Data Protection Policy
The College holds and processes information about employees, students and other data subjects for academic, administrative and commercial purposes. When handling such information, the college and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the Act). These are attached as the College’s Data Protection Guidelines on Appendix 2
In summary these state that personal data will:
- be processed fairly and lawfully
- be obtained for a specified and lawful purpose and will not be processed in any manner incompatible with the purpose
- be adequate, relevant and not excessive for the purpose
- be accurate and up-to-date
- not to be kept for longer than necessary for the purpose
- be processed in accordance with the data subject's rights
- be kept safe from unauthorised processing and accidental loss, damage or destruction
- not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data, except in specified circumstances
Definitions Staff”, students and other data subjects may include past, present and potential members of those groups. Other data subjects and third parties may include contractors, suppliers, contacts, referees, friends or family members. Processing refers to any action involving personal information, including obtaining, viewing, copying, amending, adding, deleting, extracting, storing, disclosing or destroying information.
2. Notification of Data Held
2.1 The College will notify all stay and students and other relevant data subjects of the types of data held and processed by the College concerning them, and the reasons for which it is processed. The information, which is currently held by the College and the purposes for which it is processed are set out in the Appendix 1 to this Policy. When processing for a new or different purpose is introduced the individuals affected by that change will be informed and the Appendix 1 will be amended.
3. Staff Responsibilities
3.1 All staff will ensure that all personal information which they provide to the College in connection with their employment is accurate and up-to-date inform the College of any changes to information, for example, changes of address check the information which the College will make available from time to time, in written or automated form, and inform the College of any errors or, where appropriate, follow procedures for up-dating entries on computer forms. The College will not be held responsible for errors of which it has not been informed.
3.2 When staff hold or process information about students, colleagues or other data subjects (for example, students' course work, pastoral files, references to other academic institutions, or details of personal circumstances), they should comply with the Data Protection Guidelines for Staff attached as Appendix 2
Staff will ensure that:
- all personal information is kept securely
- personal information is not disclosed either orally or in writing, accidentally or otherwise to any unauthorised third party,
- unauthorised disclosure may be a disciplinary matter, and may be considered gross misconduct in some cases.
3.3 When staff supervise students doing work which involves the processing of personal information, they must ensure that those students are aware of the Data Protection principles, in particular, the requirement to obtain the data subject's consent where appropriate.
3.4 Staff will be advised on an annual basis of any changes or amendments to this policy or any guidelines, as well as good practice.
4. Student and Parental Responsibilities
4.1 All students and parents / guardians will ensure that all personal information which they provide to the College is accurate and up-to-date inform the College of any changes to that information, for example, changes of address check the information which the College will make available from time to time, in written or automated form, and inform the College of any errors or, where appropriate, follow procedures for up-dating entries on computer forms. The College will not be held responsible for errors of which it has not been informed.
5. Rights to Access Information
5.1 Staff, students and other data subjects in the College have the right to access any personal data that is being kept about them either on computer or in structured and accessible manual files. Any person may exercise this right by submitting a request in writing to the Headteacher or nominated person. The College aims to comply with requests for access to personal information as quickly as possible, but will ensure that a response is provided within 21 days unless there is good reason for delay. In such cases, the reason for the delay will be explained in writing by the Headteacher to the data subject making the request. Further guidance on access to information is processed under the College’s procedures for the Freedom of Information Act.
6. Subject Consent
6.1 In some cases, such as the handling of sensitive information or the processing of research data, the College is entitled to process personal data, only with the consent of the individual. Agreement to the College processing some specified classes of personal data is a condition of acceptance of a student, and a condition of employment for staff. (See Appendix 1)
6.2 Sensitive Information
The College may process sensitive information about a person's health, disabilities, criminal convictions, race or ethnic origin, or trade union membership. For example, some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 19, and the College has a duty under the Children Act 1989 and other enactment's to ensure that staff are suitable for the job, and students for the courses offered. The College may also require such information for the administration of the sick pay policy, the absence policy or the equal opportunities policy, other college policies, or for academic assessment.
6.3 The College also asks for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. The College will also use such information to protect the health and safety of the individual, for example, in the event of a medical emergency
7. The Data Controller and the Designated Data Controllers
The College is the data controller under the Act, and the Headteacher is ultimately responsible for implementation. Responsibility for day-today matters will be delegated to the Leadership Team and nominated members of staff as designated data controllers, as information and advice about the holding and processing of personal information is available from the designated data controllers.
Students will be entitled to information about their grades for assessments, however this may take longer than other information to provide. The College may withhold enrolment, awards, certificates, accreditation or references in the event that monies are due to the College.
8. Standard Publication of Information
8.1 The College will not publish information into the public forum of any data classes specified in Appendix 1 without the specific permission of individuals involved.
8.2 The College, or associated 3rd parties, will only publish digital or materials-based photographic or video sources in compliance with the College’s Data Protection – Photography and Video Guidance.
9. Retention of Data
9.1 The College will keep different types of information for differing lengths of time, depending on legal, academic and operational requirements. A list of recommended retention times is set out in the Retention Schedule (appendix 3 of Freedom of Information Act Policy)
10.1 Compliance with the Act is the responsibility of all students and members of staff. Any deliberate or reckless breach of this Policy may lead to disciplinary, and where appropriate, legal proceedings. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Headteacher.
10.2 Any individual, who considers that the policy has not been followed in respect of personal data about him or herself, should raise the matter with the designated data controller initially. If the matter is not resolved it should be referred to the complaints or grievance procedure.