Data Protection

The University of South Wales is registered as a data controller with the Information Commissioner’s Office.

The University undertakes to process personal information within the terms of the Data Protection Act 1998. In accordance with the Act, the University must provide the Information Commissioner with details of the processing of personal data carried out by the University through its formal registration (Reference No: Z6472800)

The University undertakes to maintain data in secure conditions and to process and disclose data only within the terms of its Data Protection notification.

Data Protection Policy Statement for Students (Fair Processing Notice)

The University will process student personal data in order that it can manage its processes, provide education and services and meet certain legal requirements. Processing would include the following actions in relation to personal data: obtaining, recording, storing, organising, maintaining, updating, retrieving, using, disclosing and deleting the personal data. This personal data may include data such as name, address, date of birth, programme and modules studied, fee payments, information about examinations, information relating to services, attendance, assessments and results.

In addition to this, the University may process some sensitive student personal data, such as details about health in order to provide care, and information concerning ethnicity and disability for planning and monitoring purposes. Also, for certain programmes of study, information about past criminal convictions will be processed.

How your personal information is used

The University requires personal data to provide students with: lectures and other academic provision, access and use of the Library and IT facilities, counselling, medical care, accommodation, student misconduct/complaints processes, advice services and pastoral support, alumni operations, financial advice, disability and employability services.

The University utilises personal information to manage student engagement and to conduct internal research into improving education and educational services and quality and performance monitoring.

The University, via its faculties, corporate support departments, allows access to employees and agents of the University (on a need-to-know basis only).

Disclosure of personal information to third parties

The University may disclose appropriate personal data, including sensitive personal data, to third parties, where there is legitimate need or obligation, during or after the period of study. Such disclosure is subject to procedures to ensure the identity and legitimacy of such agencies. These third parties may include the following (please note that this is not an exhaustive list):
The University’s partners and contractors

The University may provide personal information to its partners and contractors. In such cases, the University must ensure that this information is managed in accordance with the Act and only for the purpose for which it was provided to the partner/contractor.

The Students’ Union

Limited personal data will be shared with University of South Wales Students Union for the purposes of administration, welfare and health and safety

Local Authorities

Relevant information will be shared with local authorities for purposes relating to council tax administration.

To assist with the registration of students under the 'Individual Electoral Registation’ system, personal data will be provided to the local authority’s Electoral Services department. This data will be used by the local authority to identify those indviduals who have an entitlement to vote. To complete the registration it will then be necessary for the student to complete their registration online.

Turnitin

The University of South Wales uses Turnitin® for the purposes of checking coursework and academic submissions for plagiarism and appropriate citations. Limited personal information may be disclosed to Turnitin when using this system.

HE funding councils, the Quality Assurance Agency, Higher Education Statistics Agency (HESA), Office of the Independent Adjudicator and other HE bodies

Relevant government departments to whom we have a statutory obligation to release information (including the Higher Education Funding Council for Wales (HEFCW) the Higher Education Statistics Agency (HESA) and Council Tax officers)

Further information on uses of information by HESA can be found on the http://www.hesa.ac.uk/fpn.

Where an external review is requested from the Office of the Independent Adjudicator the University it will be necessary to make available relevant personal for the purposes of an external review.

Tribal Education Limited for the delivery of HEAR

The Higher Education Achievement Report (HEAR) is a digitally signed electronic document that provides learners with a record of their academic and non-academic achievements which have been verified by the University. The University of South Wales is working with a company called GradIntel to provide this service.

Further information on HEAR. sasstudent.southwales.ac.uk/hear/ can be found on the University website.

h5.National Student Survey

The University is required to pass data about its students to the Higher Education Funding Council for Wales (HEFCW) for them to conduct the National Student Survey. This survey gives students the chance to give feedback on their experiences at the University and so informing the choices of prospective students. It is described in detail on the National Student Survey website.

Other Higher Education (HE) institutions

Where students are involved in exchange or placement programmes or where other documentation is required, the University may disclose personal data for general educational, assessment, residency etc. purposes.

Sponsors, loan organisations and scholarship schemes

Where students have a sponsor (who may pay tuition fees, provide other financial support or permit release from work to undertake the programme of study) scholarship scheme or a loan provider, the University may disclose student personal data to these organisations. In such cases information will only be provided where the University is provided with a contractual agreement for the provision of such information or where the student has given permission for such disclosure.

