Data Protection Policy
Southampton City College (SCC) is committed to protecting the rights and privacy of individuals, including students, employees and others, in accordance with the General Data Protection Regulation (GDPR) May 2018.
SCC needs to process certain information about its employees, governors, students, parents and guardians and other individuals with whom it has a relationship for various purposes such as, but not limited to:
1. The recruitment and payment of employees.
2. The administration of programmes of study and courses.
3. Student enrolment.
4. Examinations and external accreditation.
5. Recording student progress, attendance and conduct.
6. Collecting fees.
7. Complying with legal obligations to funding bodies and government including local government.
To comply with various legal obligations SCC must ensure that all this information about individuals is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.
This policy applies to all employees, governors and students of SCC. Any breach of this policy or of the Regulation itself could be considered an offence and the College’s disciplinary procedures may be invoked.
As a matter of best practice, other agencies and individuals, such as counselling services, working with SCC and who have access to personal information, will be expected to read and comply with this policy. College Managers who are responsible for dealing with external organisations will take the responsibility for ensuring that such bodies sign a contract which among other things will include an agreement to abide by this policy.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments to the GDPR and other relevant legislation.
3. General Data Protection Regulation (GDPR)
GDPR legislation comes into force on 25th May 2018.
The GDPR regulates the processing of personal data, and protects the rights and privacy of all living individuals (including children), for example by giving all individuals who are the subject of personal data a general right of access to the personal data which relates to them. Individuals can exercise the right to gain access to their information by means of a ‘subject access request’. Personal data is any information relating to a living individual and may be in hard or soft copy (paper/manual files; electronic records; photographs; CCTV images), and may include facts or opinions about a person.
4. Responsibilities under the GDPR
SCC will be the ‘data controller’. Under the terms of the legislation, this means it is ultimately responsible for controlling the use and processing of the personal data.
- Data Protection Officer (DPO) - is available to address any concerns regarding the data held by the College and how it is processed, held and used.
- Data Protection Governor - a nominated governor who oversees this policy.
- The Senior Management Team - responsible for all day-to-day data protection matters, and will be responsible for ensuring that all employees and relevant individuals abide by this policy, and for developing and encouraging good information handling within the college.
The Senior Management Team is also responsible for ensuring that the College’s notification with the Information Commissioner’s Office is kept accurate. Details of the College’s notification can be found on the Office of the Information Commissioner’s website. The College’s data registration number is: Z9375329.
- Employees - Compliance with the legislation is the personal responsibility of all employees of the College.
- Data Subjects - individuals who provide personal data to the College are responsible for ensuring that the information is accurate and up-to-date.
5. Data Protection Principles
The legislation places a responsibility on every data controller to adhere to the six principles of GDPR and ensure data is:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
6. Lawful bases for collecting and processing
SCC is able to process data if any ONE of the following lawful bases for collecting and processing that data is met.
(a) Consent: the individual has given clear consent to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract with the individual, or because they have asked the College to take specific steps before entering into a contract (i.e. a contract of employment or an enrolment on a course).
(c) Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Where consent is chosen as the lawful basis, the indication of consent must be unambiguous and involve a clear affirmative action (i.e. an opt-in).
SCC will ensure that forms (whether physical or electronic) used to gather data on an individual will explain the use of that data, how the data may be used and also clearly state when an individual needs to consent to the processing.
SCC will include the specified DfE statement on its student enrolment form and update this when required following the ESFA’s technical guidance:
SCC will include a link to the Office for Students privacy notice on HE enrolment forms. The privacy notice can be found here.
CCTV systems operate within SCC. Images are recorded for the purpose of crime prevention and public safety based on our legitimate interest of protecting the safety and wellbeing of employees, governors, students and visitors to the College. Images are erased after one month.
7. Subject Access Rights
Individuals have a right to access any personal data relating to them which are held by the College. Any individual wishing to exercise this right should apply in writing to the DPO. Any employee receiving a subject access request should forward this to the DPO.
The College will provide the requested data free of charge, but reserves the right to charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive, or requests further copies of the same information already provided.
Under the terms of the legislation, any such requests must be met within one month of receipt.
8. Disclosure of Data
SCC will only disclose data as notified in its Privacy Notice and where a data sharing agreement is in place with the third party. Therefore employees and governors should exercise caution when asked to disclose personal data held on another individual or third party.
Legitimate disclosures may occur in the following instances:
- The individual has given their consent to the disclosure
- Academic data shared with parents/guardians
- The disclosure has been notified to the ICO and is in the legitimate interests of the College
- The disclosure is required for the performance of a contract
- Where legislation permits disclosure without the consent of the individual
In no circumstances will SCC sell any of its databases to a third party.
9. Publication of College Information
SCC publishes various items which will include some personal data, e.g.
• Internal telephone directory.
• Event information.
• Photos and information in marketing materials.
It may be that in some circumstances an individual wishes their data processed for such reasons to be kept confidential or restricted to college access only. Therefore SCC will offer an opportunity to opt-out of the publication of such data when collecting the information.
It is the policy of SCC to ensure that senders and recipients of email are made aware that under Data Protection and Freedom of Information Legislation, the contents of email may have to be disclosed in response to a request for information. One means by which this will be communicated will be by a disclaimer on the College’s email.
Under the “Regulation of Investigatory Powers Act 2000, Lawful Business Practice Regulations” any email sent to or from the College may be accessed by authorised College employees, other than the recipient, for system management and security purposes.
11. Data Breach Reporting
As soon as a data breach is discovered it must be reported to the DPO who will notify the ICO within 72 hours. The Data Breach Procedure will be followed.
12. Data Protection Officer (DPO)
The DPO will be the Vice Principal Finance & Resources.
They can be contacted using the email address DPO@southampton-city.ac.uk or in writing at:
Southampton City College
St Mary Street
13. Status of this Policy
This policy was approved by the Board in May 2018.
The operation of this policy will be kept under review by the Data Protection Officer and future reviews approved by the Senior Management Team.
Date approved: May 2018
Approved by: Board
Date of Review: April 2019
Date of next review: April 2021