{"id":350,"date":"2020-09-01T13:30:38","date_gmt":"2020-09-01T13:30:38","guid":{"rendered":"https:\/\/www.glos.ac.uk\/information\/?post_type=ht_kb&#038;p=350"},"modified":"2026-02-20T08:40:28","modified_gmt":"2026-02-20T08:40:28","slug":"data-protection-policy","status":"publish","type":"ht_kb","link":"https:\/\/www.glos.ac.uk\/information\/knowledge-base\/data-protection-policy\/","title":{"rendered":"Data protection policy"},"content":{"rendered":"\n<h2 class=\"heading wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>1.1 The University of Gloucestershire (the \u2018University\u2019) collects, holds and processes data about its students, employees, applicants, alumni, stakeholders, contractors and other individuals in order to carry out its business and organisational functions.<\/p>\n\n\n\n<p>1.2 Data Protection legislation defines \u2018personal data\u2019 as any information relating to an identified, or an identifiable natural person (\u2018data subject\u2019). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
Personal data also includes any expression of opinion about the data subject and what is intended for them.<\/p>\n\n\n\n<p>1.3 The University is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data.<\/p>\n\n\n\n<h2 class=\"heading wp-block-heading is-4--mobile is-4 is-4\">Purpose and Scope<\/h2>\n\n\n\n<p>2.1 The purpose of this policy is to ensure compliance with the UK General Data Protection Regulation (GDPR) and related <a href=\"http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&amp;from=EN\" target=\"_blank\" rel=\"noopener\">European Union<\/a> (EU) and national legislation (\u2018Data Protection legislation\u2019). Data Protection legislation applies to the processing of personal data about living identifiable individuals (\u2018data subjects\u2019).<\/p>\n\n\n\n<p>2.2 The University of Gloucestershire is registered with the Information Commissioner\u2019s Office (ICO) as a Data Controller. The policy incorporates guidance from the ICO, and outlines how the University will discharge its duties and obligations to comply with Data Protection legislation. <\/p>\n\n\n\n<p>2.3 This policy applies to all parts of the University and to all personal data held and processed by the organisation. This includes data held in any system or format, whether electronic or manual. <\/p>\n\n\n\n<p>2.4 This Policy applies to all members of staff except when acting in a private or non-University capacity. The term \u2018staff\u2019 means anyone working in any context within the University. This includes but is not limited to temporary, honorary, visiting, casual, voluntary and agency workers, students employed by the University, and external members of committees. 
This Policy also applies to all locations from which personal data is stored and accessed including off-campus.<\/p>\n\n\n\n<p>2.7 This policy applies to all students when processing personal data on behalf of the University, but not in any other situation including when acting in a private or non-University capacity.<\/p>\n\n\n\n<p>2.8 This policy also covers any staff and students who may be involved in research or other activity that requires them to process or have access to personal data. If this occurs, it is the responsibility of the relevant School or Unit to ensure the data is processed in accordance with Data Protection legislation and that students and staff are advised about their responsibilities. In addition, students and staff undertaking research must adhere to the Research Ethics: A Handbook of <a href=\"http:\/\/www.glos.ac.uk\/docs\/download\/Research\/handbook-of-principles-and-procedures.pdf\">Principles and Procedures<\/a>, which provides information on ethical approval of research, privacy and confidentiality.<\/p>\n\n\n\n<p>2.9 This policy is not, and should not be confused with, a <a href=\"http:\/\/www.glos.ac.uk\/governance\/information\/Pages\/data-protection.aspx\">Privacy Notice<\/a> (a statement which informs data subjects how their personal data is used by the University).<\/p>\n\n\n\n<p>2.10 This policy should be read in conjunction with responsibilities and obligations outlined in the following documents, which supplement this policy where applicable:<\/p>\n\n\n\n<div class=\"wp-block-group is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-group is-layout-flow wp-block-group-is-layout-flow\">\n<ul class=\"wp-block-list\">\n<li class=\"\">Staff employment contracts and comparable documents which impose confidentiality obligations in respect of information held by the University;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">Any other contractual obligations or staff policies which impose 
