Data Protection Policy

Data Protection Act Registration Number: Z1470934

Note: This policy has been written on the basis of the University of Durham’s Data Protection Policy and is a modification of the same. Though the College is registered separately, the College and the University share much data and have similar responsibilities vis-à-vis the same data.

The College holds information on current and past students and employees. It also holds information temporarily on potential students who have applied to the College or to the University. This information is used for administrative purposes including the offering of places in the College and the University, the allocation of rooms in College, for billing, for statistical purposes, and for preparing references. Personal data is shared with the University and retained in the College or the University: this is used to enable the College to contact its alumni (and past employees and Governing Council members) as well as to facilitate the distribution of College publications, newsletters and to otherwise engage in fund-raising and in related marketing purposes.

The College collects and holds data collected via CCTV for one-week as a security measure. It also maintains several websites (within the University network and on a mirror-site outside the University of Durham); these websites contain pictures of (sometimes former) staff and students and they may also contain information about those staff and students; they provide links to the University website, which, in turn, may contain contact and other information about College staff and College students.

A student’s registration with or employment by the College is a matter of public record. The University publishes the name and college of individuals awarded a qualification, and this is recorded in the College. Members of staff have their names published both in the College’s telephone directory (in print and on-line) and in the University Calendar and/or telephone directory (written and electronic). Students’ names are often included in lists posted in departments and the College. Students of the College generally have access to the names of students assigned to particular rooms in College. Registration with the Information Technology Service also means that a student’s or staff member’s name, college, computer user name and electronic mail address will appear in both the University’s and the College’s directory, which can be accessed from within the University and the College, and from anywhere on the world wide web. In exceptional circumstances individuals can opt-out of the electronic mail directory.

Students who apply for an internally-funded or externally-funded bursary, scholarship or other award will be deemed to have given consent for their names to appear on public lists and for their names to be disclosed to the funders in furtherance of the students’ interests.

Information on individuals may be disclosed outside the College either at an individual’s request or in furtherance of an individual’s interest e.g. confirmation for the Student Loan Company, Local Authority or other (foreign) government that an individual is still in attendance in order that he/she can receive his/her Student Loan or other forms of support. The University is required to make returns on individuals to the Higher Education Statistics Agency, and the College is sometimes required to provide additional information to the University to fulfil this requirement. The College and the University will also on occasions make available personal information to other government agencies as required to fulfil its educational mission or to comply with the law. The College is obliged by law to provide certain information to Council Tax Registration Officers in accordance with the terms of the 1992 Act. The College may disclose data to other selected alumni acting for the College.

If a course of study or employment with the College requires a period of study or employment abroad, it will be necessary for the College to transfer personal data to the overseas University or employer. Likewise, specific personal data pertaining to students or staff required to undertake (or opting to undertake) professional placements or employment during their time in College will be transferred to the organisation(s) in which they are placed.

All personal data processed pertaining to students studying for externally-validated ministry courses may be transferred to the Church authorities or the course directors concerned. This includes such personal data as examination marks or allegations of academic misconduct and findings of College or University panels.

The College may occasionally commission photographs around the College and the University at specific College or University events, such as social events, the matriculation ceremony or Congregation, which could include images of students or staff, for inclusion in its promotional material.

The College may distribute promotional material from another organisation when it believes such material could be of interest to recipients. The College does, in certain limited circumstances, pass on information about individuals who owe the College money to an external debt collection agency if it has been unable to recover the debt by the normal internal process.

The College may periodically monitor electronic communications, including access to external websites, to ensure that these systems are being used in accordance with the College’s and University’s regulations, and specifically to try to prevent access to pornographic, racist or illegal material or to prevent harrassment.

Personal data on staff and students is provided by the individual himself/herself normally by an application form and or curriculum vitae and cover letter, supplemented by additional information at registration or a similar process. The College will also add additional information and will notify students and staff that is doing so (most often by publishing a notice to that effect if it is not already addressed in this policy).

The University and the College are required to obtain information about past criminal convictions as a condition of employment for some staff positions and before offering a place to potential students on certain programmes.

Information on an individual’s health may be required as a condition of employment or admission to certain programmes of study, and this may be stored in the staff-member’s personnel file if it is pertinent to health and safety.

Certain information on individuals as defined in the 1984 and 1998 Data Protection Acts is regarded as particularly sensitive data. This includes race and ethnic origin and physical or mental health. The College may hold such information on its staff and students, but it is used for equal opportunities monitoring or for the provision of specific services to individuals: for example, administering sick pay and sick leave schemes, managing absences control policy, checking suitability and fitness for certain types of work, checking suitability and fitness for course places, administering Maternity Leave and pay schemes, managing and maintaining a safe environment, managing duties and obligations under the Disability Discrimination Act.

