Data Protection Policy
Background. This policy relates to the General Data Protection Regulation, brought into force in May 2018 to replace the Data Protection Act 2018, and supplement the General Data Protection Regulation (Regulation (EU) 2016/679) (“Data Protection Laws”).
The Data Protection Laws are concerned with the rights of individuals to gain access to personal information held about them by an organisation or individual within it, and the right to challenge the accuracy of data held. The Data Protection Laws relate to data held in any form, including written notes and records, not just electronic data.
This document summarises the implications of the Data Protection Laws for Alliance Learning, sets out Alliance Learning’s general Policy on adherence to the Data Protection Laws, and offers specific guidance relating to:
- Procurement, storage, disposal and release of personal data;
- Examination procedures;
- Supplying, requesting and receiving 'confidential' references;
- Applications and interviews.
The data protection principles. The Data Protection Laws require that all staff and others who process or use personal information must ensure that they adhere to the data protection principles. In summary these require that personal data, including sensitive data, shall:
- be obtained and processed fairly, lawfully and in a transparent manner;
- be obtained for a specified, explicit and lawful purpose and shall not be further processed in any manner incompatible with that purpose;
- be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- be accurate and kept up-to-date;
- not be kept for longer than is necessary for those purposes;
- be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The Data Protection Laws are meant to be permissive rather than restrictive, which means that provided the above principles are adhered to (e.g., you have a lawful basis for processing the personal data) then you can process the data and disclose it to an allowable body.
Definition of 'data'. Data Protection Laws apply only to information that falls within the definition of personal data. Personal data is any data relating to a living individual that can allow them to be identified directly or indirectly, in particular by reference to an identifier (e.g., name, address, identification number, an online identifier, payroll details, exam results). The information may be held in manual form (e.g., as written notes relating to a person or as part of a filing system, including card index or filing cabinets structured by name, address or other identifier) or in a form capable of being processed electronically.
Sensitive personal data or special category personal data form a subset of personal data that relate to a living person, recording such things as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, biometric and genetic data. Criminal offence data relating to criminal allegations, proceedings, convictions or related security measures are also a subset of personal data. Data is processed whenever compiled, stored or otherwise operated upon.
Disseminating the examination results of students involves processing data, as does giving and receiving personal references, producing agenda items or minutes for committees at which students are discussed as individuals, etc. Similarly, data about staff is processed when it is committed to manual or electronic records held within the institution.
Registration. Under Data Protection Laws, Alliance Learning as a data controller is required to notify the Information Commissioner of its personal data processing activities. Failure to keep the register entry up to date is a criminal offence. The principal purpose for notification and the public register is transparency and openness. The activities within the purposes for which the data may be held or used together with a general description of the individuals, the types of data, and to whom the data may be disclosed or transferred (an ‘allowable body’) may be viewed at: www.ico.org.uk. Alliance Learning’s registration number is Z5608898.
Procuring personal data. The Data Protection Laws do not allow an individual to prevent an organisation from making use of personal data in the interests of providing education services or employment. For example, staff and students must expect certain information about them to be placed in the public domain (telephone extension number, college affiliation, email address, digital image, etc). The Data Protection Laws require, however, that only necessary data shall be collected. Staff should ensure that they only collect data on individuals that are necessary for the effective functioning of the department. Procedures should be reviewed at intervals to ensure that this is the case, and that unnecessary information is not being requested or retained.
Storing personal data. Personal data must be held securely. In the case of manual data this could be in filing cabinets, locked cupboards or rooms with access restricted to named individuals or categories of individual only. In the case of electronic information, access should be subject to reasonable controls, which might include passwords, encryption, compartmentalised access and access logs. Reasonable steps should be taken to detect and prevent unauthorised access. There should be regular backups to ensure that important data cannot be lost as the result of malfunctioning of a single machine (tapes not taken off site). Particular care should be taken when laptops or PCs are used to process personal data away from Alliance Learning. Advice on recommended retention periods for certain classes of data can be ascertained from the appropriate Executive.
