Data protection policy
Forward College is committed to complying with the General Data Protection Regulation as an academic institution, an employer, and as a service provider.
Data protection legislation regulates “the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information” by data controllers, such as Forward College. It requires Forward College to process, use and store the personal data relating to potential staff and students, current staff and students, former staff and students, contractors, website users, and contacts.
This Policy describes the responsibilities of Forward College in complying fully with the provisions of GDPR and the associated data protection legislation, and in adhering to the six principles of Data Protection.
In order to do this, Forward College commits to:
- Clarifying how personal data is fairly and legally processed;
- Supporting the rights of individuals in compliance with data protection law and good practice;
- Processing personal data in accordance with the rights of data subjects;
- Securing personal data from any breaches.
Any breach of this Policy may lead to disciplinary proceedings.
The execution of this Policy applies to all staff of Forward College.
This Policy relates to all personal data held by Forward College on:
- Students: applicants, current students, former students and alumni…
- Employees: job applicants, past and present employees, contractors, board members, volunteers, consultants, independent examiners…
- Visitors: prospective applicants, brochures requesters, event subscribers and attendees, external speakers, and all other individuals who have expressed an interest in Forward College.
This Policy applies to all personal data processed or controlled by Forward College, regardless of who created the data, data location, ownership of the equipment used, and data content.
The General Data Protection Regulation governs the processing of personal data.
The following definitions are used:
Personal data are data which can identify living individuals. As well as images, names, and contact details it can also include numerical or statistical information from which an individual’s identity may be derived.
Special Category Data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s
sex life or sexual orientation.
A Data Subject is the individual who is the subject of personal data.
A Data Controller determines the purposes for which personal data are processed and may be employed. The controller is ultimately responsible for the personal data, whether they transmit the data to a data processor or not. This includes the responsibilities of responding to Subject Access Requests and
complaints from data subjects.
A Data Processor is any individual or organisation who processes personal data on behalf of – and according to the purposes defined by – the data controller.
The GDPR sets out six data protection principles. Forward College is required to follow these principles in the processing of personal data.
GDPR Principle 1: Lawfulness, Fairness, and Transparency
Forward College will explain to its staff, students, and any other relevant third parties how and for what purpose it is processing personal data, at the point of collection.
Legal Basis for Processing Data
Processing personal data must meet at least one of the following conditions:
- The data subject has given consent to the processing;
- The data processing is necessary for the performance of a contract;
- The data processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
- The data processing is necessary for the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Legal Basis for Processing Special Category Data
In addition to a lawful basis listed above, Forward College is required to have an additional legal basis for processing, as set out in Article 9 of the Regulation.
- Processing is necessary for the purposes of carrying out the obligations, and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
- Processing relates to personal data which are manifestly made subject by the data subject;
- Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee;
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
GDPR Principle 2: Purpose Limitation
Forward College will only use the personal data it has for the purposes for which it was collected.
Personal data must only be collected for specified, explicitly stated, and legitimate purposes. It must not be further processed in any manner that is incompatible with these purposes, unless the data subject has given consent, or there is a lawful exemption from data protection law requirements.
Provided that prescribed safeguards are implemented, further processing for scientific or historical research purposes will not be regarded as incompatible. This research must not be conducted for the purposes of making decisions about individuals, and it must not be likely to cause substantial damage or distress to an
GDPR Principle 3: Data Minimisation
Forward College will only collect personal data that is relevant to the purposes for which it is required.
Personal data must be adequate, relevant and limited to what is necessary in relation to the purpose for which it is being processed. Employees may only process personal data when required to do so in order to perform their professional duties. Employees must ensure that when personal data is no longer
required for its specified purpose(s), it is deleted or anonymised.
GDPR Principle 4: Accuracy
Forward College will ensure that data is accurate and up-to-date, and will rectify any mistakes quickly.
Personal data must be complete, accurate, recorded in the correct files, and kept up to date where relevant. Forward College must therefore verify the accuracy of any personal data both at the point of collection and at regular intervals going forward. All reasonable precautions must be taken to ensure that inaccurate
records are promptly amended or destroyed.
Where a data subject has requested their personal data to be corrected or erased, Forward College must inform the recipients of that personal data that this has taken place, where it is reasonable to do so.
GDPR Principle 5: Storage Limitation
Forward College will not retain personal data for longer than is necessary.
Personal data must not be stored in such a way that allows data subjects to be identified for longer than it is needed for the legitimate purposes for which it was collected. Personal data records may be kept for longer than necessary, provided it is anonymised.
Data subjects must be informed of the period for which their personal data is stored in the relevant privacy notice. Employees must take all reasonable steps to securely erase or destroy all personal data that is no longer required.
GDPR Principle 6: Integrity and Confidentiality
Forward College will protect its personal data against unauthorised access, loss or destruction. It must implement and maintain appropriate safeguards to protect personal data. These safeguards must take into account the potential risks to data subjects as an outcome of unauthorised or unlawful processing, or
accidental loss, damage, or destruction of their personal data.
All employees must handle personal data in such a way that safeguards it against unlawful processing and accidental loss, damage and destruction, and that preserves confidentiality.
Data Subject Rights
Data subjects have a number of rights under the Regulation. As the data controller, Forward College must comply with these rights. These include:
The right to information
Forward College will adhere to the requirement for fairness and transparency when collecting data from individuals. Specifically, Forward College will provide data subjects with a Privacy Notice to let them know how, and for what purpose, their personal data are processed. Any data processing must be consistent with that purpose.
The right of access
Data subjects have the right to find out what Forward College is doing with their data, to check Forward College is holding it correctly, and to obtain a copy of their data held by Forward College.
The right to rectification
Forward College makes every effort to ensure its data is accurate. If a data subject has reason to suspect that Forward College holds erroneous or outdated data about them, they can request for this to be corrected. Forward College will assess the request and correct any inaccuracies.
The right to objection
Data subjects have the right to object to processing based on legitimate interests, legal obligation, for the purposes of direct marketing or for “scientific or historical research purposes or statistical purposes”. Forward College will assess the request and respond accordingly.
The right to erasure
Data subjects have the right to ask Forward College to remove or delete data held on them. Forward College will assess the request and respond accordingly.
The right to portability
Data subjects have the right to ask Forward College to provide them (or an organisation of their choice) with a re‐usable electronic copy of their data to allow them to transfer it to another provider. This only covers data submitted to Forward College by the subject or data observed from the subject’s use of a service. If technically possible, Forward College will consider transferring
information directly to another provider.
The right to the restriction of processing
Data subjects may, in the course of a dispute with Forward College about the use of their data, ask Forward College to stop using their data if certain criteria apply.
The right in relation to automated decision-making and profiling
If Forward College is making decisions about data subjects through purely automated means, such as a computer algorithm, data subjects can appeal against this decision.
Forward College will ensure that subjects can express their point of view and have members of staff provide a review and explanation of the decision.
Data Protection by design
Forward College is committed to ensuring privacy is built into its processes and outcomes, by implementing appropriate technical and organizational measures in an effective manner. New projects involving personal data are required to carry out a privacy impact assessment to identify privacy risks and plan appropriate mitigation.
All users of personal data within Forward College must ensure that personal data are always held securely and are not disclosed to any unauthorised third party either accidentally, negligently, or intentionally.