The College will comply with protocols established for the HE sector by the Information Commissioner.

For further information about the College’s policy on data protection please contact the College Principal.

It is a requirement of all students and staff when using or compiling personal data in the College or using data obtained via the College or the University that all such data and the use of such data held on computers or in manual filing systems must confirm with the legal requirements of the Data Protection Acts, be covered by the College’s notification under the Data Protection Act and conform with the policy outlined above.

Transfer of Data to Third Parties

Introduction

Transfers of personal data held by the College to third parties is permitted when the data subject has given their explicit consent to the transfer, or in those circumstances when the 1998 Act explicitly permits transfer without consent. Transfers of data to the University of Durham, although technically a transfer between third parties, is deemed to have the data subject’s consent by virtue of a student’s registration for a course of study in the University as a member of St Chad’s College: this deemed consent extends also to visiting students.

Data subject consent for transfers of personal data to third parties cannot be inferred from a failure to respond.

Authorised and Unauthorised Third Parties

Releases of personal data to the following would be considered unauthorised:

a person or organisation to whom the data subject has not consented to have the data disclosed; a person or organisation to whom the data subject has consented, though for different data purposes or data than those released.

Unauthorised persons will include

family members, friends and fellow staff or students, local authorities, government bodies, police

If it appears that the enquirer is legitimately allowed to request the information (if they are the data subject or if consent for the release has been provided or is given as an exemption under law, for example) staff members are required always to make a note of the name of the individual making the request, the organisation they represent and, if possible, ask if they could make the request in writing. If the information is required in an emergency, staff should always check the credentials of the individual carefully or phone them back on a general number to check that the details they have provided are correct.

Embassies and High Commissions should be dealt with with extreme caution and data should only ever be released with the data subject’s explicit consent.

If third parties claim access under exemptions provided in the Act or by order of the Secretary of State, they should be required to:

provide reasonable proof of their personal identity and organisational affiliation.

to confirm to our procedures.

to provide written and signed documentation stating the reason they require the information and the exemption they are applying under (Remember: legitimate enquirers will be prepared to provide this.)

Dealing with Subject Access Requests

Data access requests from a data subject:

Staff ought to ensure that they have read and understood all the guidance given in the College’s (and University’s) Data Protection documentation. The Principal ought to be consulted about non-routine requests.

Staff ought to act with appropriate promptness and to follow correct procedures. The College is legally required to provide the requested information within 40 days (unless a permanent or temporary exemption applies – see later) and to provide, wherever possible, a hard copy of the data, or, if a hard copy is not easily available, to make arrangements for the data subject to come into the College to view the data under supervision.

The data subject ought to be directed to:

request access in writing.

pay any required fee, to a maximum of £10, before access is provided (please contact the Principal to check if a fee applies).

provide reasonable information to establish their identity and therefore, their rights to the data requested. This is likely to be achieved by checking addresses against the student records or requesting some form of ID if they present in person to view information.

When requests are made in writing, staff ought to acknowledge receipt of the request immediately.

Staff ought to check that the data are not exempt from subject access. Not all information held by the College is accessible to data subjects. The following are subject to some exemptions:

Examination Marks may be withheld for a prescribed period.

Data that contain information with direct or indirect reference to other individuals who have not given their explicit consent for the release of the data will be exempt if the explicit consent of those individuals cannot be secured for the release of the data or if the identity of those individuals can be ascertained from the information remaining after all the direct or indirect references to those individuals are removed.

References provided to the College by a third party may be withheld if the consent of the referee cannot be secured for the release of the reference intact or if the identity of the referee can be ascertained from the information remaining after all the direct or indirect references to them are removed. This policy may change in accord with changes in law.

References written by members of the University and sent to a third party may be exempt from any subject access request the University subsequently receives.

Any data that is not personal is exempt from the Data Protection Act and therefore subject access.

Any data that does not relate to a living individual, i.e. that which relates to a deceased individual or a company/organisation, is exempt from the Data Protection Act and therefore subject access.

Any information which is not stored in a relevant filing system, i.e. is not filed with reference to the individual concerned, is exempt from the Data Protection Act and therefore subject access.

Data processed prior to 24 October 1998 may be exempt from the Data Protection Act and therefore subject access until October 2007. Staff are encouraged to check with the Principal on requests for data processed before 24 October 1998.