Disclosing personal data. Under certain circumstances personal data may be disclosed to third parties without the permission of the individual concerned. In this context, "third parties" includes family members, friends, local authorities, government bodies and the police. Note that, among other circumstances, Data Protection Laws permit the release of data in the following cases (this is stated in our Privacy Notice):
- for the purpose of protecting the vital interests of the individual (e.g., release of medical data where failure to do so could result in harm to, or the death of, the individual);
- for the prevention or detection of crime;
- for the apprehension or prosecution of offenders;
- for the discharge of regulatory functions, including securing the health, safety and welfare of persons at work;
- for safeguarding issues;
- where the disclosure is required by legislation, by any rule of law, or by the order of a court.
Most bodies that may request personal data in such circumstances should be able to provide documentary evidence to support their request. For example, many police forces have a specific procedure for requesting information in support of an ongoing investigation. The absence of such documentation or a warrant may justify refusal to disclose personal data. If in doubt, contact the appropriate Executive.
Employment agencies and prospective employers. Employment agencies or prospective employers may contact institutions to verify details about an individual, such as attendance records and examination results. In most circumstances, the individual concerned would not object to the disclosure of such information, and indeed it would appear to benefit the individual. However, care should be taken to ensure that the third party has a genuine requirement for the information. Depending on the sensitivity of the data being sought it may be appropriate to seek evidence of consent having been given by the person to whom the data relates.
Departmental policies and practices. Clear guidelines should be in place within departments governing who can release what categories of data to whom and under what circumstances. All staff should receive training in these procedures. Personal data, sensitive personal data, special category personal data or criminal offence data is collected and processed on the lawful basis of: explicit consent, employment or social security/protection requirements, protecting the vital interests of the individual or another party, the exercise or defence of a legal claim, reasons of substantial public interest, purposes of medical or health care or where the information has been made public by the individual. Any processing will be proportionate and relate to the provision of services by Alliance Learning.
Telephone disclosure is generally unsatisfactory, as verification of such details (and of the identity of the enquirer) can be difficult. For example, a learner's address, telephone number or email should not be given to a telephone enquirer, even if the enquirer claims to be a close relative or friend. If you receive a phone call from a third party requesting information on a member of staff or learner you should not disclose any information about the individual, however hard the caller may press. Assure the caller of your willingness to help them. Offer to attempt to contact the person concerned and take details of the request for information, including the caller's number. Offer to phone the caller back if necessary (this also offers some measure of authentication of the caller).
If necessary, ask them to put their request in writing. Offer to accept a sealed envelope to forward to the individual concerned. Follow similar guidelines when dealing with written requests for information.
Emergencies and dealings with the police. Procedures are in place for dealing with requests for information in emergency situations and in dealing with the police. Such requests should be referred to the appropriate Executive. JISC guidelines indicate that it is not necessary to obtain explicit permission from next of kin etc to store their contact details for use in the event of emergencies, though that information should be kept secure and destroyed when it is no longer needed.
Protecting third parties. In meeting a data subject access request, it is important that personal data relating to other identifiable individuals mentioned in the documents (e.g., other staff or learners) is not revealed unless permission for disclosure is given by the individual(s) concerned.
A data subject enquirer has the right to see notes or comments relating to them that are held by Alliance Learning in manual or electronic form, but the identity of the individual(s) who made those comments should not be revealed without their express permission.
Disposal of personal data. Personal data should be disposed of when no longer needed for the effective functioning of the institution and its members by means that protect the rights of those individuals. The method of disposal should be appropriate to the sensitivity of the data. It is recommended that data on paper be shredded or incinerated, and that electronic data should be destroyed by reformatting or overwriting. Note that 'deleting' a computer file does not equate to destroying the data: such data can often be recovered. Particular care should be taken when computers are transferred from one person to another, or when they are sold or transferred to outside bodies. It is essential that no personal data is recoverable from the hard disks.
Agendas and minutes of meetings. If a learner or member of staff is identified in Agendas or Minutes by name or by some code that can be linked to the identity of the individual, then the content of the papers constitutes data about the person and is disclosable under Data Protection Laws. Thus, learners can, on making a Data Subject Enquiry, expect to see the contents of Agendas and Minutes of Meetings in which they are identifiable as individuals. That includes the contents of minutes referring to "closed" agenda items. Departments may wish to revisit their policies on the inclusion of personal data, including comments relating to individuals, in agendas and minutes, bearing in mind the necessity of having an adequate record of the reasons for a particular decision about a person. In meeting a data subject access request, it is important that personal data relating to other identifiable individuals mentioned in the documents (staff or learners) is not revealed unless permission for disclosure is given by the individual(s) concerned.
