Data Protection Policy

The 1998 Data Protection Act regulates how organisations may use personal data and protects the rights of individuals with regard to the use of their personal data. The Act establishes eight principles that state that personal data shall be:

  1. Processed fairly and lawfully and shall not be processed unless certain conditions are met
  2. Obtained for specified and lawful purposes and not further processed in a manner incompatible with that purpose(s)
  3. Adequate, relevant and not excessive
  4. Accurate and where necessary up to date
  5. Kept for no longer than necessary
  6. Processed in accordance with the data subject's rights
  7. Protected by the appropriate security
  8. Not transferred to countries outside the EEA without adequate protection

The use of personal data is also governed by other statutory and common law requirements, including the law of confidence and defamation. Petroc is committed to ensuring that its use of personal data is fully compliant with the law and best practice.

Data Protection has implications both for those who provide personal information to the College (staff, students and others) and for those who may use it in the course of their duties to enable the College to carry out its functions. Some of the requirements are complex and detailed, particularly for those members of staff who are responsible for deciding what personal information is kept and how it is used. For this reason the Policy does not attempt to give detailed guidance. Instead its purpose is to identify how Data Protection issues will be managed by describing rights and responsibilities.

Part A describes the responsibilities of management, staff and students.

Part B describes the rights of data subjects including staff, students and members of the public where the College processes personal information about them.

Part C gives a short explanation of the main terms used in the Policy. The College recognises that good practice in handling personal information will not be achieved simply by agreeing a policy and allocating responsibilities. This Policy is supported by a commitment to ensure that those who are given responsibilities under the policy are provided with the resources, training and guidance that they need to fulfil those responsibilities.

Data Protection Guidelines are available which give further details of the processes to be followed to ensure that this Policy is upheld throughout the College.

Part A - How Petroc will manage Data Protection

This part of the Policy identifies the Data Protection responsibilities of various members of staff and students.

SMT

The Senior Management team is responsible for ensuring that the College is fully compliant with the law and best practice for handling personal information. SMT will

  • Approve College policies & procedures for handling personal information 
  • Review developments in good practice and Codes of Practice issued by the Information Commissioner having a bearing on College activities, updating College policies and procedures, as appropriate 
  • Allocate resources to enable the Data Protection Policy to be practically and proactively applied within the College 
  • Ensure that the College's information strategy is matched to its business needs and that the appropriate links are made between Data Protection, IT Security, Information Security, Records Management and Freedom of Information and that a co-ordinated approach to these issues is adopted and maintained

Data Protection Officer

The Data Protection Officer is responsible for maintaining the College's Data Protection systems. The Data Protection Officer will:

  • Maintain the College's Data Protection Notification
  • Undertake audits of uses of personal data as appropriate
  • Liaise with the Information Commissioner and respond to assessments
  • Make recommendations to SMT regarding Data Protection Policy and good practice
  • Provide a Data Protection training programme
  • Provide general guidance and advice and dissemination of information regarding Data Protection
  • Deal with subject access requests and co-ordinate responses to complaints
  • Co-ordinate and advise on all non-routine requests for disclosure of personal information
  • Monitor and report on compliance

Managers

Good personal data handling is one aspect of delivering excellent customer service. The key to achieving high standards in handling personal information is recognising that the primary responsibility for complying with legislation and good practice lies with the staff who are responsible for deciding how the personal information is used. Managers of each area of the College will

  • Ensure they are satisfied with the legality of holding and using the information 
  • Ensure that the use of personal data complies with all appropriate College policies 
  • Ensure that the staff they manage receive appropriate Data Protection training
  • Refer any non-routine requests for disclosure, requests for subject access and requests to cease processing to the Data Protection Officer immediately, being aware of the time limits for responding to the requests

IT Services

All staff and users of personal data have some responsibility for the security of that data. IT staff have an important role in ensuring the security of computerised data. In particular they will

  • Be responsible for advising the College on the state of technological development with regard to IT security
  • Back up data on the College's IT systems
  • Implement virus detection and hacking preventative measures
  • Under instruction from SMT or the Data Protection Officer, place appropriate restrictions on access so that individuals only have access to personal data in which they have a legitimate business interest
  • Require the use of passwords and ensure they are changed regularly
  • Promote policies for the use of College IT facilities including email, intranet and internet.
  • Investigate breaches of IT security

Human Resources

An important aspect of security is ensuring the reliability of staff. Human Resources can contribute to this in a number of ways. They will

  • Ensure that the College's Employment Practices are consistent with the Employment Practices Code of Practice
  • Ensure that Data Protection obligations are reflected in the College's Disciplinary Procedures and contracts of employment
  • Ensure that all staff are aware of the types of personal information that the College will routinely make public (eg name, post, qualifications, telephone or email) and that individuals have the right to object to that disclosure when they consider it may cause them substantial damage or distress
  • Provide advice to managers and others on the application of the Criminal Records Bureau Code of Practice

Other Staff

All staff are likely to have access to some personal information in the course of their duties. They will

  • Respect the privacy and confidentiality rights of all data subjects
  • Be careful that personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party. This includes making sure that casual access to data is not possible on screen or otherwise
  • Only use personal information for approved purposes and ensure that they comply with any instructions and guidelines about the use of personal data
  • Inform the Data Protection Officer of any proposed new uses of personal data
  • Keep all personal data secure and not remove it from college premises without the permission of their line manager
  • Comply with all College policies regarding the use of IT facilities
  • Check that the information they provide to the College in connection with their employment is accurate and up-to-date and inform the College of changes to or errors in information held

Students

Students will not normally process personal data on behalf of the College. However, from time to time there may be circumstances where this happens and it is the responsibility of the tutor to ensure that guidelines are followed appropriately. For periods of work experience within the college, there is a process which should be followed before students have access similar to that of a member of staff, details of which can be obtained from the Data Protection Officer. It is the responsibility of the work experience supervisor to ensure that this process is followed and they should also be prepared to limit access to information where they feel it is inappropriate in a given circumstance.

