POLICY: School Governance and Management - Data Protection Policy
POLICY URL: https://lsi-ac.uk/policy/3721d42b-1889-4707-b205-7bd2b24b53d8

POLICY STATEMENT:
The School is committed to protecting personal data and ensuring its lawful handling. Our Data Protection Policy establishes a rigorous framework aligned with the UK Data Protection Act 2018 and GDPR. We uphold fairness, transparency, and confidentiality in all data processing activities, applying these principles to safeguard the privacy of students, staff, and third parties.

POLICY PRINCIPLES:
------------------
- Lawfulness: Processing personal data lawfully, fairly, and transparently;
- Purpose Limitation: Collecting data for specified, explicit, and legitimate purposes;
- Data Minimisation: Limiting personal data collection to what is necessary;
- Accuracy: Keeping accurate data and taking steps to erase or rectify inaccuracies;
- Storage Limitation: Retaining personal data only as long as necessary for its intended purposes;
- Integrity and Confidentiality: Ensuring data is secure and protected against unauthorised or unlawful processing;
- Accountability: Demonstrating compliance with data protection principles;
- Consent: Obtaining clear consent for processing personal data when required;
- Rights: Respecting and facilitating the exercise of individuals' rights regarding their personal data;
- Transparency: Being transparent about data management and processing activities;
- Training: Providing adequate training for staff involved in handling personal data;
- Review: Regularly reviewing and updating data protection measures and practices.

REGULATORY CONTEXT:
------------------
This Policy has been developed in line with the applicable laws, regulations, regulatory advice, and sector best practices, including the following:

R1. Competition and Markets Authority (CMA): Higher education: consumer law advice for providers - Advice to help higher education providers understand their responsibilities under consumer protection law, especially regarding undergraduate students.
R2. Office for Students (OfS): Regulatory framework for higher education in England - This framework outlines the OfS's primary aim to ensure positive outcomes for students, including access, success, and progress in higher education. It covers quality of academic experience, progress into employment, and value for money.
R3. UK Government: Consumer Rights Act 2015 - A UK law that consolidates consumer rights, covering contracts for goods, services, and digital content, and providing remedies for faulty goods and services.
R4. Information Commissioner's Office (ICO): Guide for higher education institutions - Provides guidance for higher education providers on their obligations under data protection law.
R5. UK Government: Data Protection Act 2018 - Legislation aimed at controlling the processing of personal data, laying down principles with respect to the processing of personal data and the rights of data subjects.
R6. Quality Assurance Agency (QAA): The Quality Code - This code represents a shared understanding of quality practice across the UK higher education sector, protecting public and student interests and championing the UK's reputation for quality.

METRICS AND KPIS:
------------------
The following metrics will be measured and regularly reviewed as key performance indicators for the School to ensure the effectiveness of this policy and associated operations:

M1. Data Breach Incidents: This metric quantifies the number and severity of data breach incidents occurring within the School. It captures details regarding the nature of breaches, data affected, response times, and the outcomes of any investigations or remedial actions. Tracking data breach incidents is critical for identifying security vulnerabilities and assessing the effectiveness of the School's response protocols. Analysing breach patterns aids in proactively strengthening data protection measures and reducing future risks.

M2. Data Protection Training Completion: This metric measures the percentage of staff and students who have successfully completed mandatory data protection training. It takes into account the regularity and completion rates of training sessions, as well as any refresher courses undertaken. A high completion rate indicates widespread awareness and understanding of the data protection policy across the School, while lower rates may suggest a need for improved communication or training provisions. Tracking this metric ensures that the School maintains a high level of data protection competence among its members, which is vital for the secure management of personal data. Such training minimises the risk of data breaches and ensures compliance with the Data Protection Act 2018.

M3. DPIA Completion Rates: The Data Protection Impact Assessment (DPIA) Completion Rates metric tracks the number of DPIAs conducted versus the number required for 'high risk' data processing activities. It reflects the School's commitment to identifying and mitigating risks at the outset of a project. Recording DPIA completion rates ensures that the School adheres to best practices for data protection by design. It demonstrates a proactive approach to privacy and compliance with regulatory expectations for risk assessment.

