Data Protection and Processing

1. Introduction

UCM Education is fully committed to compliance with the requirements of the UK GDPR, as supplemented by the DPA (Data Protection Act) 2019. We will therefore follow procedures that aim to ensure that all employees, contractors, agents, consultants, partners or other parties who have access to any personal data held by or on behalf of us are fully aware of and abide by their duties and responsibilities under the Act.

2. Statement of Policy

In order to operate efficiently, UCM collects and uses information about people with whom we work. These may include current, past and prospective employees, clients, customers and suppliers. In addition, we may be required by law to collect and use information in order to comply with the requirements of central government.

UCM holds data on individuals for the following general purposes:
• Staff administration
• Advertising, marketing and public relations
• Accounts and records

The data will be processed in compliance with the 6 principles of fair processing in Article 5, GDPR. UCM will:
• Be transparent in relation to employees.
• Tell employees what we are collecting the data for and be specific about what our purposes for processing data are.
• Only collect what we need for the stated, legitimate purposes.
• Keep the personal data up-to-date and accurate. Inaccurate data will be deleted or rectified.
• Not keep data in a form that allows identification of the data subject for longer than is necessary for the legitimate purposes notified to the employee.
• Keep the data secure.

Personal data means data relating to a living individual who can be identified from the data or from the data together with other information, which is in the possession of, or is likely to come into the possession of, UCM. Data will only be processed on the following legal bases:
• Legitimate interest
• Legal obligation
• Consent

Data will be reviewed on a regular basis, and at least annually, to ensure that it is accurate, relevant and up-to-date. Employees who process data are responsible for ensuring that any changes to old or inaccurate data take place in a timely fashion.

Data subjects are entitled to obtain access to their data on request. All requests to access data by data subjects, whether staff or other members, should be referred to the Data Protection Officer. Where a request is granted, the information will be provided within 30 days of the date of the request.

Any requests for access to a reference given by a third party must be referred to the Data Protection Officer and should be treated with caution, even if the reference was given in relation to the individual making the request. This is because the person writing the reference also has a right to have their personal details handled in accordance with data protection laws and not disclosed without their consent.

3. Levels of Data Protection

The UK GDPR together with the DPA 1998 provides conditions for the processing of any personal data. However, there are much stronger controls on the processing of special categories of sensitive data.

Personal data is defined in section 2, above. Sensitive personal data is defined as data consisting of information relating to:
• Racial or ethnic origin
• Political opinion
• Religious or other beliefs
• Trade union membership
• Physical or mental health or condition
• Sexual orientation
• Biometric data
• Genetic data
• Criminal proceedings or convictions

4. Handling of Personal and/or Sensitive Information

UCM will, through appropriate management and the use of strict controls, fully observe conditions regarding the fair collection and use of personal information by:
• Meeting its legal obligations to specify the purpose for which information is used.
• Collecting and processing appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
• Ensuring the accuracy and quality of information used.
• Applying strict checks to determine the length of time information is held.
• Taking appropriate technical and organisational security measures to safeguard personal information.
• Ensuring that personal information is not transferred to countries outside the UK.
• Ensuring that the rights of people about whom the information is held can be fully exercised.
• Ensuring that everyone processing personal information is appropriately trained to do so.
• Responding to queries about handling personal information promptly and courteously.
• Regularly assessing and evaluating our methods of handling personal information.
• Regularly assessing and evaluating individual performance in handling personal information.
• Carrying out data sharing under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.

All staff within UCM will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure and, in particular, will ensure that:
• Paper files and other records or documents containing personal data are kept in a secure environment.
• Personal data held on computers and computer systems is protected by the use of secure passwords, with periodic forced changes where possible.
• Individual passwords should be such that they are not easily compromised and should never be disclosed.
• Computer screens are not left open when unattended by individuals who are accessing personal information.
• Personnel files and other personal data should be stored in a place in which any unauthorised attempts to access them will be noticed. They should not be removed from their usual place of storage without good reason.
• Personnel files should always be locked away when not in use and when in use should not be left unattended.
• Care should be taken when sending personal data in the mail.
• Destroying or disposing of personal data counts as processing. Therefore care should be taken in the disposal of any personal data to ensure that it is appropriate.

All contractors, consultants, partners or other servants or agents of UCM must:
• Ensure that they and all of their staff who have access to personal data held or processed for or on behalf of UCM are aware of this policy and are fully trained in and are aware of their duties and responsibilities under law. Any breach of any provision of the UK GDPR will be deemed as being a breach of any contract between UCM and the individual, company, partner or firm.
• Permit, on request, data protection audits by us of data held on our behalf.
• Indemnify UCM against any prosecutions, claims, proceedings, actions or payments of compensation or damages, without limitation, in respect of breaches of data protection law.
• Confirm that they will abide by the requirements of the UK GDPR with regard to information supplied by us.

5. Rights of Data Subjects

Under the UK GDPR legislation, data subjects have the following rights with regard to their personal information:
• the right to be informed about the collection and the use of their personal data
• the right to access personal data and supplementary information within 30 days
• the right to have inaccurate personal data rectified, or completed if it is incomplete
• the right to erasure (to be forgotten) in certain circumstances
• the right to restrict processing in certain circumstances
• the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
• the right to object to processing in certain circumstances
• rights in relation to automated decision making and profiling
• the right to withdraw consent at any time (where relevant)
• the right to complain to the Information Commissioner

6. Notification to the Information Commissioner

The Data Protection Officer will review the Data Protection Register annually, prior to notification to the Information Commissioner. Any changes to the Register will be notified to the Information Commissioner within 28 days. To this end, any changes made between reviews will be brought to the attention of the Information Officer immediately.