Teaching and Examining
Exam scripts and comments on scripts. Examination scripts are exempt from data subject access because they are statements from the learners, not data about them. Hence a learner could not use Data Protection Laws to obtain a copy of an exam script they had produced.
But examiners' comments on the content of scripts are disclosable, whether recorded on the script or held separately. This applies to external as well as internal examiners, and is true even of material marked 'blind' (because codes must exist somewhere that allow the identity of the learner to be determined). Learners have the right of access to data consisting of the marks given, and any comments on which they were based.
All comments committed to writing should therefore be fair and defensible. It is recommended that they should relate to the script rather than the learner. Thus it is reasonable to write "good argument" or "weak argument" (provided those judgements can be defended if challenged) but not advisable to write "good learner" or "weak learner". Departments should be aware that Minutes of Examinations Meetings are also disclosable under Data Protection Laws where they mention individual learners.
Publishing examination results. The practice of publishing qualification results and interim pass/fail assessment lists via posting on notice boards or inclusion in the local press is permissible if consent is obtained from the learners. This is now done centrally. Learners have the right to withhold such consent.
If a learner wishes to obtain results by telephone, then a procedure should be established to ensure that the caller is indeed the individual concerned (e.g., a password).
Feedback on teaching and training. The contents of feedback relating to individual tutors constitute personal data relating to the tutor and are therefore disclosable to the tutor under Data Protection Laws. This applies to feedback on tutorials, as well as to feedback concerning a staff member's performance as a supervisor etc. As always, any disclosure of such information would need to be done with the permission of the individual(s) who provided it, or in such a way that it was not possible to determine their identity.
Supplying, Requesting and Receiving 'Confidential' References
Supplying personal references. Personal references (and other personal data) supplied for specified purposes, including education, training or employment, are exempt from subject access. Thus, if you write a 'confidential' reference for an individual, you cannot be required to disclose its contents in response to a data subject enquiry.
The exemption from disclosure does not, however, apply to the individual or organisation that receives the reference. They can be expected to disclose a reference, particularly if they judge that it is possible to conceal the identity of the referee (e.g., by blanking out their name, address, etc). If it is not possible for the identity of the referee to be concealed, then they should not disclose the reference without the express consent of the supplier, because to do so would be to disclose personal data about the supplier.
If you would be opposed to having your reference released, it is recommended that you should mark your reference PRIVATE AND CONFIDENTIAL and include in it the following statement:
"Alliance Learning accepts no legal responsibility for this reference which is given in strictest confidence. You are reminded under Data Protection Laws that you should not disclose the contents of this reference without first obtaining our/my consent or ensuring the source is not identifiable".
This statement might also be written onto forms on those occasions when the request for a reference comes in the shape of a form to be filled in rather than a request for an open reference.
Note, though, that the inclusion of a disclaimer clause does not discharge you from a duty of care, and be aware that such a clause will not guarantee that all or part of the reference will not be disclosed. Ultimately, a court of law has the power to force disclosure of a reference (as in fact has always been the case). Hence you should always assume that a reference might be disclosed as a result of litigation if a court orders it, and you should include nothing in a reference that you could not defend and justify in court.
With this in mind:
- Always ensure the accuracy of any statements you make in a reference;
- Ensure that any opinions you express are clearly differentiated from the factual statements and are themselves based on verifiable information;
- Do not make any statements that you are not qualified to make. For example, it is better to write "From information provided about the post and my knowledge of the learner I consider X to be well suited for the position" than "X will be a success in the post".
- Avoid emotive language, especially if the comments are negative. Also avoid 'coded' language (e.g., "X has studied here for three years, during which time he has done his work entirely to his own satisfaction.").
- Avoid telephone or verbal references. Wherever possible, provide a written reference.
- Take particular care if you are asked to provide a reference for a learner or other individual who is not known to you. Make it clear that your knowledge of the person is limited and avoid being drawn into expressions of opinion.
- Consider revisiting a difficult reference before sending it (or asking a colleague to review it).
- Note that it is acceptable for an individual to refuse on reasonable grounds to provide a reference for a particular individual. There may be occasions when it is better to decline to provide a reference. If you are unable or unwilling to give a reference you should, however, communicate your refusal carefully without, in effect, implying a negative reference.
