Data Management Policy

Introduction

Destiny College needs to keep certain information about its staff and students to allow it to monitor a range of activities including performance, achievements and health and safety. It is also necessary to process information to ensure that legal obligations to SAAS and SQA are met. To comply with the Law, information must be collected and used fairly, stored safely and not disclosed to any other person with intend or not. To do this, the College must comply with the Data Protection Principles which are set out in the Data Protection Act 1998.

Aim – To obtain, process and retain personal and academic data, either electronically or via hard copy.  To enable access to data or information held by Destiny College while protecting the data from unauthorised use, access and breaches of privacy contravening Destiny College Policy or the Government Data Protection Act 1998.  To provide a framework within which the role profiles of those who manage, maintain or use the data are defined clearly to avoid breaches and clarity of responsibility. To clearly define the use of data transfer between Destiny College and SAAS or SQA.

To do this, the College will ensure data or information is:

  • Obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met;
  • Obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
  • Adequate, relevant and not excessive for those purposes;
  • Accurate and kept up-to-date;
  • Not retained for longer than is necessary for that purpose;
  • Processed in accordance with the rights of students or staff;
  • Kept safe from unauthorised access, accidental loss or destruction;
  • Not transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

The College and all staff or volunteers who process or use any personal information must ensure that they follow these aims always. If at any time staff believe the regulations or this policy is not being adhered to, they must report this to the centre coordinator for investigation.

Actions and Responsibilities

The Centre Coordinator is expected to:

  • Enter data received from staff and students accurately
  • Check the personal details of students at time of applying, induction and certification
  • Making staff and students aware that the College cannot be held responsible for any errors or liable for cost of recertification if they are not informed of changes to personal data.
  • Making staff and student aware of the Data management policy and disseminating any changes to the policy either by change in legislation to the data protection act 1998 or by the College.
  • Any personal data which they hold is kept securely;
  • Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party; Staff should note that unauthorised disclosure will usually be a disciplinary matter and in some cases, may be considered to be gross misconduct.
  • Ensure all data held, personal or academic is kept:
    • In a locked filing cabinet
    • In a locked drawer
    • If it is computerised, be password protected
    • Kept only on disc, or external hard drive which is itself kept securely
  • Ensure that the centre is approved to offer the qualification prior to delivery
  • Ensure the correct unit and group award codes are used
  • Ensure the unit and group award entry is submitted at the same time
  • Ensure all entries are submitted as soon after candidates enrol
  • Ensure information sent to SAAS is accurate.

All staff are expected to:

Check that any information which they provide to the College about their employment is accurate and up-to-date;

  • Inform the College of any changes to the information which they have provided e.g. changes of address;
  • Ensure any personal data which they hold is kept securely
  • Ensure that personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party; Staff should note that unauthorised disclosure will usually be a disciplinary matter and in some cases, may be considered to be gross misconduct. (Appendix 1 detail investigation procedure regarding any breach)

Heads of Centre are expected to:

  • Supervise any investigation that may arise due to breach of policy.

All students are expected to:

  • Students must ensure that all personal data provided to the College is accurate and up-to-date.
  • They must ensure that changes of address, etc. are notified to the Centre Coordinator.

DATA HELD

All staff and students entitled to:

  • Know what information the College holds and processes about them and why;
  • Know how to gain access to it;
  • Know how to keep it up-to-date;
  • Know what the College is doing to comply with its obligations under the 1998 Data Protection Act.

The College will, therefore annually provide all staff and students with a data notification document which will state what data or information that it holds and processes regarding them, and the reasons for which it is processed.

RIGHT TO ACCESS

Staff and students have the right to access any personal data that is being kept about them either on computer or in hard copy files. In compliance with the Data Protection Act 1998, any person who wishes to exercise this right should complete the College “Access to Information” form (See Appendix 2a&b).  There is no charge for this on each single occasion, however the College has discretion to make a nominal charge for printing or photocopying of information and for student or staff who make multiple requests in a short period.

The correctly completed form should be passed to the Centre Coordinator. The College aims to comply with requests for access to personal information as quickly as possible, however will ensure that it is provided within 21 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the student or staff member making the request.

TRANSFER OF INFORMATION

The college can only hold, process and transfer personal data with the consent of the individual.  If the data is particularly sensitive more detailed consent must be received from the student or staff member in what can be held, processed or transferred.  During induction Staff and Students are required to complete a student agreement in which they agree to the College using their basic personal and academic data or information for college use but also for transfer to the SQA and SAAS. The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The College will only use the information in the protection of the health and safety of the individual and only transfer this information in the event of a medical emergency to emergency services.

Due to the requirements of some courses students or staff may come into contact with children, including young people between the ages of 16 and 18 and vulnerable adults over the age of 18. The College has a duty under the Children Act and other government legislation to ensure that students and staff are suitable. All students must comply with current PVG legislation, the college has a legal obligation to share information with the relevant agencies should it be requested

If staff or students refuse to sign the relevant paperwork, then the College reserves the right to withdraw the staff member from employment and the student from any course.

