Data Protection in a Tutorial Context
Office of Intercollegiate Services
24 September 2018

Over the next 30 minutes…
* What is considered personal data?
* Processing personal data in College setting
* Key compliance requirements
* Benefits of compliance
* Points of special interest to the College (not an exhaustive list)
* Record v Personal information
* Records management
* Subject Access Requests
* Freedom of Information Requests
* References
* What to do if something goes wrong
* How to stay on the right side of compliance

What is considered personal data?

Special categories of personal data
Personal data about an individual’s:
* race;
* ethnic origin;
* political opinions;
* religious or philosophical beliefs;
* trade union membership;
* genetic data;
* biometric data (where used for identification);
* health data;
* sex life; or
* sexual orientation
require a higher level of protection.

“Extra” Special category of personal data
Information relating to criminal convictions and offences, which also requires a high level of protection

Personal data
Under GDPR, it means: “any information relating to an identified or identifiable natural [living] person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Processing personal data in College setting
Adapted from Tutors’ and Senior Tutors’ role descriptions

Key compliance requirements
* Documentation
* Transparency
* Data Protection statement/policy
* Privacy notice
* Information Asset Register/Data Register
* Retention Schedule
* Breach notification procedure
* Breach handling process
* Practice guidance (e.g. writing references, managing records, dealing with Subject Access Requests, etc.)
* Making key Data Protection documentation available to stakeholders
* Website v Intranet
* Training and awareness
* Monitoring compliance (e.g. reviews, spot checks, etc.)
* Making processes responsive to data subject rights
* Publication scheme

Benefits of compliance
* Confidence in College’s management practices and perceived transparency
* Increased confidence in the College around respecting and safeguarding students
* Enhanced reputation
* Administrative efficiencies (e.g. reduced off-site storage cost for records)
* Shared ownership (and accountabilities)

Points of special interest to the College (not an exhaustive list)
Record v Personal information

Record
* Any recorded information created, received or managed in the course of the College’s day-to-day activities or as part of its legal obligations – regardless of nature, format or medium
* Property of the College/Data Controller and must (post GDPR) be managed in accordance with Data Protection legislation as set out in College policies and procedures, including retention and disposal
* Subject to disclosure (e.g. Freedom of Information, Environmental Information Regulations, and Subject Access Requests)

Personal information
* Any recorded information not relating to any aspect of the College’s functions, activities or legal obligations, which is clearly personal in nature and content

Points of special interest to the College (not an exhaustive list)
Records Management
* Tutor’s Guide – Annex A: Records management as a Tutor
* Continuous activity
* Everyone’s responsibility
* High organisational risk factor under GDPR
* Retention schedule
* Records Management policy
* More information on OIS and University webpages

Points of special interest to the College (not an exhaustive list)
* Subject Access Requests
* Freedom of Information Requests
* More information on OIS webpages
* References
* Tutor’s Guide – Annex A: Records management as a Tutor
* Tutor’s Guide – Annex B: Writing references for students
* University webpages
* What to do if something goes wrong
* Breach reporting procedure
* Refer to local guidance
* OIS webpages

How to stay on the right side of compliance
* College policies and procedures
* If in doubt, ask
* What would I do if it was my personal data?

Questions?