
Data Protection

We treat your personal information with respect, according to regulations and our Data Protection Policy. There are a number of reasons we handle personal information as detailed in our Data Protection Statements.


Data Protection Statement for Students.

Data Protection Statement for Alumni.

Data Protection Statements for Senior Members and Candidates for Senior Membership.

Data Protection Statements for Staff and Job Applicants.

Data Protection Statements for Event Organisers and Visitors/Guests.

Data Protection Statement for College Nursing Records.

Please visit our Privacy & Cookies page for information on how the College collects and uses your personal information for operating and improving our webpages, analysing their use and ensuring the security of our website.

Data Protection Policy

Personal information, its processing and privacy.

Purpose and scope 

1. The purpose of this policy is to ensure compliance with data protection law in the UK (the General Data Protection Regulation and related EU and national legislation). Data protection law applies to the processing (collection, storage, use and transfer) of personal information (data and other personal identifiers) about data subjects (living identifiable individuals).

2. Under data protection law, the College is identified as a data controller and as such is subject to a range of legal obligations. For clarity, the University of Cambridge and the other Colleges in Cambridge are separate data controllers, with their own policies and procedures. Sharing of personal information between the University and the Colleges is covered by a formal .

3. This policy applies to all staff and members of the College, except when they are acting in a private or external capacity. For clarity, the term staff means anyone working in any context for the College at any level or grade (whether permanent, fixed term or temporary), including employees, retired but active members and staff, visiting Fellows, workers, trainees, interns, seconded staff, agency staff, agents, volunteers, and external members of College committees. Equally, the term member includes senior members and junior members of the College when they are handling or processing personal information on behalf of the College, except when they are acting in a private or external capacity.

4. This policy should be read in conjunction with: 

  • policies, procedures and terms and conditions of the College and, where relevant, similar documents of the University of Cambridge with regard to:
     
    • College Statutes and Ordinances; staff employment contracts and comparable documents (which outline confidentiality obligations when processing information of the College);
    • information security;
    • acceptable use of IT facilities (including use of personal devices);
    • records management and retention;
    • any other contractual obligations on the College or the individual which impose confidentiality or information management obligations (which may at times exceed those of College policies with respect to storage or security requirements – e.g. for funded research).
    • all audience-specific Data Protection Statements

5. This policy is reviewed by the Information & Records Working Group and approved by the College Council. It is reviewed every year. The College Council remains responsible for ensuring appropriate resources are in place to achieve compliance with data protection law in line with an appropriate overall risk profile.

Obligations of the College

6. The College upholds data protection law as part of everyday working practices, through:

a) ensuring all personal information (see Annex) is managed appropriately through this policy;

b) understanding, and applying as necessary, the data protection principles (see Annex) when processing personal information;

c) understanding, and fulfilling as necessary, the rights given to data subjects (see Annex) under data protection law;

d) understanding, and implementing as necessary, the College’s accountability obligations (see Annex) under data protection law; and

e) the publication of data protection statements outlining the details of its personal data processing in a clear and transparent manner.

7. The College shall appoint a statutory data protection officer, who will be responsible for:

a) monitoring and auditing the College’s compliance with its obligations under data protection law, especially its overall risk profile, and reporting on such annually to the College;

b) advising the College on all aspects of its compliance with data protection law;

c) acting as the College’s standard point of contact with the Information Commissioner’s Office with regard to data protection law, including in the case of personal data breaches; and

d) acting as an available point of contact for complaints from data subjects.

8. The College shall otherwise ensure all members and staff are aware of this policy and any associated procedures and notes of guidance relating to data protection compliance, provide training as appropriate, and review regularly its procedures and processes to ensure they are fit for purpose. It shall also maintain records of its information assets.

9. Individual members and staff are responsible for:

a) completing relevant data protection training, as advised by the College;
b) following relevant College policies, procedures and notes of guidance;
c) only accessing and using personal information as necessary for their contractual duties and/or other College roles;
d) ensuring personal information they have access to is not disclosed unnecessarily or inappropriately;
e) where identified, reporting personal data breaches, and co-operating with College authorities to address them; and
f) only deleting, copying or removing personal information when leaving the College as agreed with the College and as appropriate.

Non-observance of the responsibilities in paragraph 9 may result in disciplinary action against individual members or staff.

10. The obligations outlined above do not waive any personal liability for individual criminal offences for the wilful misuse of personal data under data protection legislation.

Subject Access Requests

The UK General Data Protection Regulation (UK GDPR) provides you - the Data Subject - with a right to receive a copy of the personal information that Wolfson College holds about you, or to authorise someone to request the information on your behalf.

Should you wish to make a request for your personal data, please email the College at sar@wolfson.cam.ac.uk. Please include sufficient detail with your request to enable us to identify you, e.g. your name, connection to the College, matriculation year, the role that you were employed in, the dates you were employed, any other name(s) that you might have been known by at that time, the period to which your enquiry relates, etc. We may ask you for proof of your identity if this cannot be clearly established.