Credit reference agencies

Information may be passed to credit reference agencies who may keep details of the searches we make about students, and debt collection agencies for specific circumstances.

Parents, guardians and other relatives

Other than in the most exceptional of circumstances, the University will not to disclose a student’s personal data to parents, guardians and any other relative without consent from the student.
In situations where students have provided details of an “in case of emergency” contact in the event of a medical problem or emergency then some personal data may be provided.

Further guidance is available on the “University web pages”:http://uso.southwales.ac.uk/ig/dp/guidance/

Published information and photographs

On the day of graduation, certain information (including the student’s name, course, degree attained) will appear in the Award Programme. Students not wishing for their details to be included must opt out by advising the University of their wish some time in advance of the ceremony. Further information is available on the “Student Administration”: http://sasstudent.southwales.ac.uk/graduation/faq/#dpa.
Photographs and video recordings are taken of graduation ceremonies and by attending attendees permit that any such photos/footage may be publicised on the University’s website.

At the beginning of the academic year each student is required to take a photograph that is then kept on the student’s record and used on their identification card Close up photographs of students are used as a means of identification and photos are used as part of a number of University activities. For example, all ID cards require a photo and the University retains a copy of this photo for the purposes of identification.

Over the course of a student’s time with the University general photos may be taken that may capture academic or student life. Those students not wishing to have their photograph taken should at the outset advise the photographer of their wishes and remove themselves from any pictures. Group photographs taken will assume the permission of individuals pictured for use in University publications and publicity materials, and publications produced by third parties authorised by the University.

Police, crime and taxation

The University may provide information to government departments/agencies on matters relating to the prevention and detection of crime, apprehension and prosecution of offenders and/or the collection of tax (Disclosures to include but not limited to; HMRC, United Kingdom Border Agency, Police)

Information may also be provided to Benefit Fraud Sections within Local Authorities and/or the Department of Work and Pensions, about students if it is necessary for the prevention or detection of a crime or the collection of taxes.

In certain instances the University may be informed by the Police or other agencies when students are arrested, charged, convicted or cautioned and the nature of the offence may require that the information is passed to the University Secretary’s Office for further action.

CCTV

CCTV is in operation across all the University’s properties. Access to the footage is limited to trained staff and to those to who need access to the footage for matters relating to their work or University business.
All staff operating the CCTV system do so in compliance with the appropriate legislation.

Website

The University uses ‘cookies’ to gather information that will improve the user’s experience of the website. The Privacy and Cookies Policy states how information gathered from those viewing its website is used:

http://www.southwales.ac.uk/privacy-and-cookies/

Professional Bodies

Personal data relating to students on specific programmes will be passed to professional bodies which accredit those programmes at the University, those with a regulatory function over our programmes or where qualification on a programme facilitates membership or registration of that body.

If there has been an incident of academic or professional misconduct and/or where the Head of School believes there is a concern related to fitness to practise which may result in a risk to the public, this will also be reported to the appropriate professional body.

Government bodies and NGOs

Many government bodies and NGOs have statutory powers to require the University to provide personal information.

Others may request information relating to their official functions and the University will normally provide the information requested if it is deemed appropriate to do so.

Solicitors

The University receives many requests for personal data from solicitors acting on a student’s behalf. In such cases, before any personal data is disclosed, the university requires the solicitor to provide consent from the student to demonstrate that they are acting on behalf of that student. Solicitors often refer to this as a form of authority.

In rare cases where a solicitor acting on the other side of a legal case requests information, information will only be provided where the University receives consent or a court order.

Court Orders

A court can compel an organisation to provide it with information it holds, in the event that an order is received, the University will provide the information required.

Specific legitimate circumstances

Disclosures to organisations not listed above will be made in specific legitimate circumstances. Consent from the student will be sought where necessary and students will be informed of such disclosures unless exceptional circumstances apply.

How students’ personal data will be used after they have left the University

As well as maintaining student records during a student’s time at the University, it continues to processes personal data in connection with alumni management, external relations and development after they have left. The University may also wish to send information about products or services which may be relevant, and to keep alumni informed about University activities.

