Data Protection Policy Statement
The Data Protection Act 1998 gives an individual a right of access to the data which organizations hold about them, and specifies how that data can be gathered, used and disseminated. Swansea University is committed to protecting the rights of individuals under the Data Protection Act.
Swansea University's Data Protection policy applies to all students and staff of the University. Any breach of the policy may result in Swansea University, as the registered Data Controller, being liable in law for the consequences of the breach. In addition, breach of the Data Protection Policy by staff or students may be considered to be a disciplinary offence and may be dealt with according to the University's disciplinary procedures.
Swansea University will comply with the Data Protection Act and adhere to the eight data protection principles as described below. The policy is supported by specific guidance and procedures which have been developed to assist staff and students in complying with the requirements of the Act.
Principle 1 - Personal data must be processed fairly and lawfully
Swansea University will ensure that data is obtained fairly by making reasonable efforts to ensure that Data Subjects are told who the Data Controller is, what the data will be used for, how long the data will be kept and any third parties to whom the data will be disclosed. This will be in the form of a privacy statement or data collection notice (see separate guidance on Gathering Personal Data).
In order for processing to be lawful, personal data (which is not Sensitive Personal Data) will only be processed by Swansea University if at least one of the following conditions, set down in Schedule 2 of the DPA, has been met:
- The Data Subject has given his/her consent to the Processing.
- The Processing is necessary for the performance of a contract with the Data Subject, or for taking steps with a view towards entering into a contract.
- The Processing is required under a legal obligation other than a contract.
- The Processing is necessary to protect the Vital Interests of the Data Subject.
- The Processing is necessary for the administration of justice, the exercise of functions under an enactment, the exercise of functions of the Crown or a government department, or any other functions of a public nature exercised in the public interest.
- The Processing is necessary to pursue the legitimate interests of Swansea University or of third parties, and does not prejudice the rights, freedoms or legitimate interests of the Data Subject.
Processing of Sensitive Personal Data is subject to more stringent restrictions under Schedule 3 of the DPA. Processing of Sensitive Personal Data will only be carried out by Swansea if at least one of the above conditions, applicable to non-sensitive data, has been met and one of the following Schedule 3 conditions can also be met:
- The Data Subject has given his/her explicit consent.
- The Processing is required by law in connection with employment.
- The Processing is necessary to protect the vital interests of the Data Subject or another person.
- The information has been made public by the Data Subject.
- The Processing is necessary for legal proceedings, obtaining legal advice, or establishing or defending legal rights.
- The Processing is required for the administration of justice, the exercise of functions under an enactment, or the exercise of functions of the Crown or a government department.
- The Processing is necessary for medical purposes, and is carried out by a health professional or a person with an equivalent duty of confidentiality.
- The Processing is necessary to trace equality of opportunity between people of different racial or ethnic backgrounds, different religious beliefs, or different states of physical or mental health.
- The Processing is in the substantial public interest; is necessary for the functions of a confidential counselling, advice, support or other service; and consent cannot be given by the Data Subject, Swansea University cannot reasonably be expected to obtain the explicit consent of the Data Subject, or the Processing must necessarily be carried out without consent so as not to prejudice the provision of that counselling, advice, support or other service.
- The Processing is in the substantial public interest, and is necessary for research purposes; provided that the Processing will not support measures or decisions with regard to individuals, and will not cause substantial damage or distress to the data subject or any other person.
Information about how Swansea University processes data relating to students is contained within the Student Data Protection Statement on the University website. This explains to students what Personal Data Swansea University collects about them, how their data will be used by the University, with whom their data may be shared and what their rights and responsibilities are with regard to their data.
Principle 2 - Personal data will be held for specified and lawful purposes and must not be further processed in a manner incompatible with that purpose or purposes for which they are processed
Swansea University will ensure that Personal Data which is obtained for a specified purpose is not used for a different purpose, unless that use is done with the consent of the Data Subject, is covered by Swansea University's registration with the Information Commissioner, or is otherwise permitted under the DPA.
Principle 3 - Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
Swansea University will ensure that it collects only the minimum Personal Data necessary for the purpose or purposes specified and will not collect or hold data on the basis that it might be useful in the future.
Principle 4 - Personal data shall be accurate and, where necessary, kept up to date
Swansea University will take reasonable steps to ensure the accuracy of Personal Data which it holds, and will take steps to amend, update or correct inaccurate data when requested to do so by a Data Subject. Data will be inaccurate where it is incorrect or misleading as to any matters of fact.
Principle 5 - Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose
Swansea University will ensure that Personal Data is not kept for longer than is required by the purpose or purposes for which the data was gathered. Staff must ensure that Personal Data is securely destroyed once the purpose or purposes for processing have come to an end and there is no legal requirement or valid operational reason for its continued retention (see separate guidance on Retaining Personal Information).
Swansea University may retain certain data indefinitely for research purposes (including historical or statistical purposes) as permitted under the DPA (see separate guidance on the use of Personal Data in research).
Principle 6 - Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act
Swansea University will ensure that personal data is processed in accordance with the rights of data subjects under the Data Protection Act. These rights include the right to make subject access requests to find out what information is held about them, the purposes for which it will be used, and to whom it has been disclosed. See below for a list of the rights available to data subjects under the Sixth Principle:-
- a right of access to a copy of the information comprised in their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damages caused by a breach of the Act.
Principle 7 - Appropriate technical and organisational measures shall be taken to prevent the unauthorised or unlawful processing of personal data and the accidental loss, destruction of, or damage to, personal data
Swansea University will take steps to ensure the security of personal data which are held electronically and in manual form, to prevent the unauthorized disclosure of data to third parties, and loss or damage to data that may affect the interests of data subjects. Please see additional information on Data Security for specific guidance.
Principle 8 - Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Swansea University will not transfer personal data outside the European Economic Area unless the transfer is necessary and permitted in line with the Data Protection Act 1998 (see separate guidance on transferring data outside the EEA).
Responsibilities of Staff
All staff who have responsibilities for the collection, access or processing of personal data should comply with the provisions of the Act in accordance with the principles outlined above. Line managers are strongly encouraged to make sure staff members are aware of the Data Protection Act and the University Data Protection Policy and seek out additional guidance and training via the Information Compliance Officer (DP/FOI).
All staff are responsible for ensuring that any information that they provide to the University in connection with their employment is accurate and up to date.
It is a condition of employment that all employees abide by the Data Protection Policy and failure to do so may therefore result in disciplinary proceedings.
Responsibilities of Students
Students are required to ensure that where they provide their own personal data to the University, it is accurate and up-to-date. Students must comply with the University’s Computing Regulations. Failure to do so may therefore result in disciplinary proceedings.
Data Protection Support
The Information Compliance Officer (FOI/DP) is responsible for the day-to-day data protection queries and requests such as subject access requests, and is a point of contact for issues relating to data protection. The University Compliance Officer is also responsible for producing guidance on good data protection practice and in promoting compliance across the University. The University Compliance Officer will also provide training to individuals/groups upon request or where a need has been identified.
Links to specific Data Protection policy procedures:-
- Requests for Personal Information (Students and Staff)
- Requests from Third Parties for Student Information
- Security of Personal Data
- Data Protection Definitions
- Access to Personal Data (Subject Access Requests)
- Personal Data in the Public Domain
- Student Handling of Personal Data
- Police Disclosures
- Gathering Personal Data
- Retaining Personal Data
- Use of Personal Data in Research
- Examinations and Assessment
- References and Recruitment
- Transfer Outside the EEA
- Data Protection Breaches