1.1 Purpose & Scope
This policy covers all London Brooks College (LBC) activities and processes in which personal data is used, whether in electronic or hard copy form.
This policy applies to all members of the LBC including staff, students and others acting for, or on behalf of, the LBC or who are otherwise given access to the LBC’s information infrastructure.
This policy takes precedence over any other LBC policy on matters relating to data protection.
1.2 The Data Protection Act [DPA]
The General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) significantly extend the scope of data protection law. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any person unlawfully.
Data held in electronic form continues to be covered by the new Act. However, manual files structured to enable specific information about a particular individual to be readily accessible will now also be caught and be regarded as “relevant filing systems”. Card index files, concertinas, files and ring binders containing information about individuals and arranged or divided, for example alphabetically, are covered by the Act.
The legislation compels the LBC to take specific measures to ensure that all information [personal data] held about living individuals, held in a “relevant filing system”, is processed according to the eight data protection principles.
2.1 The main obligations
The LBC has two principal obligations under the new law:
- Not to process data until it has registered with the Office of the Data Protection Commissioner. The registration process is known as Notification.
- To comply with the eight data protection principles set out in the new Act, which govern how data should be processed, how they should be updated, and the rights of the individuals whose data are held.
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Example 1 of the 2018 Act is met or in the case of sensitive personal data, at least one of the conditions in Example 2 of the 2018 Act is also met [See Appendix A].
- Personal data shall be obtained only for one or more specific and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
2.2 Notification of data held and processed
Notification is the process by which the LBC [the data controller] informs the Data Protection Commissioner about the processing of personal data carried out by the LBC. Once the LBC has ‘notified’, the information about the LBC is then made available in a public register. Notification is a statutory requirement and failure to do so is a criminal offence.
The notification period is for one year and the LBC will have to renew its register entry annually otherwise it will expire. We will be informed in writing just before the expiry date of our register entry.
Once the LBC has ‘notified’ we must keep the notification up to date. If any part of the register entry becomes inaccurate or incomplete the LBC must take action to notify changes within 28 days of the event. The Data Protection Officer should be contacted if a change in any register entry is required.
2.3 Rights of access to information
The principal purpose of ‘notification’ and the public register is transparency and openness. It is a basic principle of data protection that the public should know, or be able to find out, who is carrying out processing of personal data.
All staff, students and other users are entitled to know:
- what information the LBC holds and processes about them and why
- how to gain access to it
- how to keep it up to date
- what the LBC is doing to comply with its obligations under the 2018 Act.
We must be prepared to answer the following kinds of query:
- Do you hold data about me?
- Please supply copies of all data you hold about me
- For what purpose do you hold data about me?
- To whom do you disclose data about me?
Staff, students and other users of the LBC have the right to access any personal data that is being kept about them either on a computer or in any ‘relevant filing system’.
The LBC aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.
There are a number of exceptions where exemptions from the Act apply. One such exemption is that of personal references. A data subject does not have the right to obtain from the LBC the details of a confidential reference that we have given. In the case where we have received a reference from a third party regarding a data subject, we can disclose this information if it was deemed reasonable to do so, but we may decide to seek consent from the third party who provided the reference.
2.3.2 Third party access to information
Under normal circumstances, third party access to an individual’s personal information would not be permitted. The LBC in this instance would not be processing the personal data of the student/staff member fairly and lawfully in supplying information to a third party [Data Protection Principle 1].
However, if the third party was in fact the police, the LBC could disclose information about a data subject if we were satisfied that by withholding information we were likely to prejudice a criminal investigation. To comply with the Act we should not provide information to the police if there is no indication from the police as to why they wanted the information.
2.4 Data Subject Consent
A data subject is an individual who is the subject of personal data held by the LBC and can include students and staff.
The LBC can only hold and process certain classes of data with the consent of the individual. The Act distinguishes between ‘ordinary personal data’ such as name, address and telephone number and ‘sensitive personal data’ including information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal convictions. Under the new 2018 Act the processing of such data is subject to much stricter conditions.
