Data Protection Policy
The information and guidelines within this policy are important and apply to the entire College Community: the Fellows, Staff and Students (referred to collectively as the 'College Community' in this policy).
Like all educational establishments, the College holds and processes information about its employees, applicants, students, and alumni, as well as school students active in the College’s Schools Liaison Programme, and other individuals for various purposes (for example the administration of the admissions process, the effective provision of academic and welfare services, to record academic progress, to operate the payroll and to enable correspondence and communications, including the provision of references and certificates). In order to comply with the Data Protection Act 1998 ('the 1998 Act'), information must be collected and used fairly, stored safely and not disclosed to any unauthorised person.
Notification to the Information Commissioner
The College has an obligation as a Data Controller to notify the Information Commissioner of the purposes for which it processes personal data. Individual data subjects can obtain full details of the College’s data protection registration from the Assistant Bursar or from the Information Commissioner’s website.
Data Protection Principles
The College, as a Data Controller, must comply with the Data Protection Principles, which are set out in the 1998 Act. In summary these state that personal data shall:
- be processed fairly and lawfully and shall not be processed unless certain conditions are met;
- be obtained for specified and lawful purposes and shall not be processed in any manner incompatible with those purposes;
- be adequate, relevant and not excessive for those purposes;
- be accurate and kept up to date;
- not be kept for longer than is necessary for those purposes;
- be processed in accordance with the data subject’s rights under the 1998 Act;
- be the subject of appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss or destruction; and
- not be transferred to a country outside the European Union unless that country or territory has equivalent levels of protection for personal data.
'Processing', in relation to personal data, means obtaining, recording or holding the data or carrying out any operation or set of operations on the data, including:
- organisation, adaptation or alteration of the data;
- retrieval, consultation or use of the data;
- disclosure of the data by transmission, dissemination or otherwise making available; or
- alignment, combination, blocking, erasure or destruction of the data.
Data Protection Officer
The College's Data Protection Officer is the Assistant Bursar. All queries about the Policy and all requests for access to personal data should be addressed to the Data Protection Officer (see 'Right to Access Personal Data' below).
Responsibilities of individual Data Users
All members of the College Community who record and/or process personal data in any form (called “Data Users” in this Policy) must ensure that they comply with the requirements of the 1998 Act (including the Data Protection Principles) and with the Policy (including any procedures and guidelines which may be issued from time to time). A breach of the 1998 Act and/or the Policy may result in disciplinary proceedings.
In particular, no member of the College Community may, without the prior written authorisation of the Data Protection Officer:
- develop a new computer system for processing personal data;
- use an existing computer system to process personal data for any new purpose not already covered in this document;
- create a new manual filing system containing personal data;
- use an existing manual filing system containing personal data for a new purpose.
The above does not apply to databases which are maintained by individual Data Users within the College Community for their private domestic uses, for example private address books. However, individual Data Users should consider whether their private domestic uses fall within the scope of the 1998 Act.
'Data Areas' and 'Data Area Contacts'
To aid the efficient administration of the Policy, the data that the College holds/processes has been divided into a number of 'Data Areas'; these are described below, showing who may have access to the data. In each case, there is also specified a 'Data Area Contact'. He or she will be responsible in relation to the data in the Data Area in question (and thus not simply for the files which he or she maintains) for the following:
- informing the Data Protection Officer of proposed processing of personal data within the College which may need to be notified to the Information Commissioner (eg any proposal to create a new database containing personal data);
- providing personal data to the Data Protection Officer in response to a subject access request when requested to do so by the Data Protection Officer; and
- maintaining the security of, and access to, personal data within the Data Area.
The Data Protection Officer may from time to time designate other Data Areas and/or Data Area Contacts.
The Tutor’s file is maintained primarily in respect of a student’s general welfare. These files also contain copies of supervision reports, and may also contain financial and medical data. The purposes for which they are maintained include provision of assistance to the student according to need, and supplying of references for the student in applications for employment, professional training or admission to other educational establishments. The Tutor’s file is kept by the student’s Tutor. Except in the case of particular documentation, which a student has agreed with the Tutor, it should be kept confidential to that Tutor. This file may be consulted on a day-to-day basis by the Master, the Senior Tutor, the student’s own Tutor and/or Director of Studies, and/or their support staff. All other requests for access to a Tutor’s file must be authorised by the Senior Tutor.
