Devised: 07/09/21
Agreed: 08/09/21
Review: 01/09/26
Version 1 — Pg 2 / Pg 8 / Throughout — Addition of types of personal data in a college. Inclusion of Special Category Data. Change of branding. — Approved: KM
Version 2 — Pg 3 — Addition of 3 categories to the legal bases for processing data. — Approved: KM
Version 2 — Pg 5 — Addition of the role and responsibility of Trustees and all staff in data protection. — Approved: KM
Personal information is any information that relates to a living individual who can be identified from the information. This includes any expression of opinion about an individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings.
RISE SPACE collects a large amount of personal data every year including:
In addition, it may be required by law to collect and use certain types of information to comply with statutory obligations of Local Authorities (LAs), government agencies and other bodies.
This policy applies to:
RISE SPACE is committed to the protection of all personal and sensitive data for which it holds responsibility as the Data Controller, handling such data in line with the data protection principles and the Data Protection Act (DPA).
Changes to data protection legislation, including the General Data Protection Regulation (GDPR), will be monitored and implemented so that RISE SPACE remains compliant.
The legal bases for processing data are:
The requirements of this policy are mandatory for all staff employed by the provision and any third party contracted to provide services within the provision.
Under GDPR, there are eight data protection principles, or rules for good information handling, all of which will be implemented by RISE SPACE.
Data will be processed fairly and lawfully with transparency.
Personal data shall be obtained only for one or more specific and lawful purposes.
Examples of personal data in a college include:
Personal data shall be adequate, relevant and not excessive.
Personal data shall be accurate and kept up to date.
Personal data shall not be kept for longer than necessary.
Personal data shall be processed in accordance with the rights of data subjects and protected against unauthorised access, loss or destruction.
Appropriate technical and organisational measures shall be taken against unlawful processing and accidental loss or damage.
Personal data shall not be transferred outside the EEA unless adequate protection exists.
Keighly Murphy is the Data Controller and holds responsibility for personal information.
All staff:
Any external Data Processors must confirm GDPR compliance and ICO registration.
ICO guidance can be found here:
https://ico.org.uk
All data within the provision’s control shall be identified as personal, sensitive or both to ensure compliance with legal requirements.
The provision will ask for consent where there is no lawful basis for processing information.
Lawful bases include:
All data breaches must be immediately reported to the Data Controller.
The Data Controller will:
Individuals have the right to:
RISE SPACE may share data where legally required or in the best interests of students or staff.
Examples include:
Any shared data will be password protected where appropriate.
Special category data includes:
Individuals have the legal right to request access to their data.
Requests:
Individuals may request that personal data is erased where no longer required.
Images of staff and students may be used for educational activities.
External publication requires prior consent.
RISE SPACE aims to reduce paperwork and securely store information electronically where possible.
Hard copy records are stored securely.
Sensitive information must not be left unattended or transported insecurely.
RISE SPACE undertakes risk assessments relating to personal data and implements appropriate security measures.
All redundant data will be securely destroyed in compliance with ICO guidance.
IT assets will be professionally cleaned prior to disposal.