Data protection & Information Security Policy
Context and overview
- Policy prepared by: Mark Johnson, ICT Manager/Data Protection Guardian
- Policy became operational on: 22/05/2018
- Next review date: 04/02/2019
The University of Exeter Students’ Guild is committed to the protection of the personal data of students, employees and other individuals whom we might hold information about.
The Students’ Guild recognises the General Data Protection Regulation and the Privacy and Electronic Communications Regulations as the primary statutory responsibilities relating to data handling and processing.
To this end, every individual employee handling data collected or administered by the Students’ Guild must take responsibility for its appropriate use, with due consideration for this policy and the declared processing activities. The specific arrangements for handling, processing and administering data can be found at www.exeterguild.com/privacy.
These arrangements apply to all employees and volunteers, and are overseen by the nominated Data Protection Officer, who reports to the Students’ Guild’s leadership team. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, to access to the Students’ Guild’s facilities being withdrawn, or even to criminal prosecution. It may also result in personal liability for the individual.
Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Officer.
Why this policy exists
This data protection policy ensures The University of Exeter Students’ Guild:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Students’ / Casual staff
Committee members, representatives and other student volunteers may handle personal data to administer their activities and services. Students handling such data are required to have completed the data protection and information security training before receiving permission to handle any personal data related to Students’ Guild activities and services. When handling personal data, students are required to follow the guidance set out in the data protection and information security handbook, including the reporting of data breaches, respecting the rights of individuals and secure processing procedures. Details of the training course and handbook can be found at www.exeterguild.com/privacy.
Students’ Guild employees
The Guild holds various items of personal data about its employees, which are detailed in the relevant privacy notice at www.exeterguild.com/privacy. Employees must ensure that all personal data provided to the Guild in the course of employment is accurate and up to date. They must ensure that changes of address, etc., are updated by contacting the relevant member of staff within the Finance and Resources HR Department.
During day-to-day work it is likely that staff will process individuals’ personal data. Before handling any data, staff are required to have completed the data protection and information security training course. In addition, staff must maintain a current knowledge of data processing best practice through refresher courses and learning available on the Information Commissioner’s Office website at www.ico.org.uk. When handling personal data, staff are required to follow the guidance set out in the data protection and information security handbook, which can be found on our Guild shared drive (N).
Students’ Guild managers
Guild managers must ensure that staff handling data in their roles have completed the appropriate training, are processing data within the agreed frameworks and are following the guidance set out in the data protection and information security handbook. Managers are also required to conduct termly audits of their relevant spaces and IT infrastructure to identify weaknesses in information security.
Data Protection Officer
The DPO is responsible for:
- Informing and advising the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- Being the first point of contact for supervisory authorities.
The Data Protection Officer is delegated authority by the Chief Executive to carry out their role with the resources required to be effective in the protection and security of the individual data the organisation handles.
The Data Protection Officer is Nigel Gooding.
The data protection officer’s contact details are:
Data Protection officer
Data Privacy Advisory Service
10 Oaktree Place
The data controller (Students’ Guild) will be the first point of contact for all requests regarding personal data. The email address is firstname.lastname@example.org. The DPO will oversee all data subject requests to ensure compliance at all times. This includes, but is not limited to, Data Subject Access Requests, requests for the Right to be Forgotten, the Right to Rectification, etc.
Students, suppliers and contractors
Students, suppliers and contractors must ensure that all personal data provided to the Students’ Guild is accurate and up to date, and that they have read and understood the relevant terms and conditions of engagement with the Students’ Guild. They must ensure that changes of address, etc., are updated on the appropriate systems by contacting the relevant staff detailed in the privacy notices at www.exeterguild.com/privacy.
Respecting Individuals’ Rights
The General Data Protection Regulation sets out a series of rights for individuals. Guild employees planning data processing activities must record how these rights are addressed. The data protection and information security handbook details the rights and the organisation’s standardised processes for meeting them.
