UCL RECORDS OFFICE UNIVERSITY COLLEGE LONDON DATA PROTECTION POLICY Endorsed by the Information Strategy Committee, 27 November 2008 21 October 2008 University College London is required by law to comply with the Data Protection Act, 1998. It is the commitment of UCL to ensure that every current employee and registered student complies with this Act to ensure the confidentiality of any personal data held by UCL, in whatever medium. This Act came into force on 1st March 2000. The Data Protection Act 1998, [the Act], covers all personal data held on electronic systems and on all forms of media (including, but not limited to paper, microfilm and electronic media). 1. Introduction In order to ensure that UCL continues to comply with the Act, this version of the Policy will become effective from 28 November 2008, and will replace all previous versions of this policy including the latest published version of November 2003. UCL needs to keep certain information about its employees, students, and other users of UCL facilities for business purposes, to allow it to monitor performance, achievements and health and safety, for example. As a Research Institution, UCL also needs to keep information on individuals who are the subjects of research projects. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this UCL must comply with the 8 Data Protection Principles which are set out in the Act. In summary these state that personal data shall be: 1. Processed fairly and lawfully and shall not be processed unless certain conditions are met. 2. Obtained for specified and lawful purposes and not further processed in a manner incompatible with these purposes 3. Adequate, relevant and not excessive 4. Accurate and where necessary kept up to date 5. Kept for no longer than necessary 6. Processed in accordance with data subjects‟ rights 7. Protected by appropriate technical and organisational security, and 8. Not transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. UCL and all staff, students and others who process or use any personal information have a duty to ensure that they follow these principles at all times. In order to ensure that this happens, UCL has developed this Data Protection Policy. Any breach of the Data Protection Policy, whether deliberate or through negligence, may lead to disciplinary action being taken, access to UCL facilities being withdrawn, and even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Officer. Staff and students also have obligations to inform UCL of changes to their personal information and have rights to know about and to access information held on them by UCL. 2. Definitions and Roles “Personal Data” is defined in the Act as data that relate to a living individual who can be identified from those data; or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller; and includes any expression of opinion about the individual and any indications of the intentions of the data controller or any other person in respect of the individual. “Sensitive Personal Data” is defined in the Act as personal data consisting of information as to: The racial or ethnic origin of the data subject His/her political opinions His/her religious beliefs or other beliefs of a similar nature Whether he/she is a member of a trade union His/her physical or mental health or condition His/her sexual life The commission or alleged commission by him/her of any offence Any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings. Note 1: the definition of health is considered broadly under the Act; it is not defined exhaustively but includes preventative medicine, medical diagnosis, DNA sequences, medical research, provision of care and treatment and the management of healthcare services. Note 2: personal demographic data are also considered to be sensitive (e.g. home address, salary, and bank financial details). “Data Controller” is the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. University College London, as a corporate body, is the Data Controller under the Act, and the College Council, as the governing body of UCL, is ultimately responsible for implementation. “Data Protection Officer (DPO)” is the formal office for regulating and advising on the application of the Data Protection Act. The Act covers the processing of personal data recognising that some data is treated as „sensitive‟ data and is subject to special provisions surrounding the collection, storage and access of such information. All personal information collected and stored in any form in an organisation must be registered under the terms of the Act. The DPO has a policy remit in the definition, management and dissemination of UCL personal data. A “data holding” is a collection of one or more data sets that are being processed for permitted purposes under the direction of a clearly identified member of UCL staff (the Data Owner). “Data Owner” is the UCL member of staff with lead responsibility for permitting and managing the retention and processing of a data holding for which UCL is the Data Controller. A Data Owner is accountable for establishing and monitoring measures, in accordance with this policy and the Information Security Policy, to protect any data holdings for which they are responsible, to ensure that data holdings are registered and to ensure that any transfer to third parties is authorized, lawful and uses appropriate, safe transport mechanisms (e.g. strong encryption). “Data Custodian” is the individual unit or person identified by the data owner to be responsible for the collection, creation, modification and deletion of the specified personal data element(s). 