Data Protection Policy
Important Notice
This policy sets out the basic standards regarding the processing of personal data by you in the course of your work for, or study at, Queen Margaret University. It is extremely important that you read this policy and comply with it: non-compliance may constitute a disciplinary offence. This policy will be updated and amended from time to time. You will be notified of changes and a copy will be made available on the intranet.
- Policy Owner: University Secretary
- Approved By: GDPR Steering Group
- Date of Issue: April 2018
- Review Period: Annually or in response to legislative updates.
- Date of last review: May 2021
- Date of last update: May 2021
- Approval of Update: Information Security Strategy Group
- Data Classification: Open
1. Introduction
1.1 Who we are - This Policy sets out how Queen Margaret University (“we”, “our”, “us”, the “Organisation”) handles the Personal Data of our students, customers, suppliers, employees, workers and other third parties.
1.2 Application of this Policy - This Policy applies to all staff and students. You must read, understand and comply with this Policy and attend training on its requirements as required. This Policy sets out what we expect from you in order for Queen Margaret University to comply with Data Protection Law. Your compliance with this Policy is mandatory. Related Policies and Guidelines are available to help you interpret and act in accordance with this Policy. You must also comply with all such Related Policies and Guidelines. Any breach of this Policy may result in disciplinary action.
1.3 Definitions - Capitalised terms have the meanings given to them in the Glossary contained in Appendix 1.
2 Why is data protection compliance important?
2.1 The correct and lawful treatment of Personal Data will maintain confidence in the University, will provide for successful business operations, and will maintain the reputation of the Organisation. As importantly, it also protects the individual Data Subjects, whose Personal Data we Process, from harm. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. If the University fails to comply with Data Protection Law, it may be subject to substantial sanctions, including orders to suspend Processing, potential fines of up to EUR20 million (approximately £18 million) and reputational damage.
3 Scope
3.1 Personal Data - This Policy applies to all Personal Data we Process (or that a third party Processes on our behalf) regardless of the media on which that data is stored or whether it relates to past or present employees, students, workers, customers, clients or supplier contacts, website users, and members of the public whose Personal Data we Process.
Explanatory Note: The concept of Personal Data is explained in more detail in Appendix 1 but it is important to understand that Personal Data concerns information about individuals – not companies or other legal entities – although information about individuals within those companies and legal entities will be their Personal Data. It is also important to understand that Personal Data is not restricted to information about the personal/home lives of individuals. Information about individuals acting in a work or official capacity may also be Personal Data.
Processing is very widely defined to include all operations relating to Personal Data. This includes all activity from the point of collection to the point of destruction/erasure. Even the mere holding or storage of Personal Data is Processing and, therefore, a regulated activity under Data Protection Law.
3.2 Data protection responsibilities - All individual departments are responsible for ensuring all staff and students comply with this Policy. If you have management responsibility for staff, you are expected to regularly review all the systems, processes and procedures under your control to ensure they comply with this Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.
3.3 Data Protection Officer - The DPO is responsible for the University’s compliance with Data Protection Law and for overseeing (and updating) this Policy and, as applicable, Related Policies and Guidelines. That post is held currently by Irene Hynd, University Secretary, but will be held by the Legal Adviser and DPO once appointed.
3.4 DPO Directions – you must comply with all directions on data protection matters issued by the DPO.
3.5 Queries about Data Protection Law or this Policy - Please contact the DPO with any questions about the operation of this Policy or Data Protection Law, or if you have any concerns that this Policy is not being, or has not been, followed.
3.6 You must contact the DPO immediately in the following circumstances:
3.6.1 if you are unsure whether particular Processing will be within the terms of the relevant Privacy Notice (see Section 5.2 below) or are otherwise unsure of the lawful basis which you are relying on to process Personal Data;
3.6.2 if you are unsure about the retention period for the Personal Data being Processed (see Section 8 below);
3.6.3 if you are unsure about what security or other measures you need to implement to protect Personal Data (see Section 9.1 below);
3.6.4 if there has been a Personal Data Breach (Section 9.2 below);
3.6.5 if you are unsure whether you are permitted to transfer Personal Data outside the EEA (see Section 10 below);
3.6.6 if you receive any communication from an individual which may seek to exercise any rights which he/she may have under Data Protection Law as a Data Subject (see Section 11.1);
3.6.7 whenever you are engaging in a significant new, or change in, Processing activity or plan to use Personal Data for purposes other than those for which it was collected (see Section 12.4 below);
3.6.8 if you are considering entering into any contracts with third parties (see Section 12.7 below) which involves the disclosure or sharing of Personal Data; or
3.6.9 If you plan to undertake any activities involving Automated Processing including profiling or Automated Decision-Making (see Section 12.5 below); or
3.6.10 if you need help complying with applicable law when carrying out direct marketing activities (see Section 12.6 below).
