1 Purpose and Scope
The purpose of the Data Protection Procedures and Standards are to ensure the Employees’ roles and responsibilities with respect to protecting personal data are clearly defined, understood and followed by all Employees. The document also demonstrates how ACLT implements the Data Protection Policy and Standards.
The procedure is applicable to all areas of ACLT and sets out the requirements, standards and expectations for the protection of Personal Data relating to an identifiable Data Subject.
2 Definitions
- Contractors – This includes individuals who are independent contractors or contingent workers.
- Data Protection Officer (DPO) – The Data Protection Officer is responsible for the oversight, development and maintenance of all data protection /privacy functions within ACLT. The DPO ensures compliance with all applicable laws and regulations and with this procedure and standards.
- Data Protection/Privacy Event – Any situation, whether suspected or proven, deliberate or inadvertent, that exposes the Personal Data of a Data Subject to unauthorised individuals.
- Data – Information that is either processed by or intended to be processed by, in response to instructions given for that purpose; or information that is recorded as part of, or with the intention of forming part of, a “relevant filing system” of information that forms part of an accessible record (as defined by the Data Protection Action 2018 or the General Data Protection Regulation).
- Data Controller – A person or organisation that makes decisions in regard to the Personal Data to be processed. The Data Controller decides the purpose for which Personal Data is to be processed, what Personal Data is required and how it is obtained.
- Data Processor - A Data Processor is any person (other than an employee of the Data Controller) that processes Personal Data on behalf of the Data Controller.
- Data Subject – A living individual. Data Subject include, but are not limited to, Students, Employees, Contractors, Tutors and Examiners.
- Employees – Current and former employees of ACLT.
- Personal Data – Recorded information that relates to a living person that can be associated with that person, either from other information in the possession of the organisation holding the data or by cross referencing to information held by a third party. This includes expressions of option about the individual and indication of any intentions of the Data Controller or any other person in regard to the individual. Recorded information can be stored electronically or in a manual filing system.
Examples of Personal Data include:
- Name, home and work addresses
- Date of Birth
- National insurance and passport numbers
- Bank account or credit card details
- Insurance policy details
- Employment records held by the employer
- Images caught on close circuit television (CCTV)
- Student record information
- Student exam results
Processing - in relation to information or data means obtaining, recording or holding the information or data and any operation performed on the information or data such as viewing, amending, sharing, deleting, or storing or any other use that might be done to or with the data.
Sensitive Personal Data - Personal Data of the Data Subject consisting of information as to their racial or ethnic origins, political opinions, religious beliefs, trade union membership, physical and mental health (including disabilities), sexual life, the commission or alleged commission of any offence and any legal proceedings (including the disposal of legal proceedings) or any court sentence in connection with any offence committed or alleged to have been committed by the Data Subject.
Data Subject Access Requests - Data Subject rights to information about the Personal Data relating to them which is in the control of the Data Controller.
3 Roles and Responsibilities
All Employees, students and contractors of ACLT managing and handling Personal Data need to understand their responsibility for good data protection practice and must follow the procedures outlined below.
- Be aware of this policy and comply with it.
- Understand which information they have the right of access to.
- Know the information for which they are owners.
- Know the information systems and computer hardware for which they are responsible.
4 Governance
Responsibility for the production, maintenance and communication of this policy document and any sub-policy documents lies with the University’s Data Protection Officer. Each of the documents constituting the Data Protection Procedures and Standards will be reviewed annually. It is the responsibility of the DPO to ensure that these reviews take place. Any substantive changes made to any of the documents in the set will be communicated to all relevant personnel.
5 ACLT Employees
When a new employee joins ACLT they must undertake the induction training which will include data protection training. This training must be completed within the required timeframe. All ACLT current employees will receive ongoing data protection training where required.
Participation will be tracked and reported to the DPO. All employees are required to:
- Adhere to these procedures and standards, any further guidelines issued and the overarching DP/Privacy Policy.
- Complete the online training.
6 Managers
Managers must ensure that everyone managing and handling Personal Data is appropriately trained to do so and that everyone managing and handling Personal Data is appropriately supervised. At the local level, the manager is responsible for ensuring that: These procedures and standards and any further guidelines are followed. These procedures and standards are fully implemented within their department.
7 Overall Organisations responsibilities – Data Protection Officer (DPO)
The role of the DPO is to:
- Oversee ACLT compliance with the Data Protection Act 2018 and General Data Protection Regulation (GDPR), other applicable statutory laws, ICO regulations and guidance and the DP / Privacy Policy.
