
ULSTER UNIVERSITY
GENERAL DATA PROTECTION REGULATION POLICY 2019/2020

1 INTRODUCTION AND DEFINITIONS

The General Data Protection Regulation (“GDPR”) came into force across the European Union and, together with the Data Protection Act 2018 (“DPA”), replaced the UK Data Protection Act 1998. The purpose of the GDPR and DPA is to enhance and strengthen the protections afforded to individuals’ rights and freedoms, especially their right to privacy with respect to the processing of personal data.

Due to the nature of its business, Ulster University (“University”) is required to hold and process, both electronically and manually, large amounts of personal data. The GDPR and DPA provide a framework to ensure that personal information processed and stored by the University, whether in hard copy or electronic format, is handled properly both on and off campus.

1.1 Definitions and Meanings

1.1.1 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The University is a data Controller.

1.1.2 “Data Subject” means an identified or identifiable natural person about whom Personal Data is held. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the University, Data Subjects include current and past students and staff (including affiliated and visiting staff), and other third parties such as suppliers, contractors, consultants or referees.

1.1.3 “Personal Data” means any information relating to a Data Subject. It includes, by way of example only, name, date of birth, images and photographs.

1.1.4 “Processing” means any operation which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.1.5 “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

1.1.6 “Special Categories of Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning physical or mental health, or data concerning a person’s sex life or sexual orientation.

1.2 APPLICATION

The GDPR works in two ways. Firstly, it sets out the main responsibilities of organisations in relation to the Processing of Personal Data: they must comply with the six principles contained within the GDPR. Secondly, it provides Data Subjects with important rights, including the right to be informed, the rights of access, rectification, erasure, restriction of processing, data portability and objection, and rights in relation to automated decision making and profiling (see section 12 below).

2 REGISTRATION

The University, as a Controller, must provide prescribed information to the Information Commissioner’s Office (“ICO”) and pay a data protection fee annually. The ICO is the independent supervisory authority set up to promote and oversee compliance with data protection legislation in the UK. You can inspect the University’s details on the ICO’s data protection register at: https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/

The ICO has the right to carry out investigations, in the form of a data protection audit, on the University.

3 POLICY STATEMENT

The University is committed to protecting the rights of individuals in accordance with the provisions of the GDPR and DPA.

4 AIMS OF THE POLICY

The aims of this Policy are to set out the University’s strategy for ensuring compliance with the GDPR and DPA; to ensure that all staff, students and third party Processors engaged by the University are aware of their rights and responsibilities under the GDPR and DPA; and to minimise the risk to the University of any potential breach of the GDPR or DPA. A breach of the GDPR or DPA could damage valued relationships with stakeholders as well as causing reputational damage to the University and harm to the individual.

This Policy relates to all Personal Data, as defined by the GDPR, held by the University and applies equally to information held in paper and electronic format, whether stored in hard files, on PCs, laptops or other fixed or portable data storage devices. The Policy also applies to photographic material and CCTV footage.

5 THE DATA PROTECTION OFFICER AND OTHER STAFF CONTACTS

The University will ensure that it has in place at all times a designated Data Protection Officer. The University Secretary, Mr Eamon Mullan, is the University’s designated Data Protection Officer. The Data Protection Officer has primary responsibility for coordinating data protection compliance across the University, including reporting, and is the ultimate arbiter within the University in respect of data protection matters. The Data Protection Officer is supported by the Policy Co-ordinator.

The Data Protection Officer and Policy Co-ordinator are the first point of contact for queries and advice on responsibilities and compliance under the GDPR and DPA; for requests and objections by Data Subjects, including subject access requests (see section 12); and for liaising with the ICO and other agencies where appropriate. Contact details for these officers are attached at Appendix 1.

In addition, the Vice-Chancellor, Deputy Vice-Chancellors, Chief Operating Officer, Deans, Provosts, Heads of School, Research Institute Directors and Directors/Heads of professional services departments play a key role in assisting the University’s Data Protection Officer and are responsible for having in place appropriate procedures to ensure compliance with the GDPR and DPA within their areas of responsibility across the University. A list of these senior officers is attached at Appendix 2.

These officers have nominated suitable representative(s) (“Data Protection Nominee(s)”) who have undertaken specialist data protection training and who work with the Data Protection Officer and Policy Co-ordinator to respond to requests and objections by Data Subjects, including subject access requests (see section 12 below), and to implement and disseminate good practice. Contact details for the Data Protection Nominees are also attached at Appendix 2.

6 GDPR PRINCIPLES

The University is committed to the six data protection principles contained within the GDPR. These principles represent the best standards of practice with respect to the transmission, retention and disposal of Personal Data. All staff, students and others who process or use any Personal Data must comply with these principles. These state that Personal Data must:

i) be processed lawfully, fairly and in a transparent manner in relation to the Data Subject (“lawfulness, fairness and transparency”). (Further details in relation to “lawfulness” and having a “lawful basis” for Processing are contained in section 7 below);

ii) be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes (“purpose limitation”);

iii) be adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed (“data minimisation”);

iv) be accurate and kept up to date, and if inaccurate be erased or rectified (“accuracy”);

v) be kept for no longer than is necessary for the purpose(s) for which the Personal Data is Processed (“storage limitation”); and

vi) be Processed securely, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

The University, as Controller, is responsible for, and must be able to demonstrate, compliance with the six data protection principles.

7 LAWFUL BASIS FOR PROCESSING

For Processing of Personal Data to be lawful, all staff, students and others who process Personal Data must identify specific grounds for the Processing. This is called a “lawful basis”. There are six options under Article 6 of the GDPR, and which one applies depends on the purpose of the Processing and the relationship with the Data Subject. Article 6 of the GDPR is available online at: https://gdpr-info.eu/art-6-gdpr/

Special Categories of Personal Data are more sensitive and so require more protection. Where they are Processed, both (i) a “lawful basis” for general Processing under Article 6 of the GDPR and (ii) an additional condition for Processing under Article 9 of the GDPR are required. Article 9 of the GDPR is available online at: https://gdpr-info.eu/art-9-gdpr/

A “lawful basis” must be established before Processing begins and should be documented. If no “lawful basis” applies then the Processing will be unlawful and in breach of the GDPR principles.

The “lawful bases” for Processing as set out in Article 6 of the GDPR are as follows:

(i) Consent: the individual has given clear consent to process their Personal Data for a specific