
Data Protection

Data Protection is the responsibility of all staff who handle personal information of our staff or our students.

Overview

Data Protection is the responsibility of all staff who handle personal information of our staff and our students (data subjects). Below are some key points from the University of Sunderland Data Protection Policy.

The Data Protection Policy applies to all staff who handle personal information for or on behalf of the University of Sunderland.

The University will comply with the principles of the UK General Data Protection Regulation when processing personal information.

Personal data will only be processed where one or more legal bases for processing this data apply.

The University will undertake an assessment of new or significantly changed methods of processing to ensure risks of the processing can be understood and effectively managed.

The minimum information classification applied to personal data will always be restricted, and for special category information, confidential.

The University will ensure that all requests relating to personal data are handled in line with the expectations of the UK General Data Protection Regulation.

In the event of a data breach, the University will assess the severity of the breach and, where applicable, will report the incident to the Information Commissioner's Office no later than 72 hours after becoming aware of the breach.

The University will provide mandatory training in Data Protection to all staff.

1. Introduction and purpose

The University of Sunderland needs to gather and use certain information about individuals. This can include enquirers, applicants, students, staff, and other third parties with whom the University has a relationship or may need to contact. On this basis, the University of Sunderland is a data controller (ICO registration number Z6120473). This policy outlines the procedures for collecting, handling, and storing personal data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This policy ensures that the University of Sunderland:

  • Complies with the principles of the UK GDPR, and any subsequent laws which are passed in England and Wales
  • Protects the rights of those individuals on whom the University collects, handles and stores information
  • Is open about how it stores and handles individuals’ data
  • Protects itself from the risk of data breach.

The UK GDPR describes how organisations, including the University of Sunderland, must collect, handle and store personal information. These rules apply regardless of whether the data is stored electronically, on paper or on other media. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The UK GDPR is underpinned by six important principles, under which personal data must be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  • Accurate, and where necessary, kept up to date (‘accuracy’)
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’)
  • Processed in a manner that ensures appropriate security of the personal data (‘integrity and confidentiality’).

The full principles of data processing from the UK GDPR can be found in Appendix 1.

2. Scope

This policy applies to:

  • The University of Sunderland
  • All subsidiary companies of the University of Sunderland
  • All staff of the University of Sunderland and its subsidiary companies
  • All contractors, suppliers and other people working on behalf of the University of Sunderland or its subsidiary companies
  • All data that the University of Sunderland holds in relation to any identifiable individuals.

3. Personal data

Personal Data means any information relating to an identified or identifiable natural living person (‘data subject’); an identifiable natural person can be identified, directly or indirectly, in particular by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.

Data controller means any individual or organisation which either alone or jointly, determines the purposes and means of the processing of personal data.

Data Processor means any individual or organisation which processes personal data on behalf of a controller.

Personal data breach means a breach of security or process leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

4. Roles and responsibilities

Everyone who works for or with the University of Sunderland and its subsidiary companies has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles personal data must ensure that it is handled and processed in line with this policy and UK GDPR principles. It is essential to note that a breach of this policy could result in disciplinary proceedings and a substantial fine (up to £18.5 million) for the University of Sunderland.

The Board of Governors is ultimately responsible for ensuring that the University of Sunderland and its subsidiary companies fulfil their legal obligations.

The Data Protection Officer is responsible for:

  • Informing and advising the organisation and its employees of their data protection obligations under UK GDPR
  • Monitoring the organisation’s compliance with UK GDPR and internal data protection policies and procedures. This will include monitoring the assignment of responsibilities, awareness training, and training staff involved in processing operations and related audits
  • Advising on the necessity of data protection impact assessments (DPIAs), the manner of their implementation and their outcomes
  • Serving as the contact point to the data protection authorities for all data protection issues, including data breach reporting
  • Serving as the contact point for individuals (data subjects) on privacy matters, including subject access requests.

The Cybersecurity Architect is responsible for:

  • Developing technical security standards to be used across the University of Sunderland technical estate
  • Ensuring teams across the University carry out regular checks and scans to ensure security hardware and software are functioning properly
  • Evaluating the technical security arrangements of any third-party services the University of Sunderland is considering using to store or process data, using a Supplier Information Security Assessment to gather evidence.

5. Policy details

The University will comply with the principles of the UK General Data Protection Regulation (see Appendix 1) when processing any personal data.

The University will only process personal data where it can match processing activities to one or more of the lawful bases for processing under Article 6(1) of UK GDPR (See Appendix 2) or, in the case of special category personal data, Article 9(1) of UK GDPR (See Appendix 3).

The University will ensure that a record of the processing activity it undertakes is maintained (as required by UK GDPR) and made available to the relevant authority (the ICO in the UK), upon request.

The University will ensure that all new and significantly amended systems are subject to a sufficient Data Privacy Impact Assessment (DPIA), and that the risks identified are appropriately managed. For internal processes or systems, this will be in the form of a Privacy Impact Assessment (PIA), and where there is the involvement of an external partner (data processor) who will handle or store information on behalf of the University, a Supplier Information Security Assessment (SISA) will be used to assess their technical security arrangements.

By default, the minimum information classification (please see information classification process) used for records containing personal data will be restricted, and for those records containing special category data, confidential. The controls outlined in the information classification will be followed.

The University will ensure that all requests made by data subjects in accordance with UK GDPR are handled appropriately and within the prescribed time limits (30 calendar days, from receipt of sufficient evidence of identity, for Subject Access Requests). Where requested to do so, the University will also advise the data subject of the purposes for which the data are to be processed and the recipient or classes of recipients to which the data are or may be disclosed (please see guidance document handling requests from information).

In the event of a personal data breach, the University will use a managed, documented approach to managing the incident, including assessing the severity of the incident, and where applicable, will notify the ICO within 72 hours of becoming aware of the incident (please see guidance document Handling Data Breaches Guide).

6. Training and education

All staff and contractors of the University of Sunderland and its subsidiary companies who do, or are likely to, come into contact with personal data in carrying out their responsibilities are required to receive Data Protection Training. On this basis, the University will:

  • Ensure that all new staff and contractors of the University and its subsidiary companies receive appropriate Cybersecurity and Data Protection training as part of their induction, and that, until such training has been undertaken, access to systems and storage media containing personal information will be prohibited
  • Ensure that all existing staff and contractors of the University and its subsidiary companies undertake appropriate Cybersecurity and Data Protection training, which will be refreshed on a two-yearly basis. Staff who fail to undertake this training will have their IT account suspended, and thus their access to personal information will be revoked until training is complete.

This policy came into effect on 25 May 2018, when the General Data Protection Regulation and any associated law in England and Wales also came into effect and were enforceable.

Data Protection Policy

Version 2.1 – Revised version 2.0 January 2023

Review due – January 2025

Author – Assistant Director of Strategic Support Services (DPO)

Appendix

Appendix 1 – UK GDPR Principles

There are six processing principles in the UK GDPR; in full, they are:

Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation to safeguard the rights and freedoms of the data subject (‘storage limitation’)
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Appendix 2 – Lawful Bases for Processing Personal Data

Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes

b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

c) Processing is necessary for compliance with a legal obligation to which the controller is subject

d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person

e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.

Point (f) shall not apply to processing carried out by public authorities in performance of their tasks.

Appendix 3 – Lawful Bases for Processing Special Category Personal Data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited, unless one of the following applies:

a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject

b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subjects

c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

d) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects

e) Processing relates to personal data which are manifestly made public by the data subject

f) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity

g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

h) Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 2

i) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy

j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

2. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.