Data Protection Policy

The School must process personal information to fulfil its teaching, operational, and statutory obligations, including reporting to the Office for Students (OfS) and the Higher Education Statistics Agency (HESA). This information includes data on applicants, students, employees, alumni, and other stakeholders. The School is committed to transparency and adhering to the Data Protection Act 2018 (DPA) to ensure data security and legal compliance. This policy aims to minimise risks such as breaches, reputational damage, financial penalties, and investigations by the Information Commissioner. A glossary of terms is available in Appendix 1.

The School, as the data controller, is responsible for ensuring compliance with data protection principles under the Data Protection Act (DPA) and must demonstrate this compliance. In collaborative arrangements, data controller responsibilities may be shared as per the agreement. Direct any queries to the Director of Technology. 

When the School engages third parties (Data Processors) requiring access to personal data, such as IT suppliers or specialist service providers, a written agreement must be established. This agreement ensures the processor complies with data protection legislation. Document these agreements in the School or Department's Information Asset Register and have them reviewed by the Data Protection Officer (DPO).

All staff must process personal data, including special category and criminal record data, in line with the data protection principles outlined in Article 5 of the UK GDPR. This includes:

• Ensuring data is processed lawfully, fairly, and transparently.
• Collecting data for specified, legitimate purposes and not processing it further in ways incompatible with these purposes. Further processing for archiving, research, or statistical purposes is permissible.
• Ensuring data is adequate, relevant, and limited to what is necessary for its intended purpose.
• Keeping data accurate and up to date, and rectifying or erasing inaccuracies promptly.
• Storing data in a form that allows identification of individuals only as long as necessary, or for longer periods if for public interest, research, or statistical purposes, with appropriate safeguards.
• Protecting data with adequate security measures against unauthorised processing, accidental loss, destruction, or damage.

Refer to staff central pages or the relevant Privacy Notice for details on data retention schedules.

The School, as a data controller, must implement appropriate technical and organisational measures to uphold data protection principles, including:

• Adopting and enforcing data protection policies.
• Embedding data protection by design and by default.
• Establishing data sharing agreements with third parties as needed.
• Maintaining comprehensive documentation of processing activities.
• Recording and reporting personal data breaches to the Information Commissioner’s Office (ICO) as required.
• Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
• Fostering a culture that prioritises privacy.
• Ensuring staff receive data protection training and understand their responsibilities.

The Data Governance Group, led by the Director of Technology, will oversee compliance, which will also be subject to Internal Audit.

Each department or school must maintain a record of all personal data assets. While all staff are responsible for documenting the data they process, the Data/Asset Owner and Data Steward are primarily responsible for keeping this record current. The Director or President oversees data processing within their department or school. The Director of Technology will manage the systems for this record-keeping.

The School must establish a lawful basis for processing personal data. The possible bases are:

• Contract: Processing is required to fulfil a contract or to take steps before entering one.
• Legal Obligation: Processing is necessary to comply with legal requirements.
• Vital Interests: Processing is essential to protect someone's life.
• Public Task: Processing is required to perform a public task or official function with a legal basis.
• Legitimate Interests: Processing is necessary for legitimate interests unless these are overridden by the need to protect the individual's data. This does not apply to public tasks.
• Consent: Processing is based on explicit consent given by the individual for a specific purpose.

The lawful basis for processing must be determined before handling data and will be documented in Privacy Notices and Information Asset Registers.

For special category data and criminal records data, which involve higher risks, additional protections are required. Processing of this data must comply with Articles 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018. Relevant policies must be in place, and a Data Protection Impact Assessment (DPIA) must be completed and authorised by the Data Protection Officer. Research involving such data must include data protection safeguards in the ethics application process.

All staff, students, and users have the following rights concerning their personal data:

• Information: Be informed about how their data is collected and used.
• Access: Obtain a copy of their data upon request (subject access request).
• Rectification: Request corrections to inaccurate or incomplete data.
• Erasure: Demand deletion or cessation of data processing if it is no longer needed.
• Objection: Object to processing, particularly if based on legitimate interests or for direct marketing.
• Restriction: Request a temporary halt on processing if data is inaccurate or if there is a dispute regarding processing grounds.
• Portability: Where processing is based on consent or contract, request data portability.
• Automated Decisions: Have rights concerning automated decision-making and profiling.

Any requests or queries about data processing or access should be directed to the Data Compliance Team at dataprotection@theschool.ac.uk. Not all rights apply in every situation.

If a data subject is dissatisfied with how their personal data is processed or has questions or concerns, they should first contact dataprotection@theschool.ac.uk. If the issue remains unresolved, they have the right to escalate their complaint to the Information Commissioner’s Office (ICO).

