned subsidiary companies (Subsidiary Representatives); and
- all other persons when working in or for BU, whether directly or indirectly, such as external members of Faculty or BU committees, individuals that BU appoints as directors of any company, fundraisers, consultants and contractors (External Representatives).
2.3 If you have any questions or concerns about this policy or about data protection generally, please use the email address . Your query will be picked up by either the Data Protection Officer or BU’s Information Office (Legal Services, working with the Data Protection Officer) as appropriate.
- ABOUT THIS POLICY AND WHY IT IS IMPORTANT
3.1 Data protection is important because it seeks to protect individuals' privacy rights and requires that their personal information is used in a manner that is fair and lawful. The Data Protection Legislation is enforced by a national regulator, the Information Commissioner’s Office (“ICO”), and by the courts. A breach of the Data Protection Legislation could have serious consequences for the individuals whose Personal Data is affected, as well as for BU – including legal action against BU and/or damage to BU's reputation.
3.2 Failure to comply with the Data Protection Legislation can also, in certain circumstances, result in criminal liability. Breach of this policy and its associated procedures in force from time to time may constitute a disciplinary offence for Staff and Subsidiary Representatives and will be subject to investigation under BU’s disciplinary procedures. For External Members and External Representatives, breach of this policy and its associated procedures in force from time to time may result in other contractual or legal sanctions.
3.3 This policy is intended to give an overview of BU's obligations under the Data Protection Legislation and sets out in broad terms what those subject to this policy need to do to help ensure that BU complies with the Data Protection Legislation. There are a number of other policies and procedures which sit under or alongside this policy:
- some are generally relevant and give more detailed guidance on decisions and actions involving Personal Data;
- others apply to particular situations or types of activity within BU.
Please see the Appendix for a list of some of these. You should ensure that you are familiar with those that are or may be relevant to your role within BU.
- KEY DATA PROTECTION ACTIONS FOR ALL STAFF
4.1 This section summarises the steps which those subject to this policy should take to fulfil their data protection responsibilities where they are involved in processing Personal Data. Some of these steps are less likely to be relevant in practice for those who do not have management or decision-making responsibilities, but it is still important to understand the principles which apply when decisions are made about the processing of Personal Data:
4.1.1 Mandatory Training: Undertake BU’s mandatory data protection training within the required timescale. (This does not apply to all External Representatives; if you are an External Representative, you will be told if you need to undertake the training.)
4.1.2 Processing Personal Data: Be aware of when, where and why Personal Data is being processed, both practically and in terms of legal basis, and of the need to comply with the Data Protection Legislation. Be particularly cautious about processing special category data (previously “sensitive personal data”) or recording comments about individuals.
4.1.3 Apply “data minimisation”: Only process the minimum Personal Data necessary for a particular purpose. Apply access controls, security measures, retention policies and (where possible) tools such as encryption and pseudonymisation. For managers: make sure that your team is aware of the controls, measures, policies and tools used within your team. Remember, the fact that you can access or view Personal Data does not necessarily mean that you should do so.
4.1.4 Protect Personal Data: Apply available data security tools and measures to protect Personal Data from unauthorised access or disclosure. This applies to the way in which you store, use and destroy/delete Personal Data.
4.1.5 Data Breach Reporting: Promptly report any actual, suspected or potential breach of data security or of the Data Protection Policy, including “near misses”.
4.1.6 New processing activities: If you are involved in planning or decisions about a new processing activity (i.e. a new use of Personal Data), the project team should consider carrying out a Privacy Impact Assessment (“PIA”) and ensure that these questions are asked and answered:
- Do we need to use Personal Data at all?
- Have individuals already been told about this use of their data?
- Is there a clear legal basis for the processing (i.e. have the applicable conditions of processing been identified)?
- What arrangements or controls need to be put in place before processing starts, to ensure data minimisation and data security?
4.1.7 Existing processing activities:
- Be aware that your handling of Personal Data must be consistent with the relevant privacy notices;
- Be aware of the basis for processing Personal Data, in particular whether it relies on the individuals’ consent and, if so, the scope of that consent;
- Follow any established processes or practices within your team regarding when, how and by whom the Personal Data should be used, unless you have reason to think that this approach is inappropriate. Managers should ensure that these are identified to staff during induction. Do not depart from standard process without seeking advice.
4.1.8 Sharing or transferring Personal Data: Be cautious. Be clear about the purpose of the sharing and only disclose what is necessary for that purpose. Except in a true emergency:
- Only share within BU if the recipient needs the Personal Data for a clearly defined purpose within the uses described in the relevant privacy notice and in accordance with established practice.
- Only share outside BU if you are following an established process or practice (see above) or after seeking appropriate advice. BU needs to do “due diligence” (appropriate checks) on the recipients of Personal Data to ensure that it will be appropriately safeguarded.