Alternatively, you may find it easiest to complete a and return it to sar@wolfson.cam.ac.uk or by post to the Data Protection Officer, Wolfson College, Cambridge CB3 9BB.

There is not normally a charge for a Subject Access Request, but the College may charge if your request is lengthy to process or if you make repeated requests. 

The College will aim to provide you with a copy of the information we hold about you within one calendar month of receiving a valid request.  In rare circumstances where we cannot meet that deadline, we will contact you within that calendar month to tell you the reasons why and give you a realistic date of when we will provide the information. This should be no longer than 3 months from the original date of a valid application.  We will keep you up to date with progress if this is the case. 

If you are requesting access to, or copies of, CCTV images, please contact the Business Services & IT Manager as soon as possible, as footage is only retained for 30 days. The College’s CCTV Policy gives further details.

Requests for personal information on behalf of someone else

If you wish to make an enquiry on behalf of somebody else, please complete the .  Please note that written authorisation and valid proof of identity are required from the data subject before a request can be processed. Without the necessary authorisation, the requested information will not be provided. You must also provide two items of evidence of your identity.

Complaints

If you are unhappy about the way in which your subject access request has been handled (usually if your request for information has been denied, in whole or in part), you should complain to the College in the first instance by email to the President (president@wolfson.cam.ac.uk).  Such a complaint is known as a request for an 'internal review' and will be handled by a Senior Officer rather than the person who handled your original request.  

If you require further assistance, you may contact the College’s Statutory Data Protection Officer:

Statutory Data Protection Officer
Office of Intercollegiate Services
12b King’s Parade
Cambridge
CB2 1SJ

Tel: 01223 768745
Email: college.dpo@ois.cam.ac.uk


If you are not content with the outcome of an internal review, you may apply to the Information Commissioner's Office, the independent body which oversees the Freedom of Information Act (FOIA), who will investigate your enquiry and decide whether your request for information has been dealt with in accordance with the requirements of the FOIA:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF


How we use your personal information to handle your Subject Access Request

The Data Protection Officer will use your personal information to log, consider and answer your Subject Access Request. We will liaise with colleagues internally (including those collating the information requested) as well as, on occasion, external advisors and/or third parties who may need to process your data on behalf of the College.

If you pursue a complaint to the Information Commissioner’s Office, we will share your information as necessary in answering regulatory enquiries and making submissions.

These uses of your personal information are necessary to fulfil our legal obligations in handling such requests.

Annex

Legal Definition of personal information

Personal information is defined as data or other information about a living person who may be identified from it or combined with other data or information held. Some ‘special category data’ (formerly sensitive personal data) are defined as information regarding an individual’s racial or ethnic origin; political opinion; religious or other beliefs; trade union membership; physical or mental health or condition; sexual life; or criminal proceedings or convictions, as well as their genetic or biometric information.

Data Protection Principles

The data protection principles state that personal data shall be:

  • processed (i.e. collected, handled, stored, disclosed and destroyed) fairly, lawfully and transparently. As part of this, the College must have a ‘legal basis’ for processing an individual’s personal data (most commonly, the processing is necessary for the College to operate a contract with them, the processing is necessary to fulfil a legal obligation, the processing is in the legitimate interests of the College and does not override their privacy considerations, or they have consented to the processing);
  • processed only for specified, explicit and legitimate purposes;
  • adequate, relevant and limited;
  • accurate (and rectified if inaccurate);
  • not kept for longer than necessary;
  • processed securely.

Accountability

The College is required under law to:

  • comply with data protection law and hold records demonstrating this;
  • implement policies, procedures, processes and training to promote ‘data protection by design and by default’;
  • have appropriate contracts in place when outsourcing functions that involve the processing of personal data;
  • maintain records of the data processing that is carried out across the College;
  • record and report personal data breaches;
  • carry out, where relevant, data protection impact assessment on high risk processing activities;
  • cooperate with the Information Commissioner’s Office (ICO) as the UK regulator of data protection law;
  • respond to regulatory/court action and pay administrative levies and fines issued by the ICO.

Data Subject Rights

An individual’s rights (all of which are qualified in different ways) are as follows:

  • the right to be informed of how their personal data are being used. This right is usually fulfilled by the provision of ‘privacy notices’ (also known as ‘data protection statements’ or, especially in the context of websites, ‘privacy policies’) which set out how an organisation plans to use an individual’s personal data, who it will be shared with, ways to complain, and so on;
  • the right of access to their personal data;
  • the right to have their inaccurate personal data rectified;
  • the right to have their personal data erased (right to be forgotten);
  • the right to restrict the processing of their personal data pending its verification or correction;
  • the right to receive copies of their personal data in a machine-readable and commonly-used format (right to data portability);
  • the right to object:
    • to processing (including profiling) of their data that proceeds under particular legal bases;
    • to direct marketing; and
    • to processing of their data for research purposes where that research is not in the public interest;
  • the right not to be subject to a decision based solely on automated decision-making using their personal data.


Last updated: 23 May 2018