Birkbeck, University of London Human Resources

Data protection policy

Introduction

Status of this Policy

The Data Controller and the Designated Data

Controllers

Responsibilities of Staff

Student Obligations

Data Security

Rights to Access Information

Examination Marks

Subject Consent

Processing Sensitive Information

Publication of College Information

Retention of Data

Conclusion

Data protection policy and code of practice leaflet pdf format

Introduction

1. Birkbeck College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that the College can comply with its legal obligations and staff can be recruited and paid and courses organised. To comply with the law, information must be collected and used fairly, stored safely

and not disclosed to any other person unlawfully.

2. To do this, Birkbeck College must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act).

3. In summary these state that personal data shall:

4. Birkbeck College and all staff or others who process or use personal information must ensure that they follow these principles at all times.

5. In order to ensure that this happens, the College has developed this Data Protection Policy and the accompanying Data Protection Code of Practice.

back to top

Status of this Policy

6. This policy does not form part of the formal contract of employment for staff, or the formal offer of a place for study for students, but it is a condition of employment or study that employees and students will abide by the rules and policies made by the College from time to time. Any failures to follow the policy can therefore result in disciplinary proceedings.

back to top

The Data Controller and the Designated Data Controllers

7. The College as a body corporate is the Data Controller under the 1998 Act, and the Governors are therefore ultimately responsible for implementation. However, the Designated Data Controllers will deal with day-to-day matters.

8. The College has three Designated Data Controllers. They are the Registrar, the Director of Human Resources, and the College Secretary.

9. Any member of staff, student, applicant or other individual who considers that the Policy has not been followed in respect of personal data about himself or herself should raise the matter with the appropriate Designated Data Controller, who would be:

For students: The Registrar

For staff: The Director of Human Resources

For all others: The College Secretary

10. The academic Schools and administrative Sections will themselves have designated staff who will provide the Registrar, the Director of Human Resources and the College Secretary with details of the data held in their academic School or administrative Section.

back to top

Responsibilities of Staff

11. All staff are responsible for:

12. If and when, as part of their responsibilities, staff collect information about other people (e.g. about a student’s course work, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with the guidelines for staff set out in paragraphs 10–13 of the College’s Data Protection Code of Practice.

back to top

Student Obligations

13. Students must ensure that all personal data provided to the College is accurate and up to date. They must ensure that changes of address etc. are notified to the Registry.

14. Students who may from time to time process personal data as part of their studies must notify their supervisor/tutor, who should inform the Registrar, and must comply with the guidelines for data collection and security as set out in paragraphs 10–26 of the College’s Data Protection Code of Practice.

back to top

Data Security

15. All staff are responsible for ensuring that:

16. Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.

17. Personal information should:

or

and

18. Further information on data security is given in paragraphs 14–26 of the College’s Data Protection Code of Practice.

back to top

Rights to Access Information

19. All staff, students and other users are entitled to:

20. This Policy document and the College’s Data Protection Code of Practice address in particular the last three points above. To address the first point, the College will, upon request, provide all staff and students and other relevant users with a statement regarding the personal data held about them. This will state all the types of data the College holds and processes about them, and the reasons for which they are processed.

21. All staff, students and other users have a right under the 1998 Act to access certain personal data being kept about them either on computer or in certain files. Any person who wishes to exercise this right should complete the Subject Access Request Form and submit it to the appropriate Designated Data Controller (see above).

22. The College will make a charge of £10 on each occasion that access is requested, although the College has discretion to waive this.

23. The College aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days, as required by the 1998 Act.

back to top

Examination Marks

24. During the course of their studies, students will routinely be provided with information about their marks for both coursework and examinations. However, exam scripts themselves are exempted from the subject access rules and copies will not ordinarily be given to a student who makes a subject access request. Further details are given in paragraph 38 of the College’s Data Protection Code of Practice.

back to top

Subject Consent

25. In many cases, the College can only process personal data with the consent of the individual. In some cases, if the data is sensitive, as defined in the 1998 Act, express consent must be obtained. Agreement to the College processing some specified classes of personal data is a condition of acceptance of a student onto any course, and a condition of employment for staff. This includes information about previous criminal convictions.

26. Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. The College has a duty under the Children Act 1989 and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The College also has a duty of care to all staff and students and must therefore make sure that employees and those who use College facilities do not pose a threat or danger to other users.

27. The College may also ask for information about particular health needs, such as allergies to particular forms of medication, or any medical condition such as asthma or diabetes. The College will only use this information in the protection of the health and safety of the individual, but will need consent to process this data in the event of a medical emergency, for example.

28. Therefore, the application forms that all prospective staff and students are required to complete will include a section requiring consent to process the applicant’s personal data. A refusal to sign such a form will prevent the application from being processed.

back to top

Processing Sensitive Information

29. Sometimes it is necessary to process information about a person’s health, criminal convictions, race, and trade union membership. This may be to ensure that the College is a safe place for everyone, or to operate other College policies, such as the sick pay policy or the equal opportunities policy. Because this information is considered sensitive under the 1998 Act, staff (and students where appropriate) will be asked to give their express consent for the College to process this data. An offer of employment or a course place may be withdrawn if an individual refuses to consent to this without good reason. More information about this is available from the Designated Data Controllers.

back to top

Publication of College Information

30. The names of Senior Officers and Governors of the College or any other personal data relating to employees or Governors will be published in the annual Calendar and on the public Web site when any statute or law requires such data to be made public.

31. Certain items of information relating to College staff will be made available via searchable directories on the public Web site, in order to meet the legitimate needs of researchers, visitors and enquirers seeking to make contact with appropriate staff. Paragraphs 27–30 of the College’s Data Protection Code of Practice set out the details of this scheme.

32. Individual Schools, Research Centres and Administrative Departments within the College may make additional staff or research student biographical details or other personal data available on their public Web sites. It may also be the case that students enrolled on certain courses may produce Web-based material containing personal data as part of their course work. All such activities are set out in detail in paragraphs 27–31 of the College’s Data Protection Code of Practice.

back to top

Retention of Data

33. The College has a duty to retain some staff and student personal data for a period of time following their departure from the College, mainly for legal reasons, but also for other purposes such as being able to provide references and academic transcripts, or for financial reasons, for example relating to pensions and taxation. Different categories of data will be retained for different periods of time. The exact details of retention periods and purposes are set out on pages 11–12 of the College’s Data Protection Code of Practice.

back to top

Conclusion

34. Compliance with the 1998 Act is the responsibility of all members of the College. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or to access to College facilities being withdrawn, or even to a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the appropriate Designated Data Controller.

 


Printed from: http://www.bbk.ac.uk/hr/policies_services/policies_az/data_protection_policy
Date printed: 11/12/2017