Policy Introduction and Purpose

This Policy sets out how the University will process the personal data of its data subjects including staff, students, research participants, suppliers, visitors and other third parties.

Effective Information Management has a crucial role to play in ensuring that the University maintains the trust and confidence of the individuals about whom the University processes personal data (including its own staff), complying with the University’s legal obligations and protecting the University’s reputation. This policy therefore sets out what the University expects from staff in this regard.

Failure to comply with this policy (and therefore legislation) may have severe consequences for the University, including potential fines of up to €20million or 4% of the University’s total worldwide annual turnover, whichever is higher.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/ self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”. It also applies to anyone who processes personal data on behalf of the University as a Data Processor as defined by the GDPR.

Compliance with this policy and the related policies and procedures set out in Schedule 1 is mandatory. Any breach of this policy and any related policies and procedures may result in disciplinary action.

All staff, across all departments of the University must read, understand and comply with this Policy when processing personal data when performing their tasks. They must observe and comply with all controls, practices, protocols and training to ensure such compliance.

A glossary of the terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management. This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Policy responsibilities:

Chief Information & Transformation Officer (CITO) Organisation: responsible for environment scanning and ensuring that the University has a robust policy framework to ensure compliance with legislation, and legislative requirements in territories within which the University may be processing personal data.

The Data Protection Officer (DPO): responsible for informing and advising the University (where it acts as a controller or processor of personal data) of its data protection obligations under the law and to monitor University compliance with the law and with this and any related policies.

The University will identify Information Asset Owners (IAO) for data protection responsibility. These will be individuals in the University who hold the responsibility for ensuring that data in their particular area is processed and shared in line with this Information Management Policy Framework.

Operational Responsibilities

Principles of the Policy

The General Data Protection Regulation 2016/679 (‘GDPR’) is based on a set of core principles that the University and its staff must observe and comply with at all times from the moment that personal data is collected until the moment that the personal data is archived, deleted or destroyed.

The University and its staff must comply with the data protection principles by ensuring that data is:

• Processed lawfully, fairly and in a transparent manner

• Collected only for specified, explicit and legitimate purposes

• Adequate, relevant and limited to what is necessary in relation to the purposes for which it is to be processed

• Accurate and where necessary kept up to date

• Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed

• Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Additionally, the University and its staff must ensure that:

• Personal data is not transferred or exposed outside of the EEA (which includes the use of any website or application that is hosted on servers located outside of EEA) to another country without appropriate safeguards being in place.

• It allows data subjects to exercise their rights in relation to their personal data.

The University and its staff are responsible for, and must be able to demonstrate compliance with, all the above principles.

Lawfulness, fairness and transparency

Lawfulness and fairness

In order to collect and process personal data for any specific purpose, the University and its staff must always have a lawful basis for doing so. Without a lawful basis for processing, such processing will be unlawful and unfair and may also have an adverse impact on the affected data subjects.

There are several ways in which personal data can be potentially lawfully processed. They are where:

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

• processing is necessary for compliance with a legal obligation to which the University is subject;

• processing is necessary in order to protect the vital interests of the data subject or of another natural person;

• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University;

• processing is necessary for the purposes of the legitimate interests pursued by the University or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The University is prohibited from processing special category data (as defined by the GDPR) unless, in addition, to one of the grounds above a second ground applies. These grounds set out in the GDPR (as supplemented by the Data Protection Act 2018) are where:

• the data subject has given explicit consent to the processing of their personal data;

• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the University or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by UK law;

• processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

• processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

• processing relates to personal data which are manifestly made public by the data subject;

• processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

• processing is necessary for reasons of substantial public interest, with a basis in UK law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

• processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services with a basis in UK law or pursuant to contract with a health professional and subject to conditions and safeguards;

• processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, with a basis in UK law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

• processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) [of the GDPR] with a basis in UK law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Where the University processes personal data relating to criminal convictions and offences or related security measures it must do so in accordance with the law and provide appropriate safeguards for the rights and freedoms of data subjects.

Schedule 1 of the Data Protection Act 2018 provides further information as to when special category and criminal convictions and offence data can be lawfully processed. It also places an obligation on the University to have in place a document that:

1. explains the University’s procedures for securing compliance with the data protection principles set out above in connection with the processing of special category/ criminal offence data in reliance on the condition in question, and

2. explains the University’s policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.

The University holds a Record of Processing Activities. Where it relies on one of the grounds set out in schedule 1 to justify processing personal data it must record:

1. which condition is relied upon

2. how the processing satisfies Article 6 of the GDPR (lawfulness of processing), and

3. whether the personal data is retained and erased in accordance with the document referred to above and, if it is not, the reasons for not following the document.

In terms of fairness personal data should be used in a way reasonably expected by the data subject – they should not be surprised to learn that their personal data has been collected, consulted, used or otherwise processed by the University.

The Information Asset Owner (IAO) must identify and document the lawful basis relied upon by it in relation to the processing of personal data for each specific purpose or group of related purposes.