3. The Data Protection Officer and the Departmental Coordinators 3.1 The UCL Data Protection Officer is the named contact for the Data Protection Registrar (Email: firstname.lastname@example.org). The UCL DPO will ensure that the UCL Data Protection Registration is kept up to date, based on information received from the Departmental Data Protection Coordinators. The UCL DPO will inform the Data Protection Coordinators of any changes or amendments to the Act, and advise them on the implementation of the Act. The UCL DPO shall investigate reported losses of personal information, calling upon technical support as needed. 3.2 The Head of Department of each Institute, Department, and all other academic or administrative units of UCL is responsible for their department‟s compliance with the Data Protection Act and for ensuring that the personal data held by their department is kept securely and used properly, within the terms of the Act. 3.3 Each Institute, Department, and all other academic or administrative units of UCL shall appoint a Departmental Data Protection Coordinator, to whom, in the first instance, enquiries relating to the holding of personal data should be referred. 3.4 Each Departmental Data Protection Coordinator is delegated the responsibility to take reasonable steps to ensure that the personal data held by their department is kept securely and used properly, within the terms of the Act. This includes: Informing the Data Protection Officer of the types of personal data held in their department, and any changes or new holdings. Ascertaining that appropriate technical and organisational measures are taken within their department to ensure against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, such data, in accordance with the UCL information security policy (http://ucl.ac.uk/cert/swg/policy.html). Keeping the Data Protection Officer informed of changes in the collection, use, and security of personal data within their department. Including in their regular returns, confirmation of compliance with the PCI Data Security Standard relating to the retention of any credit card payment records kept within their department (https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf) Reporting any loss of personal data to the Head of Department and the Data Protection Officer. 4. Staff and Student Responsibilities for Data Protection 4.1 All staff and students are responsible for ensuring that any personal data which they own, manage, process or otherwise access, in whatever form (e.g. electronic, microfilm, paper, etc.), is kept securely, in accordance with this policy, the UCL Information Security Policy (http://ucl.ac.uk/cert/swg/policy.html) and the UCL Records Management Policy (http://www.ucl.ac.uk/efd/recordsoffice/policy/). Data owners must note the responsibilities listed in section 2, including the responsibility to ensure that their personal data holdings are entered in UCL‟s registration either via the Annual Data Holdings Survey or, for research projects, via the normal process for research registration; they should contact the Departmental Data Protection Coordinator, in the first instance. This includes, but is not limited to, personal data for such purposes as teaching, students, research, personnel records, etc. Every Departmental Data Protection Coordinator has copies of the department‟s registration details and should be consulted if a member of staff or student has any doubts about use of personal data within the department. Staff and students have obligations as well as rights under the Act and UCL‟s Data Protection Policy. Further advice may be obtained from the Data Protection Officer (telephone ext. 32589; Email: email@example.com). 4.2 Staff whose work includes responsibility for supervision of students have a duty to ensure that students observe the eight principles of the Act. 4.3 Staff and students must ensure that they are familiar with the Data Protection Policy and must comply with the requirements of section 10 (“Handling of personal data”). Any breach of the Data Protection Policy, either deliberate or through negligence may lead to disciplinary action being taken, or access to UCL facilities being withdrawn, and even a criminal prosecution. 4.4 All staff and students are responsible for ensuring that personal information is not disclosed orally or in writing or otherwise, either accidentally or otherwise to any unauthorised third party. 5. Subject Consent to Processing Sensitive Information 5.1 In many cases UCL can only process personal data with the consent of the individual. In some cases, if the data is sensitive, explicit consent must be obtained. Agreement to UCL processing some specified classes of personal data is a condition of acceptance of a student onto any course, and a condition of employment for staff. 