Data Area Contact: Senior Tutor
The Director of Studies’ file
The Director of Studies’ file is maintained primarily in respect of a student’s academic progress. This file contains copies of supervision reports, and may also contain material relating to a student’s general welfare, such as correspondence regarding degrading, or examination difficulties.
The Director of Studies’ file is kept by the Director of Studies. Except in the case of particular documentation, which a student has agreed with the Director of Studies, it should be kept confidential to that Director of Studies. This file may be consulted on a day-to-day basis by the Master, the Senior Tutor, the student’s own Tutor and/or Director of Studies, and/or their support staff. All other requests for access to a Director of Studies’ file must be authorised by the Senior Tutor.
Data Area Contact: Senior Tutor
Admissions files are maintained in respect of candidates for admissions. During the admissions process, such files are maintained and kept by the Admissions staff in the Tutorial/Admissions Office and by the Admissions Tutors. For successful candidates, the admissions documentation is incorporated into the student’s Tutorial file. The files of unsuccessful undergraduate candidates are archived for three years (ie the length of time such a student is likely to be in another university). The files of unsuccessful candidates for graduate admissions are destroyed. During the admissions process, admissions files may be consulted by the Master, the Senior Tutor, the Admissions Tutors, any relevant Director of Studies and any other relevant interviewers. All other requests for access to an admissions file must be authorised by the Admissions Tutors or the Senior Tutor.
Data Area Contact: Senior Tutor
Files relating to loans and grants made by the College to students
These are maintained and kept by the Financial Tutor. These files may be consulted on a day-to-day basis by the Financial Tutor, the Bursar, the Finance Manager, and/or their support staff and any of the staff in the Bursary. All other requests for access to any of these files must be authorised by the Financial Tutor.
Data Area Contact: Financial Tutor
Files relating to loans and allowances for Fellows
These are maintained and kept by the Bursar, the Finance Manager and the staff of the Bursary, who may each consult the same on a day-to-day basis. All other requests for access to any of these files must be authorised by the Bursar.
Data Area Contact: Bursar
Files in respect of any disciplinary matters involving students
All such files are maintained and kept by the Dean of Students. A copy of any relevant correspondence may be held on the student’s Tutor’s file, except where the Dean of Students and student have agreed together that the Dean of Students only should maintain a particular record. The Master, the Dean of Students and/or the appropriate staff member in the Tutorial Office may consult the same on a day-to-day basis. All other requests for access must be authorised by the Dean of Students or the Senior Tutor.
Data Area Contact: Dean of Students
Medical files in respect of student health and welfare
Medical files are to be maintained and kept by the College Nurse and/or Mental Health Advisor, who may consult the same on a day-to-day basis. Organisations which employ professional medical staff who make records are the legal owners of these records, but that does not give anyone in that organisation the legal right of access to the information in those records. However, the patient can ask to see their records, whether they are written down or on computer. Relevant letters from GPs about degrading may be copied to the Tutor’s file and the Director of Studies’ file.
Data Area Contact: College Nurse and/or Mental Health Advisor
Personnel files in respect of Fellows
These are maintained and kept by the Master. These files may be consulted on a day-to-day basis by the Master and his Personal Assistant. All other requests for access to any of these files must be authorised by the Master.
Data Area Contact: Master
Personnel files in respect of other employed staff of the College
These are maintained and kept by the HR Manager. These files may be consulted on a day-to-day basis by the HR Manager or the Bursar. All other requests for access to these files must be authorised by the Bursar.
Data Area Contact: Bursar
Files relating to tenancies and leases of College-owned properties
Files relating to student accommodation are maintained and kept by the Housekeeper and her staff, who may each consult the same on a day-to-day basis. All other requests for access must be authorised by the Bursar. Files relating to commercial properties are maintained and kept by the College’s solicitors, Mills & Reeve, who may consult the same on a day-to-day basis. All other requests for access must be authorised by the Bursar.
