At Manchester Metropolitan University we take data protection seriously, and so to help staff understand their responsibilities we will be issuing regular updates on the law and best practice.
The University is responsible for complying with the Data Protection Act 1998 (DPA) whenever personal data is processed. From 25 May 2018, the DPA will be replaced by the General Data Protection Regulation ('GDPR'). The GDPR introduces more stringent requirements in relation to personal data and stricter fines for breaches of the law.
Under the University's Data Protection Policy, all staff have responsibility for data protection compliance in their day-to-day work. To keep up to date with these responsibilities, staff must complete the University's Mandatory Data Protection Training Module on an annual basis.
The training module is available here: DP Training Module.
To complete the training you must also take the Data Protection Quiz.
You will need to log in using the following details:
Password: your MMU network password
The DPA and GDPR apply whenever you do anything with personal data (e.g. share, access, destroy, analyse or store it). Personal data is any information from which an individual can be identified, either from that data alone or when that data is combined with other data. Examples of personal data include names, student ID numbers and IP addresses. For further guidance please refer to the Information Commissioner's guidance on determining what is personal data.
The DPA and GDPR are both centred on key data protection principles:
The Information Commissioner's Office (ICO) is the regulator for Data Protection matters and can issue fines for breaches of the law. From 25 May 2018, the maximum fine for breaching the GDPR will be 20 million euros or 4% of the University's annual turnover (whichever is higher). For more detailed guidance on Data Protection, please refer to the Staff Guidance on Handling Personal Data or the sections below.
Under the University's Data Protection Policy, all staff are responsible for Data Protection compliance in their daily duties.
Legal Services are responsible for providing advice and guidance on Data Protection compliance (see key contacts section below). Legal Services are also responsible for Records Management policy and work closely with the University's Information Security team.
Alongside the above teams, the University has implemented an Information Governance structure of Information Asset Owners and Information Asset Managers. IAOs are appointed at senior leadership level and IAMs at the head of team level. Both IAOs and IAMs are responsible for understanding what information is held in their areas, monitoring and communicating risks to Legal and Information Security and promoting Information Governance compliance in their area.
A list of IAOs and IAMs is below:
All staff are responsible for data protection compliance in their day-to-day duties. Below are the key rules for access control over personal data and internal sharing of personal data:
1. Only share personal data with individuals or other teams if they have a genuine business need to access the data and only share the minimum amount of personal data necessary.
2. Make sure systems which store personal data can only be accessed by individuals with a business need for accessing the data. For example, you can make sure shared mailboxes are only accessible by those who require access or save records in folders with restricted access. Contact Information Security (email@example.com) if you require assistance with putting these measures in place.
3. If the new team or individual has not previously had access to the data, make sure you inform your Head of Team or Deputy Director and consider whether a Privacy Impact Assessment is required (see PIA section below).
4. When you share personal data internally, make sure you inform the other team or individual that the personal data should only be retained for as long as necessary for their purpose.
5. If you are emailing a high volume of personal data or any sensitive personal data, it is advised that you remove the data from the body of your email and include it in a password protected or encrypted attachment. Send the password separately (e.g. by phone or in a separate message), never in the same email as the attachment. You can find instructions on how to password protect and/or encrypt documents here.
6. Make sure you double-check the email address before sending out an email containing personal data, even internally. Auto-complete is a common cause of mis-directed emails, so for teams which frequently share high volumes of personal data or regularly work with sensitive personal data it is advisable to turn off the email auto-complete function. (In Outlook, go to ‘File’ in the menu, select ‘Options’, then the ‘Mail’ tab. Scroll down to ‘Send messages’ and untick ‘Use Auto-Complete List’.)
7. You may also find it useful to refer to the instructions on how to recall emails and the instructions on how to set a delay on delivery of your emails (e.g. so that messages are held in your Outbox for 5 minutes after you press send, giving you time to correct a mistake). Note that recall only works for recipients on the University's own email system and only if the recipient has not already opened the message, so a delivery delay is the more reliable safeguard.