confidentiality or data management obligations in respect of information held by the University;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\"><a href=\"https:\/\/www.glos.ac.uk\/information\/knowledge-base\/records-management-policy\/\">The Records Management Policy<\/a> and <a href=\"https:\/\/www.glos.ac.uk\/information\/knowledge-base\/records-retention-schedule\/\">Records Retention Schedule<\/a> which govern the appropriate retention and disposal of University information;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">The University\u2019s <a href=\"https:\/\/www.glos.ac.uk\/information\/knowledge-base\/data-breach-policy\/\">Data Breach Policy<\/a> which sets out the procedure to be followed if a personal data breach takes place;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">IT and information security policies, procedures and terms and conditions which concern the confidentiality, integrity and availability of University information including rules about IT acceptable use, user accounts, internet, email, and network and wireless facilities.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"heading wp-block-heading is-4--mobile is-4 is-4\">Policy Statement<\/h2>\n\n\n\n<p>3.1 The University is committed to complying with Data Protection legislation through its everyday<br>working practices.<\/p>\n\n\n\n<p>3.2 Complying with Data Protection legislation may be summarised as, but is not limited to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">understanding, and applying as necessary, the data protection principles when processing personal data;<\/li>\n\n\n\n<li class=\"\">understanding, and fulfilling when necessary, the rights given to data subjects under Data Protection legislation;<\/li>\n\n\n\n<li class=\"\">understanding, and implementing as necessary, the University\u2019s accountability obligations under Data Protection legislation.*<\/li>\n<\/ul>\n\n\n\n<p>3.3 In accordance with 
Data Protection legislation, additional conditions and safeguards will be applied to ensure that special category data (sensitive personal data) is handled appropriately. Special category personal data is information relating to an individual\u2019s:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">race or ethnic origin;<\/li>\n\n\n\n<li class=\"\">political opinions;<\/li>\n\n\n\n<li class=\"\">religious beliefs or other beliefs of a similar nature;<\/li>\n\n\n\n<li class=\"\">trade union membership;<\/li>\n\n\n\n<li class=\"\">genetic data;<\/li>\n\n\n\n<li class=\"\">biometric data (where used for identification purposes);<\/li>\n\n\n\n<li class=\"\">health;<\/li>\n\n\n\n<li class=\"\">sex life or sexual orientation.<\/li>\n<\/ul>\n\n\n\n<p>3.4 Criminal convictions or offences (alleged or proven) are not technically defined as special category personal data but are afforded similar protections.<\/p>\n\n\n\n<h2 class=\"heading wp-block-heading is-4--mobile is-4 is-4\">4. Data Protection Principles<\/h2>\n\n\n\n<p>4.1 Data Protection legislation requires that the University, its staff and others who process or use any personal information, comply with the data protection principles.<\/p>\n\n\n\n<p>4.2 The data protection principles state that personal data should be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">processed lawfully, fairly and in a transparent manner;<\/li>\n\n\n\n<li class=\"\">collected for specified, explicit and legitimate purposes;<\/li>\n\n\n\n<li class=\"\">adequate, relevant and limited to what is necessary;<\/li>\n\n\n\n<li class=\"\">accurate and where necessary kept up to date;<\/li>\n\n\n\n<li class=\"\">kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed;<\/li>\n\n\n\n<li class=\"\">processed in a manner that ensures appropriate security of the personal data.<\/li>\n<\/ul>\n\n\n\n<p>4.3 Accountability is central to Data 
Protection legislation, and Data Controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the UK regulator, the ICO.<\/p>\n\n\n\n<h2 class=\"heading wp-block-heading is-4--mobile is-4 is-4\">5. Data Subject Rights<\/h2>\n\n\n\n<p>5.1 The rights given to data subjects under Data Protection legislation are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">the right to be informed;<\/li>\n\n\n\n<li class=\"\">the right of access to the information held about them (through a Subject Access Request);<\/li>\n\n\n\n<li class=\"\">the right to rectification;<\/li>\n\n\n\n<li class=\"\">the right to erasure;<\/li>\n\n\n\n<li class=\"\">the right to restrict processing;<\/li>\n\n\n\n<li class=\"\">the right to data portability;<\/li>\n\n\n\n<li class=\"\">the right to object;<\/li>\n\n\n\n<li class=\"\">rights in relation to automated decision-making and profiling.<\/li>\n<\/ul>\n\n\n\n<p>5.2 Under Data Protection legislation, data subjects have the right of access to their personal data held by the University.<\/p>\n\n\n\n<p>5.3 Any individual who wishes to exercise this right should make the request through submitting a <a href=\"http:\/\/www.glos.ac.uk\/governance\/information\/pages\/data-protection.aspx\">Subject Access Request Form<\/a> available on the University\u2019s website at: <a href=\"http:\/\/www.glos.ac.uk\/governance\/information\/Pages\/data-protection.aspx\">http:\/\/www.glos.ac.uk\/governance\/information\/Pages\/data-protection.aspx<\/a> , or by contacting <a href=\"mailto:dataprotection@glos.ac.uk\">dataprotection@glos.ac.uk<\/a>.<\/p>\n\n\n\n<h2 class=\"heading wp-block-heading is-2 is-2--mobile\">6. 
