
Data protection code of practice


Introduction

1. This Code of Practice must be read in conjunction with the College’s Data Protection Policy document to give the fullest picture of Birkbeck’s data protection regime. This document gives an introduction to some basic points of practice relating to the handling and processing of personal data at Birkbeck. It also lists the particular activities carried out within the College’s administrative and academic departments that involve the handling and processing of personal data.


Key Concepts

2. The Data Protection Act 1998 places an obligation upon Birkbeck, as a data controller, to collect and use personal data in a responsible and accountable fashion. Birkbeck College is committed to ensuring that every current employee and registered student complies with this Act to ensure the confidentiality of any personal data held by the College in whatever medium. Three key concepts to be considered are those of purpose, fairness and transparency.

Purpose

3. Data controllers can only process personal data where they have a clear purpose for doing so, and then only as necessitated by that purpose. Paragraphs 39–50 of this Code of Practice summarise the purposes for which the College processes personal data. Personal data cannot be processed for purposes that have not been defined and declared in the College’s Data Protection Register entry (see paragraph 6 below).

Fairness

4. In defining the purposes for which Birkbeck processes personal data, the fairness of that processing must be considered. For some types of processing the required elements of fairness and legality are clearly outlined in the legislation, but for many others they are not. In such cases, Birkbeck has tried to take a broad approach to deciding what is fair in each case, based on an interpretation of the 1998 Act and in conjunction with advice from the Information Commissioner, the College’s own legal advisors, and on wider practice within the UK HE sector.

Transparency

5. Members of staff, students and others must be able to feel that there is no intention to hide from them details of how their personal data are collected, used and distributed by the College. One of the functions of this Code of Practice is to provide that assurance.


Existing Notifications

6. The Act requires many data controllers to notify the Information Commissioner of the purposes for which personal data are processed, together with certain details of that processing. Those notifications are then held on a public register. The College has two existing Register entries – for the College and the Students’ Union – that can be examined on-line at http://www.dpr.gov.uk/.

7. It is an offence for the College to hold personal data that falls outside of the classes declared in these notifications or to process personal data for any purposes that are not defined there. It is therefore very important that those who work with personal data in the course of their College duties are familiar with the details contained in these notifications.

8. Any changes that may be required should be passed to the College Secretary’s Office as these entries are periodically reviewed and amended as necessary by the College Secretary.

9. Paragraph 35 of this Code of Practice gives details of the College’s Designated Data Controllers, who are responsible for handling subject access requests and dealing with data protection enquiries within the College.


Collection and Amendment of Personal Data

Collection of personal data, amendment of personal data, security of personal data, secure storage of personal data and the secure processing of personal data.

Collection of personal data

10. In most cases, the personal data held by the College will be obtained directly from the data subjects themselves. The law stipulates that a data protection notice must accompany any request for personal data. Any members of staff responsible for managing the collection of personal data for the legitimate activities of the College must ensure that a notice containing the following information is included in the request for that data:

  • A statement that Birkbeck, University of London is the data controller

  • The name and/or job title of the specific member of staff responsible for the administration of the personal data being collected, to enable, for example, subsequent amendments to be submitted by the data subject

  • A clear explanation of the types of data being collected and the purposes for which that data will be processed

  • Any further information that is considered necessary to ensure that the data processing can be described as being fair, for example details of any third parties to whom the data might be disclosed

  • A statement making it clear that by submitting the personal data, the data subjects are giving their consent for the processing of the data for the stated purposes to take place.

Amendment of personal data

11. From time to time data subjects will wish to update some of their personal data held by the College, for example their home addresses or other contact details previously submitted. To do this, the data subjects must either contact the specific member of staff designated in the data protection notice at the time the data was submitted, or the appropriate Designated Data Controller as set out in paragraph 35. Proof of identity will be required before any amendments can be made.

12. As and when ‘self-service’ computer-based administrative systems are introduced for staff, students or others, the data subjects themselves will be able to take responsibility for the maintenance of certain elements of their personal records.

13. These systems will incorporate the necessary authentication and security mechanisms to ensure that data subjects are only able to view and amend their own data.

Security of personal data

14. Of fundamental importance within any data protection regime is the security of the personal data that is being processed. Data subjects have the right to expect that their personal data will be kept and processed securely and that no unauthorised disclosures or transfers will take place to anyone either within or outside the College. Authorised disclosures or transfers are those that are defined within the appropriate Notifications (see paragraphs 6–9 above) and declared to the data subject either at the point of data collection or subsequently, the necessary consent for disclosure or transfer having been obtained if required.

15. To help ensure the security of personal data within the College, all those in Birkbeck who process such data in the course of performing their duties are required to follow the general guidelines set out below.