4 Data Protection Principles
4.1 The principles – Data Protection Law sets out the data protection principles with which the University must comply when Processing Personal Data. They are reproduced in Appendix 2.
4.2 Specific requirements – the remainder of this Policy explains what measures Queen Margaret University has put in place to comply with the data protection principles and what you are expected to do as part of those measures.
5 Lawfulness, fairness, transparency
5.1 General requirements – The data protection principles require us to Process Personal Data lawfully, fairly and in a transparent manner. We must only collect, Process and share Personal Data for specified purposes.
5.2 Privacy Notices - In order to ensure compliance with these requirements, the University has prepared Privacy Notices which explain how the University Processes Personal Data that it collects. It is essential that we Process all Personal Data in accordance with the terms of the relevant Privacy Notice.
5.3 Processing must accord with Privacy Notices - The Privacy Notices have been prepared and approved by the DPO. You should not attempt to alter them or to Process Personal Data other than in accordance with their terms. If you have any queries or concerns concerning any proposed Processing activity and whether it is within the scope of a Privacy Notice then you should consult the DPO before commencing any Processing.
5.4 Communication of Privacy Notices - The information contained within the Privacy Notices must be provided to the individual Data Subjects whose Personal Data we Process and we must ensure that the Privacy Notices are properly communicated to individuals at the point at which their Personal Data is collected. For advice on how to do this please consult the DPO.
5.5 Personal Data provided by third parties - When Personal Data is collected indirectly (for example, from a third party or a publicly available source), you must provide the Data Subject with all the information required by the Privacy Notice as soon as possible after collecting/receiving the data. Where we receive Personal Data from a third party with whom we have a contractual relationship, we may require that third party to provide the Data Subject with the information contained in our Privacy Notice on our behalf. More generally, you must also check that the Personal Data was collected by the third party in accordance with Data Protection Law and on a basis which contemplates our proposed Processing of that Personal Data.
6 Data minimisation
6.1 General requirements - Under the data protection principles, we must ensure that Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed.
6.2 Staff Use for job duties only - You may only Process Personal Data when performing your job duties requires it. You cannot Process Personal Data for any reason unrelated to your job duties.
6.3 No excessive data - Do not collect excessive Personal Data. Ensure that any Personal Data you collect is actually required for the intended purpose for which you will Process it.
6.4 Data retention and destruction - You must ensure that when Personal Data is no longer needed for specified purposes, it is deleted or anonymised in accordance with the University’s data retention and destruction policy. See also Section 8 of this Policy.
7 Accuracy
7.1 General requirements - The data protection principles require that Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
7.2 Ongoing checking - You will ensure that the Personal Data we use and hold is accurate, complete, kept up to date and relevant to the purpose for which we collected it. You must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards.
8 Storage and retention
8.1 General requirements - The data protection principles require that Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
8.2 Data retention - We must not keep Personal Data in a form which permits the identification of the Data Subject for longer than needed for the legitimate business purpose or purposes for which we originally collected it including for the purpose of satisfying any legal, accounting or reporting requirements.
8.3 Storage on Organisation systems etc - You must ensure that all Personal Data that you Process as part of your work duties or research study is stored in the University’s systems (or, for paper records, on the University’s premises) in accordance with the Related Policies and Guidelines. No Personal Data should be held anywhere else.
8.4 Compliance with retention policies - The University maintains retention policies and procedures to ensure Personal Data is deleted after a reasonable time following the end of the purposes for which it was being held, unless law requires such data to be kept for a minimum time. We also provide individual Data Subjects with information concerning basic data retention periods in our Privacy Notices - see Section 5.2 above- which align with these retention policies and procedures. You must perform your work duties in accordance with requirements of the relevant retention policies and procedures in so far as relevant to the Personal Data you Process.
9 Security integrity and confidentiality
9.1 Protecting Personal Data
9.1.1 Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.
9.1.2 You must
9.1.2.1 perform your work duties in such a way as to protect the Personal Data that we hold;
9.1.2.2 follow all procedures and technologies we put in place to maintain the security of all Personal Data from the point of collection to the point of destruction. You must also comply with the requirements of all Related Policies and Guidelines and any directions issued by the DPO; and
9.1.2.3 not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain to protect the Personal Data.
9.2 Reporting a Personal Data Breach
9.2.1 Data Protection Law may require the University to notify any Personal Data Breach to the Information Commissioner's Office and, in certain instances, the individual Data Subjects affected.
9.2.2 We have put in place procedures to deal with any suspected Personal Data Breach and will make appropriate notifications where we are legally required to do so.
9.2.3 If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the DPO and follow the security incident response plan. You must preserve all evidence relating to the potential Personal Data Breach: for example, do not delete, alter or forward the affected email, file or record, and do not attempt to repair, reset or wipe an affected device or system before it has been examined.
Note that a Personal Data Breach must be notified immediately you become aware of it, i.e. on a 24 x 7 basis. Any delay may be seriously prejudicial, both in terms of protecting the Personal Data concerned and in terms of our obligation to notify the occurrence of the Personal Data Breach.
[Explanatory Note: The maximum period allowed by Data Protection Law to notify the regulator is 72 hours from the point at which the Organisation becomes aware of the breach. Because that period runs from the Organisation becoming aware, any delay in escalating internally eats into the time available. It is vital that breaches are notified immediately, whether within or outside business hours.]
10 Transfers
10.1 General requirements - Data Protection Law restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by Data Protection Law is not undermined. You transfer Personal Data originating in one country across borders when you transmit, send, view or access that data in or to a different country.
10.2 Restrictions on transfers outside the EEA - You may only transfer Personal Data outside the EEA if one of the following conditions applies:
10.2.1 the European Commission has issued a decision confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects’ rights and freedoms;
[Explanatory Note: Countries for which the European Commission has issued adequacy decisions can be found at https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/dataprotection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en. At the time this note was written the European Commission had recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection. Note, however, that the EU-US Privacy Shield was invalidated by the Court of Justice of the European Union on 16 July 2020 (the Schrems II judgment) and can no longer be relied on as a basis for transfers to the US; check the current list with the DPO before relying on any adequacy decision.]
10.2.2 appropriate safeguards are in place such as binding corporate rules (BCR), standard contractual clauses approved by the European Commission (sometimes called 'model form clauses'), an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;
10.2.3 the Data Subject has provided Explicit Consent to the proposed transfer after being informed of any potential risks; or
10.2.4 the transfer is necessary for one of the other reasons set out in Data Protection Law including the performance of a contract between us and the Data Subject, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving Consent and, in some limited cases, for our legitimate interest.
10.3 Role of the DPO - Where you wish to transfer outside the EEA, it is your responsibility to ensure that the transfer concerned satisfies these requirements. In practice, this means that you need to check with the DPO to confirm that the proposed transfer is permissible before you do it. You must follow any guidelines or directions you are given by the DPO.
11 Data subject’s rights and requests
11.1 Individual Rights - Data Subjects have rights when it comes to how we handle their Personal Data. These include rights to:
11.1.1 withdraw Consent to Processing at any time (where we Process Personal Data on the basis of consent);
11.1.2 receive certain information about our Processing activities;
11.1.3 request access to their Personal Data that we hold;
11.1.4 prevent our use of their Personal Data for direct marketing purposes;
11.1.5 ask us to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
11.1.6 restrict Processing in specific circumstances;
11.1.7 challenge Processing which has been justified on the basis of legitimate interests or in the public interest;
11.1.8 request a copy of an agreement under which Personal Data is transferred outside of the EEA;
11.1.9 object to decisions based solely on Automated Processing, including profiling (ADM);
11.1.10 prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
11.1.11 be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
11.1.12 make a complaint to a regulator; and
11.1.13 in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine readable format.
11.2 Notify DPO - Where you receive a communication from any individual which seeks (or might be construed as seeking) to exercise any rights in relation to Personal Data, you must immediately notify the DPO and follow the DPO's instructions. Do not attempt to deal with the communication beforehand.
12 Specific activity
12.1 General Requirements - Under Data Protection Law, we must implement appropriate technical and organisational measures in an effective manner, to ensure compliance with data protection principles. We must also be able to demonstrate we comply with them. This Section sets out what we require you to do so that we may discharge these responsibilities.
12.2 Record Keeping - Data Protection Law requires us to keep full and accurate records of all our data Processing activities. As part of your work duties, you must keep and maintain proper and accurate records of the work that you do and, as part of that, the Personal Data that you Process.
12.3 Training and Audit
12.3.1 You must undergo all mandatory data privacy related training when requested to do so.
12.3.2 Where you have management responsibility for other Personnel,
12.3.2.1 you must ensure your team undergo similar mandatory training.
12.3.2.2 you must regularly review all the systems and processes under your control to ensure they comply with this Policy and check that adequate governance controls and resources are in place to ensure proper use and protection of Personal Data.
12.4 Data Protection Impact Assessment (DPIA)
12.4.1 When we are considering:
12.4.1.1 projects to implement major system or business change programs involving the Processing of Personal Data, including:
- use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
- Automated Processing including profiling and ADM;
- large scale Processing of Sensitive Personal Data; and
- large scale, systematic monitoring of a publicly accessible area; or
12.4.1.2 any other activity which will involve (or may potentially involve) the Processing of Personal Data which has not been collected before, or the Processing of Personal Data in new ways or for new purposes;
then the DPO must be advised at an early opportunity so that he/she can consider the proposed project or activity and determine whether a Data Protection Impact Assessment is required. The DPO may require you to complete pre-DPIA screening questions in order to determine whether a full DPIA is required. In the meantime, no Processing of Personal Data pursuant to such a project or activity may be undertaken until the DPIA has been completed and approved (or the DPO has confirmed that no DPIA is required).
12.4.2 You must comply with any directions given by the DPO and the terms of the Data Protection Impact Assessment Policy, which forms part of the Related Policies and Guidelines.
12.5 Automated Processing (including profiling) and Automated Decision-Making
12.5.1 Specific restrictions apply under Data Protection Law in relation to Automated Decision Making.
12.5.2 A DPIA must be carried out before any Automated Processing (including profiling) or ADM activities are undertaken.
12.6 Direct Marketing
12.6.1 We are subject to certain additional rules and privacy laws when marketing to our customers, particularly where the marketing activity is conducted electronically, eg by email, telephone, fax or SMS.
12.6.2 Such direct marketing must only be done in accordance with the Alumni and Marketing Privacy statements.
12.7 Sharing Personal Data
12.7.1 Generally we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
12.7.2 You may only share the Personal Data we hold with another employee, agent or partner organisation if the recipient has a job-related need to know the information and the transfer complies with any applicable cross-border transfer restrictions.
12.7.3 You may only share the Personal Data we hold with third parties, such as our service providers if:
12.7.3.1 they have a need to know the information for the purposes of providing the contracted services;
12.7.3.2 sharing the Personal Data complies with the Privacy Notice provided to the Data Subject;
12.7.3.3 the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
12.7.3.4 the transfer complies with any applicable cross border transfer restrictions;
12.7.3.5 a fully executed written contract that contains GDPR approved third party clauses has been obtained; and
12.7.3.6 the DPO has authorised the data sharing. Do remember that the proposed sharing of Personal Data may require the conduct of a DPIA beforehand.
The DPO may issue authorisations of a specific or general nature regarding the sharing of Personal Data with specific third parties and where these have been issued you must ensure that you comply with their terms.
13 Changes to this Policy
13.1 This Policy may be changed from time to time.
13.2 Where changes are made we will notify you but it is your responsibility to check back regularly to obtain the latest copy of this Policy, which can be found on the QMU Intranet.
Appendix 1 – Glossary of Terms
Automated Decision-Making (ADM): when a decision is made which is based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. Data Protection Law prohibits Automated Decision-Making (unless certain conditions are met) but not Automated Processing.
Automated Processing: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of Automated Processing.
Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signifies agreement to the Processing of Personal Data relating to them.
Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with Data Protection Law. We are the Data Controller of all Personal Data relating to our Personnel and Personal Data used in our business for our own commercial purposes.
Data Subject: a living, identified or identifiable individual about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
Data Protection Impact Assessment (DPIA): tools and assessments used to identify and reduce the risks of a data processing activity. A DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.
Data Protection Officer (DPO): the person required to be appointed in specific circumstances under Data Protection Law. Where a mandatory DPO has not been appointed, this term means a data protection manager or other voluntary appointment of a DPO, or refers to the Organisation’s data privacy team with responsibility for data protection compliance.
Data Protection Law: all data protection laws applying to the Processing of Personal Data by the Organisation, including the GDPR and, in the United Kingdom, the Data Protection Act 2018.
EEA: the member states of the EU, together with Iceland, Liechtenstein and Norway.
Explicit Consent: consent which requires a very clear and specific statement (that is, not just action).
General Data Protection Regulation (GDPR): the General Data Protection Regulation ((EU) 2016/679).
Personal Data: any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.
Personnel: all employees, workers, contractors, agency workers, consultants, directors, members and others.
Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with Data Protection Law.
Privacy Notices: the privacy notices referred to in Section 5.2 as updated from time to time.
Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms, so that the person to whom the data relates cannot be identified without the use of additional information, which must be kept separately and securely.
[Explanatory Note: A simple form of pseudonymisation would involve removing employee names and other identifiers from a list and replacing them with an employee number. Pseudonymised data remains Personal Data (see the definition above), because the table that maps employee numbers back to names allows re-identification; that mapping must be stored separately from the pseudonymised list and protected accordingly.]
Sensitive Personal Data: information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and Personal Data relating to criminal offences and convictions.
Appendix 2 – Data Protection Principles
- Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall…not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes…subject to implementation of the appropriate technical and organisational…in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).