Roles and Responsibilities<\/h2>\n\n\n\n<p>6.1 As a Data Controller (or when acting as a joint Data Controller or a Data Processor), the University has a corporate responsibility for the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">complying with Data Protection legislation and holding records to demonstrate this;<\/li>\n\n\n\n<li class=\"\">cooperating with the ICO, as the UK regulator of Data Protection legislation;<\/li>\n\n\n\n<li class=\"\">responding to regulatory \/ court action and paying administrative levies and fines issued by the ICO.<\/li>\n<\/ul>\n\n\n\n<p>6.2 The University Executive Committee is responsible for reviewing and approving this policy.<\/p>\n\n\n\n<p>6.3 University Council is responsible for assessing the overall risk profile of the University and ensuring appropriate resources and processes are in place and implemented to enable compliance with Data Protection legislation.<\/p>\n\n\n\n<p>6.4 The University\u2019s Data Protection Officer is responsible for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">monitoring the University\u2019s compliance with Data Protection legislation including managing internal data protection activities, raising awareness, training, and the conduct of internal audit;<\/li>\n\n\n\n<li class=\"\">advising the University on its Data Protection obligations (including the use of Data Protection Impact Assessments);<\/li>\n\n\n\n<li class=\"\">acting as the University\u2019s point of contact for the ICO with regard to Data Protection legislation;<\/li>\n\n\n\n<li class=\"\">acting as an available point of contact for data subjects.<\/li>\n<\/ul>\n\n\n\n<p>6.5 Governance and Secretariat Services (within the Registrar\u2019s Directorate), in collaboration with other relevant service areas, is responsible for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">providing advice, guidance, training and tools \/ methods to assist the University and staff in complying with this 
policy, in liaison with the Data Protection Officer, and taking account of ICO and other regulatory guidance and relevant case law;<\/li>\n\n\n\n<li class=\"\">publishing and maintaining core Privacy Notices and other University-wide data protection documents;<\/li>\n\n\n\n<li class=\"\">handling Subject Access Requests;<\/li>\n\n\n\n<li class=\"\">advising on, managing and \/ or handling Data Protection Impact Assessments, data subject complaints, and personal data breaches, as advised by the Data Protection Officer.<\/li>\n<\/ul>\n\n\n\n<p>6.6 Directors, Heads of School, and Heads of Professional Departments are responsible for: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">ensuring that all staff within their areas are aware of this policy, and understand the role of data protection principles in their day-to-day working practices through induction, training, and performance monitoring;<\/li>\n\n\n\n<li class=\"\">ensuring that personal data within their areas is processed in line with this policy and associated policies and procedures;<\/li>\n\n\n\n<li class=\"\">supporting internal and external audits to ensure compliance with Data Protection legislation;<\/li>\n\n\n\n<li class=\"\">developing and reviewing information surveys to document information assets containing personal data in their areas, including databases, relevant filing systems, and the purposes of processing, to inform the University\u2019s Information Asset Register.<\/li>\n<\/ul>\n\n\n\n<p>6.7 Compliance with Data Protection legislation is the personal responsibility of all members of the University who process personal data.<\/p>\n\n\n\n<p>6.8 New members of staff are required to complete mandatory information governance online training as part of their University induction.<\/p>\n\n\n\n<p>6.9 Staff members, as appropriate for their role and in order to enable the University to comply with Data Protection legislation, are responsible for:<\/p>\n\n\n\n<ul 
 class=\"wp-block-list\">\n<li class=\"\">completing the information governance online training, and refresher training annually and \/ or if their role changes significantly;<\/li>\n\n\n\n<li class=\"\">ensuring that any personal data they process adheres to this policy and any associated information security policies;<\/li>\n\n\n\n<li class=\"\">ensuring any personal data they process complies with the data protection principles;<\/li>\n\n\n\n<li class=\"\">following relevant advice, guidance and tools \/ methods provided in relation to <a href=\"https:\/\/infonet.glos.ac.uk\/departments\/registry\/GSS\/Pages\/Infogov.aspx\" target=\"_blank\" rel=\"noopener\">information governance<\/a>;<\/li>\n\n\n\n<li class=\"\">when processing personal data on behalf of the University, only using it as necessary for their contractual duties and \/ or other University roles and not disclosing it unnecessarily or inappropriately;<\/li>\n\n\n\n<li class=\"\">recognising, reporting internally with immediate effect, and cooperating with any remedial work arising from personal data breaches in accordance with the Data Breach Policy;<\/li>\n\n\n\n<li class=\"\">recognising, reporting internally with immediate effect, and cooperating with the fulfilment of Subject Access Requests;<\/li>\n\n\n\n<li class=\"\">when engaging with students who are using personal data in their studies and research, advising those students of relevant advice, guidance and tools \/ methods to enable them to handle such personal data in accordance with this policy;<\/li>\n\n\n\n<li class=\"\">ensuring they do not disclose personal data to a third party without establishing that prior consent of the individual has been provided. This also includes information that would confirm whether or not an individual is or has been an applicant, student or employee of the University. 
