The Data Protection Act 2018 (DPA) governs how personal information is used by organisations, businesses or the government. The UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) sit alongside the DPA, all of which set out the legislative requirements for organisations processing personal data.

The Data Protection Legislation is overseen and enforced by the Information Commissioner’s Office (ICO), who is an independent public body responsible directly to Parliament.

The University of Wolverhampton processes personal data relating to potential, existing and previous staff and students, website users, as well as personal data collected for research purposes, collectively referred to in this policy as data subjects. When processing personal data, the University is obliged to fulfil individuals’ reasonable expectations of privacy by complying with UK GDPR and other relevant data protection legislation (data protection law).

The policy details how the university complies with data protection law in respect of the data it processes, whether it is processed or stored electronically or manually. A failure to comply with this policy may result in disciplinary action taken by the University.

This policy seeks to ensure that we:

1. comply with the data protection law and with good practice;
2. protect the rights of individuals as set out in data protection legislation;
3. protect the University’s interests by ensuring the personal data entrusted to us is processed in accordance with data subjects’ rights; and
4. protect the University from risks of personal data breaches and other breaches of data protection law.

This Policy applies to all staff and others working for or on behalf of the University whether in the UK or overseas and includes; governors, secondees, any third-party representatives, agency workers, volunteers, interns, agents and sponsors. Staff employed by the University must ensure that this policy is communicated to any organisation that they work with who may have access to the personal data where the university is data controller.

Non-compliance with this policy and associated polices could potentially expose the University, staff and students to unacceptable data protection risk. To this end the University commits to:

• Information Governance Management: Establishing and supporting robust operational and management accountability structures, with appropriate resources and expertise to ensure information governance issues are dealt with appropriately, effectively and at levels within the organisation commensurate with the type and gravity of the issue in question.
• Staff Empowerment: Embedding a culture of individual responsibility and capability across the University in relation to information management, protection and use as part of ‘business as usual’.
• Training and Awareness: Implementing a system of training and awareness that meets government mandatory requirements, is role based, assessed and capable of equipping employees with the skills and knowledge necessary to do their jobs
• Systems and Processes: Establishing and maintaining information systems and processes to enable the efficient and secure storage and retrieval of information and the management of information risk.
• Policy and guidance: Developing and embedding, policies and guidance documents in relation to the respective areas of information governance that support employees to fully understand the standards, practices and responsibilities required within the information governance framework and to take appropriate action where necessary.
• Audit: Monitoring employees’ compliance with the information governance framework through regular audits.

Automated Decision-Making (ADM): when a decision is made which is based solely on automated processing (including profiling) which produces legal effects or significantly affects an individual. The UK GDPR prohibits Automated Decision-Making (unless certain conditions are met) but not automated processing.

Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to them.

Criminal offence data: any information relating to criminal allegations, convictions and offences. In order to process personal data relating to criminal convictions or offences, staff must have both a lawful basis for processing the information and either legal authority or official authority for processing.

Data Controller: the person or organisation that determines when, why and how to process personal data. It is responsible for establishing practices and policies in accordance with the UK GDPR. The University is the Data Controller of all personal data relating to it and used delivering education and training, conducting research and all other purposes connected with it including business purposes.

Data Protection by Design and Default: The UK GDPR requires controllers to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. In essence, this means we have to integrate or data protection into our processing activities and business practices, from the design stage right through the lifecycle.

Data Protection Impact Assessment (DPIA): tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the processing of personal data.

Data Protection Officer (DPO): the person appointed as such under the UK GDPR and in accordance with its requirements. A DPO is responsible for advising the University (including its employees) on their obligations under Data Protection Law, for monitoring compliance with data protection law, as well as with the University’s polices, providing advice, cooperating with the ICO and acting as a point of contact with the ICO.

Data Processor: A Data Processor (Processor) is responsible for processing personal data on behalf of a Controller and they are required to maintain records of personal data and processing activities. They will have legal liability if they are responsible for a breach. ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Data Subject: a living, identified or identifiable individual about whom we hold personal data.

Joint Controllers: Joint Controllers are required where both parties need to make decisions about the processing; this needs to be clearly understood and agreed in an appropriate contract/agreement. Where two or more Controllers jointly determine the purposes and means of processing, they shall be joint Controllers. They shall in a transparent manner determine their respective responsibilities for compliance with their obligations, in particular with regards to the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14 UK GDPR, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the Controllers are determined by Union or Member State law to which the Controllers are subject. The arrangement may designate a contact point for data subjects.