The lawful basis relied upon must be identified before any processing takes place.

The GDPR defines Consent of a data subject as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them”

There is no hierarchy of lawful bases I.e. one that should be used in preference over another. Always use the most appropriate basis.

Consent may not be the most appropriate lawful basis, depending on the circumstances.

Where consent is the basis for processing a data subject must be able to withdraw their consent as easily

as they gave it.

Once consent has been given, it will need to be updated where the University wishes to process the personal data for a new purpose that is not compatible with the original purpose for which they were collected.

If the University is unable to demonstrate that it has obtained consent in accordance with the above requirements, it will not be able to rely upon such consent.

Transparency

The concept of transparency runs throughout the GDPR and requires the University to ensure that any information provided by the University to data subjects about how their personal data will be processed is concise, easily accessible, easy to understand and written in plain language. Where the University has not been transparent about how it processes personal data, this will call the lawfulness and fairness of the processing into question.

All privacy notices and fair processing notices should be reviewed by Legal and Compliance Services (GDPR@warwick.ac.uk)

Purpose limitation

The University must only collect and process personal data for specified, explicit and legitimate purposes that have been communicated to data subjects before the personal data has been collected and should correspond with the appropriate lawful basis the University is seeking to rely on.

The University and its staff must ensure that it does not process any personal data obtained for one or more specific purposes for a new purpose that is not compatible with the original purpose. Where the University intends to do so, it must inform the data subjects before using their personal data for the new purpose and, where the lawful basis relied upon for the original purpose was consent, obtain such consent again.

There are certain exceptional circumstances under which the data may be repurposed. Please obtain advice from the DPO/team.

Data minimisation

The personal data that the University collects and processes must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is to be processed.

Accuracy

The personal data that the University and its staff collects, and processes must be accurate and, where necessary, kept up –to date and must be corrected or deleted without delay when the University discovers, or is notified, that the data are inaccurate.

Staff must ensure that staff update all relevant records if staff become aware that any personal data are inaccurate. Where appropriate, any inaccurate or out-of-date records should be deleted or destroyed.

Storage limitation

The personal data that the University collects and processes must not be kept in a form that identifies a data subject for longer than is necessary in relation to the purposes for which it was collected (except in order to comply with any legal, accounting or reporting requirements).

Storing personal data for longer than necessary may increase the likelihood and severity of a data breach and may also lead to increased costs associated with such storage.

The University will maintain policies and procedures to ensure that personal data are deleted, destroyed or anonymised after a reasonable period of time following expiry of the purposes for which they were collected. Please see IG03 Information & Records Management Policy for more information.

All privacy notices and fair processing notices must inform data subjects of the period for which their personal data will be stored or how such period will be determined.

Staff must observe and comply with the University’s Information & Records Management policy.

Security, integrity and confidentiality

The personal data that the University and its staff collects and processes must be secured by appropriate technical and organisational measures against accidental loss, destruction or damage, and against unauthorised or unlawful processing.

Staff are responsible for ensuring the security of the personal data processed by staff in the performance of staff duties and tasks. Staff must ensure that staff follow all procedures that the University has put in place to maintain the security of personal data from collection to destruction.

Staff must ensure that the confidentiality, integrity and availability of personal data are maintained at all times:

• Confidentiality: means that only people who need to know and are authorised to process any personal data can access it

• Integrity: means that personal data must be accurate and suitable for the intended purposes

• Availability: means that those who need to access the personal data for authorised purposes are able to do so

Staff must ensure that they observe and comply with our Information Management Framework at all times.

Staff must not attempt to circumvent any administrative, physical or technical measures the University has implemented as doing so may result in disciplinary action and in certain circumstances, may constitute a criminal offence.

Reporting personal data breaches

In certain circumstances, the GDPR will require the University to notify the Information Commissioners Office (ICO), and potentially data subjects, of any personal data breach.

The University will notify the ICO and/or data subjects where the University is legally required to do so should a breach occur.

If staff know or suspect that a personal data breach has occurred, staff must immediately to report it and take all appropriate steps to preserve evidence relating to the breach. If necessary staff should obtain data protection advice from the DPO. 

Staff must observe and comply with the University’s personal data breach procedure. The Data Protection Officer maintains the University’s data breach log including actual, suspected or near misses.

Sharing personal data

Staff are not permitted to share personal data with third parties unless there is a lawful basis to do so and any processing is in accordance with the relevant data protection principles such as data minimisation. Usually the sharing will have been communicated to the data subject in a privacy notice or fair processing notice beforehand. Consideration should be given to the drafting of a data sharing agreement. In ‘joint controller’ sharing situations there must be an agreement.

Where a third party is processing the personal data on our behalf, the University must undertake appropriate due diligence on them and enter into an agreement with the processor that complies with the GDPR’s requirements for such agreements (“data processing agreements”). The Data Protection Officer can offer advice in relation to these agreements.