If the data are ‘sensitive’ then express consent to hold and process the data must be obtained, which normally means consent in writing.
In our case, the standard LBC Learning Agreement acts as a ‘consent’ form and by signing the form the student gives ‘express’ consent for us to hold and process the sensitive data collected on the form.
As for LBC staff, it is a condition of employment that they agree to the LBC holding and processing personal data, including information about previous criminal convictions.
Therefore, all prospective staff and students will be asked to sign a ‘Consent To Process’ form of some kind, regarding particular types of information, when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.
The LBC will also ask for information about particular health needs, such as allergies to particular forms of medication, or conditions such as asthma or diabetes. The LBC will only use the information to protect the health and safety of the individual, but will need consent to process it, for example in the event of a medical emergency.
Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. The LBC has a duty under the Children’s Act and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The LBC also has a duty of care to all staff and students and must, therefore, make sure that employees and those who use the LBC facilities do not pose a threat or danger to other users.
3 Responsibilities of staff and students
The purpose of this section is to make all staff and students aware of their responsibilities towards all personal data held by the LBC and to indicate the practical steps to be taken to comply with the act.
3.1 Staff Responsibilities
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the LBC. Any failure to follow the policy can therefore result in disciplinary proceedings.
Regarding the processing of personal data by the LBC, staff should ensure that any data which it is proposed to process are covered by the LBC’s notification under the Data Protection Act 2018. The processing of personal data that have not been ‘notified’ is a criminal offence. To help staff, the LBC will provide copies of the LBC’s ‘notifications’ under the DPA.
All staff are responsible for checking that any information they provide to the LBC in connection with their employment is accurate and up to date and that any changes at a later date are notified.
All staff are responsible for checking the accuracy of the information held and keeping this information up to date.
Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the designated data controller initially. If the matter is not resolved, it should be raised as a formal grievance.
Staff are responsible for ensuring that any person from whom personal data are obtained is not deceived or misled as to the purpose for which such data are held, used or disclosed. Staff must ensure that an indication of the purpose[s] appears on any form used to collect data and, where necessary, an explanation as to why the data are being collected. No unfair pressure should be used to obtain any personal data.
3.2 Student Responsibilities
Students must ensure that all personal data provided to the LBC are accurate and up to date. They must ensure that changes of address, etc., are notified to the appropriate person, normally their tutor. Students who use the LBC computer facilities may, from time to time, process personal data. If they do, they must notify their personal tutor, who will notify the data controller. Any student who requires further clarification about this should contact their personal tutor, who will liaise with the Data Controller/Data Protection Officer.
4 Data Security
All staff should observe strict control of all databases of information [computerised or manual] on living individuals, whether they be staff, students, members of the public, suppliers, customers etc. The LBC must ‘notify’ all relevant filing systems and databases or it could face legal action.
Failure of any member of staff to inform LBC management of the existence of a database or manual filing system could result in disciplinary action.
The holding of an LBC-related database outside the LBC also falls within these restrictions. The removal of LBC-related personal data on a computer to off-site locations, or the holding of LBC-related personal data on a computer outside the LBC, will only be permitted in strictly controlled circumstances. It is not permitted to hold any LBC-related data off-site on a computer or other “relevant filing system” without prior approval from LBC management.
Great care must be taken not to disclose personal data either intentionally or accidentally.
This can be helped by:
- Only allowing authorised access to computers [i.e. by not disclosing passwords]
- Switching off [or logging off] computer systems when you are not using them
- Keeping doors to rooms containing manual filing systems or computerised databases locked, when not in use
- Preventing unauthorised information being obtained from computer screens
- Not disclosing personal information over the telephone without following established procedures
- Only disclosing personal information to which an individual is entitled after first verifying the true identity of the person requesting the information
- Ensuring proper disposal of waste materials such as computer printouts containing personal data
- Not removing any data/information from the LBC without prior authorisation
- Not storing/processing certain personal data on individuals unless it is absolutely required.
Before processing any personal data, all staff should consider the following checklist:
- Do you really need to record the information?
