Paralegal College UK
Data Protection Policy
1. Paralegal College is a registered data controller. We have responsibilities to our students, to members of staff, to members of the public, and we are legally bound by data protection legislation.
2. Responsibility for compliance with this policy and the relevant data protection legislation is jointly held by the Director of Studies, the Equality Officer, and the Accreditations and Examinations Officer, and may include the involvement of the IT manager.
3. Any breach of data protection is a very serious matter and may cause the data subject, i.e. our student or staff member or other person, great difficulties, or worse. It is therefore imperative that this data protection policy is strictly adhered to.
4. We need to collect information from our students, such as their name, address, telephone number and date of birth. We may also need to collect information about a student’s parent or employer. In addition, we may need to store information about other people, such as suppliers, other business contacts, and others.
5. In this policy note we set out how data must be collected, handled and stored in order to comply with this policy and in order to comply with data legislation.
6. Staff will be sensitive to the fact that a student who is a minor is accorded greater protections under data protection legislation and that, for some matters relating to that student’s personal data, parental permission will be required.
Purpose of our data protection policy
1. This data protection policy is designed to ensure that we, Paralegal College:
comply with data protection legislation and follow good practice;
protect the rights of staff, students, and other partners, such as organisations we do business with and students’ employers;
are open about how we store and process individuals’ data;
protect ourselves from the risks of a data breach.
Relevant data protection legislation
2. The Data Protection Act 1998 c. 29 (hereafter ‘the Act’) describes how all organisations, including Paralegal College, must collect, handle and store personal information. Note that it does not matter how information is stored – the rules apply to all modes of information storage including whether data are stored electronically, on paper, or by any other method.
3. The guiding principle of compliance is that personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
4. Schedule 1 Part 1 of the Act states the eight principles which all data controllers and their staff must follow when processing personal data:
1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 (see Appendix) is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4 Personal data shall be accurate and, where necessary, kept up to date.
5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6 Personal data shall be processed in accordance with the rights of data subjects under this Act.
7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Where data may be sent
5. Countries to which personal data may be sent, but only with the express permission of the student or other data subject:
EEA member states;
Countries which are accredited members of the International Conference of Data Protection and Privacy Commissioners. We take this to be an adequate reflection of the requirements of the eighth principle provided for in the Act. However, first check with the Data Protection Officer.
6. This policy applies to the staff of Paralegal College, to any contractors or subcontractors, to any volunteers, interns or students engaged in work experience.
7. In this policy, a ‘data subject’ is any person whose personal data is held by Paralegal College, including staff, students, and other partners, such as organisations we do business with and students’ employers.
8. This policy aims to protect data subjects of Paralegal College and Paralegal College itself from:
a. Breaches of confidentiality, such as the inadvertent giving out of personal information where it is not expressly authorised by the data subject;
b. Any failure to give the data subject a choice as to how his or her data may be used. This is because it is a principle of our policy that all individuals should be free to choose how Paralegal College uses data relating to them;
c. Any reputational damage: for example, the College could suffer if sensitive data relating to any data subject were obtained by hackers.
9. Every person who works for, is contracted or sub-contracted by, or works with Paralegal College in any capacity whatsoever has some responsibility for ensuring that personal and other data are collected, stored and handled appropriately. The Education Officer, and those marking assessments, are responsible for the safe collection, storage and handling of data in regard to the work they undertake. The Data Protection Officer for Paralegal College is Dr John Olsson.
10. In particular, Dr Olsson is responsible for ensuring the safe collection, storage and handling of data and that Paralegal College meets its legal obligations under data protection legislation.
11. The Data Protection Officer will:
a. keep staff members updated regarding data protection responsibilities, risks and issues;
b. review all data protection procedures and related policies at least once a year, or more frequently in the event of amendments to data protection legislation;
c. arrange data protection training and advice for members of staff and others covered by this policy;
d. handle data protection questions from staff and anyone else covered by this policy;
e. deal with requests from individuals to see the data that Paralegal College holds about them (these are referred to as ‘subject access requests’);
f. check and approve any contracts or agreements with third parties that may handle the company’s sensitive data;
g. approve any data protection statements attached to communications such as emails and letters.