Personal Data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed.

Personal Data can include the following:

1. Name and address (postal and email)
2. Date of birth
3. Statement of fact
4. Any expression or opinion communicated about an individual
5. Minutes of meetings, reports
6. Emails, file notes, handwritten notes, sticky notes
7. CCTV footage if an individual can be identified by the footage
8. Employment and student applications
9. Spreadsheets and/or databases with any list of people set up by code or student/staff number
10. Employment or education history
11. Online identifier, IP address

Personal Data Breach: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed where that breach results in a risk to the data subject. It can be an act or omission.

Privacy by Design and Default: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the UK GDPR.

Privacy Notices: separate notices setting out information that may be provided to data subjects when the University collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee, student and donor privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering processing related to a specific purpose.

Processing or Process: any activity that involves the use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties. In brief, it is anything that can be done to personal data from its creation to its destruction, including both creation and destruction.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is an example of automated processing.

Pseudonymisation or Pseudonymised: replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure.

Special category data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access including a living individuals:

1. Race or ethnicity
2. Religious or philosophical beliefs
3. Political opinions
4. Membership of a trade union
5. Genetic data
6. Biometric data
7. Health data
8. Sex life
9. Sexual orientation

The University as the Data Controller, is responsible for establishing policies and procedures in order to comply with data protection law. The University will ensure all staff are provided with data protection training and promote the awareness of the University’s data protection and information security policies, procedures and processes.

The University Data Protection Officer is responsible for:

1. Advising the University and its staff of its obligations under UK GDPR;
2. monitoring compliance with the UK GDPR and other relevant data protection law, the University’s policies, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits;
3. to provide advise on data protection impact assessments;
4. to cooperate with and act as the contact point for the ICO; and
5. May be contacted by people whose personal information is being processed.

The data protection officer shall in the performance of their tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

The Head of Information Governance is the designated Data Protection Officer and responsible for the operation of this policy who can be reached at dataprotection@wlv.ac.uk

Information Asset Owners (IAO) are responsible for ensuring that the data protection act is followed and that personal data is handled and managed appropriately within their area of responsibility. IAO’s are supported by Information Assets Custodians (IAC). IAO’s will be in place throughout the University with at least one in each department or faculty that processes personal information. A list of IAOs and IAC’s can be found on the data protection intranet. Alongside giving advice to staff the IAOs will:

1. Ensure personal data is kept in accordance with the University’s retention schedule;
2. Report new processing activities to the Data Protection team for inclusion on the Records of Processing Activity in accordance with Article 30 of the UK GDPR;
3. Work with project leads to conduct a DPIA for new processing activities which are likely to result in high risks to the rights and freedoms of individuals, such as using systematic profiling, special category or criminal conviction information or systematic monitoring;
4. Work with project managers to ensure privacy notices are put in place where personal information is being collected and processed for a new purpose, with the assistance and approval of the Data Protection Officer;
5. Ensure Data Sharing Agreements or Data Processing Agreements are put in place where data subject’s information is being shared with another data controller or processor, with the assistance and approval of the Data Protection Officer; and
6. Complete entries on the University Records of Processing Activities register.

All Deans of Faculties and Directors of Professional Services are responsible for ensuring that all University staff within their area of responsibility comply with this policy and should implement appropriate practices, processes, controls and training to ensure that compliance.

Staff members who process personal data about students, staff, applicants, alumni or any other individual must comply with the requirements of this policy. Staff members must ensure that:

1. that all information processed is necessary for the purpose for which it is required;
2. all personal data is kept securely in line with the IT department’s prescribed practices;
3. no personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
4. personal data is kept in accordance with the University’s retention schedule;
5. any queries regarding data protection, including subject access requests and complaints, are promptly directed to the Information Governance Team;
6. any data protection breaches are swiftly brought to the attention of the Information Governance Team by following the Data Breach Reporting Procedure and that they support the Data Protection team in resolving breaches;
7. Data Sharing Agreements (DSA) or Data Processing Agreements (DPA) are put in place where data subject’s information is being shared with another data controller or processor, with the assistance and approval of the Data Protection Officer;
8. personal information is not transferred to any country where there is no adequacy decision (See UK GDPR Article 45), unless the transfer is subject to an appropriate safeguard provided in the UK GDPR;
9. Advice will be sought from the Information Governance Team where there is uncertainty around a data protection matter,; and
10. They notify their line manager and the Information Governance Team if they believe this policy has been breached.