At all times students will

  • Respect the privacy and confidentiality rights of all data subjects
  • Not seek to gain unauthorised access to personal information
  • Comply with all College policies regarding the use of IT facilities
  • Check that the information they provide to the College in connection with their studies is accurate and up-to-date and inform the College of changes to or errors in information held

Part B - Data Subject's Rights

Right of subject access

Subject to certain exemptions a data subject has the right

  • To be told by the College whether it or someone else on its behalf is processing his/her personal information, and if so
  • To be given an intelligible description of the personal data, the purposes for which it is being processed and the likely recipients and sources of that personal data
  • To receive a copy of the personal data

All requests for access must be made in writing to the Data Protection Officer and the College has the right to charge a fee of £10 per request. The College will respond promptly to the request and, in any case, within the legal time limits.

Right to prevent processing likely to cause unwarranted damage or distress

A data subject is entitled to request in writing that the College does not process personal data where such processing is likely to cause unwarranted damage or distress to him/her.

This right does not apply where

  • The data subject has given consent previously to the processing or
  • The processing is necessary for the purposes of fulfilling a contract with the data subject, fulfilling a legal obligation of the College or for protecting the data subject's vital interests.

Right to prevent direct marketing

A data subject is entitled at any time to request in writing that the College does not process personal data for the purposes of direct marketing.

Rights in relation to automated decision making

Subject to certain exemptions, a data subject is entitled at any time, in writing, to require that the College ensures no decision which significantly affects him/her is based solely on the processing of personal data by automatic means. Where a decision which significantly affects the data subject is based solely on such automatic processing, the College must notify him/her that the decision was taken on that basis. Any human intervention in an automated process is deemed to show that the decision is not solely automatic. A data subject is entitled to request to be told the logic behind any automated decision making process.

Rights to compensation

Where a data subject suffers damage or damage and distress as a result of the breach of any of the requirements of the Act, he/she may apply to the Courts for compensation. Compensation for distress alone can only be claimed where the College breaches any requirements of the Act when processing his/her personal data in relation to journalistic, artistic or literary purposes.

Rights to request rectification, blocking, erasure and destruction of inaccurate data

A data subject may apply to the Court for an order requiring the College to rectify, block, erase or destroy data relating to him/her if they are inaccurate.

A data subject may request that the Information Commissioner assesses whether or not it is likely that any processing of personal data has been or is being carried out by the College in non-compliance with the Act. Depending on the Commissioner's assessment, Information Notices may be served or the Commissioner may take enforcement action.

Part C - Glossary

Data

Data is information which is processed by a computer or manually held which forms part of a relevant filing system. A relevant filing system is a system that is structured either by reference to an individual or by criteria relating to individuals so that specific details relating to a particular individual may be easily selected from that system. Data can be written information, photographs or information like fingerprints, voice recordings, etc. From 2005 the definition of data under the Freedom of Information Act extends to include unstructured manual data but there are transitional arrangements for Data Protection which allow the existing definition of relevant filing systems to stand for existing systems until 2007.

Personal Data

Personal data is information that relates to a living individual who can be identified from that data and other information in or likely to come into the possession of the Data Controller.

Sensitive Personal Data

Sensitive personal data is personal data of the following specific nature: racial or ethnic origin; political opinions; religious beliefs or beliefs of a similar nature; membership of Trade Unions; physical or mental health or condition; sexual life; commission or alleged commission of any offence; proceedings for any offence committed or alleged, the disposal of such proceedings or the sentence of the court.

Processing

Processing is anything done with the data including holding and viewing it. If you have personal data you should assume you are processing it.

Implicit consent

The data subject may be asked to agree implicitly to the disclosure of information about themselves to certain named third parties. In the case of a student this consent is given when they sign an enrolment form or agree to the terms via an online process. In the case of staff this is implicitly given by signing the contract.

Explicit consent

Where sensitive personal data is to be disclosed to a third party, explicit consent must be sought from the data subject before the disclosure can take place. This consent is for the named disclosure and cannot be taken as consent for other or further processing of the data in this way. It needs to be collected each time such a disclosure is to be made.

Data Subject

The Data Subject is the individual who is the subject of personal data. This will include staff, students, suppliers of goods, visitors, contractors, etc.

Data Controller

The Data Controller is the legal person or body who determines the purposes for which and the manner in which any personal data are, or are to be, processed. The College is the Data Controller.

Data Processor

The Data Processor is any person other than an employee of the Data Controller who processes data on behalf of the Data Controller.

Third Party

A Third Party is any person other than the Data Subject, the Data Controller, the Data Processor or other person authorised to process data for the Data Controller.

Last Updated: 3rd April 2012 at 3:03pm
