Data Protection Policy
The QMU Data Protection Policy sets out your obligations when processing the personal information of others in the course of your employment, work or study at Queen Margaret University.
1. Aim and scope of this policy
1.1 Queen Margaret University (QMU) is committed to protecting personal information and the rights of individuals in line with our obligations under data protection law (including the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA)).
1.2 This policy sets out the obligations of QMU to ensure all employees, visitors, students and other third parties are aware of their duties under this policy and the legislative requirements.
1.3 This policy applies to the processing of all personal data by, and on behalf of, the University.
1.4 Annex A contains definitions of key terms.
2. Key Contact
2.1 We have appointed a Data Protection Officer (DPO). Any questions about this policy should be directed to the DPO.
2.2 Contact Details: Cara Dickson, Legal Adviser and Data Protection Officer, dataprotection@qmu.ac.uk.
3. Compliance with this policy
3.1 This policy applies to all employees, students, contractors and workers.
3.2 It is a condition of employment that all employees abide by QMU policies and procedures.
3.3 It is a condition of the student contract that all students abide by QMU policies.
3.4 Any breach of this policy may result in disciplinary action.
4. Data Protection Principles
4.1 When processing personal data, QMU acts as both a controller and a processor of personal data. In both roles, it must adhere to the following data protection principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
5. Lawfulness, fairness and transparency
5.1 We will only process personal data where we have a lawful basis for doing so. We will take into account any additional conditions for processing special category personal data.
5.2 We will handle personal data fairly and in a way that a data subject would reasonably expect.
5.3 We will be clear, open, and honest with data subjects about how we intend to use their personal data.
6. Purpose Limitation
6.1 We will be clear from the start of the processing what the purpose of processing the personal data is.
6.2 Personal data will only be used for a new purpose where it is compatible with the original purpose, we have consent, or we have a clear legal obligation.
6.3 We will clearly set out any purposes for processing personal data in our privacy statements.
7. Data Minimisation
7.1 Personal data will only be collected where it is needed for the specified purpose.
7.2 We commit to regularly reviewing any personal data we hold and deleting it where it is no longer needed.
7.3 Personal data will be anonymised or pseudonymised where appropriate to prevent the identification of individuals where this is not necessary. Data Protection legislation does not apply to anonymised data.
8. Accuracy
8.1 As far as possible, the personal information we process is accurate and up to date.
8.2 Where an inaccuracy is identified the personal data will be corrected as soon as reasonable. Where appropriate, inaccurate data will be deleted.
9. Storage Limitation
9.1 We will only retain personal data for as long as necessary and in line with the QMU Retention Schedule. Any destruction of personal data will be done securely.
9.2 Personal data may be kept for longer in exceptional circumstances. Where this is the case, the reason will be clearly recorded and the personal data clearly identified.
10. Integrity and Confidentiality (Security)
10.1 We will implement physical and technical measures to protect the confidentiality and integrity of the personal data we process.
10.2 Additional security measures will be applied to special category data and any personal data which is sensitive.
10.3 Personal data will not be removed from QMU premises without permission. Personal data processed in the course of work duties or research must be stored on QMU systems and not on personal devices or personal emails.
10.4 We commit to regularly reviewing our security measures to ensure they are in line with the most recent technology and best practice.
11. Accountability
11.1 The QMU Senior Leadership Team commits to complying with data protection legislation and principles and ensuring compliance throughout the University.
11.2 We will put in place the following organisational measures to demonstrate accountability:
- Appointment of a DPO.
- Adoption and implementation of this Data Protection Policy.
- Taking a data protection by design and default approach to all of our processing activities.
- Ensuring written contracts are in place with our processors and joint controllers.
- Recording and reporting data breaches.
- Carrying out DPIAs for any new high risk processing activity.
- Providing up to date training and guidance for staff.
12. Individuals’ rights
12.1 Individuals have certain rights as regards their personal data, including:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision making, including profiling.
12.2 We will appropriately manage and process any rights requests and ensure the rights of individuals are upheld.
13. Roles and responsibilities
Roles and responsibilities of staff, contractors, students and other third parties under this Policy are set out below:
13.1 All staff and contractors of QMU are responsible for the protection of personal information and are bound by the responsibilities in this policy. Staff are expected to be aware of this policy and their responsibilities and to ensure their knowledge is up to date through completion of the relevant data protection training. Staff must report to the DPO:
- Personal data breaches, near misses, or unauthorised disclosure.
- Rights requests, including Subject Access Requests.
- Any new processing activities likely to result in high risk to the rights and freedoms of individuals.
- New and revised data sharing agreements, especially where data is being transferred outside of the EEA.
- Retention periods of personal data.
- Contracts with third parties which involve the disclosure of personal data.
- Activities involving automated processing, profiling or automated decision making.
- Help complying with the relevant law with direct marketing activities.
13.2 All students are bound by this policy where they process personal data during their studies. QMU is the controller of the personal data processed by students during their studies. All students must be aware of their responsibilities under this policy.
13.3 All staff and students engaged in processing personal data as part of a research project will follow the correct Research Ethics processes to ensure personal data is handled appropriately.
13.4 The DPO is primarily responsible for compliance with the DPA and the UK GDPR. They are responsible for advising senior management on privacy and data protection. They will ensure this policy is reviewed regularly and any accompanying processes, procedures and training are kept up to date.
13.5 The Senior Leadership Team is responsible for ensuring the appropriate resourcing of privacy and data protection at QMU and that the commitments in this policy are met.
14. Review
This document will be reviewed annually and approved by the QMU Senior Leadership Team.
Annex A – Glossary of Terms
Term | Meaning |
Personal information/data | Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier. Some examples are: Personal information can relate to, for example, past or present employees, workers, contractors, students, suppliers, shareholders, website users or members of the public. Personal information does not include data where the identity has been removed (anonymous data). |
Special category data | Information about an individual’s racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health; sex life or sexual orientation; criminal convictions, offences, or alleged offences; genetic data; or biometric data for the purpose of uniquely identifying an individual. |
Processing | Any activity that involves using personal information. This includes collecting personal information, recording it, storing it, retrieving it, using it, amending it, disclosing it, destroying it, and transferring it to third parties. |
Data Subject | The legal, living person whose personal data is being processed. |
Processor | A person, company, authority, or body processing personal data on the instruction and on behalf of the controller. |
Controller | The person, company, authority, or body responsible, alone, or jointly, for the means and purpose of the processing of personal data. |
Pseudonymisation | The processing of personal data in a way that the personal data can no longer be attributed to a particular data subject without the use of additional information. |