introduction
spring needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and the government complied with. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, spring must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 [“the 1998 Act”]. In summary, these state that personal data shall:
· be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met;
· be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
· be adequate, relevant and not excessive for those purposes;
· be accurate and kept up to date;
· not be kept for longer than is necessary for that purpose;
· be processed in accordance with the data subject’s rights;
· be kept safe from unauthorised access, accidental loss or destruction;
· not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
spring and all staff who process or use any personal information are required to follow these principles at all times. In order to ensure that this happens, spring has developed the Data Protection Policy.
status of the policy
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by spring from time to time. Any failures to follow the policy can, therefore, result in disciplinary proceedings.
Any member of staff, who considers that the policy has not been followed in respect of personal data about him/herself, should raise the matter with one of the designated data controllers initially. If the matter is not resolved, it may be raised as a formal grievance.
notification of data held and processed
All staff, students and other users are entitled to:
· know what information spring holds and processes about them and why;
· know how to gain access to it;know how to keep it up to date;
· know what sprng is doing to comply with its obligations under the 1998 Act.
spring will, therefore, provide all staff and students and other relevant users with a standard form of notification. This will state all the types of data spring holds and processes about them, and the reasons for which it is processed. spring will try to do this at least once every 2 years.
responsibilities of staff
All staff are responsible for:
· checking that any information that they provide to spring in connection with their employment is accurate and up to date;
· informing spring of any changes to information, which they have provided, i.e. changes of address;
· checking the information that spring will send out from time to time, giving details of information kept and processed about staff;
· informing spring of any errors or changes. spring cannot be held responsible for any errors unless the staff member has informed spring of them.
If and when, as part of their responsibilities, staff collect information about other people (i.e. about students’ course work, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with the guidelines set out below.
data security
All staff are responsible for ensuring that:
· any personal data which they hold is kept securely;
· personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third parties.
Staff should note that unauthorised disclosure will usually be a disciplinary matter.
Personal information should be:
· kept in a locked filing cabinet; or
· kept in a locked drawer; or
· if it is computerised , be password protected; or
· kept only on disk which is itself kept securely.
responsibility of students
Students must ensure that all personal data provided to spring is accurate and up to date. They must ensure that changes of address etc are notified to the MIS Assistant.
rights to access information
Staff/students and other users of spring have the right to access any personal data that is being kept about them, either on computer or in certain files. Any person who wishes to exercise this right should complete the spring ‘Access to Information” form and give it to one of the data controllers / Heads of Team.
In order to gain access, an individual may wish to receive notification of the information currently being held. This request should be made in writing, using the standard form.
spring reserves the right to make a charge of £5 on each occasion that access is requested by past employees and past students. There will be no charge for current staff/students.
spring aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 14 days, unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.
publication of spring information
Information that is already in the public domain is exempt from the 1998 Act. It is spring policy to make as much information public as possible, and, in particular, the following information will be available to the public for inspection:
· Names and a contact point for College Corporation;
· List of staff;
The spring internal telephone list will not be a public document.
Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact one of the designated data controllers.
subject consent
In many cases, spring can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to spring processing some specified classes of personal data is a condition of acceptance of a student on to any course and a condition of employment for staff. This includes information about previous criminal convictions.
Some jobs or courses will bring the applicants into contact with children, including young people between the ages of 16 and 18. spring has a duty under the Children’s Act and other enactments to ensure that staff are suitable for the job, and students for the courses offered. spring also has a duty of care to all staff and students and will, therefore, make sure, through appropriate procedures, that employees and those who use spring facilities do not pose a threat or danger to other users.
processing sensitive information
It is necessary for spring to ask for and to process information about a person’s health, criminal convictions, race, gender and family details. This information will be used for the protection of the health and safety of the individual and to operate spring policies such as the Sick Pay or Equal Opportunities Policies.
In the case of students, it is also important to know about the particular health needs such as allergies to specific forms of medication or any condition such as asthma or diabetes. This is necessary for appropriate action to be taken in the event of a medical emergency.
Staff and students are, therefore, required to give express consent for spring to process this information and offers of employment or course places are made on the understanding that this consent is given.
the data controller and the designated data controller(s)
spring, as a body corporate, is the data controller under the Act, and the Corporation is, therefore, ultimately responsible for its implementation. The Nominated Data Controller is Guy Blagdon [Director of Finance]
spring has a number of designated data controllers who deal with day-to-day issues:
Lesley Siddall - Assistant Principal [Human Resources & Quality]
David Penrose – Assistant Principal [Curriculum & ILT] and Child Protection Officer
Maria Jolliffe – Head of Human Resources
Martin Dennison – Personnel Officer
Matt Rushton – Senior CIS Officer
Adrian Bruce – CIS Officer
Jill Freed - Examinations Officer
Margaret Cowley – CIS & Examinations Assistant
retention of data
students -
spring will keep some forms of information for longer than others. Because of storage problems, information about students cannot be kept indefinitely, unless there are specific requests to do so. In general, information about students will be kept for a maximum of ten years after they leave spring. This will include:
· Name and address;
· Academic achievements, including marks for coursework and
· Copies of any reference written.
All other information, including any information about health, race or disciplinary matters, will be destroyed within two years of the course ending and the student leaving spring.
staff -
spring will need to keep information about staff for longer periods of time. In general, all information will be kept for three years after a member of staff leaves spring. Some information, however, will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references. A full list of information with retention times is available from Human Resources.
conclusion
Compliance with the 1998 Act is the responsibility of all members of spring. Any deliberate breach of the Data Protection Policy may lead to disciplinary action being taken, or access to spring facilities being withdrawn. Any questions or concerns about the interpretation or operation of this policy should be taken up with one of the designated data controllers. |
