
Data Protection Policy

  • Compliance and Risk
  • Email: complianceandrisk@cardiff.ac.uk

1. Purpose and scope

The purpose of the Data Protection Policy is to clarify the requirements under data protection legislation which primarily includes the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) in the context of Cardiff University, to outline the associated internal allocation of responsibilities and duties, and to set out the structure within which compliance will be facilitated. This policy supports the University in demonstrating its compliance with data protection legislation to data subjects and the regulator for data protection and privacy in the UK (Information Commissioner’s Office).

This policy applies to members of Cardiff University as defined under Ordinance 2 – Members of the University and any other party engaged where personal data is processed on behalf of Cardiff University.

This policy does not apply where students process personal data on their own behalf as part of their University studies, such as those studying undergraduate and postgraduate taught courses. However, in those circumstances students should ensure that any personal data is handled responsibly and securely, completing data protection impact assessments where required and complying with other University processes (e.g. ethical reviews).

2. Policy

Cardiff University shall at all times act in a manner consistent with the obligations of a Data Controller as defined under the provisions of data protection legislation ensuring privacy is a key consideration in its operations, that any compulsory registrations and payments to regulatory bodies are up to date, and that data subjects’ rights under the legislation are respected.

Where Cardiff University is processing personal data on behalf of another Data Controller, the University will at all times process the data according to the instructions and contractual obligations agreed with that Data Controller and in any case in compliance with Data Processor obligations under data protection legislation.

2.1 Key data protection terms

The following definitions are summarised from UK data protection legislation:

Personal Data means any information about a living individual who can be identified from that data or from that data and other available data. That identifiable individual will be known as a ‘data subject’. This includes, inter alia, information held in paper or digital format, video and audio recordings, and photographic images.

Processing is the undertaking of any operation involving personal data (including to collect, access, maintain, handle, copy, pseudonymise, anonymise, analyse, disclose, or delete) as well as simply storing or hosting personal data.

The Data Controller is the body which alone (or jointly with others) decides the purpose for the processing and how such processing will take place.

The Data Processor is a body that is processing strictly under the instructions of a Data Controller.

2.2 Data subject rights

Cardiff University shall respect the rights of individuals as applicable and as defined in data protection legislation including the right:

  • to be informed of processing (Articles 13 and 14)
  • of access to their personal data (Article 15)
  • to rectification of inaccurate personal data (Article 16)
  • to erasure (Article 17)
  • to restrict processing (Article 18)
  • to data portability (Article 20)
  • to object to processing including objection to direct marketing (Article 21)
  • relating to automated decision-making including profiling (Article 22)

Further information about these rights, where they may apply and how they may be asserted is available on the Data Protection pages of the Cardiff University website.

Cardiff University shall inform students, applicants, alumni, staff, and other data subjects of how it collects and uses their personal data, with whom their data will be shared, and other relevant information in line with privacy notice requirements. These notices will be communicated to data subjects upon collection of their personal data and upon variation where appropriate and notices will be made available via the Data Protection pages.

Cardiff University shall respect the privacy rights of individuals in relation to electronic communications where direct marketing is undertaken, in compliance with the Privacy and Electronic Communications Regulations (PECR).

2.3 Processing personal data

Cardiff University and all its members shall process personal data in accordance with the lawful grounds specified in Article 6 of the UK GDPR, any relevant conditions specified under Article 9 (special category data) and Article 10 (criminal conviction and offences data) as relevant, and the Data Protection Principles set out in Article 5.

In summary, the data protection principles state that personal data shall be:

  1. Lawfully, fairly, and transparently processed;
  2. Processed for specified purposes;
  3. Adequate, relevant, and not excessive;
  4. Accurate and up to date;
  5. Not kept longer than necessary;
  6. Appropriately secured and protected from unauthorised access, loss, or disclosure.

The University will have due regard to the accountability principle and its obligation to demonstrate compliance with the data protection principles.

2.4 International transfers

The University will not transfer personal data to third countries or international organisations based outside of the UK unless it is adequately protected and the transfer is in line with the general principle for transfers set out in Article 44 of the UK GDPR. For the purposes of international transfers, adequate protection means that the destination country has been identified by the UK as having adequate data protection laws, that binding corporate rules are in place with the third-party organisation, that appropriate standard contractual clauses have been appended to the contract, or that an appropriate derogation within the DPA 2018 applies for the specific situation.

2.5 Third-party processors

Where third-party organisations are engaged to process personal data on behalf of the University, this shall be undertaken with due regard to the legal and contractual obligations placed on the University as Data Controller and the third-party organisations as Data Processor as per Article 28 of the UK GDPR.

3. Roles and responsibilities

3.1 The University as a corporate body is the Data Controller. Unless otherwise stated, roles and responsibilities are as set out in the Information Security Policy.