5.2 UCL may ask for information about a person‟s health or disability in relation to their work or standing. UCL may also ask for information such as a person‟s criminal convictions, ethnicity, sex, and family details. This is to ensure that UCL is a safe place for everyone, or to operate other UCL policies (such as the sick pay policy or equal opportunities policy) or to comply with legal obligations, e.g. under the Children Act 2004. 5.3 Where information is considered sensitive, all prospective staff and students will be asked to give a signed Consent to Process particular types of information when an offer of employment or a course place is made. Offers of employment or course places may be withdrawn if an individual refuses to consent to this, without good reason. (See form 3, Changes to personal information at http://www.ucl.ac.uk/efd/recordsoffice/data-protection/.) 5.4 UCL policy relating to monitoring of computer and network usage and how it relates to UCL data protection policy can be found at http://www.ucl.ac.uk/cert/swg/public/Monitoring.html 6. Publication of UCL Information 6.1 Information that is already in the public domain is exempt from the 1998 Act. It is the policy of University College London to make public as much information about UCL as possible (see http://www.ucl.ac.uk/foi/introduction/purpose/). 6.2 Personal names, UCL telephone numbers, and Email addresses will be published in the public directory on the UCL World Wide Web, unless the individual concerned registers with the Data Protection Officer that they do not wish their personal details to be disseminated in this way. In that case only post titles and UCL telephone numbers will be published. (See form 4, removal from WebPages at http://www.ucl.ac.uk/efd/recordsoffice/data-protection/.) Individuals finding their personal information on public UCL World Wide Web pages in contravention of their registration should bring this to the attention of the Data Protection Officer in writing who will arrange where applicable for the page(s) to be corrected. 6.3 Those responsible for producing pages on the World Wide Web for public access, whether for general UCL information or for specific departments, are responsible for complying with instructions from the Data Protection Officer, and will make all reasonable effort to ensure that any UCL individual named on that page has not refused permission to publish their name and Email address. 7. Rights to Access Information 7.1 Notification to staff and students of data held and processed: All data subjects including staff, students, and other users of UCL facilities are entitled to know: what personal information UCL holds and processes about them and why. how to gain access to it. how to keep it up to date. what UCL is doing to comply with its obligations under the 1998 Act. A list of the types of personal information held about students by UCL will be given in the Student Handbook. A list of the types of personal information held about staff by the Human Resources Division will be given, on request, by that Division. 7.2 All data subjects including staff, students, and other users of UCL facilities have the right to access any personal data that is being kept about them. Any person who wishes to exercise this right should make their request in writing, using the UCL “Request for Access to Personal Data” form and forward it to the Data Protection Officer. The form must be accompanied by the fee of £10:00, which is the UCL administration charge for this. UCL has discretion to waive the administration charge. (See form 6, Request for personal information at http://www.ucl.ac.uk/efd/recordsoffice/data- protection/.) 7.3 UCL aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days unless there is a good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request. 8. UCL Records Management Policy and Retention of Data 8.1 The Records Management Policy (http://www.ucl.ac.uk/efd/recordsoffice/policy/), which was confirmed as an UCL Policy in 1999, applies to all administrative records and any research data, whatever their format. All Institutes, Departments and Schools within UCL are expected to consult the Records Manager before disposing of non-current records. 8.2 UCL keeps some forms of information for longer than others, in line with Financial, Legal, or Archival requirements. A full list of retention periods is available from the Records Manager (email: firstname.lastname@example.org). 9. Obligations to keep UCL’s Information up to date 9.1 All staff are responsible for: Ensuring that any information that they provide in connection with their employment is accurate and up to date. Using systems provided by UCL to update personal data. Informing the Human Resources Division and their department of any changes to information which they have provided, e.g. changes of address. Informing the Human Resources Division of any known errors or changes. 9.2 All students are responsible for: Ensuring that any information that they provide in connection with their study is accurate and up to date. Using systems provided by UCL to update personal data. Informing the Registrar‟s Division and their department of any changes to information which they have provided, e.g. changes of address. Informing the Registrar‟s Division of any known errors or changes. 