Data Protection Act

How the university processes your personal data under GDPR

Designed to protect the rights of the individual and to allow individuals access to their own personal data (with a few exemptions), the regulation lays out seven principles which must be complied with.

The principles state that processing of personal data requires:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

In order to comply with the seven principles at least one of the conditions below must be met for the processing of personal data to take place:

• The individual has consented to the processing
• Processing is necessary for the performance of a contract with the individual
• Processing is required under a legal obligation (other than one imposed by the contract)
• Processing is necessary to protect the vital interests of the individual
• Processing is necessary to carry out public functions
• Processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the individual)

To demonstrate compliance all new university processing has been subject to a Data Protection impact assessment (DPIA) which is also known as a Privacy Impact Assessment (PIA). Information about the PIA Form and Guidance is available, or feel free to get in touch with us if you have any queries.

How the university processes special category personal data under GDPR

Specific provision is made under the Legislation for the processing of sensitive personal information, called special category data.

Special Category data includes:

• racial or ethnic origin
• political opinions
• religious or other beliefs
• trade union membership
• physical or mental health conditions
• sex life

For sensitive personal information to be considered processed fairly, at least one of several extra conditions must be met. The full list is in the legislation but for example includes:

• Having the explicit consent of the individual
• Being required by law to process the data for employment purposes
• Needing to process the information in order to protect the vital interests of the individual or another person
• Dealing with the administration of justice or legal proceedings

How the university handles suspected data breaches

As well as a Data Protection Officer (DPO), the University has a team of Data Protection Co-ordinators (DPC) who report and investigate all suspected data breaches, as well as keeping the staff in their team/area up to date with any developments relating to Data Protection.

When a suspected breach occurs, or a situation arises that would constitute a “near miss”, staff inform the Faculty/Departmental Data Protection Coordinator who assess the severity of, and any risks to individuals’ data rights associated with the breach. DPCs can then offer advice on how to proceed and offer steps to mitigate against reoccurrence. In the event of breaches involving large amounts of data, or particularly sensitive data the DPO is contacted to investigate further. A central log is maintained in order to identify any individuals or teams that may require further guidance or training. This informs reports that can be submitted to the Information Commissioners Office.

IT Security issues report to IT via IT Service Desk.

For information on what to do in the event of a breach, see the Data Security Breach Management Procedure, speak to your area Data Protection Coordinator, or drop us a line to Recordsmanager@northampton.ac.uk.

All staff must complete mandatory data protection training provided and monitored by Staff Development.

The Data Protection Officer (DPO) is employed to oversee the University’s data protection strategies and implementation. They are the officer that ensures that an organisation complies with the requirements of Data Protection legislation.

Along with the DPO, the Records Management team assist with matters relating to compliance with such regulations. This is done through activities such as:

• Organising, facilitating and supporting Data Protection Audits in order to ensure that the processing of personal data that occurs is in line with the principles of the Data Protection Act/UKGDPR
• Advising teams on best practice
• Ensuring all new processing or systems used to process data are subject to a Data Privacy Impact Assessment
• Advising on the development of Data Sharing agreements
• Assisting in the development of Privacy notices
• Complying with Data Rights requests
• Investigation of suspected Data Breaches and the management thereof
• Reporting to the Information Commissioners Office
• Helping to facilitate implementation of the Records Retention Schedule
• Facilitation of safe, secure and confidential destruction of records at the end of their lifecycle

• Privacy policy and notices – details of how your personal data is processed and the legal basis.
• Data Protection and GDPR Policy
• Information Commissioners Office – an independent authority set up to uphold information rights and a good source of information regarding Data Protection
• Guidance for the use of external web services
• Data Protection on the Government website
• Guidance for better data protection compliance page