Information Security Policy
UNIVERSITY COLLEGE LONDON
DATA PROTECTION POLICY
Endorsed by the Chair of the Information Strategy Committee – 15 February 2011
1. Purpose and objectives
This policy forms part of University College London’s commitment to the safeguarding of personal data processed by its staff and students. (Processing has a very broad definition, and includes activities such as creating, storing, consulting, amending, disclosing and destroying data.) Its objectives are:
- To help staff and students recognise personal data
- To help them understand their rights and obligations with respect to personal data.
UCL processes the personal data of living individuals such as its staff, students, contractors, research subjects and customers. This processing is regulated by the Data Protection Act 1998 (DPA). The UK’s regulator for the DPA is the Information Commissioner’s Office.
It is the duty of data controllers such as UCL to comply with the data protection principles (see the Annex to this Policy) with respect to personal data. This policy describes how UCL will discharge its duties in order to ensure continuing compliance with the DPA in general and the data protection principles and rights of data subjects in particular. The principles are listed in the Annex to this Policy.
This policy is a supporting policy of the UCL Information Security Policy. Its scope is as defined in section 1.4 of that Policy:
“The policy applies to all staff and students of UCL and all other computer, network or information users authorized by the College or any department thereof. It relates to their use of any UCL-owned facilities (and those leased by or rented or on loan to UCL), centrally managed or otherwise; to all private systems (whether owned, leased, rented or on loan) when connected to the UCL network; to all UCL-owned or licensed data and programs (wherever stored); and to all data and programs provided to UCL by sponsors or external agencies (wherever stored). The policy also relates to paper files and records created for the purposes of UCL business.”
‘”Personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”
Sensitive personal data
- the racial or ethnic origin of data subjects
- their political opinions
- their religious beliefs or other beliefs of a similar nature
- whether they are members of a trade union
- their physical or mental health or condition
- their sexual life
- the commission or alleged commission by them of any offence, and any proceedings for such offences.
Although the DPA does not define ‘health’, the term should be understood broadly, to include preventative medicine, medical diagnosis, DNA sequences, medical research, provision of care and treatment and the management of healthcare services.
Personal demographic data, such as personal addresses and financial data (including salaries) are not sensitive personal data, but should be treated with similar care.
Manual Personal Data
Personal data recorded as part of a relevant filing system in paper or other non-electronic format.
Obtaining, recording or holding personal data. This includes organisation, adaptation or alteration; retrieval, consultation or use; disclosure; and alignment, combination, blocking, erasure or destruction.
Relevant Filing System
Manual personal data structured by reference to individuals in such a way that information relating to a particular individual is readily accessible.
A collection of one or more data sets or files that are being processed for permitted purposes under the direction of a clearly identified member of UCL staff - the Data Owner.
As the organisation which determines the purposes of the processing, UCL is the Data Controller for the personal data that it manages.
Data Protection Officer
The UCL member of staff with lead responsibility for UCL’s compliance with the DPA.
The UCL member of staff with lead responsibility for permitting and managing the retention and processing of a data holding for which UCL is the Data Controller. Data Owners delegate responsibility for personal data elements to Data Custodians.
The individual unit or person identified by the data owner to be responsible for the collection, creation, modification and deletion of specified personal data element(s)
A person appointed by a Head of Department or Division with responsibility and authority to implement the Information Security Policy and supporting policies in respect of a UCL-wide or departmental system, to ensure that the security measures adopted for systems under his/her control meet the requirements of these policies and to carry out the duties as set out in the associated Codes of Practice. In the case of a large system some duties may be delegated, to named persons whose particular duties are set out in writing, although the Custodian retains overall responsibility for the security of that system.
A living individual who is the subject of personal data
Any third party (other than UCL staff and students) who processes personal data on behalf of and on the instructions of the Data Controller.
5. Roles and responsibilities
Information Strategy Committee
The Committee is responsible for defining UCL’s information security policy and for ensuring it is discharged by all academic and administrative departments and divisions through Heads of Departments.
ICT Infrastructure Sub-Committee
ICT Infrastructure Sub-Committee advises the ISC on matters related to compliance with this policy, and is responsible for regularly reviewing it for completeness, effectiveness and usability.
Security Working Group
The Security Working Group acts as a focus for technical and other issues relating to information security and data protection within UCL. It makes recommendations to the ICTISC on strategy and policy matters in relation to data protection, and receives reports from the Data Protection Officer.
