Introduction
Imperial College Union (ICU) is committed to all aspects of data protection and takes seriously its duties, and the duties of its employees, under General Data Protection Regulations 2016 (GDPR).
The purpose of this policy is to set out:
- how the organisation deals with personal data relating to staff;
- the principles under which data will be processed by the organisation;
- and the expectation the organisation has on its staff in relation to their individual responsibilities regarding the processing of data.
This policy should be read in conjunction with the organisation’s Privacy Notices, which specifically set out how the organisation will use information collected in relation to its staff and members.
The College’s Data Protection Officer is responsible for informing and advising Imperial College Union and its staff on its data protection obligations, and for monitoring compliance with those obligations.
If you have any questions or comments about the content of this policy or if you need further information, you should contact the Data Protection Officer via email at dpo@imperial.ac.uk.
Scope
All ICU staff, members and other authorised third parties (including temporary and agency workers, contractors, casual workers, interns and volunteers) who have access to any personal data held by or on behalf of the ICU, must adhere to this policy and associated Privacy Notices.
Definitions
“Personal Data” is any information that relates to an individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
“Special categories of personal data” means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.
Data Protection Principles
We will comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
Privacy Notices
ICU will issue privacy notices informing the people from whom we collect information about the personal data that we collect and hold relating to them, how they can expect their personal data to be used and for what purposes.
ICU will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Our central privacy notices are located on our privacy page: Privacy
Other, specific privacy notices will be issued at relevant stages of data collection.
Individual Rights
Data subjects have the following rights in relation to their personal data:
- To be informed about how, why and on what basis that data is processed (at ICU, we customarily do this via our privacy notices)
- To obtain confirmation that their data is being processed and to obtain access to it and certain other information, by making a subject access request
- To have data corrected if it is inaccurate or incomplete
- To have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (this is sometimes known as ‘the right to be forgotten’)
- To restrict the processing of personal data where the accuracy of the information is contested, or the processing is unlawful (but the data subject does not want the data to be erased), or where ICU no longer needs the personal data but the data subject requires the data to establish, exercise or defend a legal claim
- To restrict the processing of personal data temporarily where the data subject does not think it is accurate, or where the data subject has objected to the processing
Our privacy notices provide details of how these individual rights can be exercised. In most cases, individuals are advised to contact ICU Systems at: icu.systems@imperial.ac.uk
Subject Access Requests
Individuals have the right to make a subject access request. If an individual makes a subject access request, ICU will provide:
- Confirmation of whether, and where, we are processing their personal data
- Information about the purposes of the processing
- Information about the categories of data being processed
- Information about the categories of recipients with whom the data may be shared
- Information about the period for which the data will be stored (or the criteria used to determine that period)
- Information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing
- Information about the existence of the right to complain to the Information Commissioner
- Where the data were not collected from the data subject, information as to the source of the data; and information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects
Additionally, ICU respects the right of data subjects to request a copy of the personal data being processed.
In certain circumstances, an exemption to the GDPR requirement to grant access to personal data might apply. Such exemptions include where disclosure would simultaneously disclose data about another person (unless that person consents to the disclosure).
To make a subject access request, the individual should visit our Subject Access Request page: Subject Access Request
In some cases, we may need to ask for proof of identification before the request can be processed.
ICU will normally respond to a request within a period of one month from the date it is received. In some cases, such as where large amounts of the individual's data is being processed, it may respond within three months of the date the request is received. ICU will write to the individual within one month of receiving the original request to tell them if this is the case.
If a subject access request is manifestly unfounded or excessive, ICU is not obliged to comply with it. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded.
If an individual submits a request that is unfounded or excessive, the organisation will notify them that this is the case and whether or not it will respond to it.
Individual Obligations
Individuals are responsible for helping the ICU keep their personal data up to date. We receive limited data from the College and individuals should let the College know if the information they have provided to the College changes, e.g. if one moves house or changes details of the bank or building society account to which they are paid.
Members of staff may have access to the personal data of other members of staff, students and other clients and suppliers of ICU in the course of their employment or engagement. If so, we expect staff to help meet our data protection obligations to those individuals.
If a staff member has access to personal data, they must:
- Only access the personal data that they have authority to access, and only for authorised purposes;
- Only allow others to access personal data if they have appropriate authorisation to do so;
- Keep personal data secure (e.g. by complying with rules on access to premises, computer access, password protection and secure file storage and destruction and other precautions set out in the College’s Information Security Policy and related Codes of Practice);
- Not remove personal data, or devices containing personal data (or which can be used to access it), from the College’s premises unless appropriate security measures are in place (such as pseudonymisation, encryption or password protection) to secure the information and the device; and
- Not store personal data on local drives or on personal devices that are used for work purposes.
The College’s Data Protection Officer should be contacted if a member of staff is concerned or suspects that one of the following has taken place (or is taking place or likely to take place):
- Processing of personal data without a lawful basis for its processing
- Access to personal data without the proper authorisation
- Personal data not kept or deleted securely
- Removal of personal data, or devices containing personal data (or which can be used to access it), from College premises without appropriate security measures being in place
Data Breaches
If the organisation discovers that there has been a breach of personal data, the data breach team will notify the ICO within 72 hours when a breach has occurred unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.
If the data breach team is unsure whether to report, the presumption should be to report. The data breach team is defined as the team responsible for investigating data security breaches as set out in our general data breach plan. The general data breach plan sets out a comprehensive policy on how ICU reacts to data breaches.
To report a data breach or read our data breach plan, visit our Data Breach page: Data Breach
Data Security
We have put in place measures to protect the security of your information. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instruction, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Training
Staff need to be trained regarding their data protection responsibilities. Staff who process personal data will be provided with GDPR training as part of their induction process with the College.
Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive any additional appropriate training required to help them understand their duties and how to comply with them.
Storage and Retention
Personal data (and sensitive personal data) will be kept securely in accordance with the College’s Information Security Policy.
Personal data (and sensitive personal data) should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal data was obtained.
The College’s Retention Schedule (which is maintained by the College’s Archives and Corporate Records Unit) sets out the relevant retention period, or the criteria that should be used to determine the retention period – the Retention Schedule is available at: Imperial College London Retention Schedule
Where there is any uncertainty with respect to data retention, staff should consult either the ICU Systems Team or the College’s Data Protection Officer.
Personal data (and sensitive personal data) that is no longer required will be deleted permanently from our information systems and any hard copies will be destroyed securely. Full record of our Information Assets and their corresponding retention schedules will be kept in an Information Asset Register (IAR) in line with the College’s policy.
Data protection Impact Assessments (DPIAs)
Some of the processing that the organisation carries out may result in risks to privacy.
Where processing would result in an elevated risk to individual's rights and freedoms, the organisation will carry out a DPIA to determine the necessity and proportionality of processing. This will be conducted in accordance with College policy.
This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.