Data Protection Policy

Introduction

1.1 Albion collects, holds, and processes data about its students, employees, applicants, alumni, stakeholders, contractors, and other individuals in order to carry out its business and organisational functions.

1.2 Data Protection legislation defines ‘personal data’ as any information relating to an identified, or an identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal data also includes any expression of opinion about the data subject and what is intended for them.

1.3 Albion is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data.

Purpose and Scope

2.1 The purpose of this policy is to ensure compliance with the General Data Protection Regulation (GDPR) and related European Union (EU) and national legislation (‘Data Protection legislation’). Data Protection legislation applies to the processing of personal data about living identifiable individuals (‘data subjects’).

2.2 Albion is registered with the Information Commissioner’s Office (ICO) as a Data Controller. The policy incorporates guidance from the ICO, and outlines how Albion will discharge its duties and obligations to comply with Data Protection legislation.

2.3 This policy applies to all parts of Albion and to all personal data held and processed by the organisation. This includes data held in any system or format, whether electronic or manual.

2.4 This Policy applies to all members of staff except when acting in a private or non-Albion capacity. The term ‘staff’ means anyone working in any context within Albion. This includes but is not limited to temporary, honorary, visiting, casual, voluntary and agency workers, students employed by Albion, and external members of committees. This Policy also applies to all locations from which personal data is stored and accessed including off-campus.

2.7 This policy applies to all students when processing personal data on behalf of Albion, but not in any other situation, including when acting in a private or non-Albion capacity.

2.8 This policy also covers any staff and students who may be involved in research or other activity that requires them to process or have access to personal data. If this occurs, it is the responsibility of the relevant School or Unit to ensure the data is processed in accordance with Data Protection legislation and that students and staff are advised about their responsibilities.

2.9 This policy is not, and should not be confused with, a Privacy Notice (a statement which informs data subjects how their personal data is used by Albion).

2.10 This policy should be read in conjunction with responsibilities and obligations outlined in the following documents, which supplement this policy where applicable:

  • Staff employment contracts and comparable documents which impose confidentiality obligations in respect of information held by Albion;
  • Any other contractual obligations or staff policies which impose confidentiality or data management obligations in respect of information held by Albion;
  • The Records Management Policy and Records Retention Schedule which govern the appropriate retention and disposal of information;
  • Albion’s Data Breach Policy which sets out the procedure to be followed if a personal data breach takes place; and
  • IT and information security policies, procedures and terms and conditions which concern the confidentiality, integrity and availability of information including rules about IT acceptable use, user accounts, internet, email, and network and wireless facilities.

Policy Statement

3.1 Albion is committed to complying with Data Protection legislation through its everyday working practices.

3.2 Complying with Data Protection legislation may be summarised as, but is not limited to:

  • understanding, and applying as necessary, the data protection principles when processing personal data;
  • understanding, and fulfilling when necessary, the rights given to data subjects under Data Protection legislation; and
  • understanding, and implementing as necessary, Albion’s accountability obligations under Data Protection legislation.

3.3 In accordance with Data Protection legislation, additional conditions and safeguards will be applied to ensure that special category data (sensitive personal data) is handled appropriately. Special category personal data is information relating to an individual’s:

  • race or ethnic origin;
  • political opinions;
  • religious beliefs or other beliefs of a similar nature;
  • trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • health; or
  • sex life or sexual orientation.

3.4 Criminal convictions or offences (alleged or proven) are not technically defined as special category personal data but are afforded similar protections.

Data Protection Principles

4.1 Data Protection legislation requires that Albion, its staff, and others who process or use any personal information, comply with the data protection principles.

4.2 The data protection principles state that personal data should be:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified, explicit and legitimate purposes;
  • adequate, relevant, and limited to what is necessary;
  • accurate and where necessary kept up to date;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; and
  • processed in a manner that ensures appropriate security of the personal data.

4.3 Accountability is central to Data Protection legislation, and Data Controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the UK regulator, the ICO.

Data Subject Rights

5.1 The rights given to data subjects under Data Protection legislation are:

  • the right to be informed;
  • the right of access to the information held about them (through a Subject Access Request);
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • rights in relation to automated decision-making and profiling.