Data Area Contact: Bursar
Files relating to suppliers of goods and services to the College, and other third parties not otherwise dealt with in this policy document
These are maintained and kept by the Bursar, the Finance Manager and the staff of the Bursary, who may each consult the same on a day-to-day basis. All other requests for access must be authorised by the Bursar.
Data Area Contact: Bursar
Files relating to Alumni
Manual and computer based files are maintained in respect of current and former Fellows, alumni, and other current, past and potential donors to the College. These files are maintained and kept by the Development Director and the staff in the Development Office, who may consult the same on a day-to-day basis. All other requests must be authorised by the Development Director. For more information see the Data Protection Notice.
Data Area Contact: Development Director
Personal data relating to participation in the schools liaison programme
Personal data of school students from the age of 10 to 18 will be kept for monitoring and tracking, and evaluation purposes as per the ‘Data Protection Information for Schools, Young People and Parents’ (Appendix A). Access to this information will only be through the Schools Liaison Office. All other requests for access to any of these files must be authorised by the Schools Liaison Coordinator.
Data Area Contact: Schools Liaison Coordinator
Certain of the files referred to above are maintained in electronic databases as well as or instead of paper files. Access to such databases is restricted in the same manner as access to paper files in the relevant Data Area. In addition, however, the College’s Computer Officers may have day-to-day access to the electronic databases for the purposes of administering and maintaining the same.
Data Area Contact: Computing Co-ordinator
Data Security and Disclosure
All members of the College Community are responsible for ensuring that:
- any personal data which they hold is kept securely; and
- personal data is not disclosed either orally or in writing or otherwise to any unauthorised third party, and that every reasonable effort will be made to see that data is not disclosed accidentally.
Unauthorised disclosure is a disciplinary matter and may be considered gross misconduct. If in any doubt, consult the Data Protection Officer.
Personal data must be kept securely; examples of how this may be done will include:
- keeping the data locked in a filing cabinet, drawer or room; or
- if the data is computerised, ensuring that the data is password protected or kept only on disk which is itself kept securely; or
- any other appropriate security measure.
Applicants’ and students’ obligations
Applicants and students must ensure that any personal data provided to the College is accurate and up to date. They must ensure that any changes of address or other personal details are notified to the Tutorial Office.
Students must comply with the College’s Network Rules and Penalties.
Data Subject's Consent
Certain types of personal data may be processed for particular purposes without the consent of individual data subjects. However, it is the College’s policy to seek express consent whenever practicable from individual data subjects for the main ways in which the College may hold and process personal data concerning them. This is to allow individuals an opportunity to raise any objections to any intended processing of personal data. The College will consider any such objections but reserves the right to process personal data in order to carry out its functions as permitted by law. Therefore, all Fellows, staff, admissions applicants and students will be asked to sign a consent form regarding particular types of information which the College may in due course hold or process about them.
Right to Access Personal Data
Staff, students and other individuals have the right under the 1998 Act to access any personal data that is being held about them either in an 'automatically processable form' (mainly computer records) or in a 'relevant filing system' (ie any set of information structured in such a way that specific information relating to a particular individual is readily accessible) and to request the correction of such data where they are incorrect. An individual who wishes to exercise this right of access is asked to complete the College's Data 'Subject Access Request' form which is also available from the Bursary and give it to the College’s Data Protection Officer. Any inaccuracies in data disclosed in this way should be communicated immediately to the Data Protection Officer who shall take appropriate steps to make the necessary amendments. The College will make a charge of £10.00 (or such other charge as is permitted from time to time by the 1998 Act) on each occasion that access is requested and this fee should accompany the Data Subject Access Request form. Council has decided that, for the time being, current College members are exempt from this charge; applicants for admission to the College are not exempt. In accordance with the 1998 Act, the College reserves the right to refuse repeated requests where a reasonable period has not elapsed between requests.
The College will normally respond to the request for access to personal data within 40 days (including bank holidays and weekends) of the request or payment of the fee, whichever is the later.
The Freedom of Information Act 2000 gives individuals extended rights of access in certain circumstances to information which is not held on computer or in a relevant filing system. Please contact the Data Protection Officer or the Information Commissioners’ website for further information.
