Aberystwyth University - Data Protection Policy

1. Purpose of the Policy

The purpose of this policy is to ensure that the University and its staff and students comply with the provisions of the Data Protection Act 1998, and with any other relevant legislation in the jurisdictions in which the University operates, when processing personal data. The University takes its responsibilities under the Data Protection Act 1998 and other data protection legislation seriously, and any infringement may be considered under disciplinary procedures.

This document provides the policy framework through which effective compliance can be achieved and audited.

2. Scope / Applicability

This policy applies to staff, students, agents of the University and any authorised processors of personal data held or owned by the University, regardless of where the data is held and, in respect of automatically processed data, regardless of who owns the equipment used, provided the processing is for University purposes. This policy also applies to personal data retained and processed by Aberystwyth University Students’ Union.

The University needs to process information about its employees, its students and other individuals: for example, to allow it to monitor performance, achievements and health and safety, and so that staff can be recruited and paid, courses organised and legal obligations (e.g. to funding bodies and the government) fulfilled. Such information must be collected and used fairly, stored safely and not disclosed unlawfully.

The University is required to adhere to the eight principles of data protection as laid down by the Act. In accordance with those principles personal data shall be:

  1. Processed fairly and lawfully
  2. Processed for specified purposes
  3. Adequate, relevant and not excessive
  4. Accurate and up to date
  5. Not kept longer than necessary
  6. Processed in accordance with the data subject’s rights
  7. Kept secure
  8. Not transferred outside the countries of the European Economic Area without adequate protection.

3. Responsibility

3.1  University Responsibilities

The University is a data controller under the Data Protection Act 1998 and under equivalent legislation in other jurisdictions and fully recognises its responsibilities for establishing policies and procedures in order to comply with the relevant requirements. 

3.1.1  University-level Committee

The University Executive Group is ultimately responsible for approving and overseeing the operation of this Policy.

3.1.2  University’s Data Protection Officer

The University will nominate an appropriate person as the University's Data Protection Officer, who will be a person of sufficient knowledge and seniority in the University.

The University will ensure that the identity of the University's Data Protection Officer is made known to all staff, students, contractors and volunteers, and will also draw their attention to this Policy and its associated documentation. The Data Protection Officer is responsible for drawing up guidance and promoting compliance with this policy.

The Data Protection Officer has access to all relevant documents relating to a legal compliance request under Data Protection legislation, and it is the Data Protection Officer (in consultation, when necessary, with the relevant senior officers) who decides what information is released or exempted.

The Data Protection and Copyright Manager is currently the nominated Data Protection Officer.

3.2  Responsibilities of Institute Directors and Heads of Central Service Departments

Institute Directors and Heads of Central Service are responsible for ensuring compliance with the Data Protection Act and other relevant legislation and for ensuring that the requirements of this Policy are met.

Institute Directors and Heads of Central Service must ensure that all new members of staff receive an appropriate introductory briefing on the Data Protection Act and other relevant legislation and that staff members within their areas of responsibility receive refresher courses on Data Protection compliance.

Institute Directors and Heads of Central Service may choose to delegate the management of, but not the responsibility for, Data Protection matters to an appropriate senior member of staff.

The University will perform periodic audits to ensure compliance with this Policy and with relevant legislation and to ensure that the notification to the Information Commissioner is kept up-to-date.

3.3  Staff Responsibilities

3.3.1  It is a condition of employment that staff will abide by the rules and policies of the University. Any failure to follow this Policy may result in disciplinary proceedings.

3.3.2  When staff use personal information about students, other staff members, or other individuals, they must comply with the requirements of this Policy.

3.3.3  Staff must ensure that:

  • all personal information entrusted to them in the course of their employment is kept securely;
  • no personal information is disclosed, either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
  • no personal information is accessed by staff for any reason other than legitimate University business;
  • any information that they provide to the University in connection with their own employment is accurate and up to date, and that they inform the University of any changes, e.g. changes of address.

