Ulster University Appropriate Policy Document

The University processes a variety of personal data about various groups of individuals, including but not limited to prospective, current and former students, alumni, current, prospective and former employees and board members. This personal data is used for a variety of purposes in the administration of the University and the discharge of its public task.

The University actively seeks to preserve the privacy rights of those individuals that share information with the University.  The personal data which you provide to the University will be processed in accordance with UK data protection legislation, specifically UK GDPR and the Data Protection Act 2018 (DPA 2018).

In some instances, the University is required to process Special Category Data and Criminal Offence Data. These types of data are afforded additional protection under the DPA 2018 and UK GDPR and the University can only process it if and when certain conditions are met.

Part 4, Schedule 1 of the DPA 2018 outlines the requirement for organisations to have an appropriate policy document when processing Special Category Data and Criminal Offence Data, to enable them to demonstrate that the conditions comprised within sections 10, 11 and Schedule 1 of the DPA 2018 are met. The purpose of this appropriate policy document is to fulfil that requirement.

This appropriate policy document complements the University’s Data Protection Policy and Privacy Notices and provides detail of how the University processes special category data and criminal offence data at a more granular level.

This document will also supplement our Privacy Notices when processing under conditions that do not require an Appropriate Policy Document.

Special Category Data

Special category data is defined at Article 9 of the UK GDPR as personal data revealing:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Biometric data;
  • Data concerning health; or
  • Data concerning a natural person’s sex life or sexual orientation.

Criminal Offence Data

Article 10 of the UK GDPR covers processing in relation to criminal convictions and offences or related security measures.  The UK GDPR specifically refers to “personal data relating to criminal convictions and offences or related security measures”. This covers a wide range of information about criminal activity, allegations, investigations and proceedings. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.

Conditions for processing special category and criminal offence data

When processing special category data, the University will ensure it has identified its lawful basis for processing as set out in Articles 9(2) and 10 of the UK GDPR including:

  • Article 9(2)(a) – Explicit consent;
  • Article 9(2)(b) – For employment, social security and social protection purposes;
  • Article 9(2)(c) – Where processing is necessary to protect the vital interests of the data subject or of another natural person;
  • Article 9(2)(g) – For reasons of substantial public interest;
  • Article 9(2)(f) – For the establishment, exercise or defence of legal claims.

The University processes criminal offence data under Article 10 of the UK GDPR.

Processing which requires an Appropriate Policy Document

Almost all of the substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018, plus the condition for processing employment, social security and social protection data, require an Appropriate Policy Document. This document demonstrates that the University’s processing of special category and criminal offence data under the DPA 2018 conditions is compliant with the Article 5 principles.

Description of data processed

The University processes special category data about our employees that is necessary to fulfil our obligations as an employer.  This includes information about their health and wellbeing, ethnicity and their membership of a trade union.  Further information for employees about this processing can be found in our Employee Privacy Notice.

The University processes special category data and criminal offence data (where applicable) about our students to fulfil our core business activities of teaching and learning.  Further information about this processing can be found in our Student Privacy Notice.

Schedule 1 Conditions for Processing

  1. Special Category Data

    We process special category data for the following purposes in Part 1 of Schedule 1:

    • Conditions Relating to Employment, Social Security and Social Protection

    The University processes a variety of information about prospective, current and former employees for employment purposes. Such information may comprise special category data.

    It is not appropriate to obtain consent for this processing because consent cannot be freely given or withdrawn; the University therefore relies on the condition of employment, social security and social protection at paragraph 1, Part 1, Schedule 1 of the DPA 2018 for such processing.

    Substantial Public Interest Conditions

    • Statutory and government purposes

    The University is legally required to provide some Special Category Data about staff and students to external organisations for statutory returns and reports, such as the data provided to the Higher Education Statistics Agency (HESA) and the Department for the Economy (DfE).

    • Equal Opportunity or treatment

    In recognition of the importance of ensuring equality of opportunity and treatment throughout the organisation and in compliance with equality and diversity legislation, processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment.

    • Preventing or detecting unlawful acts

    The University Processes Criminal Offence Data to enable it to manage any potential risks to the University community and campus to prevent or detect unlawful acts. The University relies upon the condition at paragraph 10, Part 2, Schedule 1 of the DPA 2018 for such processing.

    Any Criminal Offence Data or Personal Data disclosed for the purposes of preventing or detecting unlawful acts is shared securely, and only the minimum amount of information necessary is disclosed.

    • Preventing fraud

    Disclosing personal data in accordance with arrangements made by an anti-fraud organisation.

    • Insurance

    Processing of personal data which is necessary for an insurance purpose and for reasons of substantial public interest, where the University cannot reasonably be expected to obtain consent from the Data Subject.

