London Brookes College Policies and Procedures
1.1 Purpose & Scope
This policy covers all London Brooks College (LBC) activities and processes in which personal data is used, whether in electronic or hard copy form.
This policy applies to all members of the LBC including staff, students and others acting for, or on behalf of, the LBC or who are otherwise given access to the LBC’s information infrastructure.
This policy takes precedence over any other LBC policy on matters relating to data protection.
1.2 The Data Protection Act [DPA]
General Data Protection Regulation (GDPR), UK Data Protection Act, 2018 (DPA), which significantly extends the scope of data protection law. To comply with the law information must be collected and used fairly, stored safely and not disclosed to any person unlawfully.
Data held in electronic form continues to be covered by the new Act. However, manual files structured to enable specific information about a particular individual to be readily accessible will now also be caught and be regarded as “relevant filing systems”. Card index files, concertinas, files and ring binders containing information about individuals and arranged or divided, for example alphabetically, are covered by the Act.
The legislation compels the LBC to take specific measures to ensure that all information [personal data] held about living individuals, held in a “relevant filing system”, is processed according to the eight data protection principles.
2.1 The main obligations
The LBC has two principal obligations under the new law:
- Not to process data until it has registered with the Office of the Data Protection Commissioner. The registration process is known as Notification.
- To comply with the eight data protection principles set out in the new Act, which govern how data should be processed, how they should be updated, and the rights of the individuals whose data are held.
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Example 1 of the 2018 Act is met or in the case of sensitive personal data, at least one of the conditions in Example 2 of the 2018 Act is also met [See Appendix A].
- Personal data shall be obtained only for one or more specific and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up-to-date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
2.2 Notification of data held and processed
Notification is the process by which the LBC [the data controller] informs the Data Protection Commissioner about the processing of personal data carried out by the Centre. Once the LBC has ‘notified’, the information about our LBC is then made available in a public register. Notification is a statutory requirement and failure to do so is a criminal offence.
The notification period is for one year and the LBC will have to renew its register entry annually, otherwise it will expire. We will be informed in writing just before the expiry date of our register entry.
Once the LBC has ‘notified’ we must keep the notification up to date. If any part of the register entry becomes inaccurate or incomplete the LBC must take action to notify changes within 28 days of the event. The Data Protection Officer should be contacted if a change in any register entry is required.
2.3 Rights of access to information
The principal purpose of ‘notification’ and the public register is transparency and openness. It is a basic principle of data protection that the public should know or be able to find out who is carrying out processing of personal data.
All staff, students and other users are entitled to know:
- what information the LBC holds and processes about them and why
- how to gain access to it
- how to keep it up to date
- what the LBC is doing to comply with its obligations under the 2018 Act.
We must be prepared to answer the following kind of query:
- Do you hold data about me?
- Please supply copies of all data you hold about me
- For what purpose do you hold data about me?
- To whom do you disclose data about me?
Staff, students and other users of the LBC have the right to access any personal data that is being kept about them either on a computer or in any ‘relevant filing system’.
The LBC aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 40 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.
There are a number of exceptions where exemptions from the Act apply. One such exemption is that of personal references. A data subject does not have the right to obtain from the LBC the details of a confidential reference that we have given. In the case where we have received a reference from a third party regarding a data subject, we can disclose this information if it was deemed reasonable to do so, but we may decide to seek consent from the third party who provided the reference.
2.3.2 Third party access to information
Under normal circumstances, third party access to an individual’s personal information would not be permitted. The LBC in this instance would not be processing the personal data of the student/staff member fairly and lawfully in supplying information to a third party [Data Protection Principle 1].
However, if the third party was in fact the police, the LBC could disclose information about a data subject if we were satisfied that by withholding information we were likely to prejudice a criminal investigation. To comply with the Act we should not provide information to the police if there is no indication from the police as to why they wanted the information.
2.4 Data Subject Consent
A data subject is an individual who is the subject of personal data held by the LBC and can include students and staff.
The LBC can only hold and process certain classes of data with the consent of the individual. The Act distinguishes between ‘ordinary personal data’ such as name, address and telephone number and ‘sensitive personal data’ including information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal convictions. Under the new 2018 Act the processing of such data is subject to much stricter conditions.
If the data are ‘sensitive’ then express consent to hold and process the data must be obtained, which normally means consent in writing.
In our case, the standard LBC Learning Agreement acts as a ‘consent’ form and by signing the form the student gives ‘express’ consent for us to hold and process the sensitive data collected on the form.
As for LBC staff it is a condition of employment that they agree to the LBC holding and processing personal data including information about previous criminal convictions.
Therefore, all prospective staff and students will be asked to sign a ‘Consent To Process’ form of some kind, regarding particular types of information, when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.
The LBC will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The LBC will only use the information in the protection of the health and safety of the individual but will need consent to process in the event of a medical emergency, for example.
Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. The LBC has a duty under the Children’s Act and other enactments to ensure that staff are suitable for the job, and students for the courses offered. The LBC also has a duty of care to all staff and students and must, therefore, make sure that employees and those who use the LBC facilities do not pose a threat or danger to other users.
Responsibilities of staff and students
The purpose of this section is to make all staff and students aware of their responsibilities towards all personal data held by the LBC and to indicate the practical steps to be taken to comply with the act.
3.1 Staff Responsibilities
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the LBC. Any failure to follow the policy can therefore result in disciplinary proceedings.
Regarding the processing of personal data by the LBC, staff should ensure that any data which it is proposed to process are covered by the LBC’s notification under the Data Protection Act 2018. The processing of personal data that have not been ‘notified’ is a criminal offence. To help staff, the LBC will provide copies of the centre’s ‘notifications’ under the DPA.
All staff are responsible for checking that any information they provide to the LBC in connection with their employment is accurate and up to date and that any changes at a later date are notified.
All staff are responsible for checking the accuracy of the information held and keeping this information up to date.
Any member of staff, who considers that the policy has not been followed in respect of personal data about themselves, should raise the matter with the designated data controller initially. If the matter is not resolved it should be raised as a formal grievance.
Staff are responsible for ensuring that any person from whom personal data are obtained is not deceived or misled as to the purpose for which such data are held, used or disclosed. Staff must ensure that an indication of the purpose[s] appears on any form used to collect data, and where necessary, an explanation as to why the data are being collected. No unfair pressure should be used to obtain any personal data.
3.2 Student Responsibilities
Students must ensure that all personal data provided to the LBC are accurate and up to date. They must ensure that changes of address etc. are notified to the appropriate person, normally their tutor. Students who use the LBC computer facilities may, from time to time, process personal data. If they do, they must notify their personal tutor, who will notify the data controller. Any student who requires further clarification about this should contact their personal tutor, who will liaise with the Data Controller/Data Protection Officer.
Data Security
All staff should observe strict control of all databases of information [computerised or manual] on living individuals, whether they be staff, students, members of the public, suppliers, customers etc. The LBC must ‘notify’ all relevant filing systems and databases or it could face legal action.
Failure of any member of staff to inform LBC management of the existence of a database or manual filing system could result in disciplinary action.
The holding of a Centre-related database outside the LBC also falls within these restrictions. The removal of Centre-related personal data on a computer to off-site locations or the holding of Centre-related personal data on a computer outside LBC will only be permitted in strictly controlled circumstances. It is not permitted to hold any Centre-related data off-site on a computer or other “relevant filing system” without prior approval from LBC management.
Great care must be taken not to disclose personal data either intentionally or accidentally.
This can be helped by:
- Only allowing authorised access to computers [i.e. by not disclosing passwords]
- Switching off [or logging off] computer systems when you are not using them
- Keeping doors to rooms containing manual filing systems or computerised databases locked, when not in use
- Preventing unauthorised information being obtained from computer screens
- Not disclosing personal information over the telephone without following established procedures
- Only disclosing personal information to which an individual is entitled after first verifying the true identity of the person requesting the information
- Ensuring proper disposal of waste materials such as computer printouts containing personal data
- Not removing any data/information from the LBC without prior authorisation
- Not storing/processing certain personal data on individuals unless it is absolutely required.
Before processing any personal data, all staff should consider the following checklist:
- Do you really need to record the information?
- Is the information ‘standard’ or ‘sensitive’?
- If it is sensitive, do you have the data subject’s express consent?
- Has the data subject been told that this type of data will be processed?
- Are you authorised to collect/store/process the data?
- Have you checked with the data subject that the data is accurate?
- Are you sure that the data is secure?
- If you do not have the data subject’s consent to process, are you satisfied that it is in the best interest of the student/staff member to collect and retain the data?
- Have you informed the designated data controller for the LBC that you are storing this kind of information in a ‘relevant filing system’?
The Data Controller and the Designated Data Controller/s
The LBC as a body corporate is the data controller under the Act, and the Board is therefore ultimately responsible for implementation. However, the designated data controllers will deal with day-to-day matters.
The designated data controller for LBC is Mr Cillian Logue [Data Protection Officer].
Examination Marks
Students will be entitled to information about their marks for both coursework and examinations. However, this may take longer than other information to provide. The LBC may decide to withhold certificates, accreditation or references in the event that full course fees have not been paid, or all books and equipment returned to the LBC.
Retention of Data
The LBC will keep some forms of information for longer than others. Because of storage problems, information about students cannot be kept indefinitely, unless there are specific requests to do so. In general information about students will be kept for a maximum of 7 years after they leave the LBC.
This will include
- name and address
- academic achievements, including marks for coursework and
- copies of any reference written.
