Data Protection Policy
Introduction
1. The purpose of the College’s Data Protection Policy is to ensure compliance with data protection law (the UK GDPR and related legislation). Data protection law applies to the storing or handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’).
2. The information and guidelines within this policy are important and apply to all members and staff of the College who shall in this policy be collectively referred to as the “College” in the paragraphs below. The terms “members” and “staff” mean anyone working in any context within the College whether permanent, fixed term or temporary, including but not limited to employees, retired but active members, visiting researchers, volunteers, and external members of committees. Non-compliance may result in disciplinary action in accordance with the College’s procedures.
3. Like all educational establishments, the College holds and processes information about its members, employees, applicants, students, alumni and other individuals for various purposes. Privacy notices (statements informing data subjects how their personal data is used by the College) can be found at https://www.magd.cam.ac.uk/administration/policies-and-procedures.
Data Breaches
4. One of the most important accountability obligations concerns personal data breaches - that is, where personal data held by the College is lost, stolen, inadvertently disclosed to an external party, or accidentally published. If a personal data breach occurs, this should be reported immediately to a Head of Department, who should then inform:
A. The person responsible for College Data Protection, the Assistant Bursar. The Assistant Bursar will then contact relevant senior members of the College to determine what action is to be taken.
B. If the breach is IT-related in any way, the Head of IT.
C. The Colleges’ Data Protection Officer (DPO) via the online reporting form found at https://app.casc.cam.ac.uk/pdir.
Remedial work can then be done so that the breach can be contained. On occasion, we need to report breaches to relevant external authorities, including the ICO, within a short timeframe.
The Data Protection Principles
5. The College is committed to complying with data protection law as part of everyday working practices. Complying with data protection law may be summarised as, but is not limited to:
A. Understanding, and applying as necessary, the data protection principles when processing personal data:
The principles in relation to personal data are: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality.
B. Understanding, and fulfilling as necessary, the rights given to data subjects under data protection law:
The data subject rights are: access, rectification, erasure, restriction, data portability, and objection (including in relation to automated decision-making).
C. Understanding, and implementing as necessary, the College’s accountability obligations under data protection law:
The accountability obligations include: implementing appropriate data protection policies, holding relevant records about personal data processing, implementing appropriate technical and organisational security measures to protect personal data, reporting certain personal data breaches to the Information Commissioner’s Office.
The Destruction of Personal Data
6. When personal data is no longer required for the purposes for which it was obtained it should be destroyed. Guidance on the retention of records containing personal data is provided at Annex A.
Data Security and Disclosure
7. All persons within the College, as appropriate to their role and in order to enable the College to comply with data protection law, are responsible for:
A. completing relevant data protection training
B. when processing personal data on behalf of the College, only using it as necessary for their duties and/or other College roles and not disclosing it unnecessarily or inappropriately
C. ensuring that all personal data that they hold is kept securely
D. recognising that data held on disk, laptop, or other portable medium are particularly vulnerable and must be properly safeguarded
E. ensuring that data stored on a computer is password protected as appropriate and secure methods of transmission are used
F. ensuring any other appropriate security measures are taken
G. recognising, reporting internally, and cooperating with any remedial work arising from personal data breaches
H. recognising, reporting internally, and cooperating with the fulfilment of data subject access rights
I. only deleting, copying or removing personal data when leaving the College as agreed with the College Data Controller or other appropriate person
Non-observance of the responsibilities noted above is a disciplinary matter and may be considered gross misconduct. If in any doubt, consult the person responsible for Data Protection in the College, the Assistant Bursar.
Data Subject Access Rights
8. A data subject has the right: to ask us for access to, rectification or erasure of their data; to restrict processing (pending correction or deletion); to object to communications or direct marketing; and to ask for the transfer of their data electronically to a third party (data portability). Some of these rights are not automatic, and the College reserves the right to discuss with the data subject why the College might not comply with a request from a data subject to exercise them. See Annex B.
Data Controller
9. The controller for your personal information is Magdalene College, Cambridge CB3 0AG. The Data Protection Officer for the College is the Office of Intercollegiate Services Ltd [12B King’s Parade, Cambridge; 01223 768745; college.dpo@ois.cam.ac.uk]: OIS Ltd. should be contacted if you have any concerns about how the College is managing your personal information, or if you require advice on how to exercise your rights as outlined in this statement. The person within the College otherwise responsible for data protection at the time of issue, and the person who is responsible for monitoring compliance with relevant legislation in relation to the protection of personal information, is the Assistant Bursar (assistant.bursar@magd.cam.ac.uk).