4.1.9 Data Retention: Only keep Personal Data where needed for a defined purpose (including any legal and audit requirements) and in accordance with BU or departmental policy – but seek appropriate advice before destroying or deleting materials.
4.1.10 Respond promptly to requests for information or assistance with PIAs, data audits, subject access requests, data breach investigations and other data protection queries or issues.
4.1.11 Seek advice about new processing activities or if in any doubt about data protection issues.
4.2 In taking these steps you may require support or advice from others within BU, in particular the Data Protection Officer (), Legal Services () or IT Services. You should never hesitate to seek advice if you have any doubts or concerns about the handling of Personal Data by yourself or others, or if you have technical questions about IT tools or processes.
- REPORTING DATA BREACHES AND BREACHES OF THIS POLICY
5.1 A data breach is a situation in which there has been accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data. This may happen as a result of accidental actions or omissions or of deliberate steps, but either will be a breach of this Policy and of the Data Protection Legislation. A data breach may result from a third-party attack on BU systems, or may result in the disclosure (or risk of disclosure) of BU Personal Data to third parties. However, it may also occur when Personal Data is made available to unauthorised persons or used inappropriately within BU. A data breach may take a wide range of forms. If you are in any doubt as to whether a situation represents a data breach, you should immediately contact the DPO or the Information Office for advice.
5.2 A “near miss” of a data breach is a situation in which a data breach was close to taking place but was avoided by ad hoc intervention (rather than by the standard application of policy or process).
5.3 BU has a legal duty to notify the ICO of certain data breaches within 72 hours of becoming aware of the breach. In addition, under the Data Protection Legislation BU must take immediate action to respond to any suspected data breach so that it can limit the impact on individuals and prevent recurrence. It is also important for BU to respond to any “near miss”, as this will indicate a risk of a future data breach.
5.4 Staff and BU Representatives who have reason to suspect or be concerned that a data breach has occurred must report their concern(s) as quickly as possible. An IT-related data breach should be reported to the IT Service Desk on 01202 965515. For all other data protection concerns contact the Data Protection Officer (). If a serious or potentially serious incident occurs outside standard BU hours, the Serious Incident Officer (SIO) should be informed on 222 (01202 962222). The Data Protection Officer () must be informed of all incidents, confirmed data breaches, near misses and concerns.
5.5 Incidents which are identified as a data breach will be identified, assessed, contained, recovered from and reviewed. BU will manage data breaches in line with the ICO data breach management guidance and the BU Data Breach Incidents Management Plan, which aligns to the BU Major Incident Plan. In many cases it will be relevant to follow the Information Security Management Process. These processes provide for appropriate escalation for informing and consulting key stakeholders. The ICO and the data subjects affected will be notified where appropriate. The decision to make such a notification will be made by the Chief Operating Officer (COO) and/or the Director of Finance and Performance, in consultation with the DPO. Other staff to whom this policy applies should not make such notifications without authority to do so.
5.6 Any “near miss” should be promptly reported to the DPO, who will consult as appropriate and consider what action (if any) needs to be taken to prevent a future data security breach.
- SOME USEFUL DEFINITIONS
6.1 Personal Data: data relating to a living individual who can be identified from:
- that data; or
- that data and other information held, or likely to come into the possession of, the data controller.
This definition is wide and covers almost all information held by BU about a living individual, including names, addresses, dates of birth, expressions of opinion and any indication of intention in relation to the individual, as well as identification numbers (such as a student ID number), location data, online identifiers, or one or more factors specific to a person's identity. It includes information from which identifying details have been removed if BU still holds the information which would enable identification of individuals (pseudonymised information). Information only ceases to be Personal Data if it is completely anonymised, i.e. if individuals can’t be identified from the information as it is viewed and BU has no ability to re-identify the individuals to which the information relates.
6.2 Special Categories of Data: information which used to be known as “Sensitive Personal Data” under the Data Protection Act 1998. The Data Protection Legislation specifies that Special Category Data is information about an individual's:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic and biometric characteristics;
- physical or mental health or condition; and
- sex life or sexual orientation.
In addition, the Data Protection Legislation also makes separate special provision for Personal Data which is information about an individual’s actual or alleged criminal activity or convictions. These categories of Personal Data are treated differently from other Personal Data under the Data Protection Legislation, because their use is likely to be particularly sensitive and to have more impact on individuals.
6.3 Data Subject: the individual who is the subject of particular Personal Data.
6.4 Data Controller: an organisation or person who is responsible for making decisions about the purposes for which and the manner in which Personal Data is to be processed. For the purposes of this policy, BU is almost always a Data Controller, although it may, in certain circumstances, be acting jointly with other Data Controllers.
