IMP 07: Data Protection Policy
Information Classification - Public.
Purpose and Scope
The purpose of this policy is to set out how the University of Warwick ("our", "us", "we") handles the personal data of its staff, students, alumni, research participants, suppliers, website users and other relevant identifiable living individuals ("data subjects"), in compliance with applicable data protection law, including (without limitation): the Data Protection Act 2018 and the UK GDPR, as amended.
The policy covers everyone who has a contractual (formal or informal/implied) relationship with the University and any individual processing personal data on behalf of the University, including employees, students, visiting academics, and consultants. Please note that this list is not exhaustive.
For purposes of this policy, we will refer to everyone covered as "members."
The policy covers all information processed by the University, regardless of ownership or format.
The Information Commissioner's Office's (ICO's) website provides clear guidance on all key aspects of data protection for .
Roles and Responsibilities
The Chief Information Security Officer (CISO) retains overall accountability for this policy and for ensuring the Policy meets legal and regulatory requirements; for keeping this Policy up to date; and for ensuring that controls, checks, and audits are carried out as part of compliance with this Policy.
Operational Responsibilities
| Role | Function |
|---|---|
| Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators). | Responsible – for overseeing compliance with the Policy within areas of responsibility. |
| Head of Department (or equivalent). | Accountable – for compliance with this policy within Departments. |
| Information Risk and Compliance Team and DPO (with escalation to CISO). | Consult – to discuss organisational level compliance with the Policy. |
| IDG Digital Warwick Partners | Inform – must be informed of the content of the Policy to communicate it to their departments. |
The Role of the DPO
As a university, we have a responsibility as a data controller (or when acting as a joint data controller or a data processor) for: (a) complying with applicable data protection law, (b) cooperating with the ICO, (c) monitoring regulatory developments, and (d) responding to claims and paying fines issued by the ICO.
The University Council is responsible for periodically assessing our overall risk profile, and ensuring appropriate resources and processes are in place to enable effective compliance with data protection law.
The University's Data Protection Officer (DPO) is responsible for:
- advising the University on all aspects of its compliance with data protection law;
- acting as an available point of contact with the ICO on data protection matters;
- acting as an available point of contact for complaints, and in respect of claims, from data subjects; and
- monitoring our compliance with applicable data protection law, taking into account our overall risk profile, and reporting to the Audit and Risk Committee.
Data protection principles
We will ensure that all personal data related to our data subjects is:
- processed lawfully, fairly, and in a transparent manner;
- collected only for specified and legitimate purposes;
- adequate, relevant, and limited to what is necessary in relation to the purpose(s) for which it is processed;
- accurate and where necessary kept up to date;
- not kept for longer than is necessary for the purpose(s) for which the data is processed;
- processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage; and
- processed in an accountable manner, and to this end we will maintain appropriate records to demonstrate compliance with these principles.
Further guidance on the various legal bases for processing personal data can be found here: Lawful bases for processing personal data.
Privacy Notices
This policy is not, and must not be confused with, a privacy notice, which is a separate written statement informing data subjects about how their personal data is processed by us. Please find a link through to the University's respective privacy notices here.
Data protection by design and default
We are committed to the principle of data protection by design and default. By this, we mean that data protection issues are considered throughout the design and development of our projects, services, products, processes and systems, and throughout the lifecycle of relevant data processing arrangements.
Anyone initiating new activities that involve personal data in potentially novel or high-risk ways, or when existing processes change, must complete the Data Protection Impact Assessment (DPIA) process prior to commencement of these activities. If it is unclear whether the processing is novel or high-risk, the DPIA screening process should be used to assess the need for a full DPIA. Further details of the University's DPIA process can be found here and guidance on DPIAs more generally can be found on the .
The DPIA process enables the early identification, assessment and discussion of proposed data processing activities and material changes with relevant stakeholders prior to progression.