Alumni who do not wish the University to use their personal data in any of these ways, should write to the alumni office: alumni@southwales.ac.uk

The University also conducts the Destination of Leavers from Higher Education (DLHE) survey. This is a national survey collecting information on what leavers from higher education programmes are doing six months after qualifying from their HE course. In order to obtain up to date details, personal data is obtained from across the University.

Providing personal data to the University

Students must ensure that all personal information provided to the University is accurate and up to date. Changes to contact details can be made by logging into the unilife webpages.

Processing personal data

Under the Data Protection Act and the University’s Data Protection Policy students have responsibilities when processing personal data. These include:
• if you are considering processing personal data as part of your studies you must notify and seek approval from your supervisor before any processing takes place
• if you are processing personal data other than as part of your studies and for personal or household purposes you will not be covered under the University’s registration.
In such circumstances you may wish to contact the Information Commissioner to ensure that you are doing so in compliance with the Data Protection Act 1998

Complaints

If you believe that any part of the University is not complying with either the Data Protection Act 1998 or its own Data Protection Policy, you have the right complain to the University’s Data Protection Officer. Complaints should be submitted to:

Rhys Davies,
Information Compliance Officer,
University of South Wales,
Pontypridd,
CF37 1DL
rhys.davies@southwales.ac.uk
Tel:01443 482966

If you are not content with the outcome of its internal processes, you have the right to complain directly to the Information Commissioner’s Office:

Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire
SK9 5AF

Data Protection Policy Statement – Staff data

The University processes data relating to its staff for the following purposes:

  • Staff administration (including recruitment, appointment, to make payments, pension provision and for the management of sickness absence)
  • To provide access and use of University facilities and services (including library services, sports facilities)
  • To enable the University to meet its business and legal obligations (including audit functions, marketing and promotion of the institution, health and safety, course administration)

The University will, where necessary, disclose personal information relating to University employees to external organisations including:

  • Government departments on matters relating to the prevention and detection of crime, apprehension and prosecution of offenders and/or the collection of tax (Disclosures to include but not limited to; HMRC, UK Border Agency, Police)
  • HEFCW and associated agents (Disclosures to include, but not limited to HESA and QAA)
  • Potential employers or providers of education

NB. Disclosures to organisations not listed above will be made in specific legitimate circumstances. Consent will be sought where necessary and employees will be informed of such disclosures unless exceptional circumstances apply.

Under the Data Protection Act 1998, you have a right to request and receive a copy of the current personal information held on you by the University and a right to object to data processing that is inaccurate or, causes substantial unwarranted damage or substantial unwarranted distress. On request the University will also inform you of the credit agencies it has contacted and the personal details it has disclosed to them.

Please e-mail: dataprotection@southwales.ac.uk, if you have any specific questions relating to the Data Protection Policy, or for details of procedures relating to your rights as a data subject.

Please note that we are reliant on you for much of the data we hold: help us keep your record up-to-date by notifying your Faculty Office or the Human Resource Department of any alterations to your address, personal details, or course enrolments.

Obligations Placed Upon the University by the Data Protection Act

The Data Protection Act 1998 is a piece of information rights legislation that covers personal information.

It aims to ensure personal privacy, through giving individuals rights with regards to information about themselves and putting responsibilities on organisations who process this information.

The Act places certain obligations with which the University, as Data Controller, must comply:

  • To notify the Information Commissioner annually of the purposes for which it processes personal data
  • To allow individuals to find out what information is held about them, the purposes for which the information is kept, where we obtain it from and to whom we might disclose it
  • To process personal information in accordance with the Eight Principles of Data Processing as set out in the legislation

To Notify the Information Commissioner

Under the Data Protection Act 1998, the University is required to notify the Information Commissioner of the purposes for which it processes personal data. This notification is renewed annually and recorded in the Data Protection Public Register.

The University must ensure that its notification remains up-to-date and personal data must not be processed unless the activity is covered by the current notification.

The Rights of Individuals

Data Subjects have a number of rights relating to the information held on them as well as what happens to that data:

Right to subject access

The Data Protection Act gives Data Subjects the right to request for, in writing, a copy of information held relating to the individual in electronic format and also in some manual filing systems.

In addition individuals are also entitled to be given a description of the information, what you use it for, who you might pass it on to, and any information you have about the source of the information. This information is provided to individuals at their time of entry into the University and is available on the Information Governance web pages.