M4. Subject Access Requests Fulfilled: This metric records the number of data subject access requests received and successfully fulfilled within the statutory timeframe. It reflects the School's efficiency and transparency in providing individuals with access to their personal data, as per their rights under the DPA. By measuring the handling of subject access requests, the School can assess its capacity to respond to data subjects swiftly and correctly, thereby upholding individuals' rights and the transparent nature of data processing activities.

SECTION 1: Data Privacy and Security Commitment
------------------
1.1. Data Protection Compliance Rule (by CTO):
The School must process personal information to fulfil its teaching, operational, and statutory obligations, including reporting to the Office for Students (OfS) and the Higher Education Statistics Agency (HESA). This information includes data on applicants, students, employees, alumni, and other stakeholders. The School is committed to transparency and adhering to the Data Protection Act 2018 (DPA) to ensure data security and legal compliance. This policy aims to minimise risks such as breaches, reputational damage, financial penalties, and investigations by the Information Commissioner. A glossary of terms is available in Appendix 1.

This rule ensures the School meets its legal obligations under the DPA while maintaining transparency and security in data handling. By adhering to these standards, the School protects individuals' privacy, supports effective operations, and mitigates risks associated with data breaches.

SECTION 2: Data Controller
------------------
2.1. Data Controller Responsibilities and Contact Information (by CTO):
The School, as the data controller, is responsible for ensuring compliance with data protection principles under the Data Protection Act (DPA) and must demonstrate this compliance. In collaborative arrangements, data controller responsibilities may be shared as per the agreement. Direct any queries to the Director of Technology.

This rule ensures clarity on the School's role and responsibilities in data protection. It highlights the need for compliance and specifies how data controller duties are determined in partnerships. Providing contact details for queries facilitates easy access to necessary information.

Data Processing Notification:
The School maintains up-to-date notification of its data processing activities with the Information Commissioner's Office (ICO). The registration number is Z5395727. The School is registered as a Data Controller at:
- Institution Name: London School of Innovation (LSI)
- Registration Number: 11942630
- Address: 6 Sutton Park Road, Sutton, Greater London, United Kingdom, SM1 2GD
- Data Controller: London School of Innovation (LSI)
- Data Protection Officer (DPO): Director of Technology
- Contact Information:
  - Email: privacy@lsi.ac.uk
  - Phone: +44 (0)203 507 0033

SECTION 3: Data Processors
------------------
3.1. Data Processor Agreements and Compliance (by CTO):
When the School engages third parties (Data Processors) requiring access to personal data, such as IT suppliers or specialist service providers, a written agreement must be established. This agreement ensures the processor complies with data protection legislation. Document these agreements in the School or Department's Information Asset Register and have them reviewed by the Data Protection Officer (DPO).

This rule ensures that third parties handling personal data are legally compliant with data protection laws. It provides a systematic approach to documenting and verifying data processor agreements, thereby safeguarding personal data and ensuring compliance with legal requirements.

SECTION 4: Data Protection Principles
------------------
4.1. Data Processing Compliance (by CTO):
All staff must process personal data, including special category and criminal record data, in line with the data protection principles outlined in Article 5 of the UK GDPR. This includes:
- Ensuring data is processed lawfully, fairly, and transparently;
- Collecting data for specified, legitimate purposes and not processing it further in ways incompatible with these purposes. Further processing for archiving, research, or statistical purposes is permissible;
- Ensuring data is adequate, relevant, and limited to what is necessary for its intended purpose;
- Keeping data accurate and up to date, and rectifying or erasing inaccuracies promptly;
- Storing data in a form that allows identification of individuals only as long as necessary, or for longer periods if for public interest, research, or statistical purposes, with appropriate safeguards;
- Protecting data with adequate security measures against unauthorised processing, accidental loss, destruction, or damage;
- Referring to staff central pages or the relevant Privacy Notice for details on data retention schedules.

This rule ensures compliance with UK GDPR by establishing clear guidelines for lawful, fair, and transparent data processing. It provides a framework for maintaining data accuracy, relevance, and security, while also addressing data retention and protection against unauthorised access or damage.

4.2. Data Protection Measures (by CTO):
The School, as a data controller, must implement appropriate technical and organisational measures to uphold data protection principles, including:
- Adopting and enforcing data protection policies;
- Embedding data protection by design and by default;
- Establishing data sharing agreements with third parties as needed;
- Maintaining comprehensive documentation of processing activities;
- Recording and reporting personal data breaches to the Information Commissioner's Office (ICO) as required;
- Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities;
- Fostering a culture that prioritises privacy;
- Ensuring staff receive data protection training and understand their responsibilities.

