Data Protection Policy

Last updated: 21st March 2023

University of Chester Data Protection Policy

(General Data Protection Regulation and Data Protection Act 2018)

Purpose and Introduction

1. The purpose of the Data Protection Policy is to meet the University’s legal obligations under data protection legislation, and to promote the culture of respect for individuals and their rights which is expressed in the Christian values which underpin the University’s Mission Statement.
2. In order to fulfil its purpose and to meet its legal obligations to funding bodies and the government, University of Chester must keep personal information relating to both staff and students. In doing so, the University is subject to the provisions of data protection legislation which is concerned with upholding the rights of natural persons in relation to the processing of their personal data.
3. The right to the protection of personal data is balanced against other rights, and staff and students are given a degree of control over the use of their personal data, particularly unforeseen secondary uses, and to provide protection from unwanted or harmful use of their personal data. 
4. The protection given to individuals by the legislation is stated in the six Data Protection Principles. The University is committed to upholding these principles.
5. The University of Chester Data Protection Policy should be read in conjunction with the Data Protection and other Associated Guidance Notes: (link to Guidance Notes)

Status of the Policy

6. Any breach of this Policy will be regarded seriously and may lead to disciplinary action being taken in accordance with the applicable University procedures. Any member of staff or student who considers that the policy has not been applied in respect of their personal data should raise the matter with the relevant department, their head of department, the University Data Controller and/ or the University Data Protection Officer. The Data Protection Officer on behalf of the complainant will investigate complaints and or suspected breaches of either this policy or the Act.

Definitions

7. All terms used in this Policy which are defined by data protection legislation (including the General Data Protection Regulation (EU) 2016/679, the applied GDPR, Data Protection Act 2018 and any relevant Data Protection regulations) bear the same meanings in this Policy. These include the terms listed as appendix A.

The Data Protection Principles

8. Data protection legislation details the main responsibilities of the University as a data controller and processor through the data protection principles which require that personal data shall be:
   1. processed lawfully, fairly and in a transparent manner in relation to individuals;
   2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
   3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
   4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
   5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
   6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
9. The seventh principle of accountability means that as a data controller the University is responsible for, and must be able to demonstrate, compliance with these principles. In processing personal data the University will ensure that these principles are adhered to.

Lawfulness of Processing

10. In order to process personal data the University must also ensure that a valid lawful basis for the processing exists from amongst the following: 
    1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (Consent)
    2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (Contract)
    3. processing is necessary for compliance with a legal obligation to which the controller is subject; (Legal obligation)
    4. processing is necessary in order to protect the vital interests of the data subject or of another natural person; (Vital interests)
    5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (Public task)
    6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (Legitimate interests)
       1. Point f. above shall not apply to processing carried out by the University as a public authority in the performance of its tasks.
11. When processing personal data the University will ensure that at least one valid lawful basis exists. The University will not process personal data for any purpose which is incompatible with the purpose for which the personal data was initially collected.

Consent

12. Where the processing of personal data is based upon consent as the most appropriate lawful basis for processing the consent shall:
    1. be freely given;
    2. be specific, concise and easily understood;
    3. be informed and unambiguous;
    4. be able to be evidenced and demonstrated;
    5. be based on a positive ‘opt-in’;
    6. be refused without detriment and not a precondition of service;
    7. be able to be withdrawn as easily as given;
    8. be refreshed at appropriate intervals and/or where necessary;
    9. cover all processing activities carried out for the same purpose;
    10. not be valid in the case of a child aged 12 years or younger unless the consent is given by a person with parental responsibility for the child 

Special Categories – Article 9 Data

13. Processing of special category data, being personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, shall not be processed unless a lawful basis for processing, as specified in 10.a to 10.f above, is met and also one the following:
    1. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
    2. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
    3. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
    4. processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
    5. processing relates to personal data which are manifestly made public by the data subject;
    6. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
    7. processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
    8. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards;
    9. processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
    10. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