Right to prevent processing likely to cause damage or distress

A data subject is entitled to write to the University to prevent processing for a specified purpose if that processing of their personal data is likely to cause unwarranted substantial damage or substantial distress to themselves or another person.

Damage can cover financial loss, loss such as pain and suffering, loss of amenity, and loss of reputation. Distress can cover shock, fear, anxiety or grief.

This right cannot be exercised if the data subject consented to the processing, the processing is part of a contract with the data subject, the processing is necessary to protect the vital interests of the data subject, or the University is under a legal obligation to process that data.

Right to prevent processing for the purposes of direct marketing

An individual is entitled by written notice, to require the University to cease, or not to begin, processing personal data for the purpose of direct marketing. When the University as Data Controller receives such a notice, they must comply as soon as they can. There are no exceptions to this.

The data subject may apply to Court for an order if the data controller fails to comply with the notice.
Direct marketing is defined in the Act for the purposes of this provision as meaning the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.

Rights in relation to automated decision taking

A data subject has the right to require the University not to make a decision that significantly affects them if it is based solely on the processing of data by automatic means.

The examples of this type of activity are assessing credit-worthiness, performance at work or possible employment, and automated assessment for academic work of students. All data subjects will be informed in advance as to whether such processing of their personal data will be undertaken.

Right to take action for compensation if the individual suffers damage by any contravention of the Act by the data controller

Data owners should be aware that a data subject now has the right to compensation either for damage or damage and distress for any contravention of the Act by the University. If the contravention was in relation to artistic or literary purposes or journalism, then compensation can be for distress alone.

A defence allowed in the Act is that the University has taken 'such care as is in all the circumstances was reasonably required to comply with the requirement concerned’. Data owners should therefore ensure that, where the risk to data subjects is clearly foreseeable, appropriate measures should be taken to comply with the Act in those circumstances.

Right to take action to rectify, block, erase or destroy inaccurate data

An individual may apply to the Court for an order that would require the University to rectify, block, erase or destroy data relating to that individual that are inaccurate together with any other personal data relating to the data subject which contain an expression of opinion which the Court finds is based on the inaccurate data. Data is considered as being inaccurate if they are incorrect or misleading as to any matter of fact.

Data owners within the University need to ensure that there are procedures in place for data subjects to correct inaccurate or out of date data, and procedures for staff and students to update basic terms of data.

How to Complain

The University aims to comply fully with its obligations under the Data Protection Act 1998 and takes complaints relating to the institutions adherence to the Act very seriously.

Stage 1

Individuals wishing to report concerns relating to the Data Protection Act 1998, should, in the first instance, contact the University’s Information Compliance Officer who will aim to resolve any issues.

Mr Rhys Davies
Information Compliance Officer
University of South Wales
Pontypridd
CF37 1DL
e-mail:rhys.davies@southwales.ac.uk

Stage 2

If the individual feels the complaint has not been dealt with to their satisfaction, the individual can formally complain to the Records and Information Compliance Manager.

The Records and Information Compliance Manager will review the facts of the complaint and having taken this into consideration will determine whether the University has acted in accordance with/ or contrary to the Act.

Mr. William Callaway,
University of South Wales
Pontypridd
CF37 1DL
e-mail:freedomofinformation@southwales.ac.uk

The Records and Information Governance Manager will contact the individual making the complaint and advise them of the outcome of the investigation into their complaint.

Stage 3

If at any time the complainant is unhappy with the way their grievance is being handled, the complainant can also contact the Information Commissioner’s Office, who regulates the processing of personal information who is responsible for the regulating the processing of personal information

The ICO can be contacted:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Tel: 08456 306060 or 01625 545745
e-mail: mail@ico.gsi.gov.uk.

Processing Personal Information in Accordance with the Eight Data Protection Principles

To comply with the Act, the University must ensure that it processes data in accordance with the Data Protection Principles:

Principle 1 – Personal data shall be processed fairly and lawfully.

