Aberystwyth University - Data Protection Policy
Aberystwyth University (which includes the Aberystwyth Guild of Students) is a data controller under the 1998 Data Protection Act; its designated representative for the purposes of the Act is the Registrar and Secretary. The University needs to process information about its employees, its students and other individuals: for example, to allow it to monitor performance, achievements and health and safety, and so that staff can be recruited and paid, courses organised and legal obligations (e.g. to funding bodies and the government) fulfilled. Such information must be collected and used fairly, stored safely and not disclosed unlawfully. The University must therefore comply with the Data Protection Principles set out in the 1998 Act. In summary these state that personal data shall:
- be obtained and processed fairly and lawfully and not be processed unless certain conditions are met;
- be obtained for a specified and lawful purpose and not be processed in any manner incompatible with that purpose;
- be adequate, relevant and not excessive for that purpose;
- be accurate and kept up to date where necessary;
- not be kept for longer than is necessary for that purpose;
- be processed in accordance with the data subject's rights;
- be kept safe from unauthorised access, accidental loss or destruction;
- not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
The University and all staff or others who process any personal information about other people must ensure that they follow these principles at all times. That is the purpose of this Data Protection Policy.
2. Responsibilities of Staff
It is a condition of employment that employees will abide by the rules and policies of the University. Any failure to follow the institution's Data Protection Policy may therefore result in disciplinary proceedings. All staff are responsible for:
- checking that any information that they provide to the University in connection with their employment is accurate and up to date;
- informing the University of any changes to information that they have provided about themselves e.g. changes of address.
If, as part of their responsibilities, staff collect or access information about other people (that is, personal data), they must comply with the guidelines for staff.
Any member of staff who considers that the policy has not been followed in respect of personal information about himself/herself should first raise the matter with the Director of Human Resources. If the matter is not resolved it should be raised as a formal grievance.
3. Data Security
All staff are responsible for ensuring that:
- any personal information that they hold about other people is kept securely;
- personal information about other people is not disclosed in any form to any unauthorized third party.
Unauthorized disclosure will usually be a disciplinary matter, and may be considered gross misconduct. Staff can incur criminal liability if they knowingly or recklessly obtain and/or disclose personal information, without the consent of the University. This means using information held by the University for their own purposes, which are outside the legitimate purposes of the University.
4. Student Obligations
Students must ensure that all personal information about themselves that they provide to the University is accurate and up-to-date: e.g. that changes of address are reported to the University without delay.
Students who use the institution’s facilities must comply with the Rules and Regulations of the University and with Information Services’ Regulations and Guidelines: misuse may result in disciplinary proceedings.
5. Rights of Data Subjects
All data subjects are entitled:
- to know what information the University holds and processes about them and why;
- to gain access to it;
- to keep it up to date;
- in certain circumstances, to require the University to rectify, block, erase or destroy inaccurate information;
- to prevent processing likely to cause damage or distress;
- to prevent processing for the purposes of direct marketing (this may be particularly relevant to those with responsibilities for alumni to whom marketing material may be sent regularly);
- to compensation where a data subject suffers damage, or damage and distress, as a result of a breach of the DPA.
6. Rights to Access Information
Since 24 October 2001 all data subjects have had the right to access any personal information kept about them by the University, either on computer or in manual files. Some information can be accessed automatically by the data subject. For information not automatically available, a subject access request may be made to the Registrar, using the institution’s DATA PROTECTION ACT 1998 REQUEST FORM FOR ACCESS TO DATA.
The University will make a charge of £10 on each occasion that such access is requested.
The data subject should receive access within 40 days of receipt of a written request, or if later, within 40 days of receipt of the fee, or any information necessary to satisfy the University as to the identity of the person making the request, or to enable the University to locate the information.
7. Publication of Information About the Institution
It is the University's policy to make public inter alia:
- certain information about members of Court and Council and certain staff;
- lists of staff;
- the institution's internal telephone and electronic mail directory.
Any person who has good reason for wishing details in these lists or categories to remain confidential should consult the Registrar and Secretary.
8. Subject Consent
In some cases the University may only process personal information with the consent of the subject; if the information is sensitive, explicit consent may be needed. It is a condition of registration of students and of employment of staff that they agree to the institution’s processing of specified classes of personal information. See also C iii: Staff Guidelines on Handling Sensitive Student Information.
Sensitive data include information about a person’s racial or ethnic origin; political opinions; religious beliefs; membership of a trade union; physical or mental health; sexual life; criminal convictions or charges. The University processes some information that by this definition is classed as sensitive. Such information may be needed to ensure safety, to comply with the requirements of the government or of funding bodies, or to carry out institutional policies.
9. Examination Marks
Students will be entitled to information about their marks or grades for both coursework and examinations. However, this may take longer than other information to provide.
When a subject access request is made for examination marks, the University is obliged to respond by the earlier of:
- 40 days after the announcement of the results OR
- five months from the receipt of the request, the fee and all reasonably required information.
If the student has not paid fees or charges or has not returned books or equipment, the University may withhold certificates, accreditation or references.
10. Retention of Data
In general, students’ files will be kept centrally for six years after they leave: such files may contain academic or personal information. For historical purposes and to respond to authorized enquirers, the University keeps a record of past students and a summary of their academic record. Information held by departments may be held for shorter periods as appropriate.
In general all information about staff will be kept in accordance with the University’s Records Retention Schedule after their employment ceases. Some information however will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references. Further details are available from the Director of Human Resources.
Compliance with the 1998 Act is the responsibility of all members of the University. Breach of the Data Protection Policy may lead to disciplinary action or withdrawal of facilities. Any questions about the interpretation or operation of this policy should be referred to the Registrar and Secretary.