Sharing personal data with third parties
When sharing personal data with third parties, members must do so in accordance with applicable data protection law. In this regard, there is guidance in relation to putting in place appropriate data sharing agreements before any personal data is shared with or otherwise processed by third parties, which can be found here.
Transfer of personal data internationally
All personal data transfers outside of the United Kingdom and/or EEA ("international transfers") must be carried out in compliance with applicable data protection law. To this end, there is guidance on the requirements for international transfers to legitimately take place, which can be found here. Such requirements may include completing an International Transfer Impact Assessment, as well as ensuring appropriate written international data transfer agreements are in place, before any international transfers go ahead.
International transfer safeguards must be subject to ongoing review and re-evaluated no less frequently than every three years, and whenever there is a substantive change in the legal, regulatory, or operational environment affecting the transfer.
Security Measures
Appropriate security measures must be applied to personal data as prescribed by the Information Management Policy Framework.
Anonymisation/pseudonymisation
Where possible, personal data must be anonymised by default. Where anonymisation is not possible or would significantly impede University work, data must be pseudonymised. Where either anonymisation or pseudonymisation is not possible or would significantly impede University work, members must ensure that appropriate mitigations are applied to address the heightened risk profile of personal data being identifiable. Guidance on Anonymisation, Pseudonymisation and Redactions can be found here.
Breach management
We maintain a robust personal data breach management procedure, and the Data Protection Officer (DPO) is responsible for reporting qualifying breaches to the ICO within 72 hours of discovery, as required by applicable data protection law. Members are responsible for familiarising themselves with our breach management procedure and for reporting suspected or actual breaches to the Legal and Compliance team immediately on identification. Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, the DPO is also responsible for ensuring that those individuals are notified without undue delay, in accordance with legal requirements. Further information on the University's breach management process can be found here.
Training
Members are required to complete mandatory online data protection training, at least annually, in line with IMP 04 Information Management and Security Training and Awareness Policy.
Record keeping
Comprehensive and accurate records of data processing activities must be maintained by departments processing personal data. Records must be retained in line with the University's Records Retention Schedule (RRS).
Departments handling archival records, such as the Modern Records Centre, must be aware of Article 89 of the UK GDPR, which sets out requirements for handling records processed for certain purposes (e.g. archiving in the public interest, historical research, scientific research).
Data subject rights
All departments which process personal data on behalf of the university must ensure procedures and information systems enable the provision of the following data subject rights prescribed in legislation:
- right to be informed;
- right of access;
- right to rectification;
- right to erasure;
- right to restrict processing;
- right to data portability;
- right to object; and
- rights in relation to automated decision making and profiling.
Departments must also ensure that any request to exercise these rights is acted upon without undue delay. The University must meet a one-month statutory deadline to process such requests; therefore, any such requests must be notified to the central team at infocompliance@warwick.ac.uk as soon as possible to ensure compliance with the required timeframes.
Exceptions
Requests for exceptions under this policy must be submitted to the CISO, DPO or their designate. Authority to approve exception requests is delegated to the Information Risk and Compliance Team. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CISO must be notified.
This policy may have an impact on users of assistive technology or assistive software dependent on circumstances. These individual cases will be considered on a case-by-case basis.
Compliance monitoring
All members of the University are expected to comply with this document as part of the Information Management Policy Framework (IMPF). Where breaches of the IMPF present a significant risk, including those falling under Regulation 23 (Student Disciplinary Offences) and Regulation 31 (Information Management, Security and Records Management), they will be subject to the appropriate student or staff disciplinary procedure, or to the applicable contractual terms for staff not employed directly by the University or for contractors.
It is the responsibility of all members to report any instances of non-compliance to the Information Risk and Compliance Team. This can be done via the . This team monitors adherence to the IMPF using reported data and other available tools.
Where issues require escalation or further review, they will be referred to the Information Security and Data Protection Committee via the Chief Information Security Officer (CISO), and will involve either the Conduct and Resolution Team or the Employee Relations Team, as appropriate.