- Executive Board
- Data Protection Officer
- Information Asset Owners
- Line Managers
- General Principles
- Commitment to Data Protection
- Data Subject Rights
- Enforcement of this Policy and Sanctions
- Monitoring and Review
- Related Policies and Standards
- 1.1 The UK General Data Protection Regulation (referred to as the UK GDPR) and the Data Protection Act 2018 (referred to as the DPA) place specific responsibilities on organisations which process personal data and provide individuals to whom that data relates with certain rights.
- 1.2 The University of Bradford, in order to conduct its business, necessarily handles substantial amounts of personal data, a great deal of which falls into the special categories (for definitions of such terms please refer to section 3 below). The University must therefore ensure that this processing is performed in accordance with the UK GDPR and DPA but in doing so, has to also ensure that its business processes remain workable.
- 1.3 The University takes its duties with respect to personal data very seriously, and is committed to ensuring that it complies with the UK GDPR and DPA.
- 1.4 The University also needs to abide by the data protection principles to maintain the confidence and trust of the individuals and organisations that it collaborates with.
- 1.5 The objectives of this policy are to establish:
- the University’s commitment to data protection and to its compliance with the UK GDPR and DPA;
- the role of Data Protection Officer; and
- general principles and responsibilities in relation to the processing of personal data.
- 2.1 This policy applies to all University employees, associates, students, contractors and others who process personal information on the University’s behalf and in the course of their duties, responsibilities and studies.
- 3.1 All specific terms in this Policy are as defined by Article 4 of the UK GDPR or elsewhere in the UK GDPR or DPA. The following summarises those and other definitions:
- controller: an organisation (or person) which determines the purposes and means of the processing of personal data.
- data protection legislation: UK GDPR, DPA and supporting instruments, regulations and codes of practice.
- data subject: an identifiable natural living person.
- DPA: the Data Protection Act 2018, c. 12, as amended as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019)
- personal data: any information relating to an identified or identifiable person (‘data subject’).
- privacy notice: a document fulfilling the requirements of Articles 13 and 14 of the UK GDPR which lay out data subjects’ right to be informed about the processing of their personal data (including the purposes for which personal data is collected and used, how it is used and disclosed, how long it is kept, and the controller’s legal basis for processing).
- processing: any activity performed on personal data including collecting, recording, organising, structuring , storing, adapting, retrieving, consulting, use, disclosure, combination, erasure and destruction.
- processor: an organisation (or person) which processes personal to data on behalf of a controller.
- record of processing activity: a formal record of how personal data is processed covering areas such as processing purposes, data sharing and retention. Full details of what is required are listed in Article 30 of the UK GDPR.
- special categories of personal data: as defined by Article 9 of the UK GDPR:
- personal data revealing:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- the processing of genetic data;
- biometric data processed for the purpose of uniquely identifying a data subject;
- data concerning health; and
- data concerning a person’s sex life or sexual orientation.
- personal data revealing:
- UK GDPR: the UK General Data Protection Regulation (i.e. EU GDPR (Regulation (EU) 2016/679 (General Data Protection Regulation) as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019).
- 4.1 The University Secretary will, on behalf of the Executive Board, ensure that a Data Protection Officer (DPO) is appointed to maintain oversight of the University activities falling within the scope of the data protection legislation and accepted good practices.
- 4.2 The Executive Board, following the advice and guidance of the University Secretary, will ensure that the office of DPO has the resources, expertise and authority to carry out the tasks outlined in this policy.
- 4.3 The DPO officer will not receive any instructions regarding the exercise of those tasks nor will be dismissed or penalised for performing the tasks outlined below.
Data Protection Officer
- 4.4 The DPO shall be involved, properly and in a timely manner, in all issues which relate to the protection of personal data and shall report on matters relating to compliance with data protection legislation to the Executive Board with regular reports and in the event of exceptional events.
- 4.5 As required by Article 39 of the UK GDPR, the office of DPO will as a minimum be responsible for the following tasks:
- to inform and advise the University and its employees of their obligations in respect of compliance with data protection legislation;
- to monitor compliance with data protection legislation and with the University’s policies in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice relating to, and monitor performance of, data protection impact assessments;
- to cooperate with and act as the contact point for the Information Commissioner’s Office.
- 4.6 The DPO shall ensure that information asset registers and the record of processing activities are maintained.
- 4.7 The DPO shall ensure privacy notices are in place for all processing of personal data.
- 4.8 The DPO shall, in the performance of their tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
- 4.9 The DPO will serve as the principal contact in the event of any suspected or actual breach of the data protection policy, will be involved in any investigation and be consulted in relation to any reports provided to the Executive Board or other parties.
Information Asset Owners
- 4.10 Information Asset Owners (IAOs) are those senior managers heading faculties and professional services. The IAO is responsible for ensuring that business information is handled and managed appropriately within their faculties or professional service. This must include all personal data used by the University.
- 4.11 IAOs must determine (both initially and in the case of any significant changes) what data is captured, used and stored, who needs to use it and why and how long it should be kept. IAOs must advise the DPO of data processed and held.