5.2 Under Data Protection legislation, data subjects have the right of access to their personal data held by Albion.

5.3 Any individual who wishes to exercise this right should make the request in writing to the Director of Operations.

Roles and Responsibilities

6.1 As a Data Controller (or when acting as a joint Data Controller or a Data Processor), Albion has a corporate responsibility for the following:

  • complying with Data Protection legislation and holding records to demonstrate this;
  • cooperating with the ICO, as the UK regulator of Data Protection legislation; and
  • responding to regulatory / court action and paying administrative levies and fines issued by the ICO.

6.2 Albion’s Board of Directors is responsible for reviewing and approving this policy.

6.3 The Audit and Risk Committee is responsible for assessing the overall risk profile of Albion and ensuring appropriate resources and processes are in place and implemented to enable compliance with Data Protection legislation.

6.4 Albion’s Data Protection Officer is responsible for:

  • monitoring Albion’s compliance with Data Protection legislation including managing internal data protection activities, raising awareness, training, and the conduct of internal audit;
  • advising Albion on its Data Protection obligations (including the use of Data Protection Impact Assessments);
  • acting as Albion’s point of contact for the ICO with regard to Data Protection legislation; and
  • acting as an available point of contact for data subjects.

6.5 The Governance Team, in collaboration with other relevant service areas, is responsible for:

  • providing advice, guidance, training, and tools / methods to assist Albion and staff in complying with this policy, in liaison with the Data Protection Officer, and taking account of ICO and other regulatory guidance and relevant case law;
  • publishing and maintaining core Privacy Notices and other Albion-wide data protection documents;
  • handling Subject Access Requests; and
  • advising on, managing and / or handling Data Protection Impact Assessments, data subject complaints, and personal data breaches, as advised by the Data Protection Officer.

6.6 Trustees, Directors and Deans are responsible for:

  • ensuring that all staff within their areas are aware of this policy, and understand the role of data protection principles in their day-to-day working practices through induction, training, and performance monitoring;
  • ensuring that personal data within their areas is processed in line with this policy and associated policies and procedures;
  • supporting internal and external audits to ensure compliance with Data Protection legislation; and
  • developing and reviewing information surveys to document information assets containing personal data in their areas, including databases, relevant filing systems, and the purposes of processing, to inform Albion’s Information Asset Register.

6.7 Compliance with Data Protection legislation is the personal responsibility of all members of Albion who process personal data.

6.8 New members of staff are required to complete mandatory information governance online training as part of their induction.

6.9 Staff members, as appropriate for their role and in order to enable Albion to comply with Data Protection legislation, are responsible for:

  • completing the information governance online training, and refresher training annually and / or if their role changes significantly;
  • ensuring that any personal data they process adheres to this policy and any associated information security policies;
  • ensuring any personal data they process complies with the data protection principles;
  • following relevant advice, guidance and tools / methods provided in relation to information governance;
  • when processing personal data on behalf of Albion, only using it as necessary for their contractual duties and / or other Albion roles and not disclosing it unnecessarily or inappropriately;
  • recognising, reporting internally with immediate effect, and cooperating with any remedial work arising from personal data breaches in accordance with the Data Breach Policy;
  • recognising, reporting internally with immediate effect, and cooperating with the fulfilment of Subject Access Requests;
  • when engaging with students who are using personal data in their studies and research, advising those students of relevant advice, guidance, and tools / methods to enable them to handle such personal data in accordance with this policy; and
  • ensuring they do not disclose personal data to a third party without first establishing that the individual’s consent has been provided. This also includes information that would confirm whether or not an individual is or has been an applicant, student, or employee of Albion. Albion may have a duty to disclose personal data to authorised bodies, such as the police and other organisations, in order to comply with its legal or statutory obligations under Data Protection legislation. Any requests to disclose personal data for reasons relating to national security, crime and taxation should be directed to the Director of Operations, who will respond on behalf of Albion.

6.10 The responsibilities outlined under paragraph 6.9 apply to individual students when processing personal data on behalf of Albion.

6.11 Any breach of this policy may be treated as misconduct under Albion’s relevant disciplinary procedures and could lead to disciplinary actions or sanctions.

Policy Review

7.1 This policy will be updated as necessary to reflect best practice, relevant case law, and to ensure compliance with any changes or amendments to Data Protection legislation.