- Ensure that these procedures and standards regarding the processing of Personal Data are compliant with the Data Protection Act 2018, GDPR and other applicable statutory laws, ICO Regulations and guidance and the DP / Privacy Policy and Implemented.
- Oversee responses to subject access requests across departments in addition to ACLT nominated officer.
- Ensure relevant data protection / privacy notices are used and relevant consents are obtained
- Keep the relevant registrations up to date with the ICO.
- Investigate and track any Breaches in Data Protection Law and report to the members of the Executive Team and GUS Group Privacy Officer where necessary.
- Promote training and awareness.
- Oversee regular monitoring of Data Protection issues.
- Conduct ad hoc reviews where required.
- Provide guidance and answer any Data Protection queries from the business where required.
- Ensure Data Protection Impact Assessments (DPIA) or other appropriate assessments are carried out where required.
Should there be any issues that cannot be resolved locally the DPO should be contacted. The use of these procedures and standards and any further guidelines may be audited from time to time by the DPO.
8 Processing Personal Data fairly and lawfully
ACLT holds Personal Data about a Data Subject that is sufficient for the purpose it is being held in relation to that Data Subject, and ACLT does not hold more information than needed for that purpose. The minimum amount of Personal Data needed to fulfil the purpose for processing should be identified. Only this information should be held and no more. This is part of the practice known as "data minimisation". Personal Data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Internal data sharing requests between departs should be reviewed by the DPO for reasonableness when Data Protection Policy 4 there is no operating agreement already in existence with the focus being on limiting the amount of Student/Customer and Employee Personal Data shared.
Employees/business owners/project managers must ensure any new projects and/or transmissions of data outside the Business Unit or organisation are referred to the DPO, when there is no operating agreement already in existence. When sharing or transmitting data outside the Business Unit or organisation the least amount of Personal Data necessary to fulfil the operational need should be transmitted. The DPO must assess the risk by completing a DPIA (Data Privacy Impact Assessment) and approve the Personal Data items.
8.1 Privacy Notices Privacy Notices must adequately describe
- ACLT as the Data Controller.
- Why the Personal Data is collected and how ACLT intends to use the Personal Data collected about the Data Subject.
- If ACLT intends to share the Personal Data and who it will be shared with.
- The types of information collected constituting Personal Data and the methods of collection.
- All privacy notices must be reviewed and approved by the DPO and ACLT Legal Team. Privacy notices are updated when there are updates to these procedures and standards or operational practice.
8.2 Personal Data must be processed fairly and lawfully. In practice, it means the following:
- Legitimate grounds must exist for collecting and using the Personal Data. Particular care has to be given in relation to the processing of Sensitive Personal Data; in general Sensitive Personal Data can only be processed with the explicit consent of the Data Subject and must be kept secure at all times.
In instances where it is suspected that a data subject may be suffering from a mental health condition, or be classed as vulnerable, by way of age, disability or otherwise advice should be sought from the DPO, or the mental health subject matter experts.
8.3 Personal Data should not be used in ways that have unjustified adverse effects on the Data Subjects concerned.
- Data Subjects should be provided with appropriate privacy notices when their personal data is being collected to ensure transparency about the intended use of their Personal Data.
- Personal Data should only be handled in ways they would reasonably expect
- The personal data should not be used in any unlawful way or for any unlawful purpose New or changed methods of collecting Personal Data must be reviewed by the DPO before they are implemented to confirm that Personal Data is obtained fairly and lawfully. This may be done by utilising the DPIA (Data Privacy Impact Assessment form) which is available from the Data Protection Officer.
8.4 Processing Personal Data
ACLT must ensure that the Information Commissioner's Office (ICO) is kept informed of all the current uses of Personal Data. This is achieved by a notification given to the Information Commissioner.
If any process is removed this must also be communicated to the DPO.
The DPO is responsible for ensuring that ACLT’s ICO registration remains accurate and up to date. There is an obligation to inform the ICO of any changes to the registration within 28 days from when the change occurred. ACLT’s registration is required to be renewed annually.
Personal Data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
This requirement aims to ensure that organisations are open about their reasons for obtaining Personal Data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.
8.5 Keeping Personal Data accurate and up to date
Take reasonable steps to ensure the accuracy of any Personal Data obtained and ensure that the source of any Personal Data is clear, carefully consider any challenges to the accuracy of information and consider whether it is necessary to update the information.
ACLT informs Data Subjects that they have the right to amend or delete incorrect data in the privacy notices provided to Employees and customers. ACLT also contractually obliges Data Subjects who are our students/customers to notify us of any changes in their details. ACLT performs data quality reviews on an ad hoc basis or when required to ensure that the data managed or processed is accurate and up to date. This includes reviews, data integrity controls and process review.
8.6 Retaining Personal Data
Review the length of time the Personal Data is kept; consider the purpose or purposes for holding the information when deciding whether (and for how long) to retain it; securely delete information that is no longer needed for this purpose or these purposes and update, archive or securely delete information if it becomes out of date.
Personal Data must be destroyed according to guidelines specified within ACLT retention Policy.
9 The Rights of the Data Subject
Personal Data shall be processed in accordance with the rights of Data Subjects under the DPA.
The rights of the Data Subject are:
Right of access – Data subjects have a right to access to your data and to certain information about the processing of that personal data. This information must usually be provided to you free of charge within a month of receiving your request. Exceptions to this are:
- Examination scripts which are specifically exempt from the data subject’s access rights under the General Data Protection Regulation. In general, students are entitled to know their examination marks but are not entitled to see their examination scripts. However, students are entitled to see associated examiner’s comments and minutes of any examination appeals panels, which are not exempt from disclosure.
- Examination marks that have been requested before the results are announced have to be disclosed either within 5 months of the date of the request or within 30 days of the date the results are published, whichever is earlier. In practice, this exemption prevents disclosure of exam results before they are officially announced.
Right of rectification - you have the right to ask for your personal data to be corrected if it is inaccurate and completed if it is incomplete.
Right to be forgotten - in certain circumstances you can ask us to erase your personal data. It is unlikely to be possible to accept your request if, for example, we have a contractual or other legal duty to retain your information.
Right to restriction of processing - in certain circumstances you have a right to restrict the processing of your personal data. This may include when you dispute its accuracy (until the accuracy is proved); if you have objected to the processing (when it was necessary for our legitimate interest) and we are considering whether our legitimate interest overrides your own; or if we no longer need the data but you need us to keep it in order to establish, exercise or defend a legal claim.
Right of portability - in certain circumstances, you have the right to move, copy or transfer your data to another data controller or to yourself. This right is only relevant if the data is being processed on the basis of consent or for the performance of a contract and the processing is carried out by automated means. This right is different from the right of access and the types of information you can get under the two separate rights may be different.
Rights in relation to automated decision making - you may have the right to challenge and request a review of a decision that was made by automated means.
Right to object - in certain circumstances, you have the right to object to the processing of your data when it is being processed on the basis of our legitimate interest. We must stop processing the data unless we can demonstrate that our legitimate interests override your own, or if the processing is necessary for legal reasons. You have an absolute right to object to processing your data for direct marketing purposes including profiling relevant to direct marketing. If you object to us processing your data for direct marketing purposes, we must accept your request and stop the processing as soon as we receive your objection.
9.1 Right of Access to Personal Data
The Data Protection Act 2018 gives Data Subjects the right to access the personal information that is processed about them. This right is commonly referred to as subject access. Some types of Personal Data are exempt from the right of subject access and so cannot be obtained by making a Data Subject Access Request (DSAR). If there is any doubt in the types of data that can be supplied under a DSAR, the matter should be referred to the DPO for clarity.
Under this right the Data Subjects is entitled to:
- Be informed by any Data Controller whether Personal Data which relates to the individual is being processed by or on behalf of that Data Controller.
- Be given a description of the information constituting Personal Data of which the individual is the Data Subject. Be given a description of the purposes for which their Personal Data is being or is to be processed.
- Be given a description of the recipients or classes of recipients to whom their Personal Data is being or may be disclosed.
- Be provided a copy of the information constituting any Personal Data of which the individual is the Data Subject in a form that is capable of being understood.
- Be provided details of any information available to the Data Controller as to the source of the Personal Data (where available) in a form that is capable of being understood.
- Be provided (if specifically requested by the Data Subject) with the logic involved where the processing by automatic means of Personal Data of the Data Subject for the purpose of evaluating matters relating to the Data Subject e.g. performance at work, creditworthiness, has constituted or is likely to constitute the sole basis for any decision significantly affecting the Data Subject
Approved by ACLT Board: October 2022
Next review: July 2023