RETENTION OF INFORMATION

The College cannot keep Information regarding students indefinitely, unless there are specific requests to do so by relevant authorities or the SQA.
Information about students will be kept for a maximum of six years after they leave the College (two years accessible, four years in archive). This will include:

  • Name and address and contact information including email address
  • Copy of application form
  • Copies of any reference written.
  • Any forms completed by the student
  • Guidance and student support documentation
  • All financial information in relation to fees
  • Academic achievements, including marks for coursework
  • List of students registered with SQA for each qualification offered by the centre.
  • Students evidence, electronic and hard copy.
  • Student’s assessments, including the name of the assessor the location of in class assessments, date and submission and assessment decision.
  • Internal Verification activity on the students work
  • Which students certificated and claimed certificates.

DISPOSAL OF INFORMATION

After two years student data or information, which is stored in a locked filing cabinet in a locked office, will be moved into the College archive which is a locked cabinet in a locked store.  After a further four years student data or information the retention period will be lapse and information or data will be destroyed immediately by a suitable method, either by shredding, pulping or burning by the college.

APPENDIX 1

Investigations

It is understood that in certain cases the SQA may wish to allocate their own staff to join or lead an investigation. However, all investigations either internal or cases involving the SQA will adhere to the following principles:

Confidentiality – by their very nature investigations usually necessitate access to
information that is confidential to a centre or individuals. All material collected as part
of an investigation must be kept secure and not normally disclosed to any third
parties (other than the regulators or the police, where appropriate).

Impartiality – investigations will be undertaken by a senior manager and assessed against the specific facts/evidence of the case in arriving at a decision about intention and culpability.

Rights of individuals – where an individual is suspected of breach of data management they should be informed of the allegation made against them (preferably in writing) and the evidence that supports the allegation. They should be provided with the opportunity to consider their response to the allegation and submit a written statement or seek advice, if they wish to. They should also be informed of what the possible consequences could be if the breach is proven and of the possibility that other parties may be informed e.g. SQA, the police, SAAS and other professional bodies. The appeals process should also be communicated to them (Appeal process is available in the student & staff handbooks)

Staff Interviews – these interviews should be carried out in line with Centre policy and procedures. Centre staff may request that they are accompanied by a friend or
colleague and these requests should be processed in line with Centre disciplinary
policy.

Candidate Interview – where a student is to be interviewed and they are a minor or vulnerable adult, the Centre should consider the need to have a parent or
representative present or to have the permission of a parent prior to the interview
taking place.

Retention and storage of evidence and records – all relevant documents and evidence regarding any accusation should be retained for a period not in excess of 5 years. (archived after 2 years)

Decisions and action plans – all conclusions and decisions should be based on evidence. A course of proposed action should be identified, agreed between the Centre and SQA (if required), implemented and monitored to the point of completion. The actions should address the improvements that are required to the centre’s policies and procedures as well as any action that is related to staff or other resources.

Proportionality – any decision on the outcome must reflect the weight of evidence and the minor or major nature of the case – the student does not have to admit malpractice. The outcome may be referred to the Student Disciplinary Policy.

APPENDIX 2a

ACCESS TO INFORMATION – STAFF

Under the provisions of the 1998 Data Protection Act, individuals have a range of rights in connection with access and processing of data held about them. If you wish to exercise your rights, you must complete this form and pass it to the Centre Coordinator. The College aims to comply with requests for access to personal information as soon as possible, but will ensure that it is provided within 21 working days unless there is good reason for a delay. In such cases, the reason for the delay will be explained in writing to you.

I, ………………………………………………………………………………………, wish to have access to: (delete as appropriate):

All the data which the College currently has about me, either electronically or by hard copy.

Or

Data which the College has about me in the following categories – please indicate which applies:

  • Academic or employment references; Disciplinary records;
  • Health and medical matters;
  • Political, religious or trade union information;
  • Any statement of opinion about my performance or abilities;
  • Personal details including name, address, date of birth etc;
  • Other information – please specify

Signed……………………………………………………

Dated……………………………………………………

APPENDIX 2b

ACCESS TO INFORMATION – STAFF

Under the provisions of the 1998 Data Protection Act, individuals have a range of rights in connection with access and processing of data held about them. If you wish to exercise your rights, you must complete this form and pass it to the Centre Coordinator. The College aims to comply with requests for access to personal information as soon as possible, but will ensure that it is provided within 21 working days unless there is good reason for a delay. In such cases, the reason for the delay will be explained in writing to you.

I, ………………………………………………………………………………………, wish to have access to: (delete as appropriate):

All the data which the College currently has about me, either electronically or by hard copy.

Or

Data which the College has about me in the following categories – please indicate which applies:

  • Academic marks or course work details
  • Academic or employment references;
  • Disciplinary records;
  • Health and medical matters;
  • Political, religious or trade union information;
  • Any statement of opinion about my performance or abilities;
  • Personal details including name, address, date of birth etc;
  • Other information – please specify

Signed……………………………………………………

Dated……………………………………………………

X