Data protection policy
Policy overview
The University of Essex is committed to full compliance with the Data
Protection Act 1998 ["the Act"] and recognises in full the rights and
obligations established by the Act in relation to the management and
processing of personal data. This policy sets out what the University does
in practice to meet its data protection obligations.
Data Protection Act responsibility
In accordance with the University’s standard records management practice,
the Records Management Office is responsible for the general development
and promotion of, and adherence to, this policy, although ultimate
responsibility for compliance lies with each Head of Department[1].
Using information and guidance provided by the Records Management Office,
all University staff who are likely to process personal data in any way are
expected to:
- understand and adhere to the eight Data Protection
Principles set out in the Act;
- read, understand and manage personal data in accordance
with the staff and student data protection "collection
notices", which set out the purposes for collecting an
individual’s personal information, how it is used while in
the University’s possession, and the process for retaining
the information;
- manage all records in accordance with the relevant
records retention schedule to ensure personal
information is not retained longer than necessary; and
- dispose of and/or destroy confidentially where necessary
those records that have reached the end of their retention
period.
Each Department also nominates an individual to join the Records Management
Network. As part of this Network, the individual is responsible for
liaising with the University Records Manager on all matters relating to the
Act. Where necessary, the nominee reports directly to the Head of
Department on data protection issues.
The University has no responsibility for the management of personal data
processed by the University of Essex Students’ Union (SU), which has sole
responsibility for its own compliance with the Act. The SU provides a
separate notification to the Information Commissioner and is responsible
for responding to requests for access to information in its possession.
Separate policies are published that cover information sharing between the
University and the SU, and interaction in relation to non-academic
disciplinary activity.
University compliance with the Data Protection Principles
The University is committed to the eight Data Protection Principles set
out in the Act. Specific procedures, processes and mechanisms are in place
to ensure that the management of personal data adheres to these principles.
The University Records Manager provides a central and focal point for
promoting good management of personal data and for upholding the rights
established in the Act. The Records Management Office publishes online
information about the Act and its provisions, including an online Data
Protection Act Good Practice Guidance. All online information is published
via designated data protection webpages.
Staff and students are provided with a collection notice when they
commence employment or register as a student (also published online), which
sets out the purposes for collecting an individual’s personal information,
how it is used while in the University’s possession, and the process for
retaining the information. Personal data are only ever processed in
accordance with this statement.
Subject Access Requests are managed in accordance with specified and
established procedures. The procedures are published online.
The Records Management Office establishes, implements and monitors
adherence to records management policies, procedures and accompanying
retention schedules to ensure personal data are not retained longer than
necessary.
In order to prevent unauthorised processing, or accidental loss, damage
or destruction, records that hold personal data are stored in locked filing
cabinets, access to University drives, applications and servers is managed
by password only, and the University operates strict Electronic Information
Security and Records Disposal Policies.
Annual notification
The University Records Manager is responsible for submitting the annual
notification to the Office of the Information Commissioner. There are three
separate notifications, covering:
- University of Essex;
- University of Essex Commercial Services Limited;
- University of Essex Pension Scheme.
The notification process confirms that the University is processing
personal data and describes in general terms the categories of data being
held. Hard copies of the University’s notifications are held in the
Albert Sloman Library.
Subject access requests
The University recognises the right of all Data Subjects to access
information held about them by the University and has an established
procedure for responding to requests for access to such information.
Data Subjects (or their nominee) are asked to submit a written request to
the University Records Manager. It is usually University policy to make a
charge of £10 for each Subject Access Request made under the Act. The
University aims to comply with requests for access to personal information
as quickly as possible, and ensures that information is provided within the
statutory 40-day limit unless there is good reason for delay.
The University reserves the right not to release any information, and the
40-day deadline period does not commence, until the University has received
payment, the University has received adequate information to identify the
individual requesting the information, and the University is satisfied that
the request is a genuine request made by or with the knowledge and consent
of the Data Subject.
Data Subjects are always informed about the progress of their request,
including any decision not to release any data or any reason(s) for delaying
a response.
Complaints procedure
The University has in place a specific complaints procedure to ensure
individuals concerned about any aspect of the management of personal data at
the University are able to raise their concerns in a fair and equal way.
This complaints procedure is published online and/or available from the
Records Management Office upon request.
Data protection awareness
The Records Management Office is responsible for ensuring that adequate
and appropriate knowledge of the Act and the University’s legal obligations
is available across the University. The means for performing this function
include the Records Management webpages, ad hoc training sessions to
relevant groups, the new staff induction programme, ad hoc individual
advice as appropriate, and the Records Management Network.
Records Management Network
The Records Management Network is made up of representatives from all parts
of the University. Through the Network, each part of the University is able
to raise relevant data protection issues with the Records Management Office,
and the University Records Manager is provided with a tool to enable
communication as appropriate and the means to measure data protection
compliance across the University.
The Network’s specific terms of reference are:
- To raise the profile and understanding of effective
records management throughout the University and to ensure
that good practice is adopted;
- To ensure University-wide compliance with key pieces of
legislation, such as the Data Protection Act 1998 and the
Freedom of Information Act 2000; and
- To ensure effective implementation of and adherence to
the University’s records management policies in all parts
of the University.
Policy review
In accordance with the University’s standard records management practice,
the policy is reviewed every three years to ensure it meets effectively the
University’s operational and legal requirements.
Policy Agreed: Spring 2005
Policy Effective from: October 2005
Policy due for renewal: Spring 2008
[1] In this context, "Department" is defined in the widest sense and
encompasses administrative sections, major centres and other significant
units in the University.