- 4.12 IAOs are also accountable for ensuring that:
- 4.12.1 staff and students within their areas are aware of the Data Protection Policy;
- 4.12.2 adequate resources are made available to ensure that their staff (and students) are able to work in accordance with this policy;
- 4.12.3 all new staff (and students), be they permanent, temporary, employed by the University or contractors or agency staff are all inducted appropriately in terms of data protection and undertake the specified levels of training; and
- 4.12.4 the business processes and practices in their area comply with this Policy.
- 4.13 Line managers are responsible for the day-to-day implementation and must make sure that members of staff are aware of this policy and University procedures relating to the correct handling of personal data.
- 4.14 All employees whether directly handling personal data or not must comply with data protection legislation and University procedures.
- 4.15 All employees must also complete all mandatory training provided by the University.
- 4.16 Employees must only use personal data in connection with legitimate University business or as instructed by their line manager.
- 4.17 Employees must not use any personal data to which they have access for personal or other non-University related purposes.
- 4.18 A member of staff must not access or amend any record or data which relates to, or is about, themselves.
- 4.19 Employees must report any breaches or suspected breaches in accordance with the University’s data breach reporting procedures.
- 4.20 All students who process personal data in the course of their studies must comply with this policy and any other policies and procedures which may in place for their programme of study including the Ethics Policy and related documents.
- 4.21 Students undertaking research involving people and the processing of personal data must ensure that all such processing is in accordance with the requirements of data protection legislation. Research supervisors are responsible for ensuring that post-graduate research students are aware of and follow University policy.
- 4.22 Where necessary students shall be required to undertake training in the principles of the data protection legislation and the University processes designed to ensure compliance with the legislation.
5. General Principles
Commitment to Data Protection
- 5.1 The University is committed to complying with data protection legislation and good practice including:
- 5.1.1 Registering as a Controller with the Information Commissioner;
- 5.1.2 Processing personal data lawfully;
- 5.1.3 Processing personal data only where there is a demonstrable organisational purpose;
- 5.1.4 Processing only the amount of personal data required for the relevant organisational purpose;
- 5.1.5 Processing of personal data shall be restricted to those with a demonstrable need to process it;
- 5.1.6 Personal data shall be retained no longer than necessary and a schedule of retention periods of different categories of information shall be maintained;
- 5.1.7 The publication of privacy notices for all processing of personal data;
- 5.1.8 Maintaining a record of processing activity;
- 5.1.9 Respecting individuals’ rights in respect of their data;
- 5.1.10 Keeping personal data secure;
- 5.1.11 Transferring any information to third parties and/or overseas only where there are formal arrangements to ensure adequate protection;
- 5.1.12 Adopting a privacy by design and by default approach and undertaking data protection impact assessments; and
- 5.1.13 Reporting breaches of data protection, as required, to the Information Commissioner.
Data Subjects Rights
- 5.2 The DPO will publish guidance on the website advising how data subjects may exercise their rights in respect of their personal data held by or on behalf of the University
- 5.3 Where it is feasible to do so, individual faculties and professional services should provide data subjects with informal access to the personal data they hold.
- 5.4 A formal centralised Subject Access Request process for a data subject’s general right of access to personal data held by the University shall be managed by the Legal and Governance Department. Requests can be made via firstname.lastname@example.org.
- 5.5 The University shall ensure it is satisfied as to the identity of the data subject when they make such requests and that it received proof of authorisation where requests are made on the behalf of a data subject by a third party.
- 6.1 The Policy will be uploaded onto the University website and communicated to the University community.
7. Enforcement of this Policy and Sanctions
- 7.1 Compliance with this policy is the responsibility of all members of staff, associates, students, contractors and other third parties who process personal information on the University’s behalf and in the course of their duties, responsibilities’ and studies.
- 7.2 Anyone found to be acting in breach of this policy or who is negligent in their responsibilities to enforce it may be subject to disciplinary or capability procedures.
- 7.3 In serious cases, breaches of this Policy may be grounds for invocation of the Staff Capability and/or Disciplinary Policy and Procedure, and in the case of students, the Academic Misconduct Regulations, Fitness to Practise and/or Student Disciplinary Regulation and Procedure.
- 7.4 Any questions about the interpretation or operation of this policy should be referred to the Data Protection Officer.
8. Monitoring and Review
- 8.1 The impact of this Policy shall be reviewed by the Data Protection Officer.
- 8.2 This Policy shall be reviewed every two years from the date of approval.
9. Related Policies and Standards
- Information Security Policy and subsidiary policies
- Data Breach Procedure
- Data Protection Impact Assessment Procedure
- Privacy Notices
- Regulation on the appropriate use of University IT services
- Records Retention and Disposal Policy
- Staff Capability Policy and Procedure
- Staff Disciplinary Policy
- Student Disciplinary Regulation and Procedure
- Academic Misconduct Regulations
- Fitness to Practise Procedure
Policy Version Control Table
|Version 2.3 (minor updates from v2.1) presented to Executive Board for approval 21 June 2023.
|21 June 2023
|22 June 2023
|Next Review Date:
|01 July 2024
|Applicable Statutory, Legal or National Best Practice Requirements:
|UK General Data Protection, Data Protection Act 2018
|Equality Impact Assessment Completion Date:
|16 May 2018
You can download a PDF version of the Data Protection Policy here: Data Protection Policy