3.3.4  When members of staff are responsible for supervising students doing work which involves the processing of personal information (e.g. in research projects), they must ensure that those students are aware of the Data Protection Principles and, in particular, the requirement to obtain the data subject's consent where appropriate.

Staff who are unsure which third parties are authorised to receive personal data should seek advice from their line manager or the Data Protection and Copyright Manager.

3.4  Contractors, Casual Staff and Volunteers

Institute Directors and Heads of Central Service who employ contractors, casual staff or volunteers must ensure that they are made aware of their obligations under the legislation and the requirements of this Policy.

4. Detailed Policy

4.1  Data Subject Access Requests

The University is required to permit individuals to access their own personal data held by the University via a Data Subject Access Request. Any individual wishing to exercise this right should do so in writing to the Data Protection and Copyright Manager; a charge may be made for this request. A standard form is available from the Data Protection and Copyright Manager (or on the University’s Information Compliance web pages).

The University aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within the 40 day limit set down by the Data Protection Act (UK) and within any relevant time periods set by other jurisdictions.

Individuals will not be entitled to access information to which any exemptions apply. However, only those specific pieces of information to which the exemption applies will be withheld, and information covered by an exemption will be subject to review by the Data Protection and Copyright Manager.

The University may charge any appropriate fee allowed for by legislation for making a Data Subject Access Request; the University reserves the right to review this fee at any time.

4.2  Consent to process

It is a condition of the registration of students, and of the employment of staff, that individuals agree to the institution’s processing of specified classes of personal data, including sensitive data. Sensitive data classes include information about: a person’s racial or ethnic origin; political opinions; religious beliefs; membership of a trade union; physical or mental health; sexual life; criminal convictions or charges. The University needs to process some information that, by this definition, is classed as sensitive. Such information may be needed to ensure safety, to comply with the requirements of the government or of funding bodies, to provide support for staff or students or to implement institutional policies.

4.3  Information Collection and Use

University website

Information collected on the Aberystwyth University website is owned by Aberystwyth University (including any subsidiary companies). The University will not sell, share or rent this information to others in ways which differ from what is stated on the University’s website or in any prior agreement.

4.4  Data Security Breaches

Any breach of the Data Protection Act or other equivalent legislation and of the requirements of this Policy should be reported to the Data Protection and Copyright Manager as soon as possible. 

A report of a suspected breach will be dealt with in accordance with the University’s Procedures for Suspected Breaches of Data Protection.

4.5  Examination Marks

Students will be entitled to information about their marks or grades for both coursework and examinations. However, this may take longer than other information to provide.

When a subject access request is made for examination marks, the University is obliged to respond by the earlier of:

  • 40 days after the announcement of the results OR
  • five months from the receipt of the request, the fee and all reasonably required information.

If the student has not paid fees or charges or has not returned books or equipment, the University may withhold certificates, accreditation or references.

Unless students are informed in advance and given the chance to opt out, the publication of individuals’ exam results, either online or in a publicly accessible area of the University, would not be acceptable under the requirements of the Act and this Policy. Students should be informed as early as possible in the academic year what the procedure will be for accessing their examination results.

4.6  Sharing of data with third parties

The sharing of personal data will comply with those details set out in staff contracts, the Data Processing Declaration, and the annual notification to the Information Commissioner’s Office.

Staff, students and others whose personal data may be held by the institution should note that the University has a duty under the Counter-Terrorism and Security Act 2015 to have due regard to the need to prevent people from being drawn into terrorism, and that this duty may involve the passing of information to the police / security services.

5. Relevant Legislation, Codes of Practice and Industry Standards

Data Protection Act 1998

Data Protection Act (Mauritius) 2004

Counter-Terrorism and Security Act 2015

Freedom of Information Act 2000

Limitation Act 1980

Information Commissioner’s ‘Employment Practices Code’

6. Related Policies and Procedures

Relevant University policies include, but are not limited to:

Records Management Policy

Freedom of Information Policy

Information Security Policy

Procedures for Suspected Breaches of Data Protection

Guidance for staff on sharing students’ confidential information