Secure storage of personal data

16. Each member of staff whose work involves storing personal data, whether in electronic or paper format, must take personal responsibility for its secure storage, in line with Birkbeck’s Data Protection Policy, which states that personal data should:

  • Be kept in a locked filing cabinet, drawer, or safe;

or

  • If it is computerised, be coded, encrypted or password protected both on a local hard drive and on a network drive that is regularly backed up;

and

  • If a copy is kept on a diskette or other removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.

17. Ordinarily, personal data should never be stored at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites.

18. Staff should be aware that log files would record details of all users who access, alter or delete or attempt to access, alter or delete centrally held computerised databases and files containing personal data.

Secure processing of personal data

19. While staff members in the course of performing their legitimate duties are using personal data, reasonable precautions must be taken to ensure the safety and privacy of that data. For example:

  • In open-plan offices, computer screens that could potentially be displaying personal data should not be positioned such that unauthorized staff may readily see that data, and password protected screensavers should be used.

  • Personal data in manual form, such as in paper files, correspondence or database printouts, should not be left in view in open-plan offices while the relevant staff members are away from their desks. They should instead be locked away or at least covered.

  • Where manual records containing personal data are accessible to a number of staff in the course of their legitimate activities, access logbooks should be used where practicable to help monitor the whereabouts and use of such records.

20. Ordinarily, personal data should not be processed at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites. In cases where such off-site processing is felt to be necessary or appropriate, the agreement of the relevant Head of School or Department must be obtained, and all the security guidelines given in this document must still be followed.


Disclosure and Transfer of Personal Data

Authorised and unauthorised disclosures, security of data during transfer, and disclosures outside the College.

Authorised and unauthorised disclosures

21. Staff members working with personal data will be made aware by their line managers or other appropriate staff of the purposes for which the data is processed and the legitimate parties either within or outside Birkbeck to whom that data, either in whole or in part, may be disclosed or transferred. Personal information must not be disclosed either orally or in writing or via Web pages or by any other means, manual or electronic, accidentally or otherwise, to any unauthorised third party.

22. Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.

Security of data during transfer

23. Where personal data is transferred between staff members within the College in the course of their legitimate activities, the level of security appropriate to the type of data and anticipated risks should be applied. For example, sensitive personal data should either be transferred by internal mail in sealed envelopes or by hand. If transferred by e-mail, such data should normally either be encrypted or sent in a password-protected attachment (for example using Microsoft Word’s ‘require password to open’ feature), with the password being supplied separately. Further advice on secure email and password protection can be obtained from Central Computing Services.

Disclosures outside the College

24. When a request to disclose or amend personal data relating to a member of the College (student or staff) is received from an individual or organization outside the College, in general no data should be disclosed or amended unless the authority and authenticity of the request can be established. Disclosures requested by those claiming to be relatives or friends should be refused unless the consent of the data subject is obtained for such disclosures or in one of the few situations where disclosure without consent is permitted by the law (see: http://www.jisc.ac.uk/publications/generalpublications/2001/pub_dpacop_0101.aspx).

25. Requests for the disclosure of personal data from the Police, Government bodies, the British Council or other official bodies and agencies should be investigated sufficiently to verify the authenticity of the request and may then be acted upon if there is a legal requirement for such disclosure or the consent of the data subject has been given for the disclosure.

26. Details of any specific procedures and practices to be adopted when responding to requests for disclosure in individual administrative Departments or Academic Schools within the College will be available from the appropriate senior members of staff.


Publication of College Information

27. While the majority of personal data held by the College is processed for internal administrative purposes and is never disclosed outside the institution, some categories of data are routinely or from time to time released through one or more forms of publication.

Legal obligations, staff directory, staff personal data on Web pages and student personal data on Web pages.

Legal obligations

28. When required by law or College statute, the names of Senior Officers and Governors of the College and certain other personal data relating to employees and Governors are published in the annual Calendar and on the Web site. The College also fulfils all obligations placed upon it by its relationship with various funding bodies, Government Agencies and the like with regard to the release of personal data and statistical information concerning students and staff. Data subjects are informed of the College’s obligations in this respect at the time the data is collected.

Staff Directory

29. In order to meet the legitimate needs of researchers, visitors and enquirers to be able to make contact with appropriate staff, Birkbeck intends to make available on its public Web site a directory containing the job title, organizational unit, title, forename, surname, office telephone number, office room number and location and office e-mail address of each staff member. However, at the time of appointment and at any time while in post (via a request to the designated Data Controller) each individual member of staff will be able to specify the level of detail that will appear in this public directory, i.e. being able to request that the following be omitted: title, forename, e-mail address. The Web-based public directory will be searchable by name and organisational unit and will only return personal contact data for those staff that have given their consent for this disclosure. A complete directory is available on the College intranet, but this is password-protected and is only available to current students and staff. A printed directory is made available to all members of staff within the College, but is not ordinarily given to anyone else.