The Data Governance Group, led by the Director of Technology, will oversee compliance, which will also be subject to Internal Audit.

This rule ensures the School meets data protection requirements by implementing essential measures. It promotes a robust framework for managing data securely and transparently, facilitates compliance with legal obligations, and strengthens overall data protection practices.

4.3. Record-Keeping for Personal Data (by CTO):
Each department or school must maintain a record of all personal data assets. While all staff are responsible for documenting the data they process, the Data/Asset Owner and Data Steward are primarily responsible for keeping this record current. The Director or President oversees data processing within their department or school. The Director of Technology will manage the systems for this record-keeping.

Maintaining an accurate record of personal data assets ensures compliance with data protection regulations and supports accountability. This practice helps in effective data management, ensures that data processing is transparent and traceable, and allows for oversight and audits to uphold data protection standards.

SECTION 5: Lawful Basis for Processing Personal Data
------------------
5.1. Lawful Basis and Special Protections for Data Processing (by CTO):
The School must establish a lawful basis for processing personal data. The possible bases are:
- Contract: Processing is required to fulfil a contract or to take steps before entering one;
- Legal Obligation: Processing is necessary to comply with legal requirements;
- Vital Interests: Processing is essential to protect someone's life;
- Public Task: Processing is required to perform a public task or official function with a legal basis;
- Legitimate Interests: Processing is necessary for legitimate interests unless these are overridden by the need to protect the individual's data. This does not apply to public tasks;
- Consent: Processing is based on explicit consent given by the individual for a specific purpose.

The lawful basis for processing must be determined before handling data and will be documented in Privacy Notices and Information Asset Registers.

For special category data and criminal records data, which involve higher risks, additional protections are required. Processing of this data must comply with Articles 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018. Relevant policies must be in place, and a Data Protection Impact Assessment (DPIA) must be completed and authorised by the Data Protection Officer. Research involving such data must include data protection safeguards in the ethics application process.

Identifying a lawful basis ensures that data processing complies with legal requirements and upholds individuals' rights. Special category and criminal records data, due to their sensitivity, require enhanced protection to mitigate risks and ensure compliance with regulatory standards. Proper documentation and DPIAs support transparency and accountability in data processing activities.

SECTION 6: Data Subject Rights
------------------
6.1. Rights of Individuals Regarding Personal Data:
All staff, students, and users have the following rights concerning their personal data:
- Information: Be informed about how their data is collected and used;
- Access: Obtain a copy of their data upon request (subject access request);
- Rectification: Request corrections to inaccurate or incomplete data;
- Erasure: Demand deletion or cessation of data processing if it is no longer needed;
- Objection: Object to processing, particularly if based on legitimate interests or for direct marketing;
- Restriction: Request a temporary halt on processing if data is inaccurate or if there is a dispute regarding processing grounds;
- Portability: Where processing is based on consent or contract, request data portability;
- Automated Decisions: Have rights concerning automated decision-making and profiling.

Any requests or queries about data processing or access should be directed to the Data Compliance Team at dataprotection@theschool.ac.uk. Not all rights apply in every situation.

These rights ensure transparency and control over personal data, aligning with data protection regulations. They provide individuals with the means to manage and safeguard their information effectively. Directing requests to the Data Compliance Team ensures proper handling and compliance with legal requirements.

6.2. Complaints and Queries Regarding Data Processing:
If a data subject is dissatisfied with how their personal data is processed or has questions or concerns, they should first contact dataprotection@theschool.ac.uk. If the issue remains unresolved, they have the right to escalate their complaint to the Information Commissioner's Office (ICO).

This process ensures that concerns about data processing are addressed promptly and fairly. Providing a clear pathway for escalation to the ICO guarantees that data subjects have recourse if their issues are not resolved internally, in accordance with data protection regulations.
SECTION 7: Data Responsibilities at the School
------------------
7.1. Oversight and Compliance for Personal Data Processing (by Executive Committee):
The Executive Committee (EC), led by the Director of Technology, must:
- Ensure that the purposes and methods of personal data processing, where the School is the data controller, comply with relevant legislation;
- Oversee the implementation of and adherence to this policy in line with the School's management structure.