All Personal Data processed must satisfy at least one of the conditions of Schedule 2 of the Act. The requirements of Schedule 2 can be summarised as follows:

  • The Data subject has consented to the processing.
  • To perform a contract to which the data subject is a party or to take steps at the request of the data subject so that such a contract can be entered into.
  • To comply with a legal obligation imposed on the data controller otherwise than by a contract.
  • To protect the vital interests of the data subject.
  • For the administration of justice.
  • For the exercise of any function conferred by an enactment.
  • For the exercise of any functions of the Crown, a Minister of the Crown or a government department.
  • For the exercise of any function of a public nature exercised in the public interest.
  • For the data Controller or any third party to whom the Data is disclosed to pursue their legitimate interests.
  • Other specific circumstances that may be ordered by the Secretary of State from time to time.

There are special provisions within the Act for processing of sensitive personal data. Within the context of the data protection, sensitive personal data relates to the following:

  • The racial or ethnic origin of the data subject
  • Their political opinions
  • Their religious beliefs or other beliefs of a similar nature
  • Their membership of a trade union
  • Their physical or mental health or condition
  • Their sexual life
  • The commission or alleged commission by the individual of any offence
  • Any proceedings for any offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in such proceedings.

When handling sensitive personal information, the data controller must ensure that in addition to complying with one of the conditions of the Schedule 2 conditions listed above, they must also comply with one of the following conditions:

  • Explicit consent has been received from the data subject;
  • Processing is required to comply with employment legislation;
  • Processing is necessary to safeguard the vital interests of the data subject or another person; The information has already been made public by the data subject;
  • Processing is necessary in connection with legal proceedings;
  • Processing is necessary for the administration of justice;
  • Processing is necessary for medical reasons;
  • Processing is necessary for ethnic monitoring.

The University will, in the course of its work regularly process personal information relating to both staff and students that is sensitive in its nature. Within the context of the University, Departments such as Finance could process information relating to staff membership of the trade unions whilst Campus Services could process sensitive information involving specific student requirements.

Principle 2 – Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

The use of modern information systems with integrated databases enables more sharing of data and reduces the need for multiple collection points for that data. Consequently, data owners should exercise great care in ensuring that data processed for one purpose is not processed for a different purpose in breach of this Principle.

Principle 3 – Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Data owners should ensure that only relevant data is processed. Neither the University nor its staff can collect personal information on the premise that it might be useful at some stage in the future. If there is no reason to collect the data for a specified purpose, then it should not be collected.

Principle 4 – Personal data shall be accurate and, where necessary, kept up to date.

It is essential that checks for accuracy are made for maintenance of the University’s data. Data owners should put in place procedures for ensuring that the data is verified for accuracy and the data is kept up to date. A basic minimum would be annual updating for both staff and student data, together with rapid updating for specific items of data.

Principle 5 – Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Personal data should not be kept for longer than is required for the purpose for which it has been acquired. The University has policies and procedures in place which cover the retention of personal data relating to data subjects and further guidance can be obtained from the University Records Manager.

Principle 6 – Personal data shall be processed in accordance with the rights of data subjects.

The Data Protection Act 1998 gives the data subject increased rights of access to personal data held on them. The Act also provides strict time limits in which data controllers must respond to access requests from individuals.

Subject to some exceptions, requests for personal information must be dealt with within 40 days of the access request being received in the University.

Principle 7 – Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The University as Data Controller must ensure the security and safekeeping of all personal data whether it is held on computer or within manual files. This includes physical security from unauthorised access as well as protection against accidental loss, destruction or damage.

Principle 8 – Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The European Economic Area (EEA) consists of the 15 European member states together with Iceland, Liechtenstein and Norway. Transfers for any other states will not be legal unless their local laws provided data subjects with the same or greater levels of protection as the Data Protection Act.

In order to transfer personal information to a country outside of the EEA, University staff should contact the Information Compliance Officer to receive further clarification.

Privacy and Electronic Communications Regulations 2003

The Privacy and Electronic Communications Regulations 2003 regulate direct marketing activities by electronic means (by telephone, fax, email/other electronic methods) and the security and confidentiality of these communications, together with rules governing the use of ‘cookies’ and ‘spyware’.

All direct marketing undertaken by the University must be undertaken in compliance with the Privacy and Electronic Communications Regulations 2003.

Cookies

The University website collects certain personal information through the use of Cookies. Further information on the type of data collected and the University’s policy on Cookies is available on the University’s Website Privacy Policy pages.

Further Information

Queries about Data Protection should be directed to:

Information Governance
University of South Wales
Pontypridd
CF37 1DL
Email: dataprotection@southwales.ac.uk