Where members of staff are responsible for overseeing students doing work which involves the processing of personal information (for example in research projects), they must ensure that those students are aware and are in compliance with the Data Protection principles in conducting their research.

Staff should direct any requests for personal information from third parties to dataprotection@wlv.ac.uk.

Managers who employ contractors, short-term or voluntary staff must ensure that they are appropriately vetted for the data they will be processing. The University is responsible for the use of personal data by anyone working on its behalf. Managers should ensure that:

1. any personal data collected or processed in the course of work undertaken for the University is kept securely and confidentially;
2. all personal data is returned to the University on completion of the work, including any copies that may have been made. Alternatively, that the data is securely destroyed and the University receives notification in this regard from the contractor or short term / voluntary member of staff;
3. all practical and reasonable steps are taken to ensure that contractors, short term or voluntary staff do not have access to any personal data beyond what is essential for the work to be carried out properly.

Students are responsible for:

1. reading and understanding the Privacy Notice provided when they apply and enrol at the University; and
2. ensuring that their personal data provided to the University is accurate and up to date.

The University uses various third-party data processors to process data for different purposes on our behalf. Where a third-party data processor is used:

1. They must be provided with the Supplier Security Questionnaire if they are not being procured through a formal tender;
2. a data processor must be chosen which provides sufficient guarantees about its security measures to protect the processing of personal data;
3. reasonable steps must be taken that such security measures are in place;
4. a written contract or data processing agreement establishing what personal data will be processed and for what purpose must be set out as well as setting out the responsibilities and liabilities of each party; and
5. the contract or data processing agreement must be approved by the Data Protection Officer, and must be signed by both parties.

For further guidance about the use of third-party data processors and for a Data Processing Agreement template, please contact the Data Protection Officer by using the Data Protection Assistance Request Form.

When an organisation and its staff process personal data, it should be done in line with the principles set out in the UK GDPR. The University is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below.

The principles require personal data to be:

1. Processed lawfully, fairly and in a transparent manner (Lawfulness, fairness and transparency).
2. Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (Purpose limitation).
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data minimisation).
4. Accurate and where necessary kept up to date (Accuracy).
5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (Storage limitation).
6. Processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage (Security, integrity and confidentiality).
7. The Controller shall be responsible for and be able to demonstrate compliance with the other principles (Accountability).

The consequences of failing to comply with the requirements of the above principles may result in:

• Criminal and civil action against the University and staff;
• Fines and damages against the University and staff;
• Personal accountability and liability;
• Suspension/withdrawal of the University’s right to process personal data by the ICO;
• Loss of confidence in the integrity of the University’s systems and procedures;
• Irreparable damage to the University’s reputation.

The personal data held by the University typically relate to students and staff. These are known as data subjects. They have rights in relation to the way the University handles their personal data. Chapter 3 of the UK GDPR provides the following rights for individuals:

1. Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data. The University must provide individuals with information regarding how their personal data will be processed, given in the form of a privacy notice.
2. Right of Access: Individuals have the right to access their personal data, which is commonly referred to as a Subject Access Request (SAR).
3. Right to rectification: The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
4. Right to Erasure: The UK GDPR introduces a right for individuals to have their personal data erased. The right to erasure is also known as ‘the right to be forgotten’.
5. Right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, the University is permitted to store the personal data, but not use it.
6. Right to data portability: The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
7. Right to object: The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
8. Rights related to automated decision making including profiling: The UK GDPR has provisions on:
   1. automated individual decision-making (making a decision solely by automated means without any human involvement); and
   2. profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

 The UK GDPR applies to all automated individual decision-making and profiling.

Some of the above individual rights listed from point C to G are qualified, meaning there will be instances where the University does not need to comply with the requests, depending on the circumstances. Further information on when individual rights apply can be found on the ICO website.

Individuals can exercise their individual rights by contacting dataprotection@wlv.ac.uk. Further information on the Universities identification requirements can be found here.

Individuals have the right to be informed about the collection and use of their personal data, therefore an important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used. The supply of this information through documents known as 'privacy notices' takes places in numerous targeted ways, depending on the nature of the interaction with the individual.