This ensures that personal data processing aligns with legal requirements and the School's internal management framework, thereby maintaining compliance and accountability in data handling practices.

7.2. Role and Responsibilities of the Senior Information Risk Owner (SIRO) (by CTO):
The Senior Information Risk Owner (SIRO), a member of the Executive Committee (Director of Technology), oversees the organisation's information and data governance. They ensure that information assets and risks are managed effectively and escalated to the Executive Committee when necessary. The SIRO represents information governance within the organisation, promoting a cultur

This role ensures robust management of information and data risks and fosters a culture of effective information use and protection, supporting the School's strategic objectives and compliance with data protection regulations.

7.3. Responsibilities of the President, Directors, and Heads (by Executive Committee):
- The President, Directors, and Heads must ensure that staff in their areas are informed about this policy and their data protection responsibilities, including completing mandatory training;
- They should foster and promote a culture of data protection compliance within their departments;
- They are accountable for the data processed in their areas and must collaborate with Data/Asset Owners to identify, document, and manage data risks.

This ensures that all staff are knowledgeable about their data protection responsibilities, promotes a culture of compliance, and maintains effective risk management for data processing across departments.

7.4. Responsibilities of All Staff and Third Parties in Data Protection (by All staff):
- All staff and third parties processing personal data on behalf of the School must comply with this policy and all related data protection, information security, and information management regulations, policies, processes, and procedures;
- Staff should understand their responsibilities, follow guidance, undertake necessary training relevant to their role, and seek advice as needed;
- Academic staff must handle personal data related to student work in line with this policy;
- All staff must report any personal data breaches immediately using the designated breach reporting process;
- Staff are responsible for ensuring that the personal data they provide to the School is accurate and up to date. They must inform the School of any changes or correct inaccuracies. The School is not liable for inaccuracies if the staff member has not previously provided correct information.

These rules ensure that all staff and third parties adhere to data protection standards, maintain accurate personal data, and properly report breaches, thereby safeguarding the School's data integrity and compliance with legal requirements.

7.5. Student Responsibilities for Personal Data (by Students):
- Students must ensure that any personal information they provide to the School is accurate and up to date. They should promptly inform the School of any changes or correct inaccuracies;
- The School is not responsible for inaccuracies in student data if the student has not previously provided correct information;
- Students can usually update their records via the AGS (Academic Management System);
- Students processing personal data as part of their studies or employment with the School must follow the School's Data Protection Policy, relevant guidelines, and attend required training;
- Unless otherwise specified by a project's funding or documentation, the School is the Data Controller for data processed by students in their studies. This includes data from various sources such as photographs, recordings, forms, surveys, and hosted websites. Students should consult with academic supervisors or the DevOps Team to ensure compliance;
- If students process data on behalf of another organisation, such as during a placement, they must adhere to that organisation's Data Protection policies and provisions.

These rules ensure that students maintain accurate personal information, comply with data protection policies in their studies and employment, and follow proper procedures when handling personal data, thus aligning with legal and institutional data protection requirements.

SECTION 8: Data Protection Officer (DPO)
------------------
8.1. Role of the Data Protection Officer (DPO) (by CTO):
The School has appointed a Data Protection Officer (DPO) to ensure compliance with data protection legislation. The DPO, who is the Director of Technology, will:
- Enable compliance with data protection laws;
- Provide advice, assistance, and recommendations on data protection risks;
- Support and promote a data protection culture within the School;
- Assist in implementing key aspects of data protection legislation, including data processing principles, data subjects' rights, data protection by design and by default, records of processing activities, and the security of processing. The DPO will also manage the notification and communication of data breaches;
- Act as the School's primary contact with the Information Commissioner's Office.

The DPO does not set the purposes or means of personal data processing.

The DPO ensures the School adheres to data protection laws by offering guidance, supporting compliance efforts, and acting as the liaison with regulatory bodies. This role helps maintain a culture of data protection and ensures proper implementation of legal requirements.

SECTION 9: Data Protection by Design and by Default
------------------
9.1. Embedding Data Protection into System Development (by CTO):
Data protection by design and by default must be applied at all times. This requires:
- Implementing appropriate technical and organisational measures to uphold data protection principles and protect individual rights;
- Ensuring that data protection and privacy are considered by default and incorporated into the design and implementation of systems, services, products, and School practices from the outset and throughout their lifecycle.