Data Protection Officer
The Data Protection Officer (email@example.com) has primary responsibility for UCL’s compliance with the DPA. This comprises:
- maintaining UCL’s notification with the Information Commissioner’s Office
- ensuring completion of the Annual Survey of Personal Data Holdings
- handling subject access requests and requests from third parties for personal data
- promoting and maintaining awareness of the DPA and regulations, including training
- investigating losses and unauthorised disclosures of personal data.
The DPO is UCL’s main contact for the Information Commissioner’s Office.
Heads of Department / Division
Heads of Department / Division are responsible for ensuring their staff understand the role of the data protection principles in their day-to-day work, through induction, training and performance monitoring, and for monitoring compliance within their own areas of responsibility. They should also ensure Data Protection Coordinators are designated for their departments or divisions, and provided with appropriate training and support.
Data Protection Coordinators
Coordinators are required to:
- advise staff and students in their departments on the implementation of and compliance with this policy and any associated guidance / codes of practice
- ensure appropriate technical and organisational measures are taken within their departments to ensure against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- support UCL’s notification with the Information Commissioner’s Office by maintaining the register of holdings of personal data, including databases and relevant filing systems, and the purposes af processing
- keep the Data Protection Officer informed of changes in the collection, use, and security of personal data within their department
- report any loss of personal data to the Head of Department / Division and the Data Protection Officer
- ensure the proper completion of applications for the data protection registration of new research projects before they are submitted to the Records Office
- confirm compliance with the PCI Data Security Standard in relation to the records of credit card payments made through the department.
Data Owners are responsible for:
- establishing and monitoring measures, in accordance with this policy and the information security policy, to protect any holdings of personal data for which they are responsible
- ensuring that those holdings are registered as part of the annual survey of personal data holdings
- ensuring that any transfer of personal data to third parties is authorised, lawful and uses appropriate safe transport mechanisms such as encryption.
- authorising the downloading of electronic personal data on to portable devices or the removal of manual personal data from UCL premises
- informing their departmental Data Protection Coordinator when new holdings of personal data are established or when the purposes of processing change.
Data Custodians should ensure that their processing of personal data is compatible with the data protection principles, including the security and integrity of data sets.
Data processors have a contractual responsibility to act only on UCL’s instructions and to ensure that their processing of personal data provided by UCL is carried out in compliance with this policy and in accordance with the eight data protection principles. There should be a written agreement with data processors which adequately addresses these responsibilities.
Staff and students
All staff and students are responsible for:
- ensuring that their processing of personal data, including research data, in all formats (e.g. electronic, microfiche, paper, etc.) is compatible with the data protection principles
- raising any concerns in respect of the processing of personal data with the Data Protection Officer
- promptly passing on to the Data Protection Officer all subject access requests and requests from third parties for personal data
- reporting losses or unauthorised disclosures of personal data to the Data Protection Coordinator.
In order that UCL can continue to comply with the fourth data protection principle, staff and students should ensure the personal data they provide about themselves is up to date.
6. Security of personal data
All staff and students processing personal data should ensure that the data are secure: appropriate measures must be taken to prevent unauthorised access, disclosure and loss. Staff whose work includes responsibility for supervision of students have a duty to ensure that students observe the eight principles of the Act.
It is rarely necessary to store electronic personal data on portable devices such as laptops, USB flash drives, portable hard drives, CDs, DVDs, or any computer not owned by UCL. Similarly, manual personal data should not be regularly removed from UCL premises. In the case of electronic data, to minimise the risk of loss or disclosure, a secure remote connection to UCL should be used wherever possible.
Downloading personal data on to portable devices or taking manual personal data off-site must be authorised in writing by the Data Owner, who must explain and justify the operational need in relation to the volume and sensitivity of the data. The data must be strongly encrypted. Users should only store the data necessary for their immediate needs and should remove the data as soon as possible. To avoid loss of encrypted data, or in case of failure of the encryption software, an unencrypted copy of the data must be held in a secure environment. The Computer Security Team’s guidance on encryption should be followed: http://www.ucl.ac.uk/isd/common/cst/good_practice/encrypt.
Manual personal data and portable electronic devices should be stored in locked units, and they should not be left on desks overnight or in view of third parties.
In order to comply with the fifth data protection principle personal data should be securely destroyed when no longer required, with consideration for the format of the data. The Computer Security Team’s guidance should be followed for electronic data: http://www.ucl.ac.uk/isd/common/cst/good_practice/secure_disposal_guidelines.
Personal data must not be disclosed unlawfully to any third party. Transfers of personal data to third parties must be authorised in writing by the data owner and protected by adequate contractual provisions or data processor agreements, agree with UCL’s notification and must use safe transport mechanisms.