The Executive Committee (EC), through the Director of Technology, must:

1. Ensure that the purposes and methods of personal data processing, where the School is the data controller, comply with relevant legislation.
2. Oversee the implementation and adherence to this policy in line with the School's management structure.

The Senior Information Risk Owner (SIRO), a member of the Executive Committee (Director of Technology), oversees the organisation's information and data governance. They ensure that information assets and risks are managed effectively and escalated to the Executive Committee when necessary.

The SIRO represents information governance within the organisation, promoting a culture of effective information use and protection. 

• The President and directors must ensure that staff in their areas are informed about this policy and their data protection responsibilities, including completing mandatory training.
• They should foster and promote a culture of data protection compliance within their departments.
• They are accountable for the data processed in their areas and must collaborate with Data/Asset Owners to identify, document, and manage data risks.

• All staff and third parties processing personal data on behalf of the School must comply with this policy and all related data protection, information security, and information management regulations, policies, processes, and procedures.
• Staff should understand their responsibilities, follow guidance, undertake necessary training relevant to their role, and seek advice as needed.
• Academic staff must handle personal data related to student work in line with this policy.
• All staff must report any personal data breaches immediately using the designated breach reporting process.
• Staff are responsible for ensuring their personal data provided to the School is accurate and up-to-date. They must inform the School of any changes or correct inaccuracies. The School is not liable for inaccuracies if the staff member has not provided correct information previously.

• Students must ensure that any personal information they provide to the School is accurate and up-to-date. They should promptly inform the School of any changes or correct inaccuracies.
• The School is not responsible for inaccuracies in student data if the student has not previously provided correct information.
• Students can usually update their records via the AGS (Academic Management System).
• Students processing personal data as part of their studies or employment with the School must follow the School's Data Protection Policy, relevant guidelines, and attend required training.
• Unless otherwise specified by a project’s funding or documentation, the School is the Data Controller for data processed by students in their studies. This includes data from various sources such as photographs, recordings, forms, surveys, and hosted websites. Students should consult with academic supervisors or the DevOps Team to ensure compliance.
• If students process data on behalf of another organisation, such as during a placement, they must adhere to that organisation’s Data Protection policies and provisions.

The School has appointed a Data Protection Officer (DPO) to ensure compliance with data protection legislation. The DPO, who is the Director of Technology, will:

• Enable compliance with data protection laws.
• Provide advice, assistance, and recommendations on data protection risks.
• Support and promote a data protection culture within the School.
• Assist in implementing key aspects of data protection legislation, including data processing principles, data subjects’ rights, data protection by design and by default, records of processing activities, and the security of processing. The DPO will also manage the notification and communication of data breaches.
• Act as the School's primary contact with the Information Commissioner’s Office.

The DPO does not set the purposes or means of personal data processing.

Data protection by design and by default must be applied at all times. This requires:

• Implementing appropriate technical and organisational measures to uphold data protection principles and protect individual rights.
• Ensuring that data protection and privacy are considered by default and incorporated into the design and implementation of systems, services, products, and School practices from the outset and throughout their lifecycle.

The School will:

• Conduct a Data Protection Impact Assessment (DPIA) for high-risk activities. A DPIA must:
  • Describe the nature, scope, context, and purposes of data processing.
  • Identify and assess risks to individuals’ rights and freedoms.
  • Outline additional measures to mitigate these risks.
• Use the School's DPIA template to determine if a DPIA is necessary.
• Consult the data compliance team early in the planning phase to address risks and ensure compliance.
• Obtain Data Protection Officer (DPO) sign-off for DPIAs and involve relevant stakeholders as needed.
• For research projects involving personal or special category data, seek approval from the Data Protection Officer (DPO) and Research Ethics Committee, which includes assessing data protection risks.

The Data Protection Officer (DPO) will review this policy annually, or sooner if there is a significant change in legislation, strategy, or organisational structure.

Major changes to the policy must be approved by the Executive Committee.

The School shall:

• Ensure a Clear Basis for Sharing Data: Confirm that there is a clear, objective, and lawful reason for sharing personal data.
• Verify Necessity: Ensure that sharing personal data is necessary to achieve the identified purpose(s). Use anonymised or pseudonymised data when identification is not required.
• Share Minimal Data: Only share the minimum amount of personal data needed to fulfil the objective(s).
• Provide Privacy Notices: Inform data subjects about who their data is shared with through privacy notices. Obtain consent if data subjects have the option to choose.
• Establish Agreements: Create Data Sharing Agreements or Contracts with third parties where systematic data sharing is involved.
• Handle Police Requests Properly: Direct all Police enquiries or requests for disclosure to the DevOps Team. If there is any doubt about the validity of the request or enquirer, do not disclose any information and refer the request to the DevOps Team.
• Maintain Records: Keep a record of all non-routine disclosures.