Data protection by design and by default ensures that privacy and security are integral to systems and processes, rather than being an afterthought. This approach helps to proactively address data protection issues and safeguard individuals' rights effectively.

9.2. Conducting Data Protection Impact Assessments (DPIAs) (by CTO):
The School will:
- Conduct a Data Protection Impact Assessment (DPIA) for high-risk activities. A DPIA must:
  - Describe the nature, scope, context, and purposes of data processing;
  - Identify and assess risks to individuals' rights and freedoms;
  - Outline additional measures to mitigate these risks;
- Use the School's DPIA template to determine if a DPIA is necessary;
- Consult the data compliance team early in the planning phase to address risks and ensure compliance;
- Obtain Data Protection Officer (DPO) sign-off for DPIAs and involve relevant stakeholders as needed;
- For research projects involving personal or special category data, seek approval from the Quality and Compliance Committee, which includes assessing data protection risks.

The DPIA process helps to identify and address privacy issues and risks to individuals' rights at the design and implementation stages of new systems, services, products, or business practices. This proactive approach ensures that data protection is integrated into the development process, helping to mitigate risks effectively and comply with data protection regulations. The Director of Technology will oversee the implementation of and adherence to this process.

SECTION 10: Periodic Evaluation and Upkeep of Policy Framework
------------------
10.1. Policy Review and Approval (by CTO):
- The Data Protection Officer (DPO) will review this policy annually, or sooner if there is a significant change in legislation, strategy, or organisational structure;
- Major changes to the policy must be approved by the Executive Committee.

Regular reviews ensure that the policy remains up to date with current legislation and organisational changes, maintaining compliance and effectiveness. Significant updates require Executive Committee approval to ensure alignment with overall organisational strategy and governance.

SECTION 11: Sharing and Storing Personal Data
------------------
11.1. Personal Data Sharing and Security (by CTO):
The School shall:
- Ensure a Clear Basis for Sharing Data: Confirm that there is a clear, objective, and lawful reason for sharing personal data;
- Verify Necessity: Ensure that sharing personal data is necessary to achieve the identified purpose(s). Use anonymised or pseudonymised data when identification is not required;
- Share Minimal Data: Only share the minimum amount of personal data needed to fulfil the objective(s);
- Provide Privacy Notices: Inform data subjects about who their data is shared with through privacy notices. Obtain consent if data subjects have the option to choose;
- Establish Agreements: Create Data Sharing Agreements or Contracts with third parties where systematic data sharing is involved;
- Handle Police Requests Properly: Direct all Police enquiries or requests for disclosure to the DevOps Team. If there is any doubt about the validity of the request or enquirer, do not disclose any information and refer the request to the DevOps Team;
- Maintain Records: Keep a record of all non-routine disclosures.

Proper management of personal data sharing is crucial for maintaining the School's operational success, protecting its reputation, and preserving the trust of employees, students, and other stakeholders. By following these guidelines, the School ensures that data is shared legally, securely, and only as necessary, in compliance with data protection regulations.

11.2. Storing and Sharing Securely (by CTO):
Personal data must be stored and shared securely within network conditions, with additional measures applied for special category data where necessary. Data Owners are responsible for ensuring that staff with permissions to access and edit data are trained appropriately on the relevant systems. It is crucial that staff use only School-approved tools for processing personal data, as these tools have been technically assessed and include the correct contractual terms. If there is any uncertainty about a tool's approval status, staff should consult servicedesk@lsi.ac.uk.

In general, freely available tools that do not have contractual agreements are unlikely to be approved or compliant and should not be used. This includes tools such as DropBox, Eventbrite, Mailchimp, and Zoom. The Director of Technology will oversee the systems to ensure compliance with these requirements.

Ensuring that personal data is handled securely and using only approved tools is essential for compliance with data protection regulations. This approach protects the confidentiality and integrity of personal data, preventing unauthorised access and misuse, and thereby safeguarding the School's and individuals' data.

SECTION 12: International Data Transfers
------------------
12.1. Transferring Personal Data Outside the UK (by CTO):
Under Data Protection legislation, transferring personal data outside the UK is generally restricted unless specific conditions or safeguards are met. This ensures that data subjects receive an equivalent level of protection and that their rights are not compromised.