Staff personal data on Web pages

30. Apart from the staff directory described above, staff biographical details or other personal data may be published on Birkbeck’s Web sites or in other media, but only where the staff concerned have given their consent for such information to be made publicly available. However, publication in this way does not mean that such data have been placed into the public domain. Birkbeck retains control and copyright of such data, and the data must not be reproduced or further processed without the College’s express permission.

Student personal data on Web pages

31. Apart from the obligations mentioned above (paragraph 28) the College will not ordinarily reveal any personal details of students enrolled at Birkbeck to any individual or body outside the College. However, some research students may consent to contact details or other personal data being published, for example via the College’s public Web sites. It may also be the case that students enrolled on certain courses may produce Web-based material containing personal data as part of their course work. In such cases, responsibility for such disclosures rests entirely with the individual students concerned and is not indicative of any College-wide policy.


Retention and Disposal of Personal Data

The retention of personal data and the disposal of personal data.

The retention of personal data

32. The College has a duty to retain some staff and student personal data for a period of time following their departure from the College, mainly for legal reasons, but also for other purposes such as being able to provide references and academic transcripts, or for financial reasons, for example relating to pensions and taxation. Some material will also be retained to form part of the official College archive (selected following the guidance given in the JISC publication ‘Study of the Records Life Cycle’, available at http://www.jisc.ac.uk/index.cfm?name=recordsman_papers_cycle). Different categories of data will be retained for different periods of time, and these are set out in the table overleaf.

The disposal of personal data

33. When a record containing personal data is to be disposed of, the following procedures will be followed:

  • All paper or microfilm documentation containing personal data will be permanently destroyed by shredding or incinerating, depending on the sensitivity of the personal data.

  • All computer equipment or media that are to be sold or scrapped will have had all personal data completely destroyed, by re-formatting, over-writing or degaussing.

34. Employees and, where appropriate, students, will be provided with guidance as to the correct mechanisms for disposal of different types of personal data and audits will be carried out to ensure that this guidance is adhered to. In particular, employees and students will be made aware that erasing/deleting electronic files does not equate to destroying them.


Minimum Retention Periods for Records Containing Personal Data (PDF)

Subject Access Requests

35. All staff, students, applicants and other users have a right under the Act to access certain personal data being kept about them at Birkbeck either on computer or in certain files. Any person who wishes to exercise this right should complete the Subject Access Request Form in Annexe 1 and submit it to the appropriate Designated Data Controller, who is:

For students: The Registrar

For staff: The Director of Human Resources

For all others: The College Secretary

36. The College will make a charge of £10 on each occasion that access is requested, although the College has discretion to waive this.

37. The College will comply with requests for access to personal information as quickly as is practicable, but will ensure that the information is provided within 40 days, as required by the Act.

38. Students and former students should be aware that exam scripts are exempted from the subject access rules and copies will not ordinarily be given to those who make a subject access request. However, a copy or summary of both internal and external examiner’s comments can be requested as part of a subject access request. If such a request is made before the results of the examination are announced, the College will provide the information within 5 months of the request being received or 40 days from the announcement of the result, whichever is the earlier, as required by the Act.

The Processing of Personal Data within Specific Administrative Departments and Academic Schools

Activities involving the processing of personal data

39. Listed in the following sections are categories of activities carried out within each of the specified organisational units within the College that involve the processing of personal data. It is the responsibility of the appropriate Directors and Heads to ensure that sufficiently detailed guidance is given to their staff to enable them to carry out these activities in accordance with the requirements of the Data Protection Act 1998.

Schools and Research Centres, Central Computing Services, College Secretary’s Office, Estates and Facilities, External Relations, Finance, Human Resources and Organisational Development, Library, Master’s Office, Registry, Students’ Union and the Vice-Master’s Office.