University Data Protection Responsibilities

14. The University has a nominated Data Controller (University Secretary) and Data Protection Officer (Institutional Compliance Officer). The Data Controller has overall responsibility for the University’s compliance under the data protection legislation. 
    1. The responsibilities, designation, position, tasks and associated matters relating to the University’s Data Controller, Data Protection Officer and any Data Processors shall be as specified in data protection legislation.
15. After provision of any necessary information from relevant Heads of Department, Deans of Faculty and Directors of Service, the University Data Controller will determine the purposes and means of processing personal data. In doing so the Data Controller, in collaboration with the Chief Information Officer, shall implement appropriate technical and organisational measures to:
    1. demonstrate that processing is performed in accordance with the data protection legislation; 
    2. maintain relevant documentation and the record of processing activities;
    3. implement measures that meet the principles of data protection by design and data protection by default.  Measures may include:
       1. data minimisation;
       2. pseudonymisation;
       3. transparency;
       4. allowing individuals to monitor processing; and
       5. creating and improving security features on an ongoing basis;
    4. complete and use data protection and privacy impact assessments where appropriate;
    5. ensure that any third party data processors provide sufficient safeguards and guarantees in relation to the processing of personal data as detailed in data protection legislation;
    6. Ensure that the carrying out of processing should be governed by a contract as detailed in data protection legislation. 
16. The Data Protection Officer will ensure that the University adheres to the Principles of the data protection legislation by the following means:-
    1. Informing and advising the University (including in particular those members of the University identified as ‘data users’ or ‘data holders’) about their obligations to comply with national/international data protection legislation, and internal data protection issues;
    2. maintaining and updating the University’s Registration/Notification under the data protection legislation and addressing the implications of changes to data management procedure within the University e.g. through the use of new computer systems or recording of information for varying purposes;
    3. act as the first point of contact for supervisory authorities and for individuals whose data is processed;
    4. in accordance with the provisions of the data protection legislation, supplying relevant information on the University’s data holdings when requested by data subjects, providing the proper request procedure is followed and the suitable fee has been paid;
    5. monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments; training staff and conducting internal audits;
    6. replying to Access Requests within a reasonable period, not exceeding the legally defined limit;
    7. providing advice where requested as regards the data protection impact assessment and monitor its performance as required;
    8. by ensuring that departments have processes for the secure disposal of personal information when it is no longer required;
    9. ensure that the accuracy of personal data held by the University is maintained by regularly updating the information processed by the University;
    10. in conjunction with the Data Controller and Chief Information Officer ensure that departments maintain the record of processing activities;
    11. regularly ensuring understanding, promotion and implementation by the University of ‘Best Practice’ (i.e. the Data Protection Principles and implications of the Data Protection Act 2018) by means of :-
        1. regularly updating literature for all relevant personnel;
        2. assessing general and particular data protection issues pertinent to the variety of data management undertaken within the University;
        3. promoting a ‘Best Practice’ approach with the persons or organisations dealt with by the University;
        4. incorporation of data protection awareness into the induction process and the inclusion of regular top-up training for staff regularly handling or receiving requests for personal data;
        5. gaining consent to process data collected on identified data subjects where specified under the data protection legislation, and further informing data subjects of their rights under it;
        6. annually reviewing the physical security of personal data held by the University, and publishing a statement on data protection measures undertaken by the University Data Controller and Protection Officer, which may be consulted by other members of the University. These measures will clearly identify the relevant Data Controller, the purposes of data processing and likely disclosures.
17. The University shall ensure that the processing of personal data shall be lawful and in accordance with data protection legislation.

Staff and Students - Rights and Responsibilities

18. Staff, students or any other persons whose personal data is processed by the University are afforded a number of rights as data subjects as follows:
    1. The right to be informed
    2. The right of access
    3. The right to rectification
    4. The right to erasure
    5. The right to restrict processing
    6. The right to data portability
    7. The right to object
    8. Rights in relation to automated decision making and profiling.
19. These rights are enshrined in data protection legislation and uphold the right for persons to protect their personal data.  However, these rights are balanced against other fundamental rights and may be restricted or unenforceable in particular circumstances. 
20. Any request made by a Data Subject in exercise of one or more of the above rights in accordance with the data protection legislation shall be responded to in compliance with the statutory time limits as stipulated. 
21. In processing personal data the University in respect of data protection rights and the principle of fair and transparent processing will ensure that at no time will these rights be unnecessarily undermined. 
22. In line with the principle of transparency information provided to either the public or a data subject shall be concise, easily accessible and easy to understand in clear and plain language and in particular any information given to children shall be easily understood by the children. 
23. In upholding the rights of individuals the University may, as it believes reasonable and necessary:
    1. use all reasonable measures to verify the identity of a requestor including checking against approved photographic identity evidence 
    2. charge a reasonable fee to cover ‘administrative costs’ where the request is manifestly unfounded or excessive or repetitive
    3. refuse to respond but provide an explanation of the reasons for the refusal.
24. The University will provide a response to all requests made within the statutory time frame. 