A written contract must always be used where you are instructing another organisation to process personal data on our behalf (either personal data which the University discloses or where the University instructs another organisation to collect personal data on our behalf). That contract will need to include appropriate measures to protect the security of the personal data in question. Please refer to Legal Services for advice on putting in place a contract: firstname.lastname@example.org.
An Information Processing Agreement may be needed in addition to a contract where there is a regular exchange of personal data, a disclosure of a high volume of personal data, or a disclosure of sensitive personal data. Please refer to Legal Services for advice on using the University’s Information Processing Agreement template. The need for an Information Processing Agreement may already have been identified by undertaking a Privacy Impact Assessment (see PIA section below).
In some cases, you might be asked to make a one-off disclosure of someone’s personal data to another individual. Before you do so, it is important to consider whether you have a lawful basis for disclosing (such as consent). Tips for handling common requests of this nature are below:
1. Requests for personal data from the police should be referred to Legal Services via email@example.com. If an urgent request is made out of office hours (e.g. involving immediate risk of harm) please refer to the University Security team on: 0161 247 1334/3545
2. Requests from local authorities for the purpose of assessing council tax exemption can be answered. The request must confirm why the information is required, be in writing and be from an official local authority email address. Only basic details such as name, address and course dates should be made available in response.
3. We don’t usually release students' personal data to parents without a student’s consent, unless there are emergency circumstances. If you are in doubt about whether to make a disclosure contact Legal Services: firstname.lastname@example.org
4. Make sure you double-check the email address before sending out an email containing personal data. For teams which share high volumes of personal data or regularly work with sensitive personal data it is advisable to turn off email auto-complete. (In Outlook, go to 'File' in the menu, select 'Options', then the 'Mail' tab. Scroll down to 'Send messages' and untick 'Use Auto-Complete List'.)
5. We also advise that you remove any personal data from the body of the email and instead include it in a password protected or encrypted attachment. Remember to communicate your password separately. You can refer to instructions on how to password protect and encrypt here.
Personal Data Breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. Data means information in any form: paper records, emails, faxes, etc.
The definition of personal data can be complex and in the event of a breach it is safest to assume that any information about a living individual is personal data. It may include:
Examples of personal data breaches include:
Under the University’s Personal Data Breach Reporting procedure all actual or potential personal data breaches must be reported immediately to Legal Services. You must report a breach by email to email@example.com, copying in firstname.lastname@example.org. Please make sure you include your contact details (including a phone number) in your email. Prompt reporting matters: from 25 May 2018 the GDPR requires the University to notify the ICO of a reportable breach within 72 hours of becoming aware of it, and that clock starts when any member of staff becomes aware, not when Legal Services does. If a personal data breach occurs out of hours then please contact email@example.com and firstname.lastname@example.org. Out of office hours means any time after 5pm Monday to Friday or any time on Saturday or Sunday.
Loss of IT Equipment
The loss of a mobile device such as a laptop or phone should be reported to the IT Helpdesk on 0161 247 4646. The theft or suspected theft of such a device must be reported, by the user of the device, to the IT Helpdesk on 0161 247 4646 and to the University Security team on 0161 247 1334/3545. Report promptly even if the device is encrypted, so that remote wipe and account lock-out can be actioned.
Information Security Incident
There can be other types of incidents which affect the security of information other than personal data. If you need to report an information security incident which does not involve personal data then please contact the Information Security team: email@example.com. The Information Security webpage provides further information on the reporting and handling procedures for such incidents.
Privacy Impact Assessments (PIAs) are an integral part of taking a Privacy by Design approach to the processing of personal data.
‘Privacy by Design’ requires that organisations consider privacy issues at the outset of projects, processes or systems which involve the processing of personal data, and identify measures to mitigate risks to individuals’ privacy rights. A PIA will help you identify the privacy risks or considerations associated with a project and put in place plans to mitigate any such risks.
All Heads of Team or Deputy Directors have responsibility for ensuring that their team undertakes a PIA where required. The Head of Team can delegate completion of the PIA to a team member but may need to provide approval for the completed PIA.