Processing Special Categories of Data
The Students’ Guild shall only process special categories of data linked to individuals, such as health data, religious beliefs and sexual orientation, with the consent of the individuals concerned, except where the disclosure is necessary to preserve life or for a legal purpose. This data may be analysed in broad terms where no direct link to an individual can be made.
Subject Access Requests
The data protection and information security handbook details the procedures on how subject access requests must be handled. As standard, the Guild does not charge for access requests and will refuse manifestly unfounded or excessive requests. Any individual or department receiving a Subject Access Request must share this with the Data Protection Officer within 5 working days. The Data Protection Officer shall respond to the request within one month of initial receipt.
Lawful Data Processing
The Students’ Guild shall only process data within the law. Where a lawful basis for processing has been identified, Guild employees and volunteers must record the lawful justification within the privacy notice. The data protection and information security handbook details the procedures for recording the lawful processing justification.
Students’ Guild staff and volunteers process personal data for Summer Adventures. We are currently reviewing the processes behind the data collection, retention and sharing agreements and will have a policy in place prior to the next Summer Adventures event.
The Students’ Guild shall adopt processes to detect data breaches including audits and other appropriate processes. Employees and volunteers shall report and investigate data breaches as outlined in the Cyber Incident Response Plan (CIRP) contained on the back page of the data protection and information security handbook.
Where an employee, volunteer, supplier or contractor discovers a data breach, they must report it to the Data Protection Guardian within 24 hours. The Information Commissioner’s Office shall be notified by the DPO within 72 hours of the breach where there is a risk to the rights and freedoms of individuals, such as discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where there is a high risk to the rights and freedoms of individuals, the affected individuals shall also be notified directly. The reporting procedures are detailed in the data protection and information security handbook.
Data Protection by Design
Employees are required to adopt a privacy by design approach when planning data collection and processing. In addition to data collection records, Privacy Impact Assessments (PIAs) and, where appropriate, Legitimate Interest Assessments (LIAs) shall be completed before any data collection or processing. Details of how to conduct PIAs and LIAs are contained within the data protection and information security handbook.
Electronically stored personal data must be stored in an encrypted or password-protected form to protect against unauthorised access or processing. Physical representations of data, such as paper forms, must be stored within a locked storage unit. When no longer needed, electronic copies should be deleted and any paper copies securely destroyed.
Guild employees and staff must protect vital records, for the purposes of business continuity, from loss, destruction or falsification, in accordance with statutory, regulatory, contractual and Guild Policy requirements.
The Students’ Guild has three primary platforms for securely storing data online – Office 365, the Students’ Guild N Drive and the user’s personal U Drive. Staff and volunteers are required to store the data they handle on one of these platforms only, as detailed within the data protection and information security handbook.
Explicit permission from line management must be obtained before removing restricted information, including personal data and confidential information from Guild premises. Restricted information processed on portable devices and media must be encrypted. The password to an encrypted device must not be stored with the device.
Payment Card Industry Compliance
The Students’ Guild complies with the Payment Card Industry Data Security Standards. This ensures we keep our systems secure so that customers can trust us with their sensitive payment card information. For more information, please visit the PCI Security Standards Council website.
Third Party Contracts
Occasionally the Guild may transfer data to third parties for processing, in line with the guidance contained within the data protection and information security handbook. Before any data transfer, a contract ensuring compliance with the relevant legislation must be in place, with oversight by the Data Protection Officer.
Permanent staff and casual staff must undertake data protection and information security training to ensure sufficient security awareness. Staff must make every effort to protect their user identity by using a strong password. Account passwords and usernames must not be shared without authorisation from organisational managers.
Digital equipment and media containing information must be secured against theft, loss or unauthorised access when outside the Guild’s physical boundaries. In addition, all digital equipment and media must be disposed of securely and safely when no longer required; the data protection and information security handbook outlines the appropriate procedures.
Compliance with the policies and procedures laid down in this document will be monitored. The Data Protection Officer is responsible for ensuring that this document is monitored, revised and updated yearly, or sooner if the need arises.