Informed

25. All data subjects shall be informed about how their personal data is processed and retained including the obtaining, collection, purposes and use, including for how long the data is retained and who it is shared with.   
26. In compliance with data protection legislation the University will publish a general privacy statement. Which will include the following:
    1. The name and contact details of the organisation.
    2. The name and contact details of any representative (if applicable).
    3. The contact details of the data protection officer (if applicable).
    4. The purposes of the processing.
    5. The lawful basis for the processing.
    6. The legitimate interests for the processing (if applicable).
    7. The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
    8. The recipients or categories of recipients of the personal data.
    9. The details of transfers of the personal data to any third countries or international organisations (if applicable).
    10. The retention periods for the personal data.
    11. The rights available to individuals in respect of the processing.
    12. The right to withdraw consent (if applicable).
    13. The right to lodge a complaint with a supervisory authority.
    14. The source of the personal data (if the personal data is not obtained from the individual it relates to).
    15. The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
    16. The details of the existence of automated decision-making, including profiling (if applicable).
27.  The University will also publish detailed privacy notices for specific departmental or thematic processing as required and the provision of an information retention schedule. 
28.  Relevant guidance will be provided by the Data Protection Officer regarding the publication of privacy notices but in essence the expectation will be that departments should provide a privacy notice as above.

Access

29. Individuals as Data subjects will be granted access to their personal data in compliance with data protection legislation for the purposes of awareness and verification of the lawfulness of the processing. Data subjects are also entitled to information detailing the following:
    1. the purposes of the processing;
    2. the categories of personal data concerned;
    3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    6. the right to lodge a complaint with a supervisory authority;
    7. where the personal data are not collected from the data subject, any available information as to their source;
    8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
30. Staff and students will be provided with access to personal data held in digital form by the University through the University’s intranet. The University has published guidance on how to make a request for data in such form and the Data Protection Officer will assist requestors in how to focus their request as necessary. 
31. Requests for access will be dealt with on behalf of the applicant by the Data Protection Officer and will be completed in line with the statutory time limits.
32. The University reserves the right to refuse a request or to charge a fee as it deems necessary and in compliance with data protection legislation.
33. The University will use all reasonable measures to verify the identity of a requestor including checking against approved photographic identity evidence. 

Rectification

34. Where a data subject reasonably believes that the personal data held by the University may be inaccurate they have the right to request that the data is rectified or corrected. 
35. Staff and students are given access to personal data for their own management through portal and MyHR.  The University requires staff and students to check and correct their data on an annual basis at the time of student enrolment and in the case of staff as part of the Staff Record check.
36. Where a request for rectification is received reasonable steps will be taken to check the accuracy of the data and rectify it where the personal data is factually inaccurate, incorrect or misleading. 
37. The University regards comments made by examiners as feedback during the assessment process as academic opinion and will not be subject to rectification unless there is a clear error of fact. 
38. Where personal data is being considered for rectification following a request the personal data shall also be considered as restricted below.

Erasure

39. Data subjects may request that the data held by the University is erased where
    1. the personal data is no longer necessary for the purpose for which it was originally collected or processed;
    2. consent is the lawful basis for holding the data, and the individual has withdrawn consent;
    3. the lawful basis for processing relied upon legitimate interests, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue the processing;
    4. processing the personal data for direct marketing purposes and the individual objects to that processing;
    5. the personal data has been unlawfully processed (ie in breach of the lawfulness requirement of the 1st principle);
    6. it is to comply with a legal obligation; or
    7. the personal data has been processed to offer information society services to a child.
40. The University in considering the request will not erase data where it believes the processing is necessary:
    1. to exercise the right of freedom of expression and information;
    2. to comply with a legal obligation;
    3. for the performance of a task carried out in the public interest or in the exercise of official authority;
    4. for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
    5. for the establishment, exercise or defence of legal claims.
41. In the case of special category data the right to erasure will not apply:
    1. if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
    2. if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).