Data held for statistical or historical record purposes only is exempt from the Data Protection Act and therefore from subject access.

Staff are required to verify that they are indeed authorised to release the data. When in doubt, they must consult the Principal as he or she is responsible for data held in the College: the Principal will be able to determine what information within their area of responsibility staff may release. Staff are urged not to let themselves feel pressured into releasing data when they are not sure whether it is appropriate to do so or whether they are the appropriate person to release it.

Staff should data subjects that they can appeal to the Principal if they are not satisfied with the response they have received to their access request. Such appeals should be submitted in writing.

Staff must never allow data subjects to remove original documents from the College or to let data subjects have access to original documents or computerised files unless they are supervised at all times by a member of College staff.

Guidance for NEITE’s Board of Examiners

This document includes:

What constitutes personal data in examinations and what information does a candidate have a right of access to?

Releasing Examination Marks.

Board of Examiners’ Minutes and Examination Board Reports.

Collective Data.

Releasing Data to Third Parties.

Charging for the Release of Information.

What constitutes personal data in examinations and what information does a candidate have a right of access to?

Personal data in examinations includes any commentary (including marks and examiner’s comments) made by the examiner or moderator about the candidate’s performance and the consequences of that performance if it is held in a relevant filing system. This includes expressions of personal opinion made by anyone other than the candidate.

Any information recorded by the candidate during or as part of an examination is exempt from subject access once it has been submitted. This will obviously include answers to questions and supporting documentation.

Furthermore, data subjects do not have any rights under the Data Protection Act to any explanation about the marking system for the examination or how specific marks or comments were arrived at as this does not constitute personal data.

Access to personal data can not be denied on the grounds that the comments of the examiner(s) and the candidate’s work appear together. In such cases the candidate’s work will need to be deleted or “blanked out” before the script is released to the data subject.

Releasing Examination Marks.

Under the Act, requests for access to information received from data subjects must be complied with within 40 days of the request being received by the data controller (the relevant day). Examination marks are, however, given temporary exemption from this requirement.

This temporary exemption applies where the relevant day (see definitions) falls before the day on which the results are to be announced. In such cases, the period for compliance will be extended to:

the end of five months beginning with the relevant day

the end of 40 days beginning with the date of the announcement or publication of the results

whichever is earlier.

If more than 40 days pass between the subject access request and compliance with the request (under the exemption given above) then the College must give access to any additional information if the information requested has changed between the date of request and the date of compliance.

Board of Examiners’ Minutes and Examination Board Reports.

The Act only applies to data which is held in relevant filing systems (see definitions). Relevant filing systems are defined as files relating to the individual. Clearly Boards of Examiners’ minutes and Examination Board results will be filed with reference to the Board and not the individuals discussed or considered at the Board. The Act is, therefore, unlikely to apply to these documents. However, this is still a matter of debate within the sector and current advice states that, where possible, sections of the Board of Examiners’ minutes should be made available to data subjects if requested, provided that disclosure does require the disclosure of information relating to other data subjects. All enquiries relating to access to Boards of Examiners minutes must be referred to the Principal.

Collective Data.

It is likely that some documents filed with reference to individuals will occasionally contain information relating to other named or identifiable individuals. For example, a memorandum may deal with more than one student and be copied to each of the students’ files. In such cases, the data subject would only have a right of access to the information that related to them and not to the data relating to the other students. In fact, to release the document unedited would constitute a breach of the Data Protection Act in respect of the other named students. When releasing information which includes references to other individuals, all references to that individual, including details which may lead to their identity being indirectly revealed, must be removed before the document is released. This can be done by editing, cutting and pasting or “blanking out” the relevant information. Where it is not possible to release any of the information without revealing the identity of another data subject, then the data controller needs to seek the consent of the other data subject to the release of their information to the data subject making the subject access request. Where consent is not given or can not be reasonably sort, the College has the right to refuse access to the information concerned.

Releasing Data to Third Parties.

There are very few incidences where data can be legally released to a third party without the data subject’s explicit consent. Where the information is a matter of public record, in this case the degree result or highest exit qualification, the information may be released. However, any other information, such as examination marks or timetable and personal details, must not be released to any third party without the data subject’s explicit, written consent. Written consent must be submitted by the data subject to the College in advance of any release of data to third parties.

Staff should contact the Principal for advice if they are unsure how to proceed.

Charging for the Release of Information.

Certain information may only be provided to data subjects if a small fee (up to a maximum of £10) is paid. These fees are set and levied centrally. Advice on whether information should be released without a fee and what fee applies must be sought from the Principal.

Reviewed and updated 25 November 2014