ENSA is committed to the protection of the personal data of students, employees, suppliers and other individuals about whom we might hold information.
ENSA recognises the General Data Protection Regulations, UK Data Protection legislation and the Privacy of Electronic Communications Regulations (PECR) as the primary statutory responsibilities relating to data handling and processing.
To this end, every individual employee, student volunteer, member, or contractor handling data collected or administered by ENSA must take responsibility and due consideration for its appropriate use in line with this policy and the declared processing activities. The specific arrangements for handling, processing and administering data can be found at www.napierstudents.com/privacy.
These arrangements apply to all employees and volunteers, and are overseen by the nominated Data Protection Officer reporting to ENSA’s management team and Trustee Board. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to the Association’s facilities being withdrawn, or even criminal prosecution. It may also result in personal liability for the individual.
Any questions or concerns about the interpretation or operation of this policy should be taken up with the Data Protection Officer.
Responsibilities
Students, suppliers and contractors
Students, suppliers and contractors must ensure that all personal data provided to ENSA is accurate and up to date, and that they have read and understood the relevant terms and conditions of engagement with the Association. They must ensure that changes of address, etc., are updated on the appropriate systems by contacting the relevant staff detailed in the privacy notice at www.napierstudents.com/privacy.
Student volunteers
Club and Society Office Holders, committee members, representatives and other student volunteers may handle personal data to administer their activities and services. Students handling such data are required to have completed the relevant training prior to receiving permission to handle any personal data related to ENSA activities and services. When handling personal data, students are required to follow the guidance set out in the ENSA Data Protection Code of Practice, including the reporting of data breaches, respecting the rights of individuals and secure processing procedures. Details of the training course and handbook can be found at www.napierstudents.com/privacy.
ENSA employees
ENSA holds various items of personal data about its employees which are detailed in the relevant privacy notice at www.napierstudents.com/privacy. Employees must ensure that all personal data provided to ENSA in the process of employment is accurate and up to date. They must ensure that changes of address, etc., are updated by contacting their line manager.
In the course of day-to-day working it is likely that staff will process individual personal data. Prior to handling any data, staff are required to have completed the relevant training course. In addition, staff must maintain a current knowledge of data processing best practice through refresher courses and learning available on the Information Commissioner's Office website at www.ico.co.uk. When handling personal data, staff are required to follow the guidance set out in the ENSA Data Protection Code of Practice, details of which can be found at www.napierstudents.com/privacy.
ENSA Managers and Project Leads
ENSA Managers and Project Leads must ensure that staff handling data in the course of their roles have completed the appropriate training, are processing data within the frameworks agreed and are following the guidance set out in the ENSA Data Protection Code of Practice. Managers are also required to conduct termly audits of their relevant spaces and IT infrastructure to identify possible weaknesses in information security.
The ENSA Management Team is required to demonstrate ownership of the Association’s data protection policy and to communicate its values across ENSA. This accountability cannot be delegated; however, operational aspects of data protection management may be delegated to other members of staff. The ENSA Management Team must gain assurance that these responsibilities are being fulfilled and ensure that resources are available to fulfil the requirements of this policy and associated procedures.
Data Protection Officer
The Data Protection Officer is responsible for:
- informing and advising the organisation and its employees about their obligations to comply with the Data Protection legislation and other data protection laws;
- monitoring compliance with the Data Protection legislation and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits;
- acting as the first point of contact for supervisory authorities and for individuals whose data is processed (students, employees, customers, etc.).
The Data Protection Officer is delegated authority by the General Manager to carry out their role with the resources required to be effective in the protection and security of the individual data the organisation handles.
The Data Protection Officer shall be assigned the dataprotection@napierstudents.com email address.
Trustee Board
The ENSA Trustee Board has overall accountability for the strategy of the Association and is responsible for strategic oversight of all matters related to statutory legal compliance and risk for ENSA. The Trustee Board should seek assurance from the ENSA Management Team that effective arrangements are in place and are working.
Compliance
Respecting Individuals' Rights
Data Protection legislation sets out a series of rights for individuals. ENSA employees and volunteers planning data processing activities must record how these rights are addressed. The ENSA Data Protection Code of Practice details the rights and the organisation’s standardised processes to meet these individual rights.
Processing Special Categories of Data
ENSA shall only process special categories of data linked to individuals, such as health data, religious beliefs and sexual orientation, with the consent of the individuals concerned, except where the disclosure is to preserve life or for legal purposes. This data may be analysed in broad terms where no direct link to an individual can be made.