Restrict

42. The University shall restrict processing where a request is made by a Data subject and one of the following applies:
    1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
    4. the data subject has objected to processing pursuant to Article 21(1) pending verification of whether the legitimate grounds of the controller override those of the data subject.
43. Personal data shall be considered as restricted where a data subject requests rectification of their data or indicates their right to object to the processing of their data.
44. Whilst the data is restricted the University will not further process the personal data other than to hold or store the data unless:
    1. the individual has given consent;
    2. it is for the establishment, exercise or defence of legal claims;
    3. it is for the protection of the rights of another person (natural or legal); or
    4. it is for reasons of important public interest.
45. Once the need for the restriction has passed the University will inform the data subject of such prior to lifting the restriction.
46. Further guidance regarding this right will be published. 

Portability

47. The University will provide, upon request, personal data which:
    1. an individual has provided to the University;
    2. where the processing is based on the individual’s consent or for the performance of a contract; and
    3. where the processing is carried out by automated means.
48. The data will be provided free of charge in a structured, commonly used and machine readable form.

Object

49. The data subject shall have the right to object at any time to the processing of personal data where the processing is:
    1. based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
    2. direct marketing (including profiling); and
    3. for purposes of scientific/historical research and statistics.
50. Where a data subject objects to processing under paragraph 49.a above on “grounds relating to his or her particular situation” the university will stop processing the personal data unless:
    1. compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual can be demonstrated; or
    2. the processing is for the establishment, exercise or defence of legal claims.
51. Where the objection is under paragraph 49.b above the university will cease processing the data as soon as the objection is received. 
52. Where the right to object is exercised under paragraph 49.c above on “grounds relating to his or her particular situation” the University will stop processing the personal data unless the processing is necessary for the performance of a public interest task. 
53. The right to object will be communicated to individuals ‘at the point of first communication’ and in the privacy notice and be ‘explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information’.

Automated Decisions and Profiling

54. The university will not subject data subjects to decisions based solely on automated processing, including profiling, which in turn may produce legal effects  concerning or significantly affecting the individual(s), unless the automated processing:
    1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
    2. s authorised by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
    3. is based on the data subject’s explicit consent.
55. Where solely automated processing, including profiling, is or will be undertaken the relevant department shall:
    1. carry out, publish and submit to the Data Protection Officer a Data Protection Impact Assessment;
    2. give to those individuals concerned specific details about the processing;
    3. take steps to prevent errors, bias and discrimination;
    4. provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual;
    5. use appropriate mathematical or statistical procedures;
    6. ensure that individuals can:
       1. obtain human intervention;
       2. express their point of view; and
       3. obtain an explanation of the decision and challenge it;
    7. put appropriate technical and organisational measures in place, so that inaccuracies can be corrected and the risk of errors minimised;
    8. secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects.
56. Where any individual, who is subject to the solely automated processing, believes that the processing may have a serious negative impact upon them and raises a concern, the department will:
    1. consider any challenges and requests for a review of any decisions made based upon the processing. 

Responsibilities

57. All staff and students are responsible for:-
    1. ensuring that any personal data that they provide to the University is accurate and that any changes are notified promptly;
    2. checking and making appropriate notification of change in respect of any information that the University may send out from time to time in order to keep its data holdings accurate;
    3. ensuring that they advise their own emergency contacts that the University is holding those contact details.
58. Any member of staff or student who fails to abide by the University’s data protection and/or information security policies, procedures and/or protocols may be subject to disciplinary action under the relevant disciplinary policy.

8. Privacy and Data Protection by design and default

59. A Data Protection and Privacy Impact Assessment (DPIA) should be undertaken where a university department is considering processing personal data for a new purpose, purchasing or using a new software package or new technology which, taking into account the nature, scope, context and purpose of the processing may result in a risk to the rights and freedoms of any data subjects.
    1. Advice should be sought from the Data Protection Officer when and where a DPIA may be necessary.
    2. Departments should also, where possible consult with data subjects as to their views on the proposed processing and likely impact upon their privacy.
60. A DPIA must be undertaken where:
    1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
    2. processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences;
    3. a systematic monitoring of a publicly accessible area on a large scale particularly by CCTV or some other electronic surveillance device;
    4. using systematic and extensive profiling or automated decision-making to make significant decisions about people or undertake large scale profiling;
    5. processing special category data or criminal offence data on a large scale;
    6. using new technologies;
    7. using profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit;
    8. processing biometric or genetic data;
    9. combining, comparing or matching data from multiple sources;
    10. processing personal data without providing a privacy notice directly to the individual;
    11. processing personal data in a way which involves tracking individuals’ online or offline location or behaviour;
    12. processing children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them;
    13. processing personal data which could result in a risk of physical harm in the event of a security breach.
61. In undertaking a DPIA the department should consider:
    1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
    2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
    3. an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 59 above; and
    4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with data protection legislation taking into account the rights and legitimate interests of data subjects and other persons concerned.
62. All staff as data processors are expected and required to:
    1. maintain the information privacy rights and freedoms of data subjects
    2. minimise the risk of data breaches;
    3. uphold the protection of personal data;
63. In considering these rights staff should:
    1. ensure that they complete any necessary data protection training as required and necessary;
    2. ensure that they read and abide by any relevant university information security or data protection guidance, briefing notes or management instructions;
    3. comply with the University’s Data Protection Policy when handling personal data relating to others;
    4. ensure that personal information relating to others is only processed when necessary and for authorised reasons;
    5. ensure that when handling personal information concerning others, that information is handled in a secure manner, e.g. is not stored on the ‘C drive’ of a computer, and that personal files are not left unattended in an insecure environment such as being left overnight on a desk or a car seat;
    6. ensure that unless they have the relevant authorisation, they do not intentionally or inadvertently release personal information to any third parties;
    7. ensure that they report any suspected breaches as necessary promptly; 
    8. seek to minimise any unnecessary collection, processing or retention of personal data.

Security of Data

64. The University will ensure that appropriate technical and organisational measures are implemented to ensure a level of security appropriate to risk.
65. In order to ascertain what appropriate technical and organisational measures to implement the University shall, from time to time, undertake a number of data and information risk assessments including internal audit.
66. Appropriate measures shall include but not be limited to:
    1. minimising the processing of personal data;
    2. the pseudonymisation and encryption of personal data;
    3. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    4. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    5. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
    6. the publication and implementation of various user and information security policies and procedures.
67. The Data Controller, Chief Information Officer and Data Protection Officer shall publish policies and guidance relating to the security of data and information.
68. Departments will be responsible for the security of the data that they process and as such departments need to ensure that they implement particular measures to minimise any risks around the processing of personal data in order to prevent data breaches. 

Preventing Data Breaches

69. All personal data breaches will be notified to the Information Commissioner’s Office within 72 hours of becoming aware of the breach where necessary.
70. Where the breach may have a high risk of adversely affecting the rights and freedoms of individuals they shall also be notified without delay. 
71. Departments should ensure that they have suitable arrangements in place for the prevention, detection, recording and notification of suspected breaches to the Data Protection Officer. 
72. Specific European guidelines have been adopted in relation to personal data breach notification.  These guidelines are available from: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052. Guidance may also be obtained from the Information Commissioner’s Office at: https://ico.org.uk/for-organisations/report-a-breach/.
73. The University will publish specific guidance relating to the reporting and management of data breaches. 