12. The IT manager, Mr Mike Slater, is responsible for:
a. ensuring all systems, services and equipment used for storing data meet acceptable security standards;
b. performing regular checks and scans to ensure that security hardware and software are functioning properly;
c. evaluating any third-party services the company is considering using to store or process data, such as cloud computing services.
Guidelines for staff
13. You will be able to access data covered by this policy only if you need it for your work.
14. You must not share data informally with colleagues. If you require data you do not currently have, you must request it from the Data Protection Officer.
15. Paralegal College will provide training to all employees to help them understand their responsibilities when handling data.
16. You must keep all data secure by:
a. taking sensible precautions;
b. using strong passwords;
c. never sharing passwords;
d. never disclosing personal data to unauthorised people, either within Paralegal College or externally;
e. updating and reviewing data, for example regarding students’ assignment progress, examinations passed, etc.;
f. requesting help from the Data Protection Officer whenever you are in doubt about some aspect of data protection for whatever reason.
17. If you are storing data on paper, when that data is not needed it must be kept in a locked filing cabinet or other storage system. Data stored on removable media must be kept locked securely when not in use.
18. Data must not be on display if and when unauthorised people are in your office.
19. Shred data printouts and dispose of securely when they are no longer required.
20. Do not leave printed sheets on a printer where they may be seen or taken by unauthorised persons.
21. Electronically stored data must be password protected. The computer you use for Paralegal College work must not be available for use by others.
22. Passwords must be changed regularly.
23. Data must be backed up frequently and backups must be tested.
24. Do not store or save data to any mobile device such as a laptop, smartphone or tablet.
25. Servers and computers which contain data must be protected by approved security software and a firewall.
Data use and protection
26. Lock your computer when you leave it unattended.
27. Do not share data informally. Especially, do not send data by email.
28. If data is to be transferred electronically it must be encrypted.
29. Transfer of personal data must be in accordance with the eight principles of the Act, as stated above.
30. Do not save copies of personal data to your own computer.
Accuracy of data
31. We are required to take reasonable steps to ensure the accuracy of any personal data we hold.
32. This is particularly important with regard to important personal data, for example, but not limited to, the person’s address.
33. Everyone working with personal data on behalf of Paralegal College is required to take reasonable steps to ensure that data is kept as accurate and up to date as possible.
34. Do not keep ‘spare copies’ of data on your computer.
Subject access requests
35. Any data subject of Paralegal College is entitled to:
a. ask what information we hold about them, and why we hold that information;
b. ask us how to gain access to that information;
c. be informed as to how we keep that information up to date, and be informed that we require that information to be kept up to date, and how to inform us of changes in the data;
d. be informed as to how we are meeting our data protection obligations.
36. Note that Paralegal College does not charge for subject access requests. At the time of a data access request, we must respond within 14 days of the request or sooner if possible. It is important that the identity of the person making the subject access request is verified by our security procedures.
37. For the avoidance of doubt, a data subject may only make a subject access request in relation to him/herself.
Law enforcement and other official requests for data
38. Personal data may be disclosed to law enforcement agencies without the data subject’s permission. However, this must be strictly in accordance with the law. See Part IV of the Act, ‘Exemptions’.
Provision of information
39. Paralegal College aims to ensure that individuals are aware that their data is being processed and that they understand:
a. how their data is being used;
b. how to exercise their rights in respect of their data.
40. The College has a privacy statement setting out how data relating to individuals is used by the company. It is available on the College website.
41. As a matter of policy the College never sells, rents, hires, or allows access to any personal or other data of an individual to any other person or organisation. We will never part with the personal data of students, staff or others unless we are required to do so under a legal obligation, or in those cases where the individual has given his/her express written permission to disclose their data to, for example, a parent or guardian or employer, or to another person, educational institution or prospective employer specifically named and authorised by the individual, and then only to the extent expressly authorised by the student.
Appendix: Schedule 2 of the Act
Conditions relevant for purposes of the first principle: processing of any personal data
1 The data subject has given his consent to the processing.
2 The processing is necessary:
(a) for the performance of a contract to which the data subject is a party, or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4 The processing is necessary in order to protect the vital interests of the data subject.
5 The processing is necessary:
(a) for the administration of justice,
(aa) for the exercise of any functions of either House of Parliament,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
Material used in this document was taken from:
1. The guidance given at ico.org.uk, as well as documents downloaded from the ICO’s website, and
2. the internet company Techdonut on 19 January 2017