General Data Protection Regulations Policy: Sept 2022 - Sept 2025
POLICY TITLE: General Data Protection Regulations Policy
DOCUMENT NUMBER: 6.1
GROUPING POLICY: Security, Confidentiality & Information
AUTHOR / REVISOR / OWNER: DPO (The Data Protection Officer)
DATE OF CURRENT VERSION: Sept 2022
REVIEW DATE: Sept 2025
IMPACT ASSESSED: Yes
APPROVED BY: CMG
DATE: 9th October 2022
SCOPE
This policy sets out the College’s rules for compliance with the General Data Protection Regulation (GDPR) and specifies the legal conditions that must be satisfied in relation to the obtaining, handling, processing, transportation, and storage of Personal Data.
The personal data may relate to present and past individuals.
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees and contractors will abide by the rules and policies made by the College. Any failures to follow the policy can therefore result in disciplinary proceedings.
Any member of staff who considers that the policy has not been followed in respect of Personal Data about themselves or another individual should initially raise the matter with their line manager or the College’s Data Protection Officer. If the matter is not resolved, it should be raised as a formal grievance.
The requirement to comply with these regulations applies equally to activities performed both on and off college premises.
PURPOSE
Introduction and Definitions
As a Data Controller, the College needs to collect and process information, including personal information about the individuals that it deals with, in order to operate effectively and efficiently.
Personal Data
GDPR defines personal data as “any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier”.
This definition provides for a wide range of personal identifiers to constitute personal data including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
GDPR applies to all personal data held electronically and to personal data held in manual filing systems where it is accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised (e.g., key-coded) can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to an individual.
Special Categories of personal data
Special Category Data is personal data which the GDPR says is more sensitive and so needs more protection. It is information about an individual’s:
- Race
- Ethnic Origin
- Politics
- Religion
- Trade Union Membership (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992).
- Genetics
- Biometrics (where used for ID purposes)
- Sexual Life or Sexual Orientation
- Health
Personal data relating to criminal convictions and offences are not included, but similar safeguards apply to their processing (see Article 10 of the GDPR).
Processing of personal data relating to criminal convictions and offences, or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of individuals. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
Individuals and organisations that determine the purposes for which, and the manner in which, personal data is processed are termed “data controllers” and are subject to the GDPR. East Durham College is a data controller.
The act of “processing” personal data is a wide-ranging activity that includes obtaining, recording, holding, or storing personal data and carrying out any operations on it such as adaptation, alteration, use, disclosure, transfer, erasure, and destruction.
1. The Data Protection Principles
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
*Article 5 of the GDPR states that personal data shall be:
- “Processed lawfully, fairly and in a transparent manner in relation to individuals.
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.”
* Reproduced from the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 APRIL 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Article 5.2 states that: “the controller shall be responsible for and be able to demonstrate compliance with the principles.”
2. Role of the College Data Protection Officer
The College will ensure that it always has a nominated Data Protection Officer.
The Principal & Chief Executive has delegated responsibility to the Data Protection Officer to co-ordinate corporate data protection compliance across the College, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
The Data Protection Officer should be the first point of contact for:
- Queries regarding the College’s data protection responsibilities.
- Information and advice to College staff regarding data protection compliance.
- Subject access requests.
- Liaison with the Information Commissioner’s Office (ICO), including preparation and submission of the College’s annual data protection notification.
3. The Rights of Individuals
GDPR gives certain rights to individuals regarding their data. These are:
- The right to be informed
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The rights related to automated decision-making including profiling
The right to be informed requires the College to inform individuals what information is being processed, for what purpose and for how long it will be retained. This is done in the form of a privacy statement which is published on the College website and issued to individuals at various points of contact or when data is being obtained. The privacy statement is referenced to the ICO GDPR document controller template in the document retention policy.
Individuals may request access to the information processed about them. Such a request is known as a “subject access request” and allows individuals to verify the lawfulness of the processing by the College and request rectification of any errors.
Individuals may request that no further processing of the data takes place, object to the data being processed, or request that it is erased.
GDPR allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Not all of these rights are absolute; some apply only in certain circumstances and require the College to confirm the lawful basis for processing or to comply with the request.