When the University collects personal data directly from individuals, privacy information must be provided to individuals at the time their personal data is collected.

If the University obtains personal data from other sources, we must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

The information provided to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

Privacy notices must be reviewed regularly and where necessary, updated. There are a few circumstances when providing individuals with privacy information is not required, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

For advice on whether a privacy notice is required for the processing activity you are undertaking, please contact the DPO using the Data Protection Assistance Request Form. If a new privacy notice is required the DPO can provide access to the University template and guidance.

Individuals have the right to obtain the following from a controller:

• confirmation that you are processing their personal data;
• a copy of their personal data; and
• other supplementary information.

The UK GDPR states that, for information to be personal data, it must relate to a living person who is identifiable from that information (directly or indirectly).

Under the right of access, an individual is only entitled to their own personal data. They are not entitled to information relating to other people, unless:

• their data also relates to other individuals; or
• they are exercising another individual’s right of access on their behalf.

Individuals can make a SAR verbally or in writing to the University, with a copy of their identification. Further information on the Universities identification requirements can be found here. If any individual makes a SAR to a team other than the Information Governance Team, details of the request must be forwarded to dataprotection@wlv.ac.uk immediately. The University has one month to respond to a request, however extensions for complying with such requests can be applied when necessary.

In order to comply with the SAR, the Information Governance Team will approach the appropriate teams or staff members for the requested information. Where staff emails have been requested, staff will be given the opportunity to extract the emails form their own email account. If the staff member cannot provide the emails within the given timeframe, the Information Governance Team will be given remote access to their account to retrieve the requested information.

The information requested through the SAR may be the personal data of two (or more) individuals. If responding to a SAR involves providing information that relates to both the individual making the request and to another individual, an exemption may apply. In such instances, the information may be redacted or withheld from disclosure.

The UK GDPR encourages controllers to provide individuals with remote access to their personal data via a secure system. Whether a controller needs to provide individuals with a copy of their data depends on whether they are able to download a copy of the requested information. If an individual can download a copy of their personal data in a commonly used electronic format, then this satisfies the requirement to provide a copy, as long as the individual does not object to the format. Therefore, if a student or staff member can already access and download a copy of the personal data they have requested, we will inform you where you can access and download it.

For further information about this, please see the following ICO guidance. Guidance on how a SAR can be lodged to the University can be found here.

Third party organisations such as the Police, the local council, the Home Office, or the Department of Work and Pensions amongst others may request personal data of individuals which the University processes if an exemption of the DPA 2018 applies.

The exemptions apply only to the extent that not complying with the SAR is likely to prejudice the purposes listed in the relevant exemption. Further information on applicable exemptions can be found on the ICO website.

Guidance on how a third-party SAR can be lodged to the University can be found here.

A court order is a judgement or ruling that is officially given by a judge and can include a request for information to the University. A judge can request any information they see as relevant to a case and the University is legally obliged to comply by providing the information requested.

Judges provide their own deadlines for court orders, which may be short. If it is not possible for a Department or Faculty to provide the information within the timeframe, this must be communicated to the Information Governance Team Immediately so the courts can be informed.

 Unless there is a good reason not to do so, the information should usually be disclosed unredacted, in its original format, to avoid any doubt about its authenticity. Information that is sensitive or has the potential of causing harm if released will be redacted and provided to the judge in a closed, encrypted file for the judge.

If another team receives a court order, it must be forwarded to the Information Governance Team immediately at dataprotection@wlv.ac.uk, along with any pertinent information that is held.

In the absence of Consent, an appropriate exemption, a legal obligation or other legal basis of processing, personal data should not generally be disclosed to third parties unrelated to the University (e.g. students’ parents, members of the public, private property owners).

Some bodies have a statutory power to obtain information (e.g. regulatory bodies such as the Health & Care Professions Council, the Nursing and Midwifery Council, government agencies such as the Child Support Agency, or Local Councils). Any requests for information of this nature should be referred to the Information Governance team via email at dataprotection@wlv.ac.uk.

Sharing of personal data for research purposes may also be permissible, subject to certain safeguards.

The University is required to implement privacy-by-design measures when processing personal data, by implementing appropriate technical and organisational measures such as pseudonymisation, in an effective manner, to ensure compliance with data-protection principles.