- An alternative to refusal is to provide a strictly factual reference which makes no evaluative comments at all about the individual concerned. Making unjustifiably positive statements about an individual could result in legal action against you if an external organisation appoints that individual then finds them to be unsuited to the post.
- File copies of references provided and keep them securely. Remember, though, that you, as provider of the reference, cannot be required to disclose a reference under the Data Protection Laws though the recipient might be.
Requesting and receiving a reference. From time to time Alliance Learning seek references from external organisations about prospective employees. In order to protect the interests of those who provide us with references, it is recommended that the following clause be included in any letter requesting a reference:
"Your reference will be treated as confidential unless you indicate that you wish it to be disclosed on request or we obtain your explicit and written consent to disclose the reference or we are obliged to disclose it by virtue of a statutory order."
Offers of places, employment etc. should not be made contingent upon the receipt of satisfactory references. Withdrawal of an offer after references are received could provoke legal action. Normally wait until references are received before making any offer. If exceptionally an offer is made before references are received then the person to whom the offer is made must be informed that confirmation of the offer is subject to references satisfactory to Alliance Learning.
If you are ever asked to provide access to a reference you have received from a third party, refer the person making the request to the appropriate Executive. Never disclose all or part of a confidential reference yourself.
References for former learners. It is Alliance Learning’s policy that former learners can expect references to be provided by the main department(s) in which they studied, although the content of such references will depend on the information still available within the department(s). If the department is in doubt as to whether the former learner has given the department as a reference source, the former learner should be contacted before a reference is provided.
Applications and Interviews
Notes made in the course of interviews constitute personal data and are therefore subject to access under Data Protection Laws. They should be fair, reasonable and defensible. Interview notes relating to successful applicants may be retained while the individual is at Alliance Learning, and hence disclosable in response to a data subject request. It is recommended that interview notes relating to unsuccessful applicants should be securely disposed of once it is clear that an individual is not going to be selected or appointed. It is recommended that all personal data relating to unsuccessful applicants should be retained for at least 6 months after it has become clear that the individual will not be selected or appointed, but not retained for longer than necessary once that period has elapsed.
Photographs, Videos and Closed-Circuit Television
Images of identifiable individuals constitute personal data in terms of Data Protection Laws. Photographs of individuals should not be displayed in departments, used in teaching material, promotional material, etc., displayed on web sites, or in any other way made public without the permission of the individual(s) concerned. The same restrictions apply to video images (or audio recordings) used, for example, in teaching or promotion.
If you allow others to take photographs or videos at an event you are organising, you are advised to mention this in your publicity and advise those who are attending in advance. If they object for any reason, it is up to you to ensure that they are not photographed or videoed.
Alliance Learning employs closed-circuit television as part of its security systems. This will be done within the Code of Practice on the use of CCTV issued by the Information Commissioner’s Office.
Personal data relating to learners past or present should not be passed to marketing organisations without the learner's express permission.
Information under this heading is ‘sensitive personal data’ or ‘special category personal data’. Doctors or persons with an equivalent duty of confidentiality (learner counsellors etc) can hold data without contravening the law. Departments can take account of medical information when considering performance in order to fulfil legal obligations or to protect the interests of the data subject.
Responsibilities of Staff and Learners
Alliance Learning expects all its staff and learners to comply fully with this Data Protection Policy and Data Protection Laws. Disciplinary action may be taken against any employee or learner who breaches any of the instructions or procedures following from this Policy.
Staff are responsible for:
- ensuring that any information they provide to Alliance Learning in connection with their employment is accurate and up-to-date
- informing Alliance Learning of any errors or changes to information which they have provided (e.g. change of address)
- checking the information Alliance Learning sends out from time to time giving details of information kept and processed about staff
- informing their relevant line manager immediately of any security incidents such as a data loss (paper or electronic), suspected system hacking or theft, to minimise the risk to data protection.
Learners must likewise ensure that any information they provide to Alliance Learning is accurate and is kept up-to-date.
Anyone responsible for creating or maintaining web pages should note this Policy and the provisions of the Data Protection Laws which relate to any personal data that may be held on web pages or accessed via them.
Any individual, member of staff, applicant or student wishing to report concerns should, in the first instance, contact firstname.lastname@example.org, who will aim to resolve any issue:
The Hurst Building, Horwich Loco Estate
Chorley New Road
The individual also has the right to complain to the Information Commissioner’s Office:
Information Commissioner’s Office
Tel: 0303 123 1113