3.2 The senior officer responsible for the University’s compliance with data protection legislation is the Senior Information Risk Owner (SIRO). In addition to their responsibilities in the Information Security Policy, the SIRO will be responsible for:

  • nominating a designated Data Protection Officer for the University in line with its obligations as a Data Controller and public authority
  • considering whether a serious personal data breach should be reported to the Information Commissioner’s Office, giving due regard to the advice of the Data Protection Officer
  • where an assessment identifies it appropriate to do so, acting as an escalation point for authorisation of proposed University activity where personal data is to be processed in such a way that a Data Protection Impact Assessment (or equivalent risk assessment) identifies it as a major risk (as defined within the University’s Risk Management Framework)

3.3 The Data Protection Officer is responsible for:

  • advising on and monitoring compliance with data protection legislation and University obligations at a University level including awareness raising, training and audits
  • co-operating with and being the primary contact point for the Information Commissioner’s Office
  • advising on Data Protection Impact Assessments and identified risks and controls
  • overseeing the facilitation of data subjects’ rights
  • assessing and advising on reported information security incidents and any associated investigations
  • developing specific policy and supporting guidance on data protection issues for members of the University
  • reporting annually on matters related to data protection compliance to the Governance Committee

3.4 In addition to their responsibilities in the Information Security Policy, Senior Business Owners Data Leads are responsible for acting as an escalation point for authorisation of a proposed University activity where personal data is to be processed in such a way that a Data Protection Impact Assessment (or equivalent risk assessment) identifies it as a significant risk (as defined within the Risk Management Framework).

3.5 In addition to their responsibilities in the Information Security Policy, Business Owners are responsible for acting as an escalation point for authorisation of a proposed University activity where personal data is to be processed in such a way that a Data Protection Impact Assessment (or equivalent risk assessment) identifies it as a moderate risk (as defined within the Risk Management Framework) and for notifying the Senior Business Owner.

3.6 Each College, School, and Professional Service team shall be responsible for:

  • establishing their own protocols for processing personal data with support from the Data Protection Officer where required
  • monitoring their own compliance with the University policy on data protection with support from the Data Protection Officer where required
  • ensuring at least one individual from each College/School/Professional Service team is nominated by the College Registrar/School Manager/Professional Service Head to assist the Data Protection Officer in facilitating data subject rights, including collating data as required in response to subject access requests

3.7 All individuals shall:

  • process personal data where authorised by the University in line with this policy and with the data protection principles as outlined at 4.3 above, ensuring there is a lawful basis in place
  • ensure that any personal data shared or otherwise disclosed to third-party organisations is disclosed securely and in line with the Information Handling procedures, ensuring that legally compliant data processing agreements are in place with data processors when procuring or renewing services
  • report personal data losses, unauthorised disclosures or access, and breaches of this policy, to IT Support as soon as they are discovered and assist the Data Protection Officer in addressing the incident as per the Information Security Incident Management procedure
  • successfully complete the mandatory annual Information Security training and any other non-mandatory data protection training required by the SIRO or where role-based training has been identified
  • complete Data Protection Impact Assessments where required to do so
  • maintain personal data in line with good records management practice as set out in the Records Management Policy and Information Handling procedures, ensuring that information is readily accessible to comply with data subject rights and assist promptly with any requests
  • provide information to support the University’s Record of Processing Activities and Information Asset Register where appropriate
  • upon ceasing to be a member of the University, ensure that any personal data for which they are custodian is transferred to a new custodian to ensure ongoing availability
  • seek advice from their line manager and/or University IT and/or the University’s Data Protection Officer where they are unsure as to appropriate security measures or data protection measures

3.7.1 All individuals shall not:

  • knowingly or recklessly expose or otherwise make available personal data to unauthorised access, alteration, disclosure, or loss
  • disclose personal data or otherwise make it available (including verbal disclosures) to a third party either by action or inaction where it is known that the third party is not entitled to receive that data
  • access personal data records for private interest and/or gain, even where access to the record system itself has been granted to the same member for business purposes

Any infringement of data protection legislation may expose the University and/or the individual to legal action, claims for substantial damages and fines from the Information Commissioner’s Office. Unauthorised processing of personal data is a potential disciplinary matter which may be considered under the relevant disciplinary code, and serious breaches may constitute ‘good cause’ for dismissal and/or constitute a criminal offence.

4. Monitoring and review

4.1 The policy will be reviewed annually as part of the Information Security Framework schedule of review. Monitoring of compliance with this policy is undertaken through Annual Assurance Return assessment, consultation on Data Protection Impact Assessments, investigation of Information Security Incidents, assessment of software as part of the IT Requirements Consultation, and data protection audits.

4.2 The Governance Committee shall receive an annual report from the Data Protection Officer to include summaries of compliance with data subject rights, statistics on information security incidents, completion of mandatory information security training, and an overview of the University’s data protection risk management.

Related policies and procedures

This policy forms part of the Information Security Framework. It should be read in conjunction with:

It also has a relationship with other University policies, specifically:

Document control table

Document title: Data Protection Policy
Version number: 2.3
Document status: Approved
Date approved: 04 June 2025
Approved by: Senior Information Risk Owner
Date of next review: June 2026