Data may be transferred if:
- It is shared with the EU/EEA, which the UK government considers to have 'adequacy';
- It is shared with third countries deemed to have adequacy by the EU;
- It involves the use of EU Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), or other derogations as safeguards for international data sharing.

Colleagues must consult the Data Protection Officer (DPO) to determine the most suitable safeguard. The chosen safeguard must be documented in contracts and/or data sharing agreements (DSA) and recorded in the School or Department's Information Asset Register. Additionally, data subjects must be informed as per the transparency principle. For non-UK data transfers, a Data Protection Impact Assessment (DPIA) may be required, as such transfers are considered high risk.

These measures ensure that personal data remains protected to the same standard when transferred outside the UK, maintaining data subject rights and compliance with data protection laws. Documenting safeguards and informing data subjects helps uphold transparency and accountability in data management practices.

SECTION 13: Training on Data Protection
------------------
13.1. Training for Data Protection Compliance (by CTO):
Training is essential to meet Data Protection legislation and the Accountability principle. The School must not only establish appropriate policies and procedures but also demonstrate their implementation and provide comprehensive training at all levels. Training must:
- Ensure that staff have the skills and knowledge to protect personal data effectively;
- Address data protection risks and reinforce data security;
- Promote a culture of good data protection and information security;
- Include mandatory reading and understanding of relevant policies by all staff.

The Director of Technology will oversee the implementation and effectiveness of these training systems.

Effective training ensures that the School complies with Data Protection laws and effectively manages data protection risks. By embedding a culture of good data protection practices and reinforcing key policies, the School protects personal data and upholds accountability.

SECTION 14: Automated Governance System (AGS) Policy
------------------
14.1. Automated Governance System (AGS) Use:
The School utilises the Automated Governance System (AGS) to support its strategy of innovation. The AGS facilitates various functions, including:
- Accepting and processing admissions, and creating secure student records, including Learning Support Plans;
- Managing programme and module approvals and modifications to ensure a high-quality academic experience;
- Coordinating monitoring and evaluation by collecting metrics for strategy and operations oversight;
- Initiating and processing assessments and standards, including handling extenuating circumstances, marking, scrutiny, examination boards, and conferment;
- Managing misconduct and exclusion processes;
- Ensuring accurate information for consumer protection;
- Supporting student well-being and support;
- Ensuring good governance and compliance;
- Measuring performance effectively.

The AGS operates in line with the School's regulations and policies, including the IT Regulations, Data Protection Policy, and AI Policy. It supports the School's mission efficiently while adhering to additional requirements such as the Sustainability & Environmental Policy outlined in the Vision and Values Statement.

The AGS enhances the School's ability to innovate and deliver its mission effectively by streamlining key administrative functions. By integrating various processes into a single platform, the School ensures compliance with relevant regulations and supports its commitment to sustainability and effective performance measurement.

14.2. Governance Support through AGS:
The Automated Governance System (AGS) supports the governance of the School by integrating and streamlining processes for Boards, Departments, and Committees. Each entity has a defined role in ensuring the effective operation of the School, as outlined in the School's regulations and policies. The School acknowledges that a reliable and efficient online system is essential for robust governance.

The AGS facilitates effective governance by centralising and managing key processes for various institutional bodies. This ensures adherence to established regulations and policies while maintaining a high level of operational efficiency. The system is crucial for the School to function effectively and uphold its governance standards.

14.3. Data Protection Compliance through AGS (by CTO):
The Automated Governance System (AGS) is vital for the School to fulfil its data protection obligations. The AGS integrates workflows to ensure data is processed and stored in line with the Data Protection Policy. This includes processing data lawfully, fairly, and transparently, and collecting it for legitimate purposes. The AGS supports secure recording for accountability, asset registers, and effective data stewardship. It ensures data is processed for lawful reasons, such as fulfilling contractual obligations, and upholds the rights of data subjects, including their right to access and obtain copies of their data. The Director of Technology, a member of the Executive Committee and the Senior Information Risk Owner (SIRO), oversees the AGS.

The AGS helps the School comply with data protection principles by providing secure and transparent data management. It ensures adherence to legal requirements, supports accountability, and safeguards data subject rights. The Director of Technology's oversight guarantees that the system operates effectively within the framework of data protection laws and policies.

