1. Introduction

Manchester Metropolitan University (the University) is committed to protecting all personal data that we process. We ensure that our processing activities are compliant with the UK General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and associated legislation.

Whenever the University processes special categories of personal data or criminal conviction data, an Article 6 lawful basis alone is not sufficient: we must also meet a condition in Article 9 of the GDPR (for special category data) or satisfy Article 10 (for criminal conviction data).

Under the DPA, when we rely on certain of these Article 9 conditions (or on Article 10), we must additionally be able to identify a valid condition in Schedule 1, Part 1, 2 or 3 of the DPA. Section 10 of the DPA sets out which conditions carry this additional requirement, and which Part of Schedule 1 applies to each (1). These are as follows:

  • Article 9(2)(b) – Employment, social security and social protection (Schedule 1, Part 1)
  • Article 9(2)(g) – Substantial public interest (Schedule 1, Part 2)
  • Article 9(2)(h) – Health and social care (Schedule 1, Part 1)
  • Article 9(2)(i) – Public health (Schedule 1, Part 1)
  • Article 9(2)(j) – Archiving, research and statistics (Schedule 1, Part 1)
  • Article 10 – Criminal conviction data (Schedule 1, Part 1, 2 or 3)

Schedule 1, Part 4 of the DPA imposes a further requirement depending on which Schedule 1 condition is relied upon. Where both of the conditions below are met, the University must have an Appropriate Policy Document (2) in place:

  1. the University is processing personal data in reliance on one of the GDPR Article 9 or Article 10 conditions listed above; and
  2. the University is relying on a condition in Schedule 1, Part 1, 2 or 3 of the DPA which requires an appropriate policy document to be in place.

This appropriate policy document will include the following:

  • an explanation of which Schedule 1 conditions the University relies upon when processing special category data and criminal conviction data (which require an appropriate policy document to be in place);
  • an outline of the data protection principles, detailing how we comply with each;
  • a description of our Retention and Disposal Schedule.

As per the requirements of the DPA, the University will retain a copy of this Policy Document, keep it under review, and provide it to the ICO on request. We also make reference to it within our Record of Processing Activity (ROPA).

2. Relevant processing activities under Schedule 1

The University relies on the following DPA Schedule 1 conditions when processing special categories of personal data and criminal conviction data:

2.1 Conditions relating to employment, health and research

Employment, social security and social protection

The University processes personal data, including special category personal data, in connection with employment, in order to meet its obligations and exercise its rights as an employer under employment, social security and social protection law.

2.2 Substantial Public Interest Conditions

Statutory and government purposes

Fulfilling the University’s responsibilities as an educational institution, in particular providing higher education, carrying out research and publishing its results, and complying with its responsibilities under the Education Reform Act 1988 (3).

Complying with any other legal requirements, such as the requirement to disclose information in connection with legal proceedings.

Equality of opportunity or treatment

Ensuring compliance with the University’s obligations under equality legislation, principally the Equality Act 2010 (which consolidated earlier legislation such as the Sex Discrimination Act 1975 and the Equal Pay Act 1970), including fulfilling the public sector equality duty when carrying out our functions.

Preventing or detecting unlawful acts

The University processes criminal records data in connection with employment and study in order to reduce the risk to staff, students and the public. In particular, Disclosure and Barring Service (DBS) checks are conducted for the regulated professional courses that we offer, such as those within the Faculty of Education and the Faculty of Health, Psychology and Social Care. In addition, we process self-declared relevant (unspent (4)) criminal conviction data for relevant positions, in line with UCAS criteria.

Protecting the public against dishonesty

The University processes information including conviction data (outlined above) and any data generated around the Professional Standards process in connection with employment in order to protect the local community.

Regulatory requirements relating to unlawful acts and dishonesty

Complying with the University’s duties to prevent unlawful acts and dishonesty, in line with the responsibilities conferred on us by the Higher Education and Research Act 2017 and by the independent regulator, the Office for Students.

We also assist other authorities in connection with their regulatory requirements.

Preventing fraud

Disclosing personal data in accordance with arrangements made by an anti-fraud organisation or law enforcement agency, such as Action Fraud, the UK’s national fraud and cybercrime reporting centre.

Counselling 

Personal data are used by the University for the purposes of offering student and staff counselling and other welfare support services. These data are almost always collected and processed with the explicit consent of the data subject; however, in rare circumstances where a substantial public interest is identified, consent will not be the condition relied upon (for example, where there is a requirement to disclose information to the police in order to prevent or detect crime).

Insurance

The University has a requirement to indemnify itself and its students and staff against any covered losses, and to ensure that the Institution and its members have an appropriate level of protection. The University will process personal data in order to enter into relevant contracts for this purpose.

Occupational pensions

Fulfilling the University’s obligation to provide an occupational pension scheme, and determining the benefits payable to dependants of pension scheme members.

Disclosure to elected representatives

The University may share personal information with elected representatives, such as Members of Parliament or local government Councillors at the request of their constituents.