6.5 Data Processor: an organisation or person processing Personal Data strictly on behalf of a Data Controller.
6.6 Processing: the Data Protection Legislation applies to the "Processing" of Personal Data. "Process" and "Processing" cover virtually anything done in relation to Personal Data. For example, collecting, organising, structuring, adapting, altering, using, disclosing, copying, deleting or even just storing Personal Data are all covered by the Data Protection Legislation.
6.7 Anonymisation: permanently removing identifying details from information relating to individuals, so that the Data Controller is unable to identify the individuals. Anonymised information is not Personal Data.
6.8 Pseudonymisation: removing or masking details within information relating to individuals so that the individuals can’t be identified from that information on its own. This term applies where the same Data Controller still holds separate information (for example, a key or lookup table) which enables the re-identification of individuals in the Pseudonymised information. Pseudonymised information is still Personal Data and is different from Anonymised data.
- DATA PROTECTION ROLES AND RESPONSIBILITIES AT BU
7.1 BU is responsible for complying with the Data Protection Legislation. Usually this responsibility is as a Data Controller, although BU may also, in certain circumstances, process Personal Data on behalf of a third party, in which case BU will have responsibility as a Data Processor.
7.2 The Board of Governors has delegated day-to-day responsibility for compliance with the Data Protection Legislation to the Chief Operating Officer.
7.3 Deans of Faculties and Directors/Heads of Professional Services are responsible for data protection within their area of business and are directly accountable to the CIO and the BU Board for any findings of non-compliance with this policy.
7.4 Business and system owners, including academic staff, are responsible for implementing the administrative and technical controls which support and enforce this policy.
7.5 Managers are responsible for ensuring that staff for whom they have line management responsibility receive appropriate local induction with regard to data protection, in addition to the mandatory BU data protection training module.
7.6 All those outlined in section 2 are responsible for complying with this Policy, where it is relevant to their role within BU, and for adopting the processes and procedures which support this Policy.
7.7 It is mandatory for all Staff and BU Representatives, other than External Representatives, to undertake an online module of data protection training when they first join BU. This should be included in individual staff induction programmes. Thereafter, those required to undertake the initial training may be required to undertake mandatory refresher data protection training while they continue to work for BU. You will be informed if this requirement applies to you. Failure to undertake initial training, or refresher training if required, within the specified timescales may be treated as a disciplinary matter. If you do not receive an email or other link to undertake initial training at the appropriate time, please contact the Data Protection Officer.
7.8 As required by the Data Protection Legislation, BU has an appointed Data Protection Officer (“DPO”). The DPO must be involved in all issues which relate to the protection of Personal Data within BU. Their role includes:
- acting as the key contact for the ICO and for individuals who want to exercise their rights under the Data Protection Legislation;
- providing information and advice to BU and its employees about their processing of Personal Data. This includes advice on carrying out PIAs (see further below);
- monitoring and supporting compliance by BU and its staff with the Data Protection Legislation and BU policies; and
- co-ordinating BU’s response to any data breach incidents.
7.9 BU’s Information Office is a service provided by Legal Services in co-ordination with the DPO, which supports and works closely with the DPO. The Information Office provides advice on the Data Protection Legislation to Staff, to Subsidiary Representatives acting in their capacity as such and to external members of the BU Board acting in their capacity as such. It also manages BU’s response to requests from Data Subjects to exercise their rights under the Data Protection Legislation, including subject access requests.
7.10 The IT Services Information Security team also provides support to both Legal Services and the Data Protection Officer, through data breach management support, security incident management, and advice and guidance on data protection and information technology.
Any queries about this policy can be raised with either the DPO or the Information Office. Messages sent to the central email address can be viewed by both the DPO and the Information Office, and they will decide who is best placed to respond to you.
7.11 It is always important to raise queries about data protection promptly, and not to delay in forwarding communications you receive to the DPO or the Information Office as appropriate. In particular, if you receive any of the following types of communication or information (or anything which might fall into these categories), you should forward these to as soon as possible, to enable BU to manage these matters in accordance with the tight timescales set in the Data Protection Legislation:
- a subject access request (see section 18);
- any other request to exercise an individual’s rights under the Data Protection Legislation (see section 18);
- any complaint about how an individual’s Personal Data is being or has been Processed;
- any other information which indicates or may indicate that there has been a breach of data security or any other data protection breach, i.e. that data has been accessed or otherwise Processed in contravention of this policy, a related BU policy or the Data Protection Legislation.
- DATA PROTECTION PRINCIPLES
8.1 The Data Protection Legislation is built around a number of principles about the processing of Personal Data. Those subject to this policy should at all times observe these data protection principles whenever collecting, using or otherwise Processing Personal Data. These require that Personal Data shall be: