Data protection & Information Security Policy
Data protection Policy
Context and overview
- Policy prepared by: Mark Johnson
- Version 2.1
- Policy became operational on: 22/05/2018
- Next review date: 20/11/2020
The University of Exeter Students’ Guild is committed to the protection of the personal data of students, employees and other individuals whom we might hold information about.
The Students’ Guild recognises the General Data Protection Regulation and the Privacy and Electronic Communications Regulations as the primary statutory responsibilities relating to data handling and processing.
To this end, every individual employee handling data collected or administered by the Students’ Guild must take responsibility and give due consideration for its appropriate use in line with this policy and the declared processing activities. The specific arrangements for handling, processing and administering data can be found at www.exeterguild.com/privacy.
These arrangements apply to all employees and volunteers and are overseen by the nominated Data Protection Officer, who reports to the Students’ Guild’s leadership team. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, to access to the Students’ Guild’s facilities being withdrawn, or even to criminal prosecution. It may also result in personal liability for the individual.
Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Officer.
Why this policy exists
This data protection policy ensures The University of Exeter Students’ Guild:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Students’ / Casual staff
Committee members, representatives and other student volunteers may handle personal data to administer their activities and services. Students handling such data are required to have completed the data protection and information security training before receiving permission to handle any personal data related to Students’ Guild activities and services. When handling personal data, students are required to follow the guidance set out in the data protection and information security handbook, including the reporting of data breaches, respecting the rights of individuals and secure processing procedures. Details of the training course and handbook can be found at www.exeterguild.com/privacy.
Students’ Guild employees
The Guild holds various items of personal data about its employees, which are detailed in the relevant privacy notice at www.exeterguild.com/privacy. Employees must ensure that all personal data provided to the Guild in the course of employment is accurate and up to date. They must ensure that changes of address, etc., are updated by contacting the relevant member of staff within the Finance and Resources HR Department.
During day-to-day work it is likely that staff will process individuals’ personal data. Before handling any data, staff are required to have completed the data protection and information security training course. In addition, staff must maintain a current knowledge of data processing best practice through the learning available on the Information Commissioner's Office website at www.ico.org.uk. When handling personal data, staff are required to follow the guidance set out in the data protection and information security handbook, which can be found on the Guild shared drive (N).
Students’ Guild managers
Guild managers must ensure that staff handling data in their roles have completed the appropriate training, are processing data within the agreed frameworks and are following the guidance set out in the data protection and information security handbook. Managers are also required to conduct termly audits of their relevant spaces and IT infrastructure to identify weaknesses in information security.
Data Protection Officer
The Data Protection Officer is Nigel Gooding. The DPO is responsible for:
- Informing and advising the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- Being the first point of contact for supervisory authorities.
The Data Protection Officer is delegated authority by the Chief Executive to carry out their role with the resources required to be effective in the protection and security of the individual data the organisation handles.
The data protection officer’s contact details are:
Data Protection Officer
Data Privacy Advisory Service
10 Oaktree Place
The DPO will oversee all data subject requests to ensure compliance at all times. This includes, but is not limited to, Data Subject Access Requests, requests under the Right to be Forgotten, the Right to Rectification, etc.
The data controller (Students’ Guild) will be the first point of contact for all requests regarding personal data. These requests will be dealt with internally by the Data Protection Guardian.
The Data Protection Guardian’s contact details are:
University of Exeter Students’ Guild
Students, suppliers and contractors
Students, suppliers and contractors must ensure that all personal data provided to the Students’ Guild is accurate and up to date, and that they have read and understood the relevant terms and conditions of engagement with the Students’ Guild. They must ensure that changes of address, etc., are updated on the appropriate systems by contacting the relevant staff detailed in the privacy notices at www.exeterguild.com/privacy.
Respecting Individuals’ Rights
The General Data Protection Regulation sets out a series of rights for individuals. Guild employees planning data processing activities must record how these rights are addressed. The data protection and information security handbook details the rights and the organisation’s standardised processes for meeting them.
Processing Special Categories of Data
The Students’ Guild shall only process special categories of data linked to individuals, such as health data, religious beliefs and sexual orientation, with the consent of the individuals concerned, except where disclosure is necessary to preserve life or for legal purposes. This data may be analysed in broad terms where no direct link to an individual can be made.
Subject Access Requests
The data protection and information security handbook details the procedures for handling subject access requests. As standard, the Guild does not charge for access requests and will refuse manifestly unfounded or excessive requests. Any individual or department receiving a Subject Access Request must share it with the Data Protection Officer within 5 working days. The Data Protection Officer shall respond to the request immediately and aim to fulfil it within one month of initial receipt.
Lawful Data Processing
The Students’ Guild shall only process data within the law. Where a lawful basis for processing has been identified, Guild employees must record the lawful justification within the privacy notice. The data protection and information security handbook details the procedures for recording the lawful processing justification.
Students’ Guild staff and volunteers process personal data for Summer Adventures. We have a data sharing agreement in place with Westbank Community Health and Care.
The Students’ Guild handles personal data when facilitating the Disclosure and Barring Service (DBS) application process. This is done securely and in line with the DBS’s code of practice. The Students’ Guild will keep a record of applications (name and application reference number) for compliance purposes and will retain it only in accordance with the Guild’s data retention policy.
The Students’ Guild shall adopt processes to detect data breaches, including audits and other appropriate processes. Employees and volunteers shall report and investigate data breaches as outlined in the Cyber Incident Response Plan (CIRP) contained on the back page of the data protection and information security handbook.
Where an employee, casual staff member, supplier or contractor discovers a data breach, they must report it to the Data Protection Guardian within 24 hours. The Information Commissioner’s Office shall be notified by the DPO within 72 hours of the breach where there is a risk to the rights and freedoms of individuals, such as discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where there is a high risk to the rights and freedoms of individuals, the affected individuals shall also be notified directly. The reporting procedures are detailed in the data protection and information security handbook.
Data Protection by Design
Employees are required to adopt a privacy by design approach when planning data collection and processing. In addition to data collection records, Privacy Impact Assessments (PIAs) and, where appropriate, Legitimate Interest Assessments (LIAs) shall be completed prior to any data collection or processing. Details of how to conduct PIAs and LIAs are contained within the data protection and information security handbook.