In some cases, the School may be asked to provide notices e.g. from the Higher Education Statistics Agency (HESA) on Collection notices, HESA Student Collection Notices, and HESA Staff Collection Notices.  

Personal data must be stored and shared securely within network conditions, with additional measures applied for special category data where necessary. Data Owners are responsible for ensuring that staff with permissions to access and edit data are trained appropriately on the relevant systems. It is crucial that staff use only School-approved tools for processing personal data, as these tools have been technically assessed and include the correct contractual terms. If there is any uncertainty about a tool's approval status, staff should consult servicedesk@lsi.ac.uk.

In general, freely available tools that do not have contractual agreements are unlikely to be approved or compliant and should not be used. This includes tools such as DropBox, Eventbrite, Mailchimp, and Zoom. The Director of Technology will oversee the systems to ensure compliance with these requirements.

Under Data Protection legislation, transferring personal data outside the UK is generally restricted unless specific conditions or safeguards are met. This ensures that data subjects receive an equivalent level of protection and that their rights are not compromised.

Data may be transferred if:

• It is shared with the EU/EEA, which the UK government considers to have 'adequacy'.
• It is shared with third countries deemed to have adequacy by the EU.
• It involves the use of EU Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), or other derogations as safeguards for international data sharing.

Colleagues must consult the Data Protection Officer (DPO) to determine the most suitable safeguard. The chosen safeguard must be documented in contracts and/or data sharing agreements (DSA) and recorded in the School or Department’s Information Asset Register. Additionally, data subjects must be informed as per the transparency principle.

For non-UK data transfers, a Data Protection Impact Assessment (DPIA) may be required, as such transfers are considered high risk.

Training is essential to meet Data Protection legislation and the Accountability principle. The School must not only establish appropriate policies and procedures but also demonstrate their implementation and provide comprehensive training at all levels.

Training must:

• Ensure that staff have the skills and knowledge to protect personal data effectively.
• Address data protection risks and reinforce data security.
• Promote a culture of good data protection and information security.
• Include mandatory reading and understanding of relevant policies by all staff.

The Director of Technology will oversee the implementation and effectiveness of these training systems.

The School utilises the Automated Governance System (AGS) to support its strategy of innovation. The AGS facilitates various functions, including:

• Accepting and processing admissions, creating secure student records, including Learning Support Plans.
• Managing programme and module approvals and modifications to ensure a high-quality academic experience.
• Coordinating monitoring and evaluation by collecting metrics for strategy and operations oversight.
• Initiating and processing assessments and standards, including handling extenuating circumstances, marking, scrutiny, examination boards, and conferment.
• Managing misconduct and exclusion processes.
• Ensuring accurate information for consumer protection.
• Supporting student well-being and support.
• Ensuring good governance and compliance.
• Measuring performance effectively.

The AGS operates in line with the School’s regulations and policies, including the IT Regulations, Data Protection Policy, and AI Policy. It supports the School’s mission efficiently while adhering to additional requirements such as the Sustainability & Environmental Policy outlined in the Vision and Values Statement.

The Automated Governance System (AGS) supports the governance of the School by integrating and streamlining processes for Boards, Departments, and Committees. Each entity has a defined role in ensuring the effective operation of the School, as outlined in the School’s regulations and policies. The School acknowledges that a reliable and efficient online system is essential for robust governance.

The Automated Governance System (AGS) is vital for the School to fulfil its data protection obligations. The AGS integrates workflows to ensure data is processed and stored in line with the Data Protection Policy. This includes processing data lawfully, fairly, and transparently, and collecting it for legitimate purposes. The AGS supports secure recording for accountability, asset registers, and effective data stewardship. It ensures data is processed for lawful reasons, such as fulfilling contractual obligations, and upholds the rights of data subjects, including their right to access and obtain copies of their data. The Director of Technology, a member of the Executive Committee and the Senior Information Risk Owner (SIRO), oversees the AGS.

All members of the School are responsible for complying with the Data Protection Act (DPA). Any negligent or intentional breach of the data protection policy by employees or students may lead to disciplinary action following a proper investigation. If a supplier fails to adhere to the policy or related data protection conditions, it may result in termination of the contract and/or claims for compensation. Any questions or concerns regarding the policy's interpretation or implementation should be directed to the Director of Technology. 

The School must promptly identify and report personal data breaches to the Data Compliance team. This includes all breaches, whether accidental, suspected, or confirmed. Breaches must be reported to the Information Commissioner's Office (ICO) within 72 hours if they meet the criteria for ‘reportable breaches’. The Data Compliance team will assess the risk, advise on containment and mitigation, and determine whether the breach needs to be reported to the ICO or affected data subjects. We must also keep records of all breaches.