Disclosure outside of the European Union
The College may, from time to time, wish to transfer personal data to countries outside the European Union in accordance with purposes made known to individual data subjects. For example, the names and contact details of staff on a website may constitute a transfer of personal data world-wide. Accordingly, the consent form signifies an individual’s consent to the inclusion of such data on an authorised College website. If an individual wishes to raise an objection to this disclosure then written notice should be given to the Data Protection Officer.
Other personal data, even if it would otherwise constitute fair processing, must not (unless certain exemptions apply or protective measures are taken) be disclosed or transferred outside the European Union to a country which does not ensure an adequate level of protection for the rights and freedoms of data subjects.
Sensitive Personal Data
The College may, from time to time, process 'sensitive personal data' relating to admissions candidates, Fellows, students and staff of the College. 'Sensitive personal data' is information as to a data subject’s racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, trade union membership, physical or mental health or condition, sexual life, offences or alleged offences, and information relating to any proceedings for offences committed or allegedly committed by the data subject, including the outcome of those proceedings. Currently, the College envisages the need to process sensitive personal data of a type specified in the consent forms set out in the Schedule to this policy for the purposes specified. For example, data relating to the ethnic origin of students of the College may be processed for the purposes of equal opportunities monitoring or to identify any necessary dietary requirements and possible sources of financial assistance. Medical records need to be processed for the provision of healthcare and general welfare, to identify any necessary dietary and accommodation requirements and to assist in meeting the needs of members of the College Community with disabilities. In exceptional circumstances, the College may need to process information regarding criminal convictions or alleged offences in connection, for example, with any disciplinary proceedings or other legal obligations.
In other circumstances, where sensitive personal data is to be held or processed, the College will seek the explicit consent of the member of the College Community in question unless one of the limited exemptions provided in the 1998 Act applies (such as to perform a legal duty regarding employees or to protect the data subject’s or a third party’s vital interests).
The College operates CCTV cameras in order to assist with security for members of the College Community and in respect of College property. If you have any queries regarding the operation of the CCTV system, please consult the CCTV Policy and/or speak to the Estates Manager/Head Porter. If you wish to access any personal data about you on the CCTV system, you are asked to complete and return an Access to Personal Data form (with the £10.00 fee, if applicable) with as much information as possible to enable the data to be located (including, if possible, details of the relevant camera, date and time).
It is permissible and appropriate for the College to keep records of internal communications which are relevant to an individual’s ongoing relationship with the College, whether as a Fellow, member of staff or student, including information concerning performance and conduct issues, provided such records comply with the Data Protection Principles.
It is recognised that email is used for such communications and that such emails should form part of the College’s records. It goes beyond the scope of this policy document to address the appropriate use of email in the proper functioning of the College, and the limitations and legal implications with this method of communication. However, all members of the College Community need to be aware that:
- the 1998 Act applies to emails which contain personal data about individuals which are sent or received by members of the College Community (other than for their own private purposes as distinct from College purposes);
- subject to certain exceptions, individual data subjects will be entitled to make a data subject access request and have access to emails which contain personal data concerning them, provided that the individual data subject can provide sufficient information for the College to locate the personal data in the emails; and
- the legislation applies to all emails from and to members of the College Community which are sent and received for College purposes, whether or not the emails are sent through the College email system or on an individual’s own email account.
The individual files relating to members of the College Community are the basis of the alumni records and detailed historical archives of the College, and are retained indefinitely for reference and research purposes. At some point after a member of the College Community leaves the College, his or her files will be transferred (except in the case of a Fellow) to the College’s Archives. The timing of this will differ from Data Area to Data Area, and within each Data Area will depend upon a number of factors.
Thereafter the files may be consulted on a day-to-day basis by the Bursar or the Bursar’s staff, or the College Archivist. The Development Director and the Development Office staff may have day-to-day access to archived files for alumni purposes. All other requests for access to any archived file must be authorised by the Bursar or the College Archivist. Personal data, which is contained in archived files, may be processed for research purposes (including statistical, historical or biographical purposes). Such processing will be carried out in such a manner to comply with the Data Protection Principles (so far as applicable).
This policy was last revised and adopted by the College Council on 27 February 2017.