Help Centre

Privacy Policy

---

1. Data Protection Policy

   
   The University processes large volumes of personal data in relation to its staff and students, to fulfil its purpose and to meet its legal obligations to funding bodies and government. It also processes personal data of participants in research projects.

   To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the University must comply with the Data Protection Principles which are set out in the Data Protection Act, 1998 or ‘the Act’ and from 25 May 2018 the General Data Protection Regulation (GDPR).

   This is one of a suite of policies that aims to ensure the University is compliant with GDPR and has a robust Information Governance framework.

   The GDPR introduces strengthened rights for individuals, greater sanctions for breaches and an accountability requirement for data controllers to demonstrate compliance and robust governance.

   The data controller decides on the nature, scope, context and purpose of processing the data, whereas a data processor acts only on instruction from a data controller and processes data on behalf of the data controller.

   The University is a data controller and in some instances may be a data processor.

2. What are Personal Data?

   
   Personal data means information about a living individual, who is identifiable by the information, or who could be identified by the information combined with other data, which the University has or may have in the future.

   Furthermore, any recorded opinions about or intentions regarding a person are also personal data; and this includes both student progress reports and staff review reports.

   Special categories of personal data or sensitive personal data is information relating to mental and physical health, ethnicity or race, religious and political beliefs, trade union membership, sexual orientation or biometric or genetic data.

   The main data the University processes is:
   
   - Staff Data
   - Student Data
   - Research Data
   

3. Principles

   
   Personal data shall be:
   
   - Processed lawfully in a transparent manner
   - Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
   - Adequate, relevant and limited to what is necessary
   - Accurate and where necessary, kept up to date and every reasonable step taken to erase or rectify inaccurate data
   - Kept in a form which permits identification of data subjects for no longer than necessary
   - Processed in a manner that ensures appropriate security
   
   From May 2018 there is a new principle of accountability for data protection compliance which means that the University must be able to demonstrate how it is complying with the GDPR.

   The University and all its staff and students who process or use personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the University has developed this Data Protection Policy.

   The legislation covers ALL personal data processed by the University, electronic or hard copy, irrespective of whether these are held by individual members of staff or students in their own separate files (including those held outside the University campus) or in departmental or faculty records systems.

   The GDPR place restrictions on what the University can do with personal data; certain conditions, which include obtaining data subject consent, must be met before processing can take place. The term 'processing' covers almost anything that is done to data by reference to individuals and the practical implications of these restrictions are wide-ranging.

4. Status of the Policy

   
   This Policy has been approved by the University Council and any breach will be taken seriously and may result in disciplinary proceedings.

   Any member of staff or student who considers that the Policy has not been followed in respect of personal data about themselves should raise the matter with the University Data Protection Officer, Vicki Heath, in the first instance. It is a mandatory requirement to report any serious data breaches to the Information Commissioner’s Office within 72 hours. These should be reported in the first instance to the Data Protection Officer who will liaise directly with the ICO.

5. Right to Access Information

   
   Any person who wishes to exercise this right should make the request in writing to the University's Data Protection Officer, using the standard Data Protection Enquiry/Subject Access Request Form via LegalServices@liverpool.ac.uk.

   
   The University aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 30 calendar days of receipt of a completed form unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.

6. Right to Erasure / Be Forgotten

   
   In certain specific circumstances individuals can request deletion of their data. However, the instances where this right will apply to data processed by the University will be very few, especially as the University has legal obligations to keep a central record of all staff and students.

   Any person who wishes to exercise this right should make the request in writing to the University's Data Protection Officer, via LegalServices@liverpool.ac.uk

7. Right to Data Portability

   
   Individuals are also entitled to receive their data in a structured, commonly used and machine readable format so it can be transmitted automatically to another data controller.

   This applies only to information that has been originally provided by the individual themselves and is being processed by automated means for the purpose of a contract (so potentially student or staff data).

   Any person who wishes to exercise this right should make the request in writing to the University's Data Protection Officer, via LegalServices@liverpool.ac.uk

8. Responsibilities of Staff and Students

   
   All staff and students are responsible for:
   
   - Checking that any personal data that they provide to the University is accurate and up to date.
   - Informing the University of any changes to information which they have provided, e.g. changes of address (students) or updating changes through the CORE HR portal (staff).
   - Checking any information that the University may send out from time to time, giving details of information that is being kept and processed.

   If, as part of their responsibilities, staff collect information about other people (e.g. about students’ personal circumstances, or about members of staff in their department or research group), they must comply with this Policy.

9. Personal Research Data

   
   Staff are responsible for applying this policy to any personal data they acquire during research studies undertaken by themselves or by students under their supervision.

   Any staff or student research project that collects personal data from participants in the study must have formal ethical approval before it begins. Participants must be informed on how the data being collected will be stored, preserved and used in the long term, and give their consent to this use of their data.

   Wherever possible, Personal data collected during research studies should be held in a fully anonymised form that protects the confidentiality of its participants.

10. Data Security

    
    It is the responsibility of the University to ensure that appropriate technical and practical measures are taken to safeguard personal data held from loss, damage or destruction. Failure to do so could result in financial and reputational damage to the University.

    The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff are responsible for ensuring that they adhere to the University’s Information Security Policy. Generally staff should ensure that:

    - Any personal data which they hold is kept securely
    - Personal data is not disclosed either orally or in writing or otherwise to any unauthorised third party.
    

    All staff are required to complete the Information Governance training module upon employment and at regular intervals afterwards.

    All personal information in the form of manual records should be:

    - Kept in a locked filing cabinet; or
    - Kept in a locked drawer.
    

    If information is computerised, it should be:

    - Securely stored on the MWS drive and documents additionally password protected, so that only authorised people can view or alter confidential data; or
    - Kept in a restricted access folder and only sent electronically if encrypted.
    

    To avoid unauthorised disclosure, care must be taken to site PCs and terminals so that they are not visible except to authorised people. Screens should not be left unattended when personal data is being processed and should be locked when they are unattended. Similarly, care must be taken to ensure that manual records, e.g. staff or student files, or printouts containing personal data, are not left where they can be accessed by unauthorised staff.

    When manual records, or printouts containing personal data, are no longer required, they should be cross-cut shredded and placed into normal rubbish bins or disposed of securely in the confidential waste consoles provided in some buildings or via the collection service provided by Records Management (see www.liverpool.ac.uk/csd/records-management/storage-and-disposal/confidential-waste/)

    Particular care must be taken of any data taken away from the University, for example manual records to be used at home, or computerised data to use on portable computers or home machines. Ensure that all work is kept confidential and, in the case of computerised information, that files are not exposed to risk from virus infection.

11. Third Party Providers

    
    The University contracts with third parties certain functions that involve the processing of personal data, such as the payroll function.

    It is a requirement in these circumstances for a written contract to exist between the University and the third party which specifies what processing the third party is authorised to undertake on behalf of the University and action the third party must take in the event of a security breach or a subject access request.

12. The Data Controller and Data Protection Officer

    
    The University is the data controller under the Act and GDPR and the University Council is therefore ultimately responsible for implementation. However, day to day matters will be dealt with by the University designated Data Protection Officer, Vicki Heath, Legal & Compliance.

13. Compliance

    
    Compliance with the Act and the GDPR is the responsibility of all members of the University and any breach of the Data Protection Policy may lead to disciplinary action being taken, or access to University facilities being withdrawn, or even a criminal prosecution by third parties.

    Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the University Data Protection Officer.