Processing of Personal Data by Employees
4.1 Processing Under the University's Notification to the UK Information Commissioner
4.1.1 The University is a data controller for the purposes of the Act and as such is required to notify the Office of the UK Information Commissioner (ICO) of the purposes for which personal data is processed.
4.1.2 This notification should cover University employees who are processing personal data on behalf of the University and as a legitimate part of their employment, e.g. in research, teaching, consultancy or administration.
4.1.3 This applies whether they are processing the data at work or home and either on an occasional or regular basis. All work related documents are University records irrespective of where they are physically stored.
The purposes for which the University processes data can be viewed at the website for the UK Information Commissioner.
4.2 Employee Access to and Use of Personal Data
4.2.1 All personal data collected, held and processed in any medium including on computer, online and in structured and unstructured manual files, is subject to Data Protection Legislation and the University's Code of Practice.
4.2.2 All employees' access to and use of personal data is limited strictly to the purposes legitimately associated with their roles.
4.2.3 All employees must ensure that personal data is not communicated to other persons or bodies unless:
- required to do so by law;
- for the proper purposes of University business; or
- with the consent of the individual concerned.
Any such disclosures of information must be consistent with Data Protection Legislation, the University's notification to the ICO, this Code of Practice and any associated guidance.
4.3 Temporary Staff
Where a temporary member of staff is engaged, it is the responsibility of the member of staff who has arranged the temporary employment to ensure that:
- any such temporary staff member signs an Oath of Confidentiality on the day they commence employment at the University, before being given access to any personal data.
- the provisions of section 4.5 below are strictly adhered to
4.4 Special Categories of Personal Data
4.4.1 Some personal data is classed as special categories of personal data. This data is subject to further and more stringent regulations under Data Protection Legislation which require that it may be processed only in certain circumstances.
4.4.2 Personal data is regarded as special category if it includes any of the following types of information about an identifiable, living individual:
- racial or ethnic origin;
- political opinions;
- religious beliefs;
- trade union membership;
- physical or mental health;
- sexual life;
- sexual orientation;
- biometric data;
- genetic data
4.4.3 Special category personal data may only be processed if at least one of the following conditions is met:
- Explicit consent has been given by the individual
- Processing is required to comply with employment legislation
- Processing is necessary to safeguard the vital interests of the individual or another person
- The information has already been made public by the individual
- Processing is necessary in connection with legal proceedings
- Processing is necessary for reasons of substantial public interest
- Processing is necessary for the purposes of preventive or occupational medicine
- Processing is necessary for reasons of public interest in the area of public health
- Processing is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes
Further guidance on processing sensitive personal data is provided in Section 8 of this code.
4.5 Responsibilities
4.5.1 All Heads of Schools, Service Areas and other University staff who are responsible for employees processing personal data must ensure that:
- there is a level of security in place which is appropriate to the risks represented by the processing and the nature of the data to be protected
- security of data is assured irrespective of where or by whom data is stored or processed throughout the whole procedure, including the transmission of that data
- an employee who is required to have access to the Student Records System, SITS, in order to carry out their duties, and who is also an enrolled student at the University, has signed the relevant oath of confidentiality
- data has been retained in accordance with the University's retention schedules and may be retrieved in response to a data subject access request
4.5.2 All employees processing personal data are responsible for ensuring that:
- appropriate measures are taken to prevent personal information (in whatever format) from being divulged to unauthorised persons
- appropriate care is taken in disposing of printed information containing personal information in accordance with the University's guidance on the Safe Disposal of Confidential Waste
- within individual work areas, the current general guidance on handling personal information is followed, together with any specific additional measures that may apply
- the Information Governance Manager is informed of any personal data that is being or is intended to be handled, which is not notified, or of any changes in the way the data is being handled, which might affect the University's notification under Data Protection Legislation. For anyone handling personal data that they do not themselves control, this responsibility will be met by checking with the person who controls the data.
4.5.3 Employees are not permitted to remove personal data from the University with the intention of processing this data elsewhere except where:
- the personal data is used or processed to carry out the duties of the member of staff and for no other purpose and such use is recognised and authorised by the relevant Head of School or line manager
- the processing is carried out only for a purpose included in the University's notification with the ICO
- the University's Information Security policy and Manual and Physical Data Security policy are strictly complied with to ensure that adequate security is maintained.
4.5.4 Any failure to observe the responsibilities referred to in 4.2 to 4.5 above will be regarded seriously and may result in disciplinary action being taken.
4.6 Processing Outside the University's Notification
4.6.1 Where employees process personal data for which the University is not the data controller, e.g. for their own personal or domestic purposes, this will be exempt from notification.
4.6.2 For other purposes e.g. commercial exploitation of personal data unrelated to the University's notification for University academic work, this may require separate notification to the ICO by the individual. Guidance on this must be sought from the relevant Head of School or the University's Information Governance Manager.
Page last updated 04 September 2018