Data Protection Policy - Gathering Data
Whenever the University collects Personal Data directly from a Data Subject, the Data Subject must be provided with a Privacy Notice containing all the information required under the data protection laws (including the identity of the Data Controller, how and why the University will use, process, disclose, protect and retain that personal data).
The Privacy Notice must be provided when the Data Subject first provides the University with the Personal Data. To meet these requirements, paper and electronic forms (including web based forms) created by the University which gather personal data should always include a Privacy Notice.
When Personal Data is gathered indirectly by the University (for example, from a Third Party or publicly available source), the Data Subject must be provided with a Privacy Notice, including all the information required under applicable data protection laws, as soon as possible after collecting/receiving the data, but no later than the first communication with the individual or 1 month from receiving the personal data (whichever is earlier), unless this proves impossible or would involve disproportionate effort.
The Privacy Notice must contain:
- The identity and contact details of the University and the Data Protection Officer;
- The purpose of the Processing and the legal basis for the Processing;
- The legitimate interests of the University, where applicable;
- The categories of Personal Data gathered;
- Details of any recipients of the Personal Data;
- Details of any transfers to third countries (i.e. outside the EEA) and applicable safeguards;
- The retention period or criteria used to determine the retention period;
- The rights of Data Subjects (including links to the University's Data Protection web pages);
- The right of the Data Subject to withdraw Consent at any time;
- The right of the Data Subject to lodge a complaint with the relevant supervisory authority (this will usually be the Information Commissioner’s Office);
- Whether the provision of the Personal Data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data;
- The existence of automated decision making, including profiling, and information about how decisions are made, the significance and the consequences;
- The source the Personal Data originates from and whether it came from a publicly accessible source (this is only required where the University gathers the Personal Data from a Third Party and not from the Data Subject directly).
In order for the processing of data to be lawful, the University must have a legal basis for Processing that Personal Data. Different legal bases are applicable depending upon whether the Personal Data is Special Category Personal Data or not (see information on the first Data Protection Principle in the Data Protection Policy).
To avoid infringement of the third Data Protection Principle (Personal Data shall be adequate, relevant and limited to what is necessary for the purpose or purposes for which they are Processed), forms and other methods of data collection should not gather more Personal Data than are necessary for the task at hand. Staff who are responsible for the design of forms should ensure that there is a clear need for each item of Personal Data requested. Otherwise, the form should be amended to remove that item of Personal Data.
Where Personal Data will be used when marketing to Data Subjects, the University is subject to certain additional rules and privacy laws. Marketing conducted by electronic means, e.g. by telephone, fax, email or text message, is subject to extra rules set out in the Privacy and Electronic Communications Regulations 2003 (PECR 2003).
Please consult with the Data Protection Officer for further information to ensure that your marketing communications are being conducted in accordance with applicable data protection laws and with PECR 2003.