Staff must seek guidance from the Director of Technology for advice on data protection matters, including processing special category and criminal convictions data, handling data rights requests, and reporting data breaches. If there is any uncertainty about how to handle data protection issues, staff must seek guidance from the Director of Technology.

The following definitions clarify key data protection terms within the context of the School:

• Data: Information processed automatically, recorded with the intention of being part of a relevant filing system, or recorded as part of such a system.

• Data Breach: A breach of security leading to the destruction, loss, alteration, unauthorised disclosure, or access to personal data.

• Data Controller: The individual or entity that determines the purposes and means of processing personal data. For the School, this is the institution itself.

• Data Processor: An individual or entity that processes personal data on behalf of the Data Controller, following their instructions. Data Processors have specific obligations under legislation.

• Data Protection Act 2018 (DPA): The UK legislation that sets the data protection framework, working alongside the UK GDPR.

• Data Protection Impact Assessment (DPIA): An assessment conducted by the Data Controller to evaluate the impact of proposed data processing on personal data protection.

• Data Protection Officer (DPO): An individual appointed under the DPA to oversee compliance, provide advice, and liaise with the supervisory authority. Contact the DPO at dataprotection@theSchool.ac.uk.

• Data Subject: An identifiable natural person, directly or indirectly identifiable by identifiers such as a name, identification number, or online identifier. This includes staff, students, visitors, research participants, mailing list subscribers, and applicants.

• Data Subject Access Request (DSAR): A request made by or on behalf of a Data Subject to access their personal data as granted under data protection legislation.

• General Data Protection Regulation 2018 (GDPR): Applies to organisations within the EU and those outside the EU that offer goods or services to EU individuals. From 1 January 2021, this is mirrored in the UK by the UK GDPR, alongside the DPA 2018.

• Inaccurate Data: Data that is incorrect or misleading as to a matter of fact.

• Notification: The entry on the public register maintained by the Information Commissioner’s Office detailing the types and range of information processed by the School. The School’s registration number is Z5395727.

• Personal Data: Any information relating to an identified or identifiable natural person, including identifiers such as names, contact details, or identification numbers. Personal data can be in various formats, including paper, electronic, emails, photos, or videos.

• Privacy Notice: A statement provided to data subjects explaining who the Data Controller is, how their information will be used, to whom it may be disclosed, and other necessary information to ensure fair processing, as outlined in Articles 13 and 14 of the UK GDPR.

• Processing: Any operation performed on personal data, including obtaining, recording, holding, organising, adapting, altering, disclosing, or deleting data.

• Protective Measures: Appropriate technical and organisational measures to safeguard personal data, such as pseudonymisation, encryption, ensuring system resilience, and regularly evaluating these measures.

• Special Category Data: Data related to:

  • Racial or ethnic origin
  • Political beliefs
  • Religious or similar beliefs
  • Trade union membership
  • Genetics
  • Biometrics (used for identification)
  • Physical or mental health or condition
  • Sex life or sexual orientation

  Note: Data protection rules for sensitive (special category) data do not apply to criminal allegations, proceedings, or convictions. Separate safeguards are outlined in Article 10.

For further details on key definitions, visit the ICO's guide: ICO Key Definitions

When using social media, do not publish colleagues' or students' personal information. Ensure that all processing aligns with the Data Protection Policy and the Data Protection Act 2018.

All uploads, storage, and communications must be lawful and fair. Before using a social media account, inform all parties about the type of information being shared, its purpose, and who will have access to it. Familiarise yourself with privacy settings and adjust them according to the content and intended audience. Obtain and document appropriate informed consent.

Ensure that passwords and access controls for School social media accounts are strong and secure. Avoid using the same password for School systems and social media sites. Change passwords regularly and never share them. Devices with stored social media login details should lock or log out automatically. If a device with login details is lost or stolen, change the passwords for all affected accounts and inform other account managers.

Be cautious with social media postings to avoid revealing personal information such as your location or contact details. Only accept invitations from known contacts and verify identities if unsure. Avoid clicking on unsolicited links to prevent installing malicious software.

Be aware that social media applications may share your profile data with third parties. Review privacy settings regularly. Adhere to the IT Regulations, including the Social Media Policy and Social Media Guidelines.

The School operates a CCTV monitoring system to detect and deter crime and assist the Police and civil authorities during major emergencies. This system will be managed to respect individuals’ privacy rights.

All CCTV footage is owned by the School, which holds the copyright. Cameras will be placed in public view with clear signage indicating their presence and purpose. Recorded footage will be retained according to the School's Records Retention Schedules. After the retention period, if the footage is not needed for evidence, it will be recycled. If the footage is required for legal proceedings, it will be kept for the duration necessary for the case.