The University must ensure therefore that by default only personal data which is necessary for each specific purpose is processed. The obligation applies to the volume of personal data collected, the extent of the processing, the period of storage and the accessibility of the personal data. In particular, by default, personal data should not be available to an indefinite number of persons. All staff should ensure that they adhere to those measures.

The University must conduct Data Protection Impact Assessments (DPIAs) in respect of high-risk processing before that processing is undertaken.

A DPIA should be conducted by staff members in consultation with the DPO and their IAO in the following circumstances:

1. the use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
2. automated processing including profiling;
3. large scale processing of sensitive (special category) data; and
4. large scale, systematic monitoring of a publicly accessible area.

A DPIA must include:

1. a description of the processing, its purposes and the Data Controller’s legitimate interests if appropriate;
2. an assessment of the necessity and proportionality of the processing in relation to its purpose;
3. an assessment of the risk to individuals; and
4. the risk-mitigation measures in place and demonstration of compliance.

 To conduct a DPIA please contact the DPO for access to the University template and guidance by completing the Data Protection Assistance Request Form.

The UK GDPR requires the University to keep full and accurate records of all personal data processing activities. Accurate corporate records must be kept and maintained which reflect the University’s personal data processing, including records of data subjects’ Consents and procedures for obtaining Consents, where Consent is the legal basis of processing.

These records should include, at a minimum, the name and contact details of the University as Data Controller and the DPO, clear descriptions of the personal data types, data subject types, processing activities, processing purposes, third-party recipients of the personal data, personal data storage locations, personal data transfers, the personal data’s retention period and a description of the security measures in place.

To comply with this requirement, the University keeps a Record of Processing Activity document. This is a working document but is reviewed on an annual basis with the University IAO’s.

 The work of the University requires the sharing of personal data between the University and external third parties. Information is shared and processed with many third parties including, but not limited to, collaborative research partners, system suppliers, service suppliers, other Universities and partner organisations.

The Data Protection law, notably the UK GDPR applies equally to Controllers and Processors. The University is generally a Controller of personal data and its partners, suppliers and agents can sometimes be Processors or Joint Controllers.

If the University as Data Controller uses a third party to process personal data, then it must only use Data Processors that can give sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing will meet UK GDPR requirements and protect data subjects’ rights. Data Processors must complete the Supplier Security Questionnaire to satisfy this requirement if they have not been procured through a formal tender.

Whenever the University uses a processor to process personal data on its behalf, a written contract (usually a data processing agreement) must be in place between the parties. Similarly, if the Processor uses another organisation (i.e. a sub-Processor) to help it process personal data for the University, it needs to have a written contract in place with that sub-Processor, which is substantially the same as the contract.

Contracts between Controllers and Processors ensure they both understand their obligations, responsibilities and liabilities. Contracts also help them comply with the UK GDPR and assist Controllers in demonstrating to individuals and regulators compliance.

If the University is sharing personal data with an external organisation who are also a Data Controller a data sharing agreement should be in place between the University and the other Data Controller. This agreement will help all the parties be clear about their roles; set out the purpose of the data sharing; cover what happens to the data at each stage; and sets standards.

The University data processing and sharing agreement templates can be viewed on the Information Asset Owner/Custodian SharePoint area. To access the templates, please contact the DPO by completing the Data Protection Assistance Request Form.

When personal data is being shared, it may be necessary to complete a DPIA to ensure a structured risk assessment is carried out and determine whether additional safeguards need to be introduced. Please refer to section 14 for information on how DPIA’s can be completed.

The UK GDPR restricts data transfers to countries where there is no adequacy decision in order to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined. Personal data is transferred when it originates in one country across borders when you transmit or send that data to a different country and process it in a different country.

An individual may only transfer personal data to a country without adequacy, (as defined by the UK GDPR Article 45) if one of the following conditions applies:

1. the UK Government has issued a decision confirming that the country to which the personal data is being transferred, ensures an adequate level of protection for the data subjects’ rights and freedoms. The countries currently approved can be found here;
2. appropriate safeguards are in place such as and International Data Transfer Agreement, binding corporate rules, standard contractual clauses approved by the UK Government, an approved code of conduct or a certification mechanism, a copy of which can be obtained from the DPO;
3. the data subject has provided explicit Consent to the proposed transfer after being informed of any potential risks; or
4. the transfer is necessary for one of the other reasons set out in the UK GDPR including:
   • the performance of a contract between the University and the data subject (e.g. students’ mandatory year abroad in an overseas institution/placement);
   • reasons of public interest;
   • to establish, exercise or defend legal claims; or
   • to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving Consent.