10. The College may from time to time designate responsibility for particular types of data within the College; these are listed below:
Student Records
11. Tutorial files are maintained in respect of students' academic progress, welfare and financial arrangements. The purposes for which they are maintained include the relevant student's applications for employment, professional training, or admission to other educational establishments. Current Tutorial files are to be kept by the relevant Tutors and Directors of Studies, respectively. All files may be consulted on a day-to-day basis by the Senior Tutor and, where appropriate, the Admissions Tutors, Dean, the student's individual Director of Studies or Tutor, and Academic Office staff.
All other requests for access to a Tutorial file or other related records must be authorised by the Senior Tutor. For more detail on how student information is used see https://www.magd.cam.ac.uk/data-protection-students.
12. Student admissions files are maintained in respect of candidates, and potential candidates, for both undergraduate and postgraduate admissions purposes. During the admissions process such files are maintained and kept by the Admissions Tutors and Academic Office staff. For successful candidates, the admissions documentation is then included in a tutorial file and passed to the relevant Tutor. For unsuccessful candidates, the admissions documentation is retained in accordance with the College retention policy (Annex A). During the admissions process, Admissions files may be consulted by the Tutors (as appropriate), the Admissions Tutors (as appropriate), the Director of Studies and any other interviewers.
All other requests for access to Admissions files must be authorised either by the Senior Tutor, or the Admissions Tutors. For more detail on how student applicant information is used see https://www.magd.cam.ac.uk/data-protection-applicants-students.
13. Files relating to student financial matters are maintained by the College Accountant. These files may be consulted on a day-to-day basis by the Senior Tutor, the Postgraduate Tutor, the Bursars and their respective secretaries.
All other requests for access to a student financial file must be authorised by the College Accountant.
14. Files relating to disciplinary matters involving students are maintained and kept by the Dean. Sensitive information may be placed in the student's Tutorial File.
All other requests for access must be authorised by the Dean or Senior Tutor.
15. Medical notes in respect of students are maintained by the Senior Tutor for health and safety reasons to assist in meeting the needs of students with disabilities, or for reasons connected with absences from College, poor performance, and applications to the University or to charities etc. Sensitive information may be placed in the student's Tutorial File. The notes may be consulted on a day-to-day basis by the Senior Tutor and the Senior Tutor's PA.
All other requests for access to these notes must be authorised by the Senior Tutor.
16. Medical files in respect of the day-to-day health and welfare of Fellows, staff and students may be maintained if required by the Health and Wellbeing service.
All requests for access to medical files must be authorised by the Head of Student Wellbeing.
Fellows’ and Staff Records
17. Files relating to Fellows are maintained and kept by the College Office. These files may be consulted on a day-to-day basis by the Master, the President, the Senior Tutor, the Senior Bursar, the College Accountant and those members of the College Office with specific responsibility for payroll functions or Human Resources.
All other requests for access must be authorised by the Senior Bursar or the Senior Tutor. For more information on how information about Fellows and Senior Members is used please see https://www.magd.cam.ac.uk/data-protection-senior-members.
18. Fellowship Issues. Matters pertaining to the election of Fellows are conducted by the Fellowship Committee and overseen by the Master, the President and the Senior Tutor who is Secretary. Files relating to this process may be consulted on a day-to-day basis by the Master and the President, the Senior Tutor and their secretaries.
All other requests for access to these files must be authorised by the Master, President or Senior Tutor. For more detail on how Fellowship application information is used please see https://www.magd.cam.ac.uk/data-protection-applicants-senior-members.
19. Files relating to staff of the College are maintained and kept by the College Office. These files may be consulted on a day-to-day basis by the Bursars and those members of the College Office with specific responsibility for payroll functions or Human Resources.
All other requests for access to these files must be authorised by the Assistant Bursar. For more information on how staff and staff applicant information is used please see https://www.magd.cam.ac.uk/data-protection-staff and https://www.magd.cam.ac.uk/data-protection-applicants-staff.
