Data Protection Policy Statement
Edinburgh Napier University ("the University") is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data. This is done in accordance with:
- Data Protection legislation ("the legislation"), now known as the UK GDPR. The Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 amended the EU General Data Protection Regulation 2016 (GDPR); together with the UK Data Protection Act 2018, the legislation is now known as the "UK GDPR" and is referred to as "the legislation" below.
- Associated legislation
- Case law and the spirit of the legislation
- The University's notification with the UK Information Commissioner
1. All individuals, including employees, students, agents, associates and contracted parties, whether paid or unpaid, who process personal data on behalf of the University are required to comply with:
- The legislation
- The University's Data Protection Code of Practice, Information Security and Manual Data Security Policies
- Associated University policies, procedures and guidance on the provisions and practical implementation of the legislation
2. These requirements apply to all personal data created and received, regardless of where it is held and irrespective of the ownership of the equipment used, if the processing is for the University's purposes.
3. Any breach of the University's policies, procedures or guidance may result in the University being legally liable for the consequences and internal disciplinary action being taken.
1. All employees and agents processing personal data for and on behalf of the University are responsible for ensuring that any processing of personal data carried out by them complies with the legislation.
2. All line managers are responsible for ensuring that the processing of personal data carried out in their School/Service Area is compliant with the legislation and that employees reporting to them are aware of their responsibilities under the legislation and have received training.
3. Governance Services and the Data Protection Officer are responsible for overseeing compliance, developing guidance and providing advice and training to employees.
4. The University Secretary has overall responsibility for ensuring that the University complies with data protection and associated legislation.
The Data Protection Legislation sets out six principles governing the use of personal information with which all University users must comply unless an exemption applies. These principles ensure that personal information is:
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept for longer than necessary
6. Kept secure
Additionally, there are requirements to:
7. Keep written records of processing to demonstrate compliance
8. Process personal data in line with individuals' rights
9. Not transfer personal data to other countries without adequate protection