All other information, including any information about health, race or disciplinary matters will be destroyed within 5 years of the course ending and the student leaving the LBC.
The LBC will need to keep information about staff for longer periods of time. In general, all information will be kept 5 years after a member of staff leaves the LBC. Some information, however, will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment and information required for job references.
Third Party Processing
If we use a third party data controller to process data on behalf of the LBC we must ensure that the controller complies with the data protection act. This would apply to subsidiary trading companies and franchise partners. We must obtain sufficient guarantees in respect of the processor’s security measures and take reasonable steps to ensure compliance with those measures. We must ensure that the third party ‘processor’ is subject to a written contract with the LBC.
Transfer of information outside the European Economic Area
The LBC will not transfer data outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. For instance the United States has no Data Protection Act but individual ‘US’ companies can sign up to the “safe harbour” scheme guaranteeing data protection.
10.1 CCTV Footage
Images of people captured by the CCTV systems operated by LBC fall under the Data Protection Act. As with standard data people can request to see CCTV footage where their image has been captured and is stored by the LBC.
10.2 Security of CCTV Footage
It is LBC policy that access to CCTV controls and images be physically secure and actual access to CCTV footage be limited to certain senior managers within the centre.
10.3 Requests to access CCTV footage
In the instance where a person requests to see CCTV footage they must limit the request to a certain time slot within a one hour period and will only be entitled to view footage where they personally appear. In certain circumstances it may be required to seek the approval of third parties where people other than the person requesting access also appear in the footage. This may hold up the process of providing access to CCTV footage considerably.
Where an incident has been reported and it occurred in view of CCTV systems [e.g. it is suspected that crime has taken place in view of CCTV cameras] the CCTV footage in question will be viewed under controlled circumstances by at least two members of staff with authority to view CCTV Footage and operate the system. Where it is felt appropriate and where systems permit a copy of the incident footage will be made and passed to an appropriate member of the senior management team who will then be able to take appropriate action.
The introduction of the new data protection law has forced the LBC to review the way in which data is processed.
One of the purposes of this Policy is to ensure that a proper ‘action’ is taken to comply with the new requirements, which covers the following:
- To ensure that the LBC gives proper notification and is registered correctly
- To identify the manual records currently held and their contents, and determine which are likely to be caught by the new act
- To establish how data are collected, and what ‘consents’ are obtained, particularly in the case of ‘sensitive’ data
- To review the security arrangements of third party processors such as franchise partners, and make sure that written contracts with them are put in place
- To remind employees of the data protection principles and make sure they are adhered to.
Compliance with the GDPR Act is the responsibility of all members of the College. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to LBC facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated data controller.
Document Retention and Data Policy
Introduction to the policy
London Brooks College Data retention policy sets out what information London Brooks College (LBC) holds, how long we hold it for and when it will be deleted.
The LBC needs to keep certain information about its employees, learners and other users to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that courses can be organised and legal obligations to funding bodies and government are complied with. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the LBC must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act) and revisions.
The LBC and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the LBC has developed the Data Protection Policy. See GDPR Policy above.
NOTIFICATION OF DATA HELD AND PROCESSED
All staff and learners and other users are entitled to:
- know what information the LBC holds and processes about them and why
- know how to gain access to it
- know how to keep it up to date
- know what the LBC is doing to comply with its obligations under the 1998 Act and its revisions
The LBC will therefore provide all staff and learners and other relevant users with a standard form of notification. This will state all the types of data the LBC holds and processes about them, and the reasons for which it is processed.
Learners must ensure that all personal data provided to the LBC is accurate and up to date. They must ensure that changes of address, etc. are notified to the learner registration office/other person as appropriate.
HOW LONG IS PERSONAL DATA HELD FOR?
We aim not to hold personal data longer than necessary. Unless requested by an individual, the following types of data will be held for the periods shown below, after which it will be securely deleted or destroyed:
TYPE OF INFORMATION
Client general records
Financial transactions, invoices and supplier details
Employee records, contracts of employment, changes to terms and conditions, annual leave, training records
While employment continues and up to 6 years after
Employer Financial transactions
One year from the end of the month in which they were received or sent unless a longer period is relevant as above. Emails to and from ex-employees or contractors will be deleted within 6 weeks of them leaving unless these form part of the employment record – see above.
HOW IS PERSONAL DATA DELETED?
Personal data is permanently deleted in accordance with the retention periods listed above from:
Paper records, which are securely shredded.
Learner Information Retention Schedule
AEB learners and ESF beneficiaries: Documentary records and data required by the ILR funding methodology will be retained until 31st December 2030.
Higher Education students, ESFA 16-19 learners and Advanced Learner Loans learners: Documentary records and data required by the ILR funding methodology will be retained for 7 years after the end of the academic year of the funding claim or loan payment.