All subject access requests should be addressed to the College Data Protection Officer. Any other staff who receive such a request must immediately forward it to the Data Protection Officer.
They can be made using these forms:
GDPR Subject Information Access Request - Individual
GDPR Subject Information Access Request - On Behalf of Someone Else
The College will process the request free of charge; however, if the request is deemed to be manifestly unfounded or excessive, particularly if it is repetitive, the College can refuse to respond or charge an administration fee.
The College may charge a fee to comply with requests for further copies of the same information. The College will not process a request until it is in receipt of the request in writing, proof of identity and any fee to be charged.
Once the College has received all three items, the individual will be informed of the decision or the information will be supplied within one month of receipt.
Where requests are complex or numerous, the College will have the option to extend the period of compliance by a further two months by informing the individual, within one month of receipt of the request, of the extension and why it is necessary.
4. Responsibilities of Staff
Staff are required to:
- Abide by the College’s GDPR policy and the GDPR principles
- Abide by the College’s GDPR Policy when handling data Off-Campus.
- Abide by all supporting documents and policies referred to in this document e.g., the Electronic Communications Policy and Computer Usage Policy.
All members of staff are responsible for ensuring that they adhere to the GDPR during their employment. Staff are also responsible for ensuring that the personal data the College holds about them is accurate and up to date by informing the College of any changes or errors immediately.
Staff who process personal data in connection with their East Durham College employment are permitted to do so under the College’s notification to the ICO and as contained in the ICO GDPR document controller.
Managers of all departments are responsible for ensuring that their staff comply with the College’s GDPR policy and procedures and shall actively promote compliance to their staff. Managers of departments are also responsible for enforcing GDPR compliance in PARs and team meetings, for undertaking data protection training provided by the College, and for working with the Quality Department to respond to subject access requests. All staff who process personal data and/or line manage staff who process personal data will be required to undertake general staff training provided by the College.
The Technical Services team, in conjunction with the HR team, will ensure that all staff have access to data as appropriate to their job role.
5. Responsibilities of Learners
Learners agree to abide by the College’s GDPR policy each year when they enrol. By enrolling with the College, learners agree to:
- Abide by the College’s GDPR Policy and the GDPR principles
- Abide by the College’s GDPR Policy when handling data Off-Campus.
- Abide by the Electronic Communications policy and Computer Usage Policy.
All learners are responsible for ensuring that they adhere to the GDPR. They are also responsible for ensuring that the personal data the College holds about them is accurate and up to date by informing the College of any changes or errors immediately.
Learners who process personal data in connection with their East Durham College course of study or extra-curricular, social, or other activities undertaken as an East Durham College student or acting as a representative of the student body within their college or department, are permitted to do so under the College’s notification to the ICO.
The processing of personal data by East Durham College’s Student Union is permitted under the College’s notification to the Information Commissioner’s Office and detailed in the ICO GDPR document controller template.
6. Use of Personal Data by Contractors and Consultants
Where a third party such as a consultant or contractor undertakes work on behalf of the College which involves the processing of personal data, the College remains the data controller of that data. The contractor or consultant must satisfy the College that they comply with the GDPR prior to any work being undertaken.
7. Training
The College will provide GDPR training to all staff and will also make general data protection awareness training and information available to all staff.
8. Notification to the Information Commissioner’s Office
The College will notify the Information Commissioner’s Office (ICO) as required of its personal data processing activities to evidence compliance with GDPR. The notification process includes informing the ICO of the following:
- The purposes for which the College processes personal data.
- The types of individuals (or “data subjects”) to whom this personal data relates.
- The types of data (or “data classes”) processed.
- The individuals or organisations to whom this personal data is disclosed or intended to be disclosed.
- The countries or territories outside of the European Economic Area, if any, to which personal data is transferred, or intended to be transferred.
The College’s current notification can be viewed on the website of the ICO.
The College will retain detailed evidence of compliance with GDPR by completing the ICO GDPR document controller template contained in the Records Management Policy.
The Data Protection Officer will undertake an annual data protection audit with College Managers to ensure that the College’s notification remains up to date.
