Furness College sees you, the student, at its very heart.
Purpose & Scope
Furness College and Barrow 6th Form College recognises its duties under the Data Protection Act and this policy outlines the college’s responsibilities as a Data Controller and how individual staff members (Data Processors) fulfil those responsibilities. This policy also takes into account the requirements of the General Data Protection Regulations take effect from 25th May 2018.
The Data Protection Policy ensures that the College operates within the law and ensures that staff and students are aware of their rights and responsibilities in order to comply with the Data Protection Act.
The college aims to promote equality and diversity and is committed to safeguarding all learners and staff.
This policy does not form part of the formal contract of employment but it is a condition of employment that staff abide by college policies and procedures. Any failure to follow college policy may result in disciplinary action.
Data Protection Act 1998
1.1. The Data Protection Act 1998 came into force on 1 March 2000. It regulates the use of personal data and gives effect in UK law to the European Directive on data protection (95/46/EC). The Act covers manual and computerised records, and is concerned with the processing of personal information, that is information relating to living individuals. It works in two ways:
• Giving individuals (data subjects) certain rights
• Requiring those who decide how and why personal information is processed to be open about their use of the information and to comply with the data protection principles in their information handling practices.
1.2. There are eight data protection principles that are central to the Act. In brief, they say that personal data must be:
• processed fairly and lawfully
• processed for limited purposes and not in used in conflict with those purposes
• adequate, relevant and not excessive
• not kept for longer than is necessary
• processed in line with data subjects’ rights
• not transferred to countries that do not protect personal data
1.3. Examples of personal data likely to be covered by the Act are:
• Students enrolment records (name, address, date of birth etc)
• Class registers
• Student certificates
• Student progress records
• CCTV footage
• An email about any employee
• Details of an employee’s salary, whether stored manually or electronically
• Any notes or records kept by line managers
• A completed application form
1.4. Examples of information that is not covered by the Act are:
• Any reports where responses are anonymised, and cannot be traced back to individuals
Data in respect of public authorities, such as the College, is defined as “recorded information held by that authority”, of which personal data falls under the DPA and non-personal information under the FOI. Data can be in the form of computer records, written information, photographs, CCTV, voice recordings, non-electronic or un-filed records.
Data Controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Processor means any person (other than an employee of the data controller) who processes the data on behalf of the data controller
Personal information means information which relate to a living individual who can be identified and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive personal information means personal information relating to the subject’s racial or ethnic origin; political opinions; religious beliefs or other beliefs of a similar nature; membership of a trade union; physical or mental health or condition; sexual life; or any offence, alleged offence or proceedings disposal of such proceedings or the sentence of any court in such proceedings. Additional rules apply in relation to the disclosure of such data.
2.1. Compliance with the Data Protection Act is the responsibility of all staff. All staff must ensure that they follow the eight principles of the Data Protection Act, outlined at Section 1.2, of this Policy. All staff are responsible for ensuring that any personal data that they hold is kept secure and that no personal information is disclosed to any unauthorised third party(orally, in writing or electronically).
When not in use personal information should normally be kept in a locked filing cabinet drawer or if is stored electronically, either be password protected or kept on a storage device which is encrypted and kept securely.
Staff must not retain or use personal data for their own purposes.
Line managers have a responsibility for the type of personal data that they collect and hold relating to staff and should only use college recording processes.
In respect of their own personal information staff have a responsibility to ensure that any information that they provide in relation to their employment is accurate and up to date.
3.1. Notifying Individuals of Processing
Usually and where practicable, individuals are informed of how the college intends to use their personal information at the point where they release it to the college, for example in the form of a Privacy Statement on the enrolment form.
The college as an education and training provider has signed a data sharing protocol with the Educational and Skills funding Agency (ESFA) and the Higher Education Funding Council for England and Wales (HEFCE). The college may also be required to share information with other agencies and organisations. By submitting or signing the enrolment form, students are giving consent for the release on non-sensitive and specified sensitive information for the purposes of delivering education and training.
3.2. Processing Sensitive Personal Information
Sometimes it is necessary to process information about a person’s health, criminal convictions, race, gender and family details. This may be to ensure that the college is a safe place for everyone or to operate other college processes such as the Sickness Absence Policy or the Equality, Diversity and Inclusion Policy or to comply with the duties of the Children Act 2004 or Prevent duty.
Because the information is considered sensitive in the Act and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the college to do this. However offers of employment or course places may be withdrawn if an individual refuses to consent to this without good reason. Such instances will be made clear before processing commences.
3.3 Release of Personal Information
Depending on the type of request, there may be a legal or contractual requirement for the college to respond to requests for the release of personal information. Examples of such requests are:
• Sharing information with parents or carers
• Release of information to the police or courts
• Data sharing agreements with employers etc
All such request should either be agreed at the point of enrolment or be made specifically to the college Data Protection Officer.
3.4 Subject Access Requests
The Act grants individuals the right to make a Subject Access Request to have a copy of the information that an organisation holds about them, and to apply to a Data Controller to correct inaccurate information held about them.
Anyone wanting to make a Subject Access Request should do so by writing to the Data Protection Officer (DPO), who will then manage the process and report back with the results within one month of receiving the request. The DPO will monitor and manage compliance with all such requests.
3.5 Breaches of Data Protection
The college will take all necessary steps to prevent breaches of data protection. Any loss of personal information must be reported to the Data Protection Officer for an assessment of the cause, any potential impact on individuals and any ongoing risks associated with the breach. The Data Protection Officer will then decide on the necessary steps to be taken including:
• Informing appropriate people and organisations that a breach has occurred
• Notifying serious breaches to the Information Commissioners Office
• Implementing a recovery plan including damage limitation
• Reviewing and updating information security
3.6 Data Protection by Design
Data protection by design is an approach to projects that promotes privacy and data protection compliance from the start. All new projects, processes and systems created and adopted by the college should be designed with privacy in mind and will be subjected to a Privacy Impact Assessment. The reason for completion of the impact assessment will ensure that data protection is at the core of all major decisions that impact upon users of the college and its employees.
3.7 Retention and Disposal of Information
The college keeps a register of all sources of personal information that it requires to fulfil its business and legal obligations. Contained within the register against each entry is the reference to the period for which the college will hold the information and the date and manner in which it will be disposed of.
All personal information whether hard copy or electronic will be stored and disposed of in line with the Retention and Disposal of Data Policy. Hard copy will be treated as confidential waste and electronic information will be deleted in line with the policy.
4. Further Information
4.1. Reference should also be made to the Information Commissioners Office (ICO) Information Practices Code. A copy of this is available from the ICO website: www.ICO.org.uk
4.2. Further details regarding the Data Protection Act 1998 and General Data Protection Regulations can be found on the data protection website: https://www.gov.uk/data-protection
4.3. Furness College (and Barrow 6th Form College) as a corporate body is the data controller under the Data Protection Act
The designated Data Protection Officer will deal with all requests for information under the Data Protection Act. The College’s Data Protection Officer is the Deputy Principal Curriculum & Quality and all requests should be submitted in writing or via email at firstname.lastname@example.org or Furness College, Channelside, Barrow-in-Furness, Cumbria LA14 2PJ.