SECTION 15: Data Protection Policy Violations and Response Procedures
------------------
15.1. Compliance and Consequences for Data Protection (by CTO):
All members of the School are responsible for complying with the Data Protection Act (DPA). Any negligent or intentional breach of the data protection policy by employees or students may lead to disciplinary action following a proper investigation. If a supplier fails to adhere to the policy or related data protection conditions, it may result in termination of the contract and/or claims for compensation. Any questions or concerns regarding the policy's interpretation or implementation should be directed to the Director of Technology.

Strict adherence to the DPA is essential for maintaining data protection standards. Disciplinary actions and potential contract terminations are necessary to address breaches and ensure compliance. Clear channels for addressing questions ensure that policy implementation is consistent and well-managed.

SECTION 16: Data Breaches
------------------
16.1. Reporting and Managing Personal Data Breaches (by CTO):
The School must promptly identify and report personal data breaches to the Data Compliance team. This includes all breaches, whether accidental, suspected, or confirmed. Breaches must be reported to the Information Commissioner's Office (ICO) within 72 hours if they meet the criteria for 'reportable breaches'. The Data Compliance team will assess the risk, advise on containment and mitigation, and determine whether the breach needs to be reported to the ICO or affected data subjects. We must also keep records of all breaches.

Failure to handle and report breaches properly can lead to substantial fines from the ICO, up to £17,500,000 for severe cases. Timely reporting is crucial to fulfil legal obligations, minimise risks to individuals, and mitigate potential damage. Prompt action and proper reporting help avoid significant penalties and ensure compliance with data protection laws.