Staff and learners must only process personal data for the purposes listed within the College’s current notification. Staff or learners who wish to process personal data for any other purpose must discuss their proposal with the Data Protection Officer before they begin so that, if appropriate, the College’s notification can first be amended appropriately. Processing undertaken outside of the College’s notification is unlawful.
9. Transfer of Data to Third Parties
Personal data must not be disclosed to any third party (including family members and the police) except in the following circumstances:
- The individual has given consent. This is unambiguously achieved by gaining written consent.
- It is necessary to protect the vital interests of the data subject.
- It is necessary to prevent serious harm to a third party.
- It is required to safeguard national security.
- It is necessary for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty.
- It is necessary for the discharge of regulatory functions including securing the health, safety and welfare of persons at work.
- It is available to the public anyway by law.
- It is necessary to establish, exercise or defend legal rights.
- It has been published.
The College has legal and statutory responsibility to disclose personal data to some third parties (see Appendices Containing Privacy Notices).
Staff should refer to their departmental procedures or line manager to confirm rules on disclosure and transfer of information.
10. Security of Personal Data and Data Breaches
Staff and learners must ensure that they employ safeguards for personal data proportional to the risks presented in their processing activities. Examples of data breaches are:
- Sending personal data to an incorrect recipient
- Alteration of personal data without permission
- Access by an unauthorised third party
- Loss of a memory stick containing personal information
College staff and learners must not take personal data off-campus unless necessary and with the permission of their line manager. Staff and learners who must take personal data off-campus must abide by the College’s GDPR Policy and any related technical policies or procedures produced by Technical Services.
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. The College must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting an individual’s rights and freedoms, the College must also inform those individuals without undue delay.
The College must keep a record of the breach even if not reporting it.
Failure to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2% of gross turnover.
Full details are contained in the Identifying and Reporting Data Breaches procedure document.
11. Exemptions
There are some exemptions to GDPR which are necessary to safeguard:
- National security
- Defence
- Public Security
- The prevention, investigation, detection, or prosecution of criminal offences.
- Other important public interests, economic or financial interests, including budgetary and taxation matters, public health, and security
- The protection of judicial independence and proceedings.
- Breaches of ethics in regulated professions.
- Monitoring, inspection, or regulatory functions connected to the exercise of official authority regarding security, defence, other important public interests, or crime/ethics prevention.
- The protection of the individual, or the rights and freedoms of others.
- The enforcement of civil law matters.
12. Transfers of Personal Data to non-EEA Countries and Territories
The College will not release personal data to any country or territory outside of the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection to data subjects, except where the transfer of staff or learner personal data to institutions outside of the EEA for the purpose of study, employment or placement is required.
Staff and learners must not transfer data outside of the EEA before contacting the Data Protection Officer to establish whether adequate national data protection laws exist, or adequate organisational policies or agreements have been put in place.
13. Electronic Records and the Internet
Internet publishing of personal data that is available outside of the EEA is in contravention of the GDPR. Such publishing is only permissible either:
- Where the data subject has given consent. This is unambiguously achieved by gaining written consent.
- Where the personal data is already publicly available in another form. In this case it is best practice to inform the individual of the intention to web publish.
14. Retention and Disposal of Records containing Personal Data
Staff and learners must only retain personal data for the length of time it is required for the specific purpose for which it was collected.
Staff and learners must consult the College’s ICO GDPR document controller template for confirmation of the length of time records should be retained and then, when expired, how to destroy them.
Staff and learners must ensure that the destruction of personal data is carried out confidentially and completely. Where multiple copies of the data exist, all paper and electronic copies must be destroyed. Where personal data is recorded in paper form, the paper must be securely shredded or incinerated.
15. Further Information
Further information can be found on the College’s Data Protection web pages and on the ICO website.
Specific queries about GDPR and requests for copies of this policy in alternative format should be addressed to the Data Protection Officer by writing to:
The Data Protection Officer
The Quality Department
East Durham College
Willerby Grove
Peterlee
County Durham
SR8 2RN
Appendix 1
1.1 How we use Staff Personal Data
This privacy notice is issued by East Durham College. It is to inform staff how their personal information will be used by East Durham College.
Your personal information is used by East Durham College to exercise its legal functions and meet its statutory responsibilities to provide education and employment.