10. Handling of Personal Data 10.1 All staff and students involved in the use of personal data are strongly recommended to visit the UCL Data Protection website (http://www.ucl.ac.uk/efd/efm_www/recordsoffice/dataprotection/) to ensure they manage, process and use personal data to the required standards of UCL, and direct any queries to their Departmental Data Protection Coordinator or contact the Data Protection Officer at email@example.com. Personal data holdings must be registered each year via the Annual Data Holdings Survey. 10.2 Transfer of personal data to third parties must be authorized by the data owner, comply with the data protection registration and must use safe transport mechanisms (e.g. strong encryption). 10.3 Downloading of any personal data onto mobile devices (such as laptops, mobile phones and iPods), removable devices (such as USB drives, CDs, and DVDs), or any computer not owned by UCL must be authorized by the data owner in writing. The data owner must confirm that the volume and sensitivity of the data are proportionate to the business need. Downloaded data and any non- anonymised data products must be strongly encrypted. The Computer Security Team will issue and keep under review guidance on what constitutes an acceptable standard of encryption. 10.4 To avoid loss of encrypted data, an unencrypted copy of the data must be held in a secure environment. 10.5 Data owners should consider whether remote access to UCL servers(s) using secure connections offers a lower risk solution than downloading personal data. 10.6 All losses of personal data must be reported to the Departmental Data Coordinator and the UCL Data Protection Officer. 10.7 Staff and students who are undertaking research projects using personal data must ensure that: Each research subject is informed of the nature of the research and consents to their personal information being used. Their departmental coordinator is informed of the proposed research before it begins, and ensures that UCL is licensed to undertake this kind of research. All information is kept securely in accordance with the UCL information security policy. 10.8 All research involving the use of personal data where the Principal Investigator, as the Data Owner, is employed by UCL or involving any personal data held within UCL must be registered with the UCL Data Protection Office. It is the responsibility of the Principal Investigator to ensure that: The Data must be collected, stored and used in accordance with the Principles of the Act. Individuals must be asked for a signed consent to their data being processed for research. This consent should also cover the scope of the processing and any possible future distribution outside UCL. Data received from third party organisations should be anonymised before receipt or should be accompanied by a signed declaration from the Head of the organisation that it has been collected in accordance with the Act. Data to be shared with a third party organisation should, if possible, by anonymised before transfer. Un-anonymised Data should not be shared with a third party organisation unless the Head of the organisation provides a signed declaration undertaking to use the Data in accordance with the Act. The Data Protection Officer must be informed of all agreements regarding the transfer of personal data, to ensure that they comply with the Act and the UCL Data Protection requirements. Personal data used for research Projects must be stored and disposed of in accordance with the Act and the UCL Records Management Policy (http://www.ucl.ac.uk/efd/recordsoffice/policy/). 10.9 Research Purposes Exemption: Data collected fairly and lawfully for the purpose of one piece of research can be used for other research, providing that the data used for the research does not identify the individual, or fresh approval has been obtained from all participants in the research. Such data must not be processed to support measures or decisions with direct consequences for the individuals concerned, or in a way which is likely to cause substantial damage or distress to any data subject. Records of questionnaires and contacts may be kept, in line with UCL Records Management Policy, in order that the data can be revisited and/or reanalysed. This exemption is only applicable to academic research, and cannot be used to provide information about a particular individual. 10.10 Incoming and Internal Post: Items which are marked “Personal” or “Private and Confidential”, or which appear to be of a personal nature, should be opened by the addressee only, or by that person‟s nominated representative. Unless postal items are marked in this way they will be presumed not to contain confidential information, as designated by the Data Protection Act (1998). Staff and students are discouraged from using their UCL address for non-UCL matters. 10.11 Any member of UCL staff receiving a request for information from a representative of a law enforcement agency (including requests supported by a warrant) should refer the request immediately to the UCL Data Protection Officer. The DPO is best placed to check the validity of warrants. Staff disclosing personal data may not be protected by an invalid warrant.
Pages to are hidden for
"UCL - DOC"Please download to view full document