Non-funded learners: Documentary records and data required by the ILR funding methodology will be retained for 7 years after the end of the academic year of the course.
All learners: The personal data required by the ILR funding methodology previously referred to includes the following data: Name, gender, date of birth, ethnicity, learning difficulties and/or disabilities, National Insurance number, Unique Learner Number, address, country of domicile, telephone number, email address, EHCP, GCSE Maths & English grades, employment status, learner support reason(s).
Also required for audit purposes but not included in the ILR are the following data: UCI candidate reference, Additional Learning Support details, qualifications on entry,
Personal data held in Unit-e that is not required in the ILR claims or for statistical purposes will be deleted from the electronic record in the spring term following the academic year that the learner leaves College. This data includes details such as medical details, next of kin details, and the personal photograph.
Personal data held in Unit-e that is not required in the ILR claims but is valuable for statistical purposes will be deleted from the electronic record in the spring term following the academic year that the learner leaves College, with an anonymised data set being retained. This data includes details such as sexual orientation, religious beliefs, previous school, and how they heard about the College.
Check and clear down/deletion of student enrolment records where there are no enrolments, no uncommitted enrolments and the record was created on a date that precedes course setup, will be carried out by MIS in the Spring term of the year to which the record refers. Check and clear down/deletion of student Additional Learning Support records where there are no enrolments, no uncommitted enrolments and the record was created on a date that precedes course setup, will be carried out by MIS in the Spring term of the year to which the record refers.
Personal data held on online portfolios about learners who have left the College will be retained for the following academic year, and then deleted during the following spring term. This delay is in order to assist staff to respond to any requests for references. Data relating to the Conduct and Performance and Cause for Concern processes will be retained in an anonymised data set after this deletion.
All current year student related paperwork is held in staff-only offices that are locked when the office is unoccupied. Within these offices the paperwork is kept in cabinets which are locked outside working hours. Student and applicant paperwork from previous years is kept in a secure locked facility on the College premises, in boxes marked with their date of destruction. At the end of the period of retention, applicant and student paperwork will be securely destroyed.
It is essential that any documents which are to be disposed of and contain confidential or personal data are disposed of in a secure manner, shredding of the document being an obvious approach, in order to prevent breaches of confidence, the Data Protection Act 1998, or the General Data Protection Regulations. Documents other than those containing confidential or personal data may be disposed of by binning, recycling, deletion (in the case of electronic documents), and the transfer of documents to external bodies. Records of disposal will be maintained by each service area, and will detail the document disposed of, the date and the officer who authorised the document’s disposal.
What are ‘cookies’?
‘Cookies’ are small text files that are stored by the browser (e.g. Internet Explorer or Safari) on your computer or mobile phone. They allow websites to store such things as user preferences. You can think of cookies as providing a “memory” for the website, enabling it to recognise a user and respond appropriately.
Every time a user visits our website, web analytics software provided by a third party generates an anonymous analytics cookie. These cookies can tell us whether you have visited the site before.
Your browser will tell us if you have these cookies, and if you do not, we generate new ones. This allows us to track how many individual unique users we have, and how often they visit the site.
Unless you are signed in, these cookies cannot be used to identify individuals; they are used for statistical purposes only. If you are logged in, we will also know the details you gave to us for this, such as username and email address.
When you register with us, we generate cookies that signal whether you are signed in or not. Our servers use these cookies to work out which account you are signed in with, and if you are allowed access to a particular service. Your cookies get deleted when you either close your browser or shut down your computer.
Third party cookies
Third parties may also set their own anonymous cookies, for the purposes of tracking the success of their application or customising the application for you. Because of how cookies work, we cannot access these cookies, nor can the third parties access the data in cookies used by us.
For example, when you share a news article using a social media sharing button on our website, the social network that has created the button will record that you have done this.
How do I turn cookies off on my browser?
It is usually possible to stop your browser from accepting cookies or to stop it accepting cookies from a particular website. For example, we cannot tell if you are signed in without using cookies, so you would not be able to place orders.
All modern browsers allow you to change your cookie settings. These settings will typically be found in the ‘options’ or ‘preferences’ menu of your browser. To understand these settings, the following links may be helpful, otherwise, you should use the ‘Help’ option in your browser for more details.
If you are primarily concerned about third party cookies generated by advertisers, you can turn these off by going to the Your Online Choices site. You can also visit the trade body representing these advertising platforms for more information: Network Advertising Initiative.
They have provided a one-stop place that gathers all the opt-out controls: http://networkadvertising.org/managing/opt_out.asp
If you would like to find out more about cookies and their use on the Internet, you may find the following links useful:
All about cookies
The IAB has provided the following website to give information specifically about privacy issues around Internet advertising:
For further legal information about privacy issues, you may find these links useful:
If you have any matters relating to your data, security or our policies, please get in touch.