The General Data Protection Regulations or GDPR came into effect in May of the academic year 2018-2019. They impact on how personal data is collected and used by organisations, including across Higher Education, Durham University and St Chad’s College.
As a member of staff at St Chad’s College it is important that you are aware of your responsibilities in relation to the handling, storage and removal of personal data. We therefore ask that you familiarise yourself with the below information and watch the videos provided.
What is personal data?
Under UK GDPR, personal data is defined as:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular in reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data includes: name, date of birth, National Insurance number, home address, email address, student ID number, dates of enrolment, attendance information, visa and immigration information, student or staff photo, disciplinary information, bank and financial details, exam and assessment results.
Special category data is a subset of personal data that requires even more protection. It includes data relating to:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union-membership;
- health;
- sex life and sexual orientation;
- genetics;
- biometrics.
Examples of special category data includes: open door and disability support records, sick notes and medical fit notes, equality data and trade union membership status.
Please watch the video below which provides an overview of the above.
Data protection principles
Under UK GDPR, personal data must be processed (e.g., collected, organised, altered, stored, used, shared) in accordance with data protection principles. The six principles are summarised below:
Personal data must be:
- processed fairly, lawfully and transparently;
- processed for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up-to-date;
- retained for no longer than necessary;
- kept secure.
Please watch the following video.
Key Definitions
Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data subject: a natural person whose personal data is processed by a data controller or processor.
Data Protection Breach Procedure
The General Data Protection Regulation (GDPR) creates a legal obligation to report certain data protection breaches to the Information Commissioner’s Office within 72 hours of identification.
In order to comply with this requirement, all governors and staff must notify the College’s Data Protection Officer of suspected or actual data protection breaches immediately on identification. The Data Protection Officer for St Chad’s College is the Vice Principal, Victoria Brown.
1. What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Examples include:
- theft or other loss of a personal or College owned laptop, tablet, USB drive, mobile phone or other device that stores College owned personal data;
- unauthorised 3rd party access to personal data;
- alteration or deletion of personal data without permission;
- loss of availability of personal data;
- uncontrolled system changes;
- human error e.g. personal data being emailed to the wrong recipient or sent to the wrong recipient by post.
2. On discovery of a breach, what do I need to do?
Notify the Data Protection Officer immediately. When reporting a breach, you must provide:
1. a description of the incident as well as any steps taken to contain it;
2. an indication of the number of individuals affected and who they are likely to be (staff, students, prospective students etc);
3. a description of the likely consequences of the personal data breach.
Other Resources
Legislation:
UK General Data Protection Regulation
Websites: