The University of Warwick is committed to protecting the privacy rights of individuals who entrust the University with their personal data. The Data Protection Policy outlines the University’s commitment to transparency, accountability, promoting good information governance, and compliance with both the GDPR and the Data Protection Act 2018.
The University is regulated by the Information Commissioner's Office (ICO) and has the registration number Z5856740 on the ICO's public register.
Data Protection Principles
The University strives to comply with the data protection principles. The principles are that personal data shall be:
- processed lawfully, fairly and in a transparent manner (the lawfulness, fairness and transparency principle);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the purpose limitation principle);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the data minimisation principle);
- accurate and, where necessary, kept up to date (the accuracy principle);
- kept in an identifiable format for no longer than is necessary (the storage limitation principle); and
- processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical and organisational measures (the integrity and confidentiality principle).
The University is responsible for, and must be able to demonstrate, compliance with these principles. The University is proactive in its approach to data protection and has in place a number of appropriate technical and organisational measures. The University recognises that data protection is an ongoing obligation which must be regularly reviewed.
The measures put in place by the University include:
- appointing a Data Protection Officer;
- implementing policies, procedures, processes and training to promote and embed data protection by design and default;
- conducting Legitimate Interests Assessments;
- conducting Data Protection Impact Assessments on processing activities;
- engaging with suppliers to complete an Information Security Workbook when work they are conducting on behalf of the University involves the processing of personal data;
- implementing appropriate privacy provisions in written agreements when sharing personal data or engaging a data processor to conduct work on the University’s behalf;
- maintaining a record of processing activities; and
- applying pseudonymisation techniques.
Lawful bases for processing personal data
Any processing of personal data must be carried out on one of the following bases:
- Consent: The data subject has given consent to the processing for one or more specific purposes.
- Necessary for the performance of a contract: The processing is necessary for the performance of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation: The processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Vital interests: The processing is necessary in order to protect the vital interests of the data subject or of another natural person e.g. medical emergencies.
- Necessary for the performance of a public task or in the exercise of the data controller's official authority: The processing is necessary for the performance of a public function prescribed by law.
- Necessary for the purposes of the legitimate interests pursued by the controller or a third party: The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Data controllers should undertake a legitimate interests assessment which involves a careful assessment of the underlying processing to ensure it properly balances the interest of the data controller against any potential intrusion to the data subject's privacy. In particular, consideration should be given to whether the individual would reasonably expect that processing for that purpose would take place. The University can only rely on this basis when performing non-public tasks.
Special categories of personal data
The processing of special category data is subject to greater controls and includes personal data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (for the purpose of uniquely identifying a natural person);
- data concerning health; or
- data concerning a natural person's sex life or sexual orientation.
Greater controls also exist in relation to the processing of personal data concerning criminal convictions. Special categories of personal data may only be processed where one of the following conditions applies:
- Explicit consent: The data subject has given explicit consent.
- Obligations and rights relating to employment: The processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or the data subject in the field of employment, social security or social protection law or a collective agreement.
- Vital interests: The processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent.
- Legitimate activities of certain non-profit bodies: The processing is carried out in the course of the legitimate activities of certain non-profit bodies, only relates to members or related persons of that body and the personal data is not disclosed outside that body without consent.
- Public information: The processing relates to personal data which is manifestly made public by the data subject.
- Legal claims: The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
- Substantial public interest: The processing is necessary for reasons of substantial public interest, on the basis of law, and is proportionate to the aim pursued, respects the essence of the right to data protection, and provides suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
- Healthcare: The processing is necessary for the purposes of preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care, or the treatment or management of health or social care systems, subject to suitable safeguards.
- Public health: The processing is necessary for public health purposes and is based on law.
- Archiving: The processing is necessary for archiving, scientific or historical research purposes, or statistical purposes and is based on law.
Data Protection Officer
dpo@warwick.ac.uk
The University of Warwick
Coventry CV4 8UW