All losses of personal data must be reported to the Departmental Data Protection Coordinator and the Data Protection Officer. Negligent loss or unauthorised disclosure of personal data, or failure to report such events, may be treated as a disciplinary matter and could be considered gross misconduct.
7. Publication of staff information
UCL will make public as much corporate information as possible. The following types of personal information will usually be published:
- Names of members of the Council and the Provost’s Senior Management Team
- Lists and directories of staff, including name, internal telephone number and UCL email address
- Research expertise and academic achievements of academic and research staff
- Publication of research grants and awards
However, there are circumstances in which, for security and other reasons, agreed subsets of the above data about UCL staff will not be published. This is not within the scope of the Data Protection Act but is subject to UCL’s ex-directory policy..
8. Access to personal data
8.1 Subject access rights
Data subjects have a right of access to their personal data, including some unstructured manual personal data. Subject access requests must be made in writing, including Form 6 (http://www.ucl.ac.uk/efd/recordsoffice/data-protection/) or otherwise and sent to the Data Protection Officer. Data subjects must prove their identity.
Copies will be provided in permanent form promptly and in any event within 40 days. In the case of a request made in relation to examination marks or results, the timescale is extended to the earlier of:
· five months from the day on which the request was received; or
· 40 days from the announcement of the examination results.
Some personal data are exempt from the right of subject access, including confidential references provided by UCL, examination scripts and research data.
UCL does not charge a fee for subject access requests.
Although the DPA applies only to living individuals, data about deceased persons who at the time of processing would be under 100 years old should be treated as personal data, unless the information is the subject of a valid request under Freedom of Information legislation.
It is sometimes necessary for UCL to monitor information and communications. This may include personal data. The circumstances in which monitoring may be carried out, and procedures for doing so, are described in the UCL Policy on Monitoring Computer and Network Use: http://www.ucl.ac.uk/isd/common/cst/swg/policy/public-policy/Monitoring.
8.3 Third party access
In certain circumstances the DPA provides for disclosure of personal data, without the consent of the data subject, to certain organisations. Requests for such disclosures from third parties, such as the police, UK Border Agency, local authorities or sponsors, should be made in writing and handled by the Data Protection Officer. This will ensure the validity of the request and any warrants or orders of court can be checked. Staff disclosing personal data may not be protected by an invalid warrant.
9. Records Management
Records in all formats containing personal data must be created, stored and disposed of in accordance with UCL’s Records Management Policy and any associated procedures and codes of practice. They must be authentic, reliable and usable and capable of speedy and efficient retrieval. They must be retained for no longer than the periods permitted in UCL’s retention schedule and, when no longer required for operational reasons, must be transferred to UCL’s in-house records storage facility or institutional archive (if selected for permanent preservation) or disposed of securely and confidentially.
10. Research using personal data
Personal data processed for research, statistical and historical purposes must not be used to support decisions with respect to data subjects or processed so as to cause them substantial damage or distress. Notwithstanding the fifth data protection principle, such data may be kept indefinitely. They may also be further processed for other research purposes and are exempt from the right of subject access as long as the results of the research do not identify data subjects.
Staff and students using personal data in research must:
- understand how personal data may be used in research
- use the minimum data necessary for the research, including, wherever possible, anonymised or pseudonymised data
- ensure their processing complies with all the data protection principles
- inform Data Protection Coordinators about research before processing of personal data begins
- register all research projects involving personal data with the Records Office before processing begins
- where relevant, inform data subjects about the purposes of the processing and ensure valid written consent is obtained
- ensure all personal data collected are necessary for the purpose(s) of the research
- keep the data securely
- ensure personal data are destroyed confidentially, stored with the Records Office or otherwise disposed of in compliance with agreements with funders.
This document is a part of UCL's information security policy and has been approved by UCL's Information Strategy Committee. It is a condition of employment that employees will abide by the regulations and policies made by UCL. Likewise, these latter are an integral part of the regulations for students.
THE DATA PROTECTION PRINCIPLES
It is the duty of data controllers and data processors to comply with all the data protection principles. These are set out in Schedule 1 of the Data Protection Act 1998, from which the following extract is taken:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory
outside the European Economic Area unless that country or territory ensures an
adequate level of protection for the rights and freedoms of data subjects in
relation to the processing of personal data.
 DPA section 1
 DPA section 2
 DPA section 1
 DPA section 1
Page last modified on 14 may 13 11:48