PIAs should be completed in consultation with Legal Services and, where appropriate, Information Security colleagues. Although those teams do not complete the PIA, Legal Services and Information Security can provide advice and support on identifying risks and appropriate mitigating measures. In the first instance, please contact firstname.lastname@example.org for assistance on completing a PIA.
To identify whether a PIA is required please complete the University’s PIA Screening Questionnaire. If you answer yes to any of the questions in the Screening Questionnaire then the University’s Privacy Impact Assessment template will need to be completed.
Please note Legal Services can provide support and advice on completing a PIA, and Information Security colleagues can advise on the information security measures which may be required to reduce any identified privacy risks.
It is important to note that it will become a legal requirement to undertake PIAs (referred to in the GDPR as Data Protection Impact Assessments, or DPIAs) for ‘high risk’ processing activities once the General Data Protection Regulation is in force in May 2018. For further detail about the change in law please refer to the section below on the General Data Protection Regulation.
The University’s Data Protection Policy is available here.
The University’s Data Protection Notice to Students can be accessed here. This notice gives students information about how and why the University uses your personal data whilst you are studying with us.
The University is registered as a Data Controller with the Information Commissioner, the regulator of Data Protection matters. The University’s registration number is Z5710637. Our registration notice, which provides further information about how we process personal data, can be viewed on the ICO’s website.
Individuals have a number of rights in relation to their personal data, including:
The ICO’s website provides further information on the scope of these rights and how to exercise them.
Students: If you wish to exercise one of your rights in relation to your personal data please contact: email@example.com. Please note that if you are seeking access to your personal data (a Subject Access Request), you can use our request for personal data access form to help structure your request. There is a £10 fee for subject access requests and we may require you to confirm your identity. Your request can be delivered to Legal (Legal Department, Financial and Legal Services, 2nd Floor, All Saints Building, M15 6BH) or emailed to firstname.lastname@example.org.
Other members of the public: If you wish to exercise one of your rights in relation to your personal data please contact the postal or email address above. You may find it useful to use our access to information form for members of the public available here. There will be a £10 fee for making a subject access request and we may require you to confirm your identity.
Under the GDPR and DPA appropriate security measures must be in place to protect personal data. Please refer to the University's Information Classification Scheme to identify the measures you need to implement to protect data. If you require further advice please contact: email@example.com.
Paper records containing personal data must be stored on University premises in securely locked rooms or cabinets.
Staff storing data on the University network (e.g. R-Drive, SAP and QLS) must ensure that access to the data is restricted to only those teams or individuals who need to see it.
Many teams will also use cloud hosting services to store records containing personal data. It is vital, however, that the University has a written contract in place with the cloud hosting provider which has been approved by the Legal team before any personal data is uploaded. Examples of University-approved cloud hosted systems include Moodle, Office 365 and SharePoint. Please refer to the University's Data Storage Control Procedure for more information.
Personal data must only be retained for as long as necessary, after which it must be securely destroyed. The University's Records Retention and Disposal Schedule sets out the retention periods for records containing personal data and/or other types of information. Please ensure you dispose of records in line with this Schedule.
It is important to remember that your emails may also contain personal data, and they too must be deleted once you no longer need them.
Direct marketing is communication to individuals (or organisations) of material promoting the University's courses, events, services or objectives. In data protection terms, direct marketing is governed by the DPA, GDPR and Privacy and Electronic Communications Regulations. These laws govern when you need consent to send direct marketing, what type of consent you need and give individuals the automatic right to request that you stop sending them direct marketing.
The rules differ slightly depending on whether we are marketing to individuals in their personal capacity or to organisations or individuals in their professional capacity.
Business to Business Direct Marketing
The note below provides guidance on the data protection requirements for sending direct marketing to organisations and to individuals in their professional capacity.
Direct Marketing to Individuals
Guidance note coming soon
Content coming soon
Michelle Gretton (FOI and DPA Officer): firstname.lastname@example.org
David Worrall (Acting General Counsel): email@example.com
Laura Jones (Solicitor): firstname.lastname@example.org
For advice please contact email@example.com or refer to the Records Management webpage.
Tom Stoddart (Information Security Manager): firstname.lastname@example.org
Angela Crook (Information Governance Specialist): email@example.com