Version 2.0 (Approved by UEC February 2018)
This policy should be read in conjunction with the University’s Information Governance Glossary.
In order for Durham University to deliver its core learning and teaching functions, operate effectively as a business and meet legislative, contractual and statutory obligations, it needs to process personal data relating to present, past and prospective students, employees, alumni and supporters, suppliers, research subjects and others with whom it has dealings. The University is a data controller and therefore must comply with data protection legislation.
This policy helps provide the demonstrable commitment to, and support of, compliance with data protection legislation by the University Executive Committee. This policy also helps support the University Strategy, since delivery of our core functions is reliant upon accurate, available and usable personal data and the trust of our stakeholders. Compliance with data protection legislation also enables efficient working practices and resource savings and significantly reduces the likelihood of an information security breach and its wider effects including causing harm/distress to data subjects, reputational damage, large potential fines and undertakings from the Information Commissioner.
This policy applies to all those individuals and organisations that process personal data on behalf of the University, including but not limited to:
• Employees, consultants, contractors and temporary workers
• Students undertaking a programme of study and also students performing paid or voluntary work for the University
• Arms’ length organisations associated with, and officially recognised by, the University
• Third parties associated with the University, such as research collaborators.
Lawful processing of personal data is vital to the successful operation and reputation of Durham University, and for maintaining the trust of our students, employees and other stakeholders. The University is committed to protecting the rights and freedoms of individuals in accordance with the provisions of data protection legislation. In order to achieve this, the University shall ensure that personal data is handled appropriately and consistently.
Durham University shall ensure that personal data is:
Durham University, as a data controller, shall be responsible for, and be able to demonstrate, compliance with the principles of data protection legislation.
All processing of personal data by third parties on behalf of the University, where the University is data controller, shall be covered by contract and include adequate data protection clauses.
Ensuring that personal data is shared appropriately is vital to the successful operation and the reputation of the University, and for maintaining the trust of our employees, students and other stakeholders. In order to achieve this, the University shall:
The University shall designate a DPO on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39. The University shall enable the effective performance of the DPO’s tasks and ensure that the DPO is given sufficient autonomy, time, resources and support to carry out their tasks effectively, including active support by senior management.
The University shall also ensure that the DPO is ‘involved properly, and in a timely manner, in all issues which relate to the protection of personal data’, that the opinion of the DPO is given due weight and that the DPO is consulted promptly once a data breach or another incident has occurred.
7.1 University Executive Committee shall ensure that the purposes and means of processing of personal data for which the University is data controller are determined in compliance with legislation. Responsibility for ensuring implementation of, and compliance with, this policy will be in accordance with the University’s line management structure.
7.2 All individuals and organisations that process personal data on behalf of the University shall comply with this policy and associated data protection, information security, information management and information technology regulations, policies, processes and procedures.
7.3 The Data Protection Officer (DPO) is an advisory role and is concerned with the University’s compliance with data protection legislation. The DPO shall:
The DPO shall not determine the purposes of processing personal data, or the means by which any personal data processing activity is done.
7.4 The Senior Information Risk Owner (SIRO) is an accountable role and is concerned with the management of all information assets held by the University. With regard to personal data, the SIRO shall have overall responsibility for:
The SIRO shall also play a key role in fostering a data protection culture within the University.
7.5 Information Asset Owners shall:
7.6 Super Information Asset Owners shall:
7.7 Third parties processing personal data on behalf of the University shall comply with this policy alongside any specific terms and conditions agreed contractually.
All breaches of this policy and data protection legislation shall be reported immediately in accordance with the University Information Security Incident and Weakness Reporting Procedure. It may also be appropriate to report the breach in accordance with the University’s Public Interest Disclosure (‘Whistleblowing’) Policy.
Third parties shall report via their University point of contact. Breaches shall be managed in accordance with the University Information Security Incident Management Procedure.
A breach of this policy by an employee or student may result in disciplinary action. A breach by a third party may result in a termination of contract and/or compensation claim.
This policy shall be reviewed by the University’s SIRO and DPO annually or whenever there is a significant change in legislation, strategy or organisation. Major changes shall be approved by UEC.