3. How the University complies with the data protection principles

Under Article 5 of the GDPR, the University must ensure compliance with the seven data protection principles. These are set out below, along with a description of how each principle is met when we process special category data. In addition, we ensure that we complete thorough Data Protection Impact Assessments. Our process stipulates that these should be completed in all instances, not solely where there is a requirement by law. This helps us to ensure that each principle is thoroughly considered and that any processing activity is compliant with the legislation.

3.1 Personal data is processed lawfully, fairly and transparently

In every case outlined above, the University ensures that:

  • there is an appropriate lawful basis in place under Article 6 and a condition under Article 9 (or Article 10) and, where required, a corresponding Schedule 1 condition under the DPA
  • the processing is fair to the data subjects
  • the processing being conducted is transparent, which is achieved through the creation and maintenance of detailed Privacy Notices – available online

3.2 Personal data is collected for specific and legitimate purposes and processed in accordance with those purposes

Personal data are only processed for limited purposes, in line with the University’s privacy notices. Personal data are not processed for other purposes without obtaining the data subject’s prior consent unless authorised by law.

3.3 Any personal data that is processed is adequate, relevant and limited to what is necessary for the stated purposes

The University only collects personal data that are relevant to its responsibilities as a Higher Education Institution. The data it holds are continually reviewed for necessity through the Record of Processing Activity.

3.4 Personal data is accurate and, where necessary, kept up-to-date

The University ensures that all personal data it holds are kept under review and checked for accuracy at every opportunity. The University fully complies with its responsibilities under GDPR Article 16 (right to rectification).

3.5 Personal data is kept for no longer than necessary

Personal data are retained in an identifiable form in line with our Retention and Disposal Schedule. The applicable retention period is clearly set out in each instance within the relevant privacy notice.

Retention periods are based on legal requirements to retain data and on service standards. They are continually reviewed by the University’s records manager and information asset owners.

3.6 Personal data are kept secure

In all cases, the data are stored securely using appropriate technical and organisational controls, and access is restricted to those staff with a ‘need to know’. The information is only shared outside of the University where there is a lawful basis to do so and where appropriate safeguards and restrictions are in place. Our information security management conforms to the ISO/IEC 27001 standard.

3.7 The Controller is responsible for, and must be able to demonstrate compliance with, the above principles (the accountability principle)

The University has a Data Protection Officer in post, supported by an Information Governance team; together they are accountable for ensuring that the organisation is aware of its responsibilities under the data protection principles and surrounding legislation. In addition, the University has detailed policies and procedures in place to ensure that appropriate

4. Retention and erasure of personal data

Personal data are retained in line with the University’s Retention and Disposal schedule. When disposing of personal data, we ensure this is carried out securely.

The University’s Record of Processing Activity contains details of the retention periods for the University’s data processing activities, together with information on the lawful basis for processing these data.

5. Cross-organisational responsibility of special category data

All the University staff are required to complete mandatory data protection training, and to comply with the University’s policies and procedures when handling personal data or special category data. There is a clear information governance structure in place, which ensures that all personal data are processed in a transparent, fair and lawful manner.

Where the University shares personal data with other controllers and processors, there are measures in place to ensure that the responsibility of each third-party organisation is clearly defined and that there is no ambiguity in how the data are processed.

There is a well-defined and mature Information Asset Owner and Information Asset Manager framework in place across the organisation. Quarterly compliance returns are completed to assess data protection compliance at a local level, and Information Governance Boards are held regularly to ensure that standards are met throughout the organisation. This is a continual cycle of review and improvement, which ensures that the University is achieving full compliance with the legislation.

References

  1. Section 10 of the DPA specifies which Part of Schedule 1 (Part 1, 2 or 3) must be met, depending on which Article 9 condition is applicable to the processing in question. The same section makes equivalent provision for cases where criminal conviction data are processed under Article 10.
  2. Part 4, Schedule 1 of the DPA
  3. As per Section 124 of the Education Reform Act 1988
  4. Under the Rehabilitation of Offenders Act 1974

Review process

The Data Protection Officer reviews this Appropriate Policy Document on a biannual basis to ensure that it remains current and relevant.

Appendix

Definitions

Consent of the data subject

Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller

The person, company, public authority (such as the University), agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Protection Act 2018

The UK legislation which, together with the UK GDPR, governs data protection

Data subject

An individual who is the subject of personal data

Information Commissioner’s Office (ICO)

The UK’s independent regulator responsible for upholding information rights and enforcing data protection legislation, see www.ico.org.uk

Personal data

Any information relating to an identified or identifiable human being (‘data subject’). An identifiable human being is one who can be identified, directly or indirectly, in particular by reference to their:

  • name
  • address
  • telephone numbers
  • identification numbers, such as a payroll number or National Insurance number
  • recordings, photographs or reproductions of a person’s voice, likeness or image
  • bank account numbers
  • medical records, attendance and sickness records
  • online identifiers (e.g. username or cookie).

or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Special categories of personal data

This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Processing

Data processing is the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

Processor

A person, company, public authority, agency or other body which processes personal data on behalf of the controller.

Third-party

A person, company, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.