Manchester Metropolitan University

Data Protection

‌At Manchester Metropolitan University we take data protection seriously, and so to help staff understand their responsibilities we will be issuing regular updates on the law and best practice.

The University is responsible for complying with the Data Protection Act 1998 (DPA) whenever personal data is processed.

Under the Data Protection Policy, all staff have a responsibility to comply with the Act in their day-to-day working. The first step staff can take to understand these responsibilities is to complete the University’s Mandatory Data Protection Training Module. The Data Protection Training Module can be accessed on Moodle (you will need to log in using your usual log-in details). To make sure your knowledge is fresh and up to date, all staff must complete the training and the associated quiz at least annually.

For staff who cannot access Moodle or would like quick access to the training content on a regular basis, a powerpoint version is available here: DP Training Module

Keeping your Data Protection knowledge is particularly important as from May 2018 the DPA will be replaced by the General Data Protection Regulation ‘the GDPR’. Please see the GDPR sub-page below for further information about what this change in the law will mean for the University.

Overview of Data Protection and Data Protection Training

The Data Protection Act 1998 applies to anything you do with personal data, such as accessing, sharing, analysing, storing and archiving it etc. The University is a Data Controller which means the University is responsible for compliance with the Act. Under the University’s Data Protection Policy, all staff have responsibility for complying with the Act in their day-to-day working.

There are eight key principles to the Data Protection Act:

To help you understand your responsibilities under the Data Protection Act 1998, all staff must complete the University’s online Data Protection training module annually. The training module can be accessed on the University’s Staff Moodle site, under the Staff Resources area. The deadline for completion of the training is the end of the academic year and staff must retake the test annually. You can also refer to the University’s Data Protection Factsheet for an introduction to the Data Protection Act 1998.

For more practical guidance on Data Protection, please refer to the Staff Guidance Handling Personal Data.

Internal Access Control For Personal Data

All staff are responsible for protecting personal data and complying with the Act in their day to day duties. Below are the key rules for access control over personal data and internal sharing of personal data:

  1. Only share personal data with individuals or other teams if they have a genuine business need to access the data and only share the minimum amount of personal data necessary for their business need.

  2. Make sure systems which store personal data can only be accessed by individuals with a business need for accessing the data. For example, you can make sure shared mailboxes are only accessible by those who require access or save records in folders with restricted access. Contact ICT if you require assistance with putting these measures in place.

  3. If the new team or individual has not previously had access to the data, make sure you inform your Head of Team or Deputy Director and consider whether a Privacy Impact Assessment (see PIA section below).

  4. When you share personal data internally, make sure you inform the other team or individual that the personal data should only be retained for as long as necessary for their purpose.

  5. If you need to transfer personal data from one system to another please ensure that the transfer method is sufficiently secure to protect the data whilst in transit. If you are sending by email please ensure you password protect the dataset. You can contact ICT for advice on secure methods of transferring the data.

  6. Make sure you double-check the email address before sending out an email with personal data even internally. For teams which frequently share high volumes of personal data or regularly work with sensitive personal data it is advisable to turn off your email auto-complete function. (You can do this by going to ‘File’ in the Menu, selecting ‘Options’ then the ‘Mail Tab’. Scroll down to ‘Send Messages and uncheck the use auto-complete list).

External Data Sharing

A contract must always be used where you are instructing another organisation to process personal data on our behalf (either personal data which the University disclose or where the University instruct another organisation to collect personal data on our behalf). That contract will need to include appropriate measures to protect the security of the personal data in question. Please refer to Legal Services for advice on putting in place a contract: legal@mmu.ac.uk.

An Information Processing Agreement may be needed in addition to a contract where there is a regular exchange of personal data, a disclosure of a high volume of personal data or of sensitive personal data. Please refer to Legal Services for advice on using the University’s Information Processing Agreement template. The need for an Information Processing Agreement may already have been identified by undertaking a Privacy Impact Assessment (see section above).

One-Off Disclosures

In some cases, you might be asked to make a one-off disclosure of someone’s personal data to another individual. Before you do so, it is important to consider whether you have a lawful basis for doing so (such as consent). Tips for handling common requests of this nature are below:

Report a Personal Data Breach

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Data means information in any form papers records, emails, faxes etc.

The definition of personal data can be complex and in the event of a breach it is safest to assume any information about a living individual is personal data and may include;

A personal data breach means a breach or absence of a technological or organisational measure designed to protect the security of personal data. A breach of a technological measure could include a failure to encrypt a mobile device storing sensitive personal data. A breach of an organisational measure could involve a staff member inappropriately accessing personal data due to inadequate processes governing access control or personal data being disclosed to an unintended recipient.

Under the University’s Personal Data Breach Reporting procedure all actual or potential personal data breaches must be reported immediately to Legal Services. Breaches must report a breach by email to dataprotection@mmu.ac.uk copying to legal@mmu.ac.uk. Please make sure you include your contact details (including phone number) in your email.

A loss of a mobile device such as a laptop or mobile device should be reported to the IT Helpdesk on: 0161 247 4646. The theft or suspected theft of such devices must be reported, by the User of the device, to the IT Helpdesk on 0161 247 4646 and the University Security team on 0161 247 1334/3545. If a personal data breach occurs out of hours please contact d.worrall@mmu.ac.uk and s.shanab@mmu.ac.uk. Out of office hours means any time after 5pm Monday - Friday or anytime Saturday or Sunday.

Data Protection Rights

Privacy Impact Assessments

Privacy Impact Assessments (PIA) are an integral part of taking a Privacy by Design approach to processing of personal data.

‘Privacy by Design’ require that organisations consider privacy issues at the outset of projects, processes or systems which involve the processing of personal data and identify measures to mitigate risks to individuals’ privacy rights. A PIA will help you identify the privacy risks or considerations associated with a project and to put in place plans to mitigate any such risks.

All Heads of Teams or Deputy Directors have responsibility for ensuring that their team undertake a PIA where required. The Heads of Team can delegate completion of the PIA to a team member but will need to provide approval for the completed PIA.

PIA’s should be completed in consultation with Legal Services and, where appropriate, Information Security colleagues. Although those teams do not complete the PIA, Legal Services and Information Security can provide advice and support on identifying risks and appropriate mitigating measures. In the first instance, please contact legal@mmu.ac.uk for assistance on completing a PIA. 

To identify whether a PIA is required please complete the University’s PIA Screening Questionnaire. If you answer yes to any of the question in the Screening Questionnaire then the University’s Privacy impact assessment will need to be completed. 

Please note Legal Services can provide support and advice on completing a PIA and Information Security colleagues can advise on the information security measures which may be required to reduce any identified privacy risks

It is important to note that it will become a legal requirement to undertake PIAs for ‘high risk’ processing activities once the General Data Protection Regulation is in force in May 2018. For further detail about the change in law please refer to the section below on the General Data Protection Regulation.

For Students And the Public

The University’s Data Protection Policy is available here

The University’s Data Protection Notice to Students can be accessed here. This notice gives students information about how and why the University uses your personal data whilst you are studying with us.

The University is registered as a Data Controller with the Information Commissioner, the regulator of Data Protection matters. The University’s registration number is Z5710637 . Our registration notice, which provides further information about how we process personal data, can be viewed on the ICO’s website.

Individuals have a number of rights in relation to your personal data including;

The ICO’s website provides further information on scope of these rights and how to exercise them.

Students: If you wish to exercise one of your rights in relation to your personal data please contact: dataprotection@mmu.ac.uk. Please note if you are seeking access to our personal data (a Subject Access Request), then you can use our  request for personal data access form 

to help structure your request. There is a £10 fee for subject access requests and we may require you to confirm your identity. Your request can be delivered to Legal (Legal Department, Financial and Legal Services, 2nd Floor, All Saints Building, M15 6BH) or emailed to dataprotection@mmu.ac.uk.

Other members of the public: If you wish to exercise one of your rights in relation to your personal data please contact the postal or email address above. You may find it useful to use our access to information form for members of the public available here. There will be a £10 fee for making a subject access request and we may require you to confirm your identity.

General Data Protection Regulation

The General Data Protection Regulation will come into force in May 2018 and will supersede the Data Protection Act 1998. The GDPR is very likely to come into force before the U.K’s exit from the European Union and the U.K Government confirmed their intention o implement domestic legislation which mirrors the GDPR.The GDPR will comprise of substantial changes to the way organisations such as the University process personal data. Although much of the basic framework in the DPA will remain, the obligations imposed under the GDPR are stricter, more process driven and require organisations to think about privacy issues at the outset of a project or initiative.

The key changes introduced the GDPR are as follows;