  2. Criminal Offence Data

The University processes criminal offence data for the following purposes in Part 2 of Schedule 1:

  • Preventing or detecting unlawful acts

The University processes Criminal Offence Data to enable it to manage any potential risks to the University community and campus to prevent or detect unlawful acts.

  • Safeguarding of children and of individuals at risk

It is necessary to process Criminal Offence Data to safeguard children and individuals at risk against neglect, physical, mental or emotional harm and protect them from such harm.  Such processing enables the University to identify and manage any potential risks to the University community and campus.

For further information about the University’s Safeguarding policy and procedures, please visit Safeguarding vulnerable groups (ulster.ac.uk).

Procedures for ensuring compliance with the principles

Article 5 of the UK GDPR sets out the data protection principles. The University complies with the principles relating to Processing of Personal Data, which require personal data to be:

  • Processed lawfully, fairly and in a transparent manner (“Lawfulness, Fairness and Transparency”);
  • collected only for specified, explicit and legitimate purposes (“Purpose Limitation”);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (“Data Minimisation”);
  • accurate and where necessary kept up to date (“Accuracy”);
  • not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (“Storage Limitation”); and
  • Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (“Security, Integrity and Confidentiality”).

These are our procedures for ensuring that we comply with the principles.

Principle (a): Lawfulness, Fairness and Transparency

Processing personal data must be lawful, fair and transparent. The University provides clear and transparent information about why we process personal data including our lawful basis for processing in our privacy notices and this policy document.

Our processing for the purposes of employment relates to our obligations as an employer.

Our processing for purposes of substantial public interest is necessary in order for the University to carry out its functions.

The University will:

  • ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful.
  • only process personal data fairly and for the purposes disclosed to the data subject.
  • ensure that data subjects receive full privacy information so that any processing of personal data is transparent.

Principle (b): Purpose Limitation

The University will ensure that personal data is collected for specified, explicit and legitimate purposes and not further processed for purposes incompatible with the original purpose it was collected for.

The University will:

  • only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice at the point of data collection and on our website.
  • not use personal data outside of the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform and seek the consent of the data subject first.

Principle (c): Data Minimisation

The University collects personal data necessary for the relevant purposes and ensures it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us, but is not relevant to our stated purposes, we will erase it.

The University will:

  • Only collect the minimum personal data required for the purpose for which it is collected.
  • Ensure that the personal data collected is adequate and relevant.

Principle (d): Accuracy

If the University becomes aware that personal data is inaccurate or out of date, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, for example because the lawful basis we rely on to process the data means these rights don’t apply, we will document our decision.

The University will:

  • Ensure that personal data is accurate and kept up to date where necessary.
  • When updated information is received, confirm the identity of the individual and update the information where necessary.

Principle (e): Storage Limitation

All special category data processed by us for the purpose of employment or substantial public interest is, unless retained longer for archiving purposes, retained for the periods set out in our Records Retention and Disposal Schedule. We determine the retention period for this data based on our legal obligations and the necessity of its retention for our business needs. Our retention schedule is reviewed regularly and updated when necessary.

The University will:

  • Only keep personal data in an identifiable form as long as necessary for the purpose for which it is collected.
  • Delete or pseudonymise the data once the retention period has elapsed.

Principle (f): Integrity and Confidentiality (Security)

Personal Data shall be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The University implements and maintains reasonable and appropriate security measures against unlawful or unauthorised Processing of Personal Data and against the accidental loss of or damage to Personal Data.

Accountability Principle

The University will be responsible for and demonstrate its compliance with the above data protection principles.

The University shall:

  • ensure that records are kept of all Personal Data Processing activities, and that these are provided to the Information Commissioner on request;
  • carry out a DPIA for any high-risk Personal Data Processing to understand how Processing may affect Data Subjects and consult the Information Commissioner if appropriate;
  • ensure that a DPO is appointed to provide independent advice and monitoring of Personal Data handling, and that the DPO has access to the highest management level for reporting purposes; and
  • have internal processes to ensure that Personal Data is only collected, used or handled in a way that is compliant with data protection law.

Data Protection Officer

Further information about the University’s data protection practice and our Data Protection Policy is available on our Data Protection Page.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request the University transfer a copy of your personal information to another party, please contact the University’s Data Protection Officer:

Eoin Coyle

Data Protection & Information Compliance Manager

Ulster University

Room J308

Coleraine BT52 1SA

GDPR@ulster.ac.uk

If you are not satisfied with how the University is processing your personal data, you can make a complaint to the ICO. Further information about your data privacy rights is available on the ICO’s website at: www.ico.org.uk.