Guidance notes

74. The Data Controller, Information Officer and Data Protection Officer shall as necessary and from time to time publish relevant guidance notes, protocols and policy in relation to data protection and information security, these guidance notes shall include but not be limited to:
    1. Data Protection Legislation Guidance
    2. Guidelines on Acceptable Use of Computing Facilities
    3. Information Security Framework and Policy
    4. Mobile Phone and Own Devices Policy
    5. Cookies Policy
    6. Email Good Practice Guidance for Staff
    7. Privacy Notice
    8. Privacy Impact Assessments
    9. Legitimate Interest Assessments
    10. Records of Processing Activities
75. These guidance notes support this policy and should be adhered to as necessary. 

Contacts

76. For further details about any Data Protection matter within the University, please contact the Institutional Compliance Officer in the first instance.
77. Subject access requests should be made in writing or by using the appropriate form, and submitted to the Institutional Compliance Officer.

University Data Protection Officer & Institutional Compliance Officer
Data Protection Officer University of Chester Parkgate Road Chester CH1 4BJ 01244 511000 ext. 1610. dataprotection@chester.ac.uk

Appendix A – Definitions

‘Binding Corporate Rules’	Personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
‘Biometric Data’	Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data;
‘Consent’ – of the data subject	Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘Controller’	The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Data Concerning Health’	Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
‘Enterprise’	A natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
‘Filing System’	Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘Genetic Data’	Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
‘Group Of Undertakings’	A controlling undertaking and its controlled undertakings;

 

‘Identifiable natural person’	An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as: a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Personal Data Breach’	A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘Personal Data’	Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Processing’	Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:
	collection recording organisation structuring storage adaptation or alteration retrieval	consultation use disclosure by transmission dissemination or otherwise making available, alignment or combination restriction erasure or destruction;
‘Processor’	A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘Profiling’	Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s:
	performance at work economic situation health personal preferences		interests reliability behaviour location or movements
‘Pseudonymisation’	The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘Public Authority / Body’	A public authority as per the Freedom of Information Act 2000, at the time when that “public authority” or “public body” is performing a task carried out in the public interest or in the exercise of official authority vested in it.
‘Recipient’	A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.  However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘Representative’	means a natural or legal person established in the Union who, designated by the controller or processor in writing represents the controller or processor with regard to their respective obligations under this Regulation;
‘Restriction Of Processing’	means the marking of stored personal data with the aim of limiting their processing in the future;
‘Supervisory Authority’	Office of the Information Commissioner.
‘Special Categories’ – Article 9	Personal data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation the processing of which is prohibited.
‘Third Party’	A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Appendix B - Email Good Practice Guidance for Staff

• Email should not be used as an alternative to face to face communication.
• Consider whether personal data needs to be in an email or attachment at all.
• Emails may be forwarded by recipients without the knowledge or authorisation of the original sender. It should be assumed that communications received are intended for the recipient only unless the sender says otherwise. 
• If personal information must be sent by email or attachment and damage or distress would be caused if it were lost, stolen or disclosed inadvertently, consider whether it should be encrypted. LIS will be able to assist with encryption.
• When emailing a student, do not forward an email from a member of staff or another student. Compose a new email instead.
• Do not discuss or disclose personal data relating to staff or students to third parties over the telephone.  Third parties will include parents, employers and the police.
• Do not publish others’ personal data on websites, Portal or social networking sites.
• Check emails and email addresses carefully and do not trust autocomplete.
• Do not copy e-mails to a range of recipients unnecessarily.  
• For regular bulk transfers of personal data alternatives to email may be available.  Ensure that you encrypt pen drives used for this purpose.
• Do not send emails that could be regarded as offensive or intemperate to or about other people, their private lives or anything else that could amount to misconduct or bring the University into disrepute.
• Email containing defamatory, racist, sexist or otherwise illegal contents it may be used to support an action against both the author and in certain circumstances the University.
• Use strong passwords - these are at least eight characters and have a combination of upper and lower case letters, numbers and the special keyboard characters like the asterisk or currency symbols.
• Think!  Would you be happy if your personal data was divulged? 
• The "Good Practice Guidelines for the use of Email and Related Services", provides further guidance on the conventions and good practice in e-mail and network use and are recommended for adoption by all University users.
• Consult the University’s Data Protection Page on Portal at http://ganymede.chester.ac.uk/index.php?page_id=202627
• If you are unsure do not hesitate to ask for assistance from the Data Protection Officer (DPO@chester.ac.uk).