40. Schools and Research Centres

  • Admissions administration

  • Enquiries administration

  • Events/conference administration

  • School/Centre staff and function lists publication (e.g. on Web page)

  • Examination administration and marking

  • Marketing

  • Publication activities (including advertising and Web sites)

  • Research activities and administration

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff recruitment

  • Student assessment activities

  • Student records administration/student support

  • Supplier/order/invoice administration

  • Systems administration (e-mail, back-up/ storage, authentication, system logs, etc [in some cases])

  • Teaching activities and administration

  • Teaching performance/assessment/review activities

41. Central Computing Services

  • Department staff and function lists publication (e.g. on Web page)

  • Staff directory maintenance

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff recruitment

  • Student registration

  • Student and staff support activities and records/RMS Service Desk

  • Supplier/order/invoice administration

  • Systems administration (MIS, e-mail, back-up/storage, authentication, system logs, etc)

  • Telephone system administration

  • Training records administration (inc. ECDL and WebCT)

  • Web site forms (although usually created for another Department)

  • Workstation room bookings administration

42. College Secretary’s Office

  • Archives management

  • Corporate planning and management activities

  • Data protection SAR administration

  • Department staff and function lists publication (e.g. on Web page)

  • Governance activities (Committees, maintenance of the Register of interests of Governors and senior administrative staff, etc)

  • Health and Safety activities and administration

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff recruitment

  • Supplier/order/invoice administration

43. Estates and Facilities

  • CCTV

  • Department staff and function lists publication (e.g. on Web page)

  • Estates and Facilities management and letting (inc. catering contracts, cleaning contracts, etc)

  • Help desk administration

  • Mail system administration

  • Security/access control systems and records

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff recruitment

  • Supplier/order/invoice administration

  • Telephone Operator activities

44. External Relations

  • Alumni relations management

  • Department staff and function lists publication (e.g. on Web page)

  • Events/conference administration

  • Fundraising activities/donor administration etc

  • Graduation ceremonies administration

  • Mailing list administration and use

  • Marketing

  • Market research

  • News/press release activities/public relations

  • Other publication activities

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff recruitment

  • Supplier/order/invoice administration

45. Finance

  • Archives management

  • Department staff and function lists publication (e.g. on Web page)

  • Financial management and accounting

  • Payroll administration

  • Pension scheme administration

  • Research grants administration and IPR administration

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff recruitment

  • Student financial records administration

  • Supplier/order/invoice administration

46. Human Resources and Learning and Organisational Development

  • Archives management

  • Data protection SAR administration

  • Department staff and function lists publication (e.g. on Web page)

  • Employee relations management

  • Records or monitoring in accordance with the Race Relations Amendment Act 2000

  • Staff development and support activities/administration

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff records administration

  • Staff recruitment

  • Supplier/order/invoice administration

47. Library

  • Departmental staff and function list publication (e.g. on Web page)

  • Loan and inter-library loan administration

  • Security/access control systems and records

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff recruitment

  • Staff and student support activities and records

  • Supplier/order/invoice administration

  • Systems administration (catalogue, back-up/storage, authentication, system logs, etc)

48. Master’s Office

  • Department staff and function lists publication (e.g. on Web page)

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff recruitment

  • Supplier/order/invoice administration

49. Registry

  • Admissions administration

  • Archives management

  • Assessment administration

  • Awards administration and conferment

  • Department staff and function lists publication (e.g. on Web page)

  • Data protection SAR administration

  • Enquiries administration

  • HESA returns activities

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff recruitment

  • Student disciplinary activities

  • Student records administration, including disability information

  • Student support activities

  • Supplier/order/invoice administration

  • Teaching performance/assessment/review activities

50. Students’ Union

  • Clubs and Societies activities and administration

  • Publishing activities

  • Student records administration

  • Student support activities

  • Staff management (includes performance, appraisal and development records, leave records, expenses records, etc)

  • Staff recruitment

  • Supplier/order/invoice administration

  • Union officers/staff and function lists publication (e.g. on Web page)

51. Vice-Master’s Office

  • Admissions administration

  • Archives management

  • Assessment administration

  • Awards administration and conferment

  • Business relations activities

  • Consultancy administration

  • Department staff and function lists publication (e.g. on Web page)

  • Enquiries administration

  • Events/conference administration

  • Faculty/School/Centre staff and function lists publication (e.g. on Web page)

  • Examinations administration and marking

  • Mailing list administration and use

  • Marketing

  • Market research

  • Publication activities (including advertising and web sites)

  • Staff management (includes performance, appraisal and development records, leave records, expense records etc.)

  • Staff recruitment

  • Student assessment activities

  • Student disciplinary activities

  • Student records administration, including disability information

  • Student support activities

  • Supplier/order/invoice administration

  • Teaching activities and administration

  • Teaching performance/assessment/review activities


The wording of this document draws heavily on version 2.0 of the ‘JISC Data Protection Code of Practice for the HE and FE Sectors’, produced by Andrew Charlesworth, Senior Lecturer in IT Law at the University of Hull Law School. The JISC document can be viewed on-line at http://www.jisc.ac.uk/publications/generalpublications/2001/pub_dpacop_0101.aspx