- Is the information ‘standard’ or ‘sensitive’?
- If it is sensitive, do you have the data subject’s express consent?
- Has the data subject been told that this type of data will be processed?
- Are you authorised to collect/store/process the data?
- Have you checked with the data subject that the data is accurate?
- Are you sure that the data is secure?
- If you do not have the data subject’s consent to process, are you satisfied that it is in the best interest of the student/staff member to collect and retain the data?
- Have you informed the designated data controller for the LBC that you are storing this kind of information in a ‘relevant filing system’?
5 The Data Controller and the Designated Data Controller/s
The LBC as a body corporate is the data controller under the Act, and the Board is therefore ultimately responsible for implementation. However, the designated data controllers will deal with day-to-day matters.
The designated data controller for LBC is Mr Cillian Logue [Data Protection Officer].
6 Examination Marks
Students will be entitled to information about their marks for both coursework and examinations. However, this may take longer than other information to provide. The LBC may decide to withhold certificates, accreditation or references in the event that full course fees have not been paid, or all books and equipment returned to the LBC.
7 Retention of Data
The LBC will keep some forms of information for longer than others. Because of storage problems, information about students cannot be kept indefinitely, unless there are specific requests to do so. In general information about students will be kept for a maximum of 7 years after they leave the LBC.
This will include:
- name and address
- academic achievements, including marks for coursework and
- copies of any reference written.
All other information, including any information about health, race or disciplinary matters will be destroyed within 5 years of the course ending and the student leaving the LBC.
The LBC will need to keep information about staff for longer periods of time. In general, all information will be kept 5 years after a member of staff leaves the LBC. Some information, however, will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment and information required for job references.
8 Third Party Processing
If we use a third party data controller to process data on behalf of the LBC, we must ensure that the controller complies with the Data Protection Act. This would apply to subsidiary trading companies and franchise partners. We must obtain sufficient guarantees in respect of the processor’s security measures and take reasonable steps to ensure compliance with those measures. We must ensure that the third party ‘processor’ is subject to a written contract with the LBC.
9 Transfer of information outside the European Economic Area
The LBC will not transfer data outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. For instance, the United States has no Data Protection Act, but individual ‘US’ companies can sign up to the “safe harbour” scheme guaranteeing data protection.
10.1 CCTV Footage
Images of people captured by the CCTV systems operated by the LBC fall under the Data Protection Act. As with other personal data, people can request to see CCTV footage where their image has been captured and is stored by the LBC.
10.2 Security of CCTV Footage
It is LBC policy that access to CCTV controls and images is physically secure and that access to CCTV footage is limited to certain senior managers within the LBC.
10.3 Requests to access CCTV footage
Where a person requests to see CCTV footage, they must limit the request to a certain time slot within a one-hour period and will only be entitled to view footage where they personally appear. In certain circumstances it may be necessary to seek the approval of third parties where people other than the person requesting access also appear in the footage. This may hold up the process of providing access to CCTV footage considerably.
Where an incident has been reported and it occurred in view of CCTV systems [e.g. it is suspected that a crime has taken place in view of CCTV cameras], the CCTV footage in question will be viewed under controlled circumstances by at least two members of staff with authority to view CCTV footage and operate the system. Where it is felt appropriate, and where systems permit, a copy of the incident footage will be made and passed to an appropriate member of the senior management team, who will then be able to take appropriate action.
The introduction of the new data protection law has required the LBC to review the way in which data are processed.
One of the purposes of this Policy is to ensure that proper action is taken to comply with the new requirements, which covers the following:
- To ensure that the LBC gives proper notification and is registered correctly
- To identify the manual records currently held and their contents, and determine which are likely to be caught by the new act
- To establish how data are collected, and what ‘consents’ are obtained, particularly in the case of ‘sensitive’ data
- To review the security arrangements of third party processors such as franchise partners, and make sure that written contracts with them are put in place
- To remind employees of the data protection principles and make sure they are adhered to.
Compliance with the GDPR Act is the responsibility of all members of the College. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to LBC facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated data controller.