Your information will be securely stored and securely destroyed after it is no longer required for these purposes, as detailed in the ICO GDPR document controller template.
Your information will be shared by the College with organisations contracted to work on its behalf, which could include its pension providers, insurers, or legal consultants. The College may also disclose data to auditors undertaking investigations.
Your information will be shared with the Education and Skills Funding Agency (ESFA) and the Secretary of State for the Department of Education (DfE), and may be shared with third parties for education, training, employment, and well-being related purposes including research. This will only take place where the law allows it and the sharing is in compliance with data protection legislation.
Personal data is normally initially provided to the College by a member of staff on a job application form. The College will add further data during employment in line with the business purposes specified in its data protection notification.
After employment ends, staff records are retained and disposed of in line with the ICO GDPR document controller template. The personal data of unsuccessful job applicants are also retained and disposed of in line with the College’s ICO GDPR document controller template.
The following are examples of how a member of staff’s personal data may be used:
- Managing Human Resources processes such as recruitment and promotion.
- Managing the absence control policy.
- Monitoring equal opportunities.
- Providing facilities, such as the IT service and Library service.
- Preventing and detecting crime, such as using CCTV or attaching photos to ID cards.
- Improving the quality of teaching and learning through recording of lessons through the IRIS system.
- Maintaining contact with past employees.
- Fundraising and marketing.
- Making external/statutory returns, such as to Ofsted.
1.2 Special Category Data
Special Category Data includes:
- Race
- Ethnic Origin
- Politics
- Religion
- Trade Union Membership (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992).
- Genetics
- Biometrics (where used for ID purposes)
- Sexual Life or Sexual Orientation
- Health
1.3 Health Information
Information on a member of staff’s health may be required as a condition of employment. The College may also, in exceptional circumstances, contact third parties, such as medical professionals or next of kin, concerning the health of a member of staff when it believes it is reasonable and/or in the best interests of the member of staff to do so. The College will attempt to gain prior consent from the member of staff, but where consent cannot or will not be given it may act without consent. The Director of Human Resources should be consulted before any contact is made with third parties.
Personal data is also shared as necessary across the College with respect to the absence monitoring system.
1.4 Visual Images
Each member of staff is required to provide a digital image of themselves for reproduction on their College campus I.D. card, which will be used for the purpose of identification.
The College may commission photography on campus or at specific events, such as award ceremonies, for use in its promotional material. Staff may appear on the resulting images, which may be published with staff consent.
1.5 I.T. Facilities
The College routinely logs information about use of IT facilities for statistical purposes and to ensure effective systems operations. The College may also monitor electronic communications to ensure that they are being used in accordance with the College’s Computer Usage Policy and, specifically, to prevent or detect crime. All activities comply with GDPR and the Regulation of Investigatory Powers Act 2000.
1.6 Criminal Convictions and Disclosure and Barring Service (DBS) Checks
The College is required to obtain information about past criminal convictions as a condition of employment for certain posts. The College also undertakes DBS checks on those staff who work with young and/or vulnerable people.
See the Disclosure and Barring Service Policy for further details.
Appendix 2
2.1 How we use Learner Personal Data
This privacy notice is issued by East Durham College. It is to inform learners how their personal information will be used by East Durham College.
Your personal information is used by East Durham College to exercise its legal functions and meet its statutory responsibilities to provide education.
Your information will be securely stored and securely destroyed after it is no longer required for these purposes, as detailed in the ICO GDPR document controller template.
Your information will be shared with the Education and Skills Funding Agency (ESFA) and the Secretary of State for the Department of Education (DfE), and may be shared with third parties for education, training, employment, and well-being related purposes including research. This will only take place where the law allows it, and the sharing is in compliance with data protection legislation.
The College may need to disclose learners’ personal data to organisations contracted to work on its behalf, which could include its insurers or legal consultants. In certain circumstances the College passes the personal data of learner debtors to an external debt collection agency if the College has been unable to recover the debt by normal internal processes. The College may also disclose data to auditors undertaking investigations, and to selected individuals or organisations acting on behalf of the College, such as external organisations undertaking market research.
Your consent is required to capture, retain and process some of your personal data and you have the opportunity to opt-in to give consent.