The University has a range of standard transfer agreements and clauses and you should seek guidance from the Information Governance team by completing the Data Protection Assistance Request Form before any transfer of personal data takes place.

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity, or availability of personal data. There will be a personal data breach whenever any personal data is accidentally or deliberately lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals. Breaches can be a result of both accidental and deliberate causes.

The UK GDPR requires that the University report to the ICO any personal data breach where there is a risk to the rights and freedoms of the data subject. Where the personal data breach results in a high risk to the data subject, they must also be notified unless subsequent steps have been taken to ensure that the risk is unlikely to materialise, security measures were applied to render the personal data unintelligible (e.g. encryption) or it would amount to disproportionate effort to inform the data subject directly.

Where a staff member knows or suspects that a personal data breach has occurred, they are required to report the data breach immediately after discovery to the Information Governance Team. The team will investigate and risk assess the breach in accordance with the University.

Staff and students should not attempt to contact the data subject/s whose data has been compromised because of the personal data breach, unless they have been advised to do this by the Information Governance Team.

Further information regarding personal data breaches and the way they are investigated at the University can be found in the Data Breach Incident Management Policy.

The University is subject to certain rules and privacy laws when performing marketing activities to applicants, students, alumni and any other potential user of its services.

For example, a data subject’s prior Consent is required for electronic direct marketing (for example, by email, text or automated calls). Please the Information Governance Team for further information regarding requirements when obtaining consent by using the Data Protection Assistance Request Form. 

The limited exception for existing customers (e.g. current students) known as “soft opt in” allows organisations to send marketing texts or emails if they have obtained contact details in the course of a sale to that person, they are marketing similar services (e.g. a post-graduate course or a professional qualification), and they gave the person an opportunity to opt out of marketing when first collecting the details and in every subsequent message.

The right to object to direct marketing must be explicitly offered to the data subject at all stages of communication and in an intelligible manner so that it is clearly distinguishable from other information.

A data subject’s objection to direct marketing must be promptly honoured. If a data subject opts out at any time, their details should be suppressed as soon as possible. Suppression involves retaining just enough information to ensure that marketing preferences are respected in the future.

For electronic marketing the University must follow PECR guidance. Different rules apply to marketing by post. A detailed marketing procedure guide can be found here (to follow).

Individuals who wish to make a complaint relating to how the University handles personal data can do so either via email at dataprotection@wlv.ac.uk, or via post at Information Governance Team, University of Wolverhampton, Wulfruna Building, Wulfruna Street, Wolverhampton, WV1 1LY.

The University must regularly test its systems and processes to assess compliance with data protection laws. During the annual meetings with University IAO’s to discuss the records of processing activity document, the DPO will assess compliance of systems and processes.

Data Protection Review Forms are also sent to IAO’s and IAC’s quarterly, in order to review compliance with data protection law, outside of the formal annual meeting. Each Directorate and Faculty must regularly review all the systems and processes under its control to ensure they comply with data protection law.

Working from home

When working from home staff should still comply with this policy and the data protection legislation. When working from home staff should follow the Working From Home Guidance available on the Data Protection Intranet here.

Training

The University is required to ensure that all employees undergo adequate training to enable them to comply with data protection law.

All employees must undergo all mandatory data privacy related training annually, links to which can be found on the Organisational Development webpage here. More tailored training must be completed on request, including before staff can access reports containing personal data from Tableau and Business Objects.

University IAO’s and IAC’s undergo training following being assigned the role of IAO/IAC, in order to get a more in-depth understanding of data protection law and compliance requirements, including their responsibilities in relation to the role.

There are no exceptions to this policy.

Amendments

This Policy was approved by the University’s Executive Board in March 2024.  The University may change this Policy at any time, and where appropriate. Where a policy is not due for review, but is found to require updating, it will remain published, unless the reasons for review render it obsolete.

This policy should be read in conjunction with the following policies and guidance:

Data Breach Incident Management Policy

Acceptable Use of IT Facilities

Encryption Policy

Information Security Policy

Retention Schedule

For general queries, please contact the University xxx by email or phone.
Email: dataprotection@wlv.ac.uk

For general queries, please contact the University Corporate Compliance Team via email:  compliance@wlv.ac.uk.