Data Protection Policy

1.1 Queen Margaret University (QMU) is committed to protecting personal information and the rights of individuals in line with our obligations under data protection law (including the UK General Data Protection Regulations (UKGDPR) and Data Protection Act 2018 (DPA)).

1.2 This policy sets out the obligations of QMU to ensure all employees, visitors, students and other third parties are aware of their duties under this policy and the legislative requirements.

1.3 This policy applies to the processing of all personal data by, and on behalf of, the University.

1.4 Annex A contains definitions of key terms.

2.1 We have appointed a Data Protection Officer (DPO). Any questions about this policy should be directed to the DPO.

2.2 Contact Details: Cara Dickson, Legal Adviser and Data Protection Officer, dataprotection@qmu.ac.uk.

3.1 This policy applies to all employees, students, contractors and workers.

3.2 It is a condition of employment that all employees abide by QMU policies and procedures.

3.3 It is a condition of the student contract that all students abide by QMU policies.

3.4 Any breach of this policy may result in disciplinary action.

4.1 When processing personal data, QMU acts as both a controller and a processor of personal data. In both roles, it must adhere to the following data protection principles:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

5.1 We will only process personal data where we have a lawful basis for doing so. We will take into account any additional conditions for processing special category personal data.

5.2 We will handle personal data fairly and in a way that a data subject would reasonably expect.

5.3 We will be clear, open, and honest with data subjects about how we intend to use their personal data.

6.1 We will be clear from the start of the processing what the purpose of processing the personal data is.

6.2 Personal data will only be used for a new purpose where it is compatible with the original purpose, we have consent, or we have a clear legal obligation.

6.3 We will clearly set out any purposes for processing personal data in our privacy statements.

7.1 Personal data will only be collected where it is needed for the specified purpose.

7.2 We commit to regularly reviewing any personal data we hold and deleting it where it is no longer needed.

7.3 Personal data will be anonymised or pseudonymised where appropriate to prevent the identification of individuals where this is not necessary. Data Protection legislation does not apply to anonymised data.

8.1 As far as possible, the personal information we process is accurate and up to date.

8.2 Where an inaccuracy is identified the personal data will be corrected as soon as reasonable. Where appropriate, inaccurate data will be deleted.

9.1 We will only retain personal data for as long as necessary and in line with the QMU Retention Schedule. Any destruction of personal data will be done securely.

9.2 Personal data may be kept for longer in exceptional circumstances. Where this is the case, the reason will be clearly recorded and the personal data clearly identified.

10.1 We will implement physical and technical measures to protect the confidentiality and integrity of the personal data we process.

10.2 Additional security measures will be applied to special category data and any personal data which is sensitive.

10.3 Personal data will not be removed from QMU premises without permission. Personal data processed in the course of work duties or research must be stored on QMU systems and not on personal devices or personal emails.

10.4 We commit to regularly reviewing our security measures to ensure they are in line with most recent technology and best practice.

11.1 QMU Senior Leadership Team commits to complying with data protection legislation and principles and ensuring compliance throughout the University.

11.2 We will put in place the following organisational measures to demonstrate accountability:

• Appointment of a DPO.
• Adoption and implementation of this Data Protection Policy .
• Taking a data protection by design and default approach to all of our processing activities.
• Ensuring written contracts are in place with our processors and joint controllers.
• Recording and reporting data breaches.
• Carrying out DPIAs for any new high risk processing activity.
• Providing up to date training and guidance for staff.

12.1 Individuals have certain rights as regards their personal data, including:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object 
• Rights related to automated decision making, including profiling.

12.2 We will appropriately manage and process any rights requests and ensure the rights of individuals are upheld.

Roles and responsibilities of staff, contractors, students and other third parties under this Policy are set out below:

13.1 All staff and contractors of QMU are responsible for the protection of personal information and are bound by the responsibilities in this policy. Staff are expected to be aware of this policy and their responsibilities and ensuring their knowledge is up to date through completion of the relevant data protection training. Staff must report to the DPO:

• Personal data breaches, near misses, or unauthorised disclosure.
• Rights request, including Subject Access Requests.
• Any new processing activities likely to result in high risk to the rights and freedoms of individuals.
• New and revised data sharing agreements, especially where data is being transferred outside of the EEA.
• Retention periods of personal data.
• Contracts with third parties which involve the disclosure of personal data.
• Activities involving automated processing, profiling or automated decision making.
• Help complying with the relevant law with direct marketing activities.

13.2 All students are bound by this policy where they process personal data during their studies. QMU is the controller of the personal data processed by students during their studies. All students must be aware of their responsibilities under this policy.

13.3 All staff and students engaged in processing personal data as part of a research project will follow the correct Research Ethics processes to ensure personal data is handled appropriately.

13.4 The DPO is primarily responsible for compliance with the DPA and the UK GDPR. They are responsible for advising senior management on privacy and data protection. They will ensure this policy is reviewed regularly and any accompanying processes, procedures and training are kept up to date.

13.5 The Senior Leadership Team is responsible for ensuring the appropriate resourcing of privacy and data protection at QMU and that the commitments in this policy are met.

This document will be reviewed annually and approved by the QMU Senior leadership team.