Subject Access Requests
The ENSA Data Protection Code of Practice details the procedures on how subject access requests must be handled. As standard, ENSA does not charge to comply with access requests and will refuse manifestly unfounded or excessive requests. Any individual or department receiving a Subject Access Request must share this with the Data Protection Officer within 5 working days. The Data Protection Officer shall respond to the request within one month of initial receipt.
Lawful Data Processing
ENSA shall only process data within the law. Where a lawful process has been identified, ENSA employees and volunteers must make a record of the lawful justification within the privacy notice. The ENSA Data Protection Code of Practice details the procedures on how to record the lawful processing justification.
Children
ENSA staff and volunteers shall not normally process data relating to any individual aged under 16. Where there is a requirement to process the data of a child, the Data Protection Officer shall be responsible for ensuring the processing is robustly compliant with Data Protection legislation standards.
Data Breaches
ENSA shall adopt processes to detect data breaches including audits and other appropriate processes. Employees and volunteers shall report and investigate data breaches as outlined in the Cyber Incident Response Plan (CIRP) contained within the ENSA Data Protection Code of Practice.
Where an employee, volunteer, supplier or contractor discovers a data breach, they must report this to the Data Protection Officer within 24 hours. The Information Commissioner’s Office shall be notified within 72 hours of the breach where there is a risk to the rights and freedoms of individuals, such as discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where there is a high risk to the rights and freedoms of individuals, the individuals concerned shall also be notified directly. The reporting procedures are detailed in the ENSA Data Protection Code of Practice.
Data Protection by Design
Employees and volunteers are required to adopt a ‘privacy by design’ approach to planning data collection and processing. In addition to data collection records, Privacy Impact Assessments (PIAs) and, where appropriate, Legitimate Interest Assessments (LIAs) shall be completed prior to any data collection or processing. Details of how to conduct PIAs and LIAs are contained within the ENSA Data Protection Code of Practice.
Information Security
Data Storage
Electronically stored personal data must be stored in an encrypted or password-protected form to protect against unauthorised access or processing. Physical representations of data, such as paper forms or USB memory sticks, must be stored within a locked storage unit. When no longer needed, electronic copies should be deleted and any paper copies securely destroyed.
Vital records for the purposes of business continuity must be protected from loss, destruction or falsification by ENSA employees, in accordance with statutory, regulatory, contractual, and ENSA Policy requirements.
ENSA has 3 primary platforms for securely storing data online: the Edinburgh Napier University servers (H:// drives and SharePoint), the Memberships Solutions Limited servers and the Sage Accountancy & Payroll systems. Staff and volunteers are required to store the data they handle on one of these platforms only, as detailed within the ENSA Data Protection Code of Practice.
Appropriate measures to store and retrieve a duplicate set of data, such as RAID arrays or mirror servers, must be explicitly identified in any data sharing agreements, or service level contracts, for systems used to store personal data, to ensure that the risk of loss or damage is minimised.
Due to limited resources, maintaining back-up copies of all physical representations of data is not practicable for ENSA; therefore, access control measures must also ensure that manual personal data is kept in an appropriately secure environment where the risk of loss or damage is minimised.
Explicit permission from line management must be obtained before removing restricted information, including personal data and confidential information, from ENSA premises. Restricted information processed on portable devices and media must be encrypted. The password to an encrypted device must not be stored with the device.
Third Party Contracts
ENSA may transfer data to third parties for processing in line with the guidance contained within the ENSA Data Protection Code of Practice. Prior to any data transfer, a contract to ensure compliance with relevant legislation must be in place, with oversight by the Data Protection Officer.
IT Systems
Employees and volunteers must undertake the relevant training to ensure sufficient security awareness. Employees and volunteers must make their best efforts to protect their identity by using a strong password. Account passwords and usernames must not be shared without authorisation from organisational managers.
Digital equipment and media containing information must be secured against theft, loss or unauthorised access when outside ENSA premises. In addition, all digital equipment and media must be disposed of securely and safely when no longer required - the ENSA Data Protection Code of Practice outlines the appropriate procedures.
Policy Monitoring
Compliance with the policies and procedures laid down in this document will be monitored by the ENSA Management Team, together with reviews by the Trustee Board. The Data Protection Officer is responsible for the monitoring, revision and updating of this document on a 3-yearly basis, or sooner if the need arises.