The transfer of any personal data to an unauthorised third party would constitute a breach of the Lawfulness, fairness and transparency principle and, where caused by a security breach, may constitute a personal data breach. Do not share any personal data with third parties, including the use of freely available online and cloud services for work-related purposes, unless staff are certain it is appropriate and legal to do so.

Staff should seek advice from Legal and Compliance Services if they are unsure (GDPR@warwick.ac.uk).

Transfers outside of the European Economic Area (EEA)

The GDPR prohibits the transfer of personal data outside of the EEA in most circumstances in order to ensure that personal data are not transferred to a country that does not provide the same level of protection for the rights of data subjects as countries within the EEA do.

In this context, a “transfer” of personal data includes transmitting, sending, viewing or accessing personal data in or to a different country.

The University and its staff may only transfer personal data outside of the EEA in a number of certain situations.

Staff must ensure that staff do not transfer any personal data outside of the EEA unless the University has agreed to this in advance.

Staff should seek advice from Legal and Compliance Services if they are unsure (GDPR@warwick.ac.uk).

Data Subject Rights Requests

The GDPR provides data subjects with a number of rights in relation to their personal data.

Staff must immediately forward any request made by a data subject (even if staff are uncertain whether it represents a request) to infocompliance@warwick.ac.uk.

The University will only have one month to respond in most circumstances.

All staff must observe and comply with the University’s data subject access request procedureLink opens in a new window

Research exemptions

Some of the rules outlined above do not apply when personal data is being used for research purposes due to an exemption contained in the GDPR and Data Protection Act (DPA) 2018.

If staff are unsure if an exemption will be valid staff must, before starting the processing activity, seek clarity from Legal and Compliance Services (GDPR@warwick.ac.uk).

Accountability and record-keeping

The University is responsible for and must be able to demonstrate compliance with the data protection principles and the University’s other obligations under the GDPR. This is known as the ‘accountability principle’.

The University must keep full and accurate records of all its processing activities in accordance with the GDPR’s requirements.

Information Asset owners (IAO) must review annually all the systems and processes under their control to ensure that they are adequate and effective for the purposes of facilitating compliance with the University’s obligations under this policy.

All staff must ensure that they have undertaken the necessary training provided by the University and, where they are responsible for other members of staff, that they have done so.

All staff must ensure that they observe and comply with all policies and guidance which form the University’s Information Governance Framework.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA), is a process to help identify and minimise the data protection risks involved in projects, processes and activities involving the processing of personal data. DPIA’s are required for processing likely to result in high risk to the individuals and their personal data, and where new technologies are involved. In practice, the University requires the DPIA for any projects or processes involving the use of personal data, including new systems, solutions and some research studies.

A DPIA must:

• describe the nature, scope, context and purposes of the processing

• assess necessity, proportionality and compliance measures

• identify and assess risks to individuals

• identify any additional measures to mitigate those risks.

DPIAs need to be assessed and signed off by the CITO Organisation. Before signing off the advice of the DPO must be sought.

The University’s Data Protection Impact Assessment Policy (IG06) provides full details and a template for conducting a DPIA.

Direct marketing

In addition to the University’s obligations under the GDPR and Data Protection Act 2018, the University is also subject to more specific rules in relation to direct marketing by email, fax, SMS or telephone.

The University must ensure that it has appropriate consent from individuals to send them direct marketing communications, and that when a data subject exercises their right to object to direct marketing it honours such requests promptly.

Staff must ensure that staff understand the University’s legal obligations in relation to direct marketing before embarking upon any direct marketing campaign. If unsure, please seek advice Legal and Compliance Services (GDPR@warwick.ac.uk).

Cookies and similar technologies

The University hosts a number of websites. It makes use of ‘cookies’ and other tracking technologies. A cookie is a small text file that is downloaded onto ‘terminal equipment’ (eg a computer or smartphone) when the user accesses one of our websites. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions. Staff involved in website development must ensure that the University:

• tells people the cookies (or other ‘trackers’) are there

• explain what the cookies or trackers are doing and why; and

• get the person’s consent to store a cookie on their device/ use the tracking technology.

If unsure, please seek advice from Legal and Compliance Services if they are unsure (GDPR@warwick.ac.uk).

Further advice regarding this Policy

The Chief Information & Transformation Officer (CITO) and Data Protection Officer (DPO), or other relevant local contacts, can be contacted for general advice.

Exemptions

Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Breach Reporting (including any reportable breaches to the ICO)

• Data Subject Requests

• Granting of Research exemptions

• Transfers of data outside of the EEA

• Compliance with Direct Marketing standards (through randomised auditing)

Compliance performance will be reported monthly to the University Information Management Committee.

A failure to comply with this policy will be deemed to be a disciplinary offence, and will be subject to the University Information Management Executive Committee escalation process (see link above) and may lead to proceedings being taken through the University Disciplinary Process.

Schedule 1 – Related Policies

This Policy forms part of a broader Information Governance Framework with other policies, guidance and procedures listed here. Compliance with these is mandatory. A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.

Further information on data protection policy, procedures and issues, including specific practical guidance on issues of particular relevance to University staff, can be found on University’s website.