What is a data breach?
A personal data breach involves a security incident that results in the destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The impact and risk of a breach depend on various factors, including the type and amount of data, the circumstances of the breach, and the speed of the response.
Examples of data breaches include:; Loss or theft of data or devices (e.g., external hard drives, laptops); Inadequate access controls allowing unauthorised use; Accidental emailing of personal data to incorrect recipients; Equipment failure or unforeseen events (e.g., fire or flood); Hacking, phishing, or ‘blagging’ (deceptive methods to obtain information); For further guidance, please contact dataprotection@theSchool.ac.uk. SECTION 17: Further Guidance ------------------ 17.1. Guidance on Data Protection Compliance (by All staff): Staff must seek guidance from the Director of Technology for advice on data protection matters, including processing special category and criminal convictions data, handling data rights requests, and reporting data breaches. If there is any uncertainty about how to handle data protection issues, staff must seek guidance from the Director of Technology; The Director of Technology provides expert advice to ensure compliance with data protection laws and best practices. Their guidance helps staff manage sensitive data correctly, adhere to legal requirements, and handle data protection issues effectively. This ensures the School remains compliant with relevant legislation and protects the rights of data subjects; Related Links:; The Information Commissioner’s Office provides a guide to UK data protection legislation on their website; Basic data protection concepts; The Data Protection Act 2018 is available at UK legislation website; For further questions, contact the Director of Technology. SECTION 18: Appendix 1: Terminology and Definitions in Data Protection ------------------ 18.1. 
Glossary: The following definitions clarify key data protection terms within the context of the School:; ; Data: Information processed automatically, recorded with the intention of being part of a relevant filing system, or recorded as part of such a system; ; Data Breach: A breach of security leading to the destruction, loss, alteration, unauthorised disclosure, or access to personal data; ; Data Controller: The individual or entity that determines the purposes and means of processing personal data. For the School, this is the institution itself; ; Data Processor: An individual or entity that processes personal data on behalf of the Data Controller, following their instructions. Data Processors have specific obligations under legislation; ; Data Protection Act 2018 (DPA): The UK legislation that sets the data protection framework, working alongside the UK GDPR; ; Data Protection Impact Assessment (DPIA): An assessment conducted by the Data Controller to evaluate the impact of proposed data processing on personal data protection; ; Data Protection Officer (DPO): An individual appointed under the DPA to oversee compliance, provide advice, and liaise with the supervisory authority. Contact the DPO at dataprotection@theSchool.ac.uk; ; Data Subject: An identifiable natural person, directly or indirectly identifiable by identifiers such as a name, identification number, or online identifier. This includes staff, students, visitors, research participants, mailing list subscribers, and applicants; ; Data Subject Access Request (DSAR): A request made by or on behalf of a Data Subject to access their personal data as granted under data protection legislation; ; General Data Protection Regulation 2018 (GDPR): Applies to organisations within the EU and those outside the EU that offer goods or services to EU individuals. 
From 1 January 2021, this is mirrored in the UK by the UK GDPR, alongside the DPA 2018; ; Inaccurate Data: Data that is incorrect or misleading as to a matter of fact; ; Notification: The entry on the public register maintained by the Information Commissioner’s Office detailing the types and range of information processed by the School. The School’s registration number is Z5395727; ; Personal Data: Any information relating to an identified or identifiable natural person, including identifiers such as names, contact details, or identification numbers. Personal data can be in various formats, including paper, electronic, emails, photos, or videos; ; Privacy Notice: A statement provided to data subjects explaining who the Data Controller is, how their information will be used, to whom it may be disclosed, and other necessary information to ensure fair processing, as outlined in Articles 13 and 14 of the UK GDPR; ; Processing: Any operation performed on personal data, including obtaining, recording, holding, organising, adapting, altering, disclosing, or deleting data; ; Protective Measures: Appropriate technical and organisational measures to safeguard personal data, such as pseudonymisation, encryption, ensuring system resilience, and regularly evaluating these measures; ; Special Category Data: Data related to:; Racial or ethnic origin; Political beliefs; Religious or similar beliefs; Trade union membership; Genetics; Biometrics (used for identification); Physical or mental health or condition; Sex life or sexual orientation; Note: Data protection rules for sensitive (special category) data do not apply to criminal allegations, proceedings, or convictions. Separate safeguards are outlined in Article 10; For further details on key definitions, visit the ICO's guide: ICO Key Definitions; Understanding these key definitions ensures that all members of the School are aware of their data protection obligations and the terminology used in data management. 
This clarity helps in the correct handling of personal data, compliance with legal requirements, and effective communication regarding data protection matters. Accurate definitions are essential for implementing appropriate measures to protect personal data and to respond correctly to data breaches and other data protection issues. SECTION 19: Appendix 2: Data Privacy Considerations for Social Media ------------------ 19.1. Social Media and Data Protection (by All staff and students): When using social media, do not publish colleagues' or students' personal information. Ensure that all processing aligns with the Data Protection Policy and the Data Protection Act 2018; All uploads, storage, and communications must be lawful and fair. Before using a social media account, inform all parties about the type of information being shared, its purpose, and who will have access to it. Familiarise yourself with privacy settings and adjust them according to the content and intended audience. Obtain and document appropriate informed consent; Ensure that passwords and access controls for School social media accounts are strong and secure. Avoid using the same password for School systems and social media sites. Change passwords regularly and never share them. Devices with stored social media login details should lock or log out automatically. If a device with login details is lost or stolen, change the passwords for all affected accounts and inform other account managers; Be cautious with social media postings to avoid revealing personal information such as your location or contact details. Only accept invitations from known contacts and verify identities if unsure. Avoid clicking on unsolicited links to prevent installing malicious software; Be aware that social media applications may share your profile data with third parties. Review privacy settings regularly. 
Adhere to the IT Regulations, including the Social Media Policy and Social Media Guidelines; Adhering to these rules helps protect personal information and ensures compliance with data protection legislation. Proper management of social media accounts prevents unauthorised access, reduces the risk of data breaches, and protects both individual and organisational data from malicious activities. Understanding and applying these practices supports a secure and responsible use of social media in alignment with legal and institutional requirements. SECTION 20: Appendix 3: Data Protection Implications of CCTV Surveillance ------------------ 20.1. CCTV Monitoring and Data Protection (by All staff and students): The School operates a CCTV monitoring system to detect and deter crime and assist the Police and civil authorities during major emergencies. This system will be managed to respect individuals’ privacy rights; All CCTV footage is owned by the School, which holds the copyright. Cameras will be placed in public view with clear signage indicating their presence and purpose. Recorded footage will be retained according to the School's Records Retention Schedules. After the retention period, if the footage is not needed for evidence, it will be recycled. If the footage is required for legal proceedings, it will be kept for the duration necessary for the case; This approach ensures that CCTV monitoring supports security and emergency response while adhering to privacy laws and data protection principles. By clearly marking camera locations and following a defined retention schedule, the School balances security needs with respect for individual privacy and legal requirements.