The College may, to protect the vital interests of the learner or another person, contact third parties, such as medical professionals or next of kin, concerning the health of a learner when it believes it is reasonable and/or in the best interests of the learner to do so. The College will attempt to gain prior consent from the learner before doing so, but where consent cannot or will not be given it might act without consent.
The following are examples of how a learner’s personal data may be used:
- Administering study, such as recording of achievements, determination of award.
- Providing learner support services, such as counselling or careers advice or services for learners with disabilities.
- Providing facilities, such as the IT service and Library service.
- Contacting learners electronically, such as by SMS text messaging, to forward high priority or emergency information.
- Administering finance, such as payment of fees.
- Monitoring equal opportunities.
- Preventing and detecting crime, such as using CCTV or attaching photos to ID cards. A learner involved in serious misconduct may have their details passed to the Police.
- Improving the quality of teaching and learning through recording of lessons through the IRIS system.
- Fundraising and marketing of the College.
- Processing learner academic appeals and learner discipline cases.
- Personal information on a learner’s health may be required prior to admission to certain programmes of study or as a condition of employment for work placement or fieldwork for health and safety or insurance purposes.
The College may commission photography on campus or at specific events, such as award ceremonies, for use in its promotional material. Students may appear on the resulting images, which may be published with their consent, which is collected at enrolment.
Appendix 3
3.1 How we use Personal Data of Persons who are neither Staff nor Students
This privacy notice is issued by East Durham College. It is to inform individuals how their personal information will be used by East Durham College.
Your personal information is used by East Durham College to exercise its legal functions and meet its statutory responsibilities.
Your information will be securely stored and securely destroyed after it is no longer required for these purposes, as detailed in the ICO GDPR document controller template.
Your information will be shared with the Education and Skills Funding Agency (ESFA) and the Secretary of State for the Department of Education (DfE), and may be shared with third parties for education, training, employment, and well-being related purposes including research. This will only take place where the law allows it and the sharing is in compliance with data protection legislation.
Your consent is required to capture, retain and process some of your personal data and you have the opportunity to opt-in to give consent.
The College may, to protect the vital interests of the individual, contact third parties, such as medical professionals or next of kin, concerning the health of an individual when it believes it is reasonable and/or in the best interests of the individual to do so. The College will attempt to gain prior consent from the individual, but where consent cannot or will not be given it might act without consent.
Examples of individuals covered by this privacy statement are:
3.2 Enquirers
The College holds personal data about individuals who make enquiries about the courses it runs, in order to correspond with them.
3.3 Contact with Schools and Other Colleges
East Durham College holds records of all major organised events involving contact with schools and colleges, including details of participants. Personal data of each participant is held by the College to organise and administer marketing and induction events.
3.4 Visitors to the College, including the College Salon, Restaurant, College Gym and EDC Travel
The College holds personal data about individuals for the purposes of safeguarding, security and making reservations in the salon and restaurant.
3.5 Nursery Children and adults with parental responsibility
The College holds personal data about children registered in the nursery, and that of their parents or other adults with parental responsibility, to comply with its legal requirements. Some information requested outside of the legal requirements will be requested by consent.
3.6 College Governors
The College holds personal data about individuals serving as Governors of the College to comply with its legal requirements. Some information requested outside of the legal requirements will be requested by consent. Each governor is required to provide a digital image of themselves for reproduction on their College I.D. card, which will be used for the purpose of identification.
The College may commission photography on campus or at specific events, such as award ceremonies, for use in its promotional material. Governors may appear on the resulting images, which may be published with their consent.
SUPPORTING DOCUMENTS & RECORDS
- Freedom of Information Policy
- Electronic Communications Policy
- Computer Usage Policy
- Information Security Policy
- Records Management Policy
- Staff Guidance for Data Protection
- Working from Home Policy
- Disclosure and Barring Service Policy
Document Control
This document is issued and controlled by Quality & Standards and may only be modified by the designated group after proposed modifications have been accepted by the College Management Group. The latest version of the policy will be maintained on the College Extranet.
Please feed back to Quality & Standards any constructive suggestions on how any aspect of the policy may be clarified or improved.