The University may have a duty to disclose personal data to authorised bodies, such as the police and other organisations in order to comply with its legal or statutory obligations under Data Protection legislation. Any requests to disclose personal data for reasons relating to national security, crime and taxation should be directed to <a href=\"mailto:dataprotection@glos.ac.uk\">dataprotection@glos.ac.uk<\/a>, who will respond on behalf of the University.<\/li>\n<\/ul>\n\n\n\n<p>6.10 The responsibilities outlined under paragraph 6.9 apply to individual students when processing personal data on behalf of the University.<\/p>\n\n\n\n<p>6.11 Any breach of this policy may be treated as misconduct under the University\u2019s relevant disciplinary procedures and could lead to disciplinary actions or sanctions.<\/p>\n\n\n\n<h2 class=\"heading wp-block-heading is-4--mobile is-4 is-4\">Policy Review<\/h2>\n\n\n\n<p>7.1 This policy will be updated as necessary to reflect best practice, relevant case law, and to ensure compliance with any changes or amendments to Data Protection legislation.<\/p>\n\n\n\n<p>7.2 This policy was approved by University Executive Committee in May 2018.&nbsp;The policy was last reviewed in August 2021.&nbsp; It is next scheduled for review in August 2024, or sooner if there is any significant change in Data Protection legislation.&nbsp;&nbsp;<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p class=\"has-is-7-font-size is-7\">* The accountability obligations include: implementing appropriate data protection policies; implementing data protection by design and default in projects, procurement and systems; using appropriate contracts with third party Data Controllers and Data Processors; holding relevant records about personal data processing; implementing appropriate technical and organisational security measures to protect personal data; reporting certain personal data breaches to the ICO; conducting Data Protection Impact Assessments where required; and ensuring 
adequate levels of protection when transferring personal data out of the European Economic Area<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction 1.1 The University of Gloucestershire (the \u2018University\u2019) collects, holds and processes data about its students, employees, applicants, alumni, stakeholders, contractors and other individuals in order to carry out its business and organisational functions. 1.2 Data Protection legislation defines \u2018personal data\u2019 as any information relating to an identified, or an identifiable natural person (\u2018data subject\u2019). [&hellip;]<\/p>\n","protected":false},"author":59,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"_searchwp_excluded":"","footnotes":""},"schools":[],"campuses":[],"subject_area":[],"ht-kb-category":[5],"ht-kb-tag":[],"class_list":["post-350","ht_kb","type-ht_kb","status-publish","format-standard","hentry","ht_kb_category-governance-and-structure"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/ht-kb\/350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/ht-kb"}],"about":[{"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/types\/ht_kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/users\/59"}],"replies":[{"embeddable":true,"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/comments?post=350"}],"version-history":[{"count":17,"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/ht-kb\/350\/revisions"}],"predecessor-version":[{"id":20379,"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/ht-kb\/350\/revisions\/20379"}],"wp:attachment":[{"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/media?parent=350"}],"wp:term":[{"taxonomy":"schools
","embeddable":true,"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/schools?post=350"},{"taxonomy":"campuses","embeddable":true,"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/campuses?post=350"},{"taxonomy":"subject_area","embeddable":true,"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/subject_area?post=350"},{"taxonomy":"ht_kb_category","embeddable":true,"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/ht-kb-category?post=350"},{"taxonomy":"ht_kb_tag","embeddable":true,"href":"https:\/\/www.glos.ac.uk\/information\/wp-json\/wp\/v2\/ht-kb-tag?post=350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}