20. Files in respect of teaching officers. The Senior Tutor maintains payment data concerning supervisions. Other wages-related files are maintained and kept by the College Accountant and College Office staff with specific responsibility for payroll functions. These files may be consulted on a day-to-day basis by the Bursars, the College Accountant, and those members of College Office staff with specific responsibility for payroll functions.
All other requests for access to these files must be authorised by the Senior Tutor, Senior Bursar or College Accountant.
Library Records
21. Files relating to Fellows and students maintained by the College Librarian. These are maintained and kept by the College Librarian to record the whereabouts of library books. These files may be consulted on a day-to-day basis by the College Librarian and the library staff.
All other requests for access must be authorised by the College Librarian.
Other Tenancy Records
22. Files relating to tenancies of College properties, suppliers of goods and services to the College, and other third parties not otherwise dealt with in this policy document. These are maintained and kept by the Senior Bursar and the Assistant Bursar/College Accountant. These files may be consulted on a day-to-day basis by the Senior Bursar, the Assistant Bursar, the Bursars’ Secretaries, and appropriate College Office staff.
All other requests for access must be authorised by the Senior Bursar or the Assistant Bursar.
Alumni Records
23. Alumni. For information on how the College handles and uses alumni data, please refer to https://www.magd.cam.ac.uk/alumni-data-protection.
The Role of the Head of IT in Data Protection
24. When files or information are stored electronically on a computer, the Head of IT is to ensure that the computer software includes protection against computer viruses. The information held is to be backed-up regularly and protected against unauthorised access, with the back-up system stored separately. The computer is to be password protected and is to be stored in a locked office whenever unattended.
The security of personal data held on computers
25. The important role played by the IT Department in Data Protection does not absolve other computer users from personal responsibility. All reasonable steps should be taken to ensure that personal data held on computers is secure and necessary. The following guidelines are to be followed:
A. access to computer files should be restricted using privilege levels and passwords
B. strong passwords should be used (further advice on what is deemed a strong password can be obtained from the Head of IT) and the number of attempted logins limited
C. equipment should be sited in a secure location where access can be restricted to authorised persons. Members of the public should not be able to view terminal screens
D. terminals should be locked (Ctrl-Alt-Del) when left unattended and logged off when finished with or at the end of the day
E. redundant data should be wiped or overwritten
F. appropriate backup and storage should be observed
G. removable disks should be locked up after use
H. for large amounts of sensitive data, it might be necessary to keep a copy in a fireproof safe at a separate location.
I. network systems can be accessed by experienced persons. Whenever possible, personal data should be encrypted to prevent unauthorised access
J. computer printout containing personal information should be shredded before disposal; it should not be used as scrap paper.
K. special care must be taken over the security of laptops as these are often targeted by thieves.
The use of CCTV within the College
26. The College operates a number of CCTV cameras within the College in order to provide a safe and secure environment for members of the College, its employees and visitors, and to protect the College’s property. Please see https://www.magd.cam.ac.uk/cctv-code-of-practice for the Magdalene College CCTV code of practice.
27. It is permissible and appropriate for the College to keep records of internal communications which are relevant to an individual's ongoing relationship with the College, whether as a Fellow, member of staff or student, including information concerning performance and conduct issues, provided such records comply with the Data Protection principles. It is recognised that email is used for such communications and that such emails should form part of the College's records.
28. All those working within the College need to be aware that data protection law applies to emails which contain personal data about individuals which are sent or received by members of the College (other than for their own private purposes).
29. Subject to certain exceptions, individual data subjects will be entitled to make a Data Subject Access Request and have access to emails which contain personal data concerning them, provided that the individual data subject can provide sufficient information for the College to locate the personal data in the emails. The legislation applies to all emails from and to members of the College which are sent and received for College purposes, whether or not the emails are sent through the College email system or on an individual's own email account.
Disclosure outside of the UK
30. We may transfer personal data that we collect from you to third-party data processors in other countries, but we will only do so if appropriate data protection agreements and safeguards have been put in place, or it is otherwise lawful to transfer the data.
Complaints Procedure
31. Data subjects wishing to complain about the College’s handling of data protection issues should do so in writing to the person responsible for College Data Protection, the Assistant Bursar. The Assistant Bursar will seek to resolve any issue to the satisfaction of the data subject. You retain the right at all times to lodge a complaint about our management of your personal data with the Information Commissioner’s Office at https://ico.org.uk/concerns/.