Queen's University Belfast is required by law to comply with the Data Protection Act 2018 (DPA 2018). This document is the University's policy in response to the requirements of the 2018 Act and the General Data Protection Regulation (GDPR).
The University is committed to ensuring that all employees, registered students, agents, contractors and data processors comply with the 2018 Act regarding the processing and confidentiality of any personal data held by the University. To do this, Queen's University must comply with the Data Protection Principles contained within the 2018 Act.
Data Protection Principles
The Data Protection Principles, which have changed under GDPR and the DPA 2018, are as follows:
1. Lawfulness - Personal Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. Purpose - Personal Data must be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Data Minimisation - Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4. Accuracy - Personal Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay.
5. Storage - Personal data which is kept in a form which permits identification of data subjects must be kept for no longer than is necessary for the purposes for which the data is processed. Personal data may be stored for longer periods where it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
6. Security - Personal Data must be processed in a manner that, through the use of technical or organisational measures, ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
8. Accountability - The data controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles.
Queen's University staff and students, or others who process or use any personal information on behalf of the University, must ensure that they follow these principles at all times.
All staff and students have an individual responsibility to ensure that they adhere to the University's Data Protection Policy and the 2018 Act.
Any breach of the University's Data Protection Policy or the 2018 Act by a member of staff or student can be considered as a disciplinary matter. It may also be a criminal matter for which the University and the individual concerned could be held criminally liable.
|Data||Information which is being used or held in a computerised system, or a 'relevant filing system', i.e. a manual filing system that is structured in such a way that data contained within it is readily accessible. Data can be written information, photographs, fingerprints or voice recordings.|
|Personal Data||Information that identifies and relates to a living individual, and includes any expression of opinion or intention about the individual.|
|Processing||Anything which can be done with personal data, i.e. obtaining, recording, holding, organising, adapting, altering, retrieving, consulting, disclosing, aligning, combining, blocking, erasing, destroying etc.|
|Data Subject||An individual who is the subject of personal data. This will include: staff, current and prospective students, graduates, suppliers of goods and services, business associates, conference delegates, survey respondents etc.|
|Data Controller||Refers to Queen's University Belfast. This includes university staff who collect and process personal data on behalf of the University, and students who are collecting and processing personal data or as part of their studies.|
|Data Processor||Any person (other than an employee of the University) who processes personal data on behalf of the University, e.g. printing agency.|
|Recipient||Any person or organisation to whom personal data are disclosed.|
The University will register as a Data Controller and a Data Processor and will notify the Information Commissioner of:-
(i) The personal data that it will process.
(ii) The categories of data subject to which personal data relates.
(iii) The purposes for which the personal data will be processed.
(iv) Those people to whom the University may wish to disclose the information.
(v) Any countries or territories outside the European Economic Area to which the University may wish to transfer the personal data.
(vi) A general description of security measures taken to protect the data.
Upon request, the University shall notify all staff, students and other relevant data subjects of the types of personal data held by the University about them, and the reasons for which it is processed.
The information currently held by the University and the purposes for which it is processed form the official notification that has been submitted to the Information Commissioner's Office. When processing for a new or different purpose is introduced, the individuals affected by that change will be informed and the official notification will be amended.
Further details can be obtained from the University's Data Protection Officer and the Information Compliance Unit.
The security of personal information in the possession of the University is of paramount importance and is, therefore, addressed in various policies and procedures throughout the institution. In addition to the principles and procedures contained within this section of the policy, staff and students are also advised to read and adhere to the University's Information Security Policy.
All personal data held on behalf of the University, whether electronically or on paper, must be kept securely, no matter whether it is kept by an individual, School or the University Administration and Support Directorates. Personal data must not be disclosed to any unauthorised third party by any means, accidentally or otherwise. Staff are reminded that it is the individual's responsibility to adhere to this policy document. It is University policy that unauthorised disclosure may be viewed as a valid reason for disciplinary action.
School / Department Responsibilities
Key post holders have responsibility for ensuring that:
All staff must ensure that:
All students must ensure that:
The University shall not be held responsible for errors of which it has not been informed.
The Data Protection Act 2018 places an obligation on the University to exercise care in the disposal of personal data, including protecting its security and confidentiality during storage, transportation, handling, and destruction.
All staff have a responsibility to consider safety and security when disposing of personal data in the course of their work. Consideration should also be given to the nature of the personal data involved (how sensitive is it?), and the format in which it is held.
The Data Protection Act 2018 places an obligation on the University not to hold personal data for longer than is necessary. The Information Commissioner's Office provides general guidance on retention of personal data.
Staff should ensure that they are familiar with the University's Data Protection Policy and official Data Protection Notification.
Staff whose work involves the processing of personal data must ensure they observe the eight data protection principles of the 1998 Act and comply with the University's Data Protection policy and any amendments or supplementary guidance issued from time to time.
Staff whose work includes responsibility for supervision of students' academic work have a duty to ensure that students observe the eight principles of the 2018 Act and comply with the University's Data Protection policy and any amendments or supplementary guidance issued from time to time.
All staff should ensure that any holding or processing of personal data is included in the University's official data protection notification.
All staff and students are responsible for ensuring that:
Disclosure of Personal Data
Staff who are unsure as to the nature of authorised third parties, to whom they can legitimately disclose personal data, should check the University's official data protection notification and if still in doubt seek advice from their line manager or the Data Protection Co-ordinator.
All staff should note that unauthorised disclosure will usually be a disciplinary matter. It may also be a criminal matter for which the University and the individual concerned could be held criminally liable.
The 2018 Act introduces a new category of sensitive personal data, which is subject to additional safeguards.
Sensitive personal data is any personal data which includes information on:
Data may be processed if one of a number of other conditions is met. The University may process sensitive personal data without the subjects' explicit consent if the processing is necessary:
Disclosure of such information without consent is permitted only in "life or death" circumstances, e.g., if a data subject is unconscious, a tutor can tell medical staff that the data subject has a medical condition.
Sensitive personal data must be protected with a higher level of security.
It is recommended that sensitive records are kept separately in a locked drawer or filing cabinet, or in a password-protected computer file.
The following principles should be applied to the processing of incoming and internal mail:
The University is responsible for the use made of personal data by anyone working on its behalf, whether as an agent, in a voluntary capacity, or as a consultant or contractor undertaking work for the University. Anyone in this position must:
The Eighth Data Protection Principle prohibits the transfer of personal data to any country outside the European Economic Area (EEA) (EU Member States, Iceland, Liechtenstein and Norway) unless that country ensures an adequate level of protection for data subjects.