Your Responsibilities Under GDPR
As most people know, a new Data Protection Act came into force on 25 May 2018. The Act incorporates the EU’s General Data Protection Regulation (GDPR). It regulates the processing of personal data and gives individuals more say over how their data are used.
For these purposes:
- "personal data" refers to data by which a living individual may be directly or indirectly identified
- "processing" data includes obtaining, recording or holding those data or using them to carry out any operations.
Morley collects a lot of personal data about:
- people who have enrolled on a course
- people who apply for funding or support from the College
- visitors to the College website
- people who request course guides, course specifications, send an enquiry, or apply online
- people who register to attend events that we run
- people who sign up to promotional competitions that we run
- individuals who register to become Friends of Morley
- users of the College Moodle VLE system
- people who work for the College (in a paid or unpaid capacity) or apply to do so.
We can only process those individuals’ personal data in strict compliance with the new Act.
The Legal Framework
We are required to ensure that all personal data that we process are:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
We are only allowed to process data if we have a lawful reason to do so. This might be because we have a contract with the person concerned, because we have a legal obligation to process their data, or because we have a legitimate business reason for doing so. Where none of those conditions applies (there are other possible reasons that are less relevant to Morley), we need to seek the consent of the "data subject", the person whose data we want to process.
As well as the right to withhold that consent, the Act gives data subjects a number of rights, including the right to be informed about the data that are held, to have those data rectified if they are inaccurate, and to have them deleted if there is no compelling reason for continuing to process them.
What have we done?
We have published a privacy notice (it’s close to the bottom of every website page) and a separate notice for staff and job applicants (in the Policies section of the website). These privacy notices tell people how we process their data and what their rights are.
We have also published a revised Information and Data Protection Policy, which sets out our overall approach to the processing of personal data, and we have updated our Information Systems Acceptable Use Policy. An Information and Data Retention Policy will shortly be published, which sets out the basis on which we hold on to data, including data that we have no immediate use for but may nevertheless need to retain.
The Information and Data Protection Policy contains a helpful, one-page set of Employee Guidelines. These will be updated when the policy is reviewed in March.
What Can You Do?
Data security is everybody’s responsibility. The penalties for failure to comply with the Data Protection Act are potentially huge. But compliance shouldn’t be difficult if everybody is aware of the risks. Here are a few suggestions that will prevent you from being the subject of a referral to the Information Commissioner.
- Avoid contacting students, and particularly former students, by means other than official channels unless you have their express written consent to do so. Contacting them without that consent is breaking the law!
- Make sure that you are entitled to process any data that you are collecting, holding or working with. If in doubt, consult your line manager or the Data Protection Officer.
- If you work with files or documents containing personal data, keep them on the College server and don’t download them. If you are working remotely, log in to your college account.
- Only share data outside the College when you know that you have the consent of the data subject or subjects or another lawful reason. Don’t include non-Morley email addresses in ‘cc’ boxes. If you need to send the same email to a number of people at non-Morley addresses, and you don’t have their express consent to share their addresses, use the ‘bcc’ function. Better still, distribute information through Moodle.
- If you have to work with hard copies of documents, keep them secure. Don’t leave them lying around where they can be seen. Deliver hard copy forms directly to the intended recipient or, if using a pigeonhole, enclose the form or forms in a closed envelope (sealed if the data are particularly sensitive).
- Regularly delete any data that you aren’t personally required to keep. This includes data contained in emails.
If you have any questions, please contact DPO@morleycollege.ac.uk.