Data Protection - Harlaxton Multisite

Data Protection

Introduction

How we use your personal information.

1. Why have I been directed to this webpage?

The general information published on this page is intended to supplement the specific information that you have already been given in connection with your engagement with a particular service, facility, event or initiative run by the College. You may have been directed here, for example, because you are accessing an optional student or staff service or are using a College facility, or because you are using a particular website or online resource, or because you have signed up to one of our newsletters or mailing lists, or you have signed up to attend an event aimed at members of the public. The below information – which we are obliged to supply you with – is the same for many such situations, and we thought it would be helpful to have it in one place.

Separate pages aimed at different types of individual whose information we use regularly (students, faculty, staff, alumni and supporters and job applicants) are all available from this area’s navigation bar above.

2. Who will process my personal information?

The information published here applies to the use of your personal information by Harlaxton College (www.harlaxton.ac.uk or harlaxton.evansville.edu) and Harlaxton Manor Enterprises Ltd (www.harlaxton.co.uk) and, in some instances, the University of Evansville (www.evansville.edu) and, through the viewing or use of any websites within the Harlaxton College domain.

Harlaxton College, Harlaxton Manor Enterprises Ltd and the University of Evansville are separate legal entities for these purposes and will supply their own information as relevant and necessary.

Under the GDPR, Harlaxton College and Harlaxton Manor Enterprises Ltd (like all data controllers) are required to pay a fee to the ICO and be included in the ICO’s register of fee payers.

The College’s register entry number is Z1911298 and the Harlaxton Manor Enterprises Ltd’s register entry number is ZA225090.

You have already been told about the specific purposes for which we process your personal information, the legal basis for that processing and (if applicable) any data sharing or international transfer arrangements. Unless you have already been told otherwise, there is no statutory or contractual requirement to supply us with any of your personal information, and we will not use it to carry out any automated decision-making that affects you. If we asked for your consent to use your personal information, you can withdraw this at any time.

3. How can I access my personal information?

You have the right to access the personal information that is held about you by the College. Further details are published at Making a Subject Access Request.

You also have the right to ask us to correct any inaccurate personal information we hold about you, to delete personal information, or otherwise restrict our processing, or to object to processing (including the receipt of direct marketing) or to receive an electronic copy of the personal information you provided to us. Please note that all these rights are qualified in various ways.

4. How long is my information kept?

Information about how long different types of information are retained by the University is published within individual core privacy notices – each titled ‘How we use your personal information (for …)’ – are available from this area’s menu tabs.

5. Who can I contact?

If you have any questions about how your personal information is used, or wish to exercise any of your rights, please consult these data protection webpages. If you need further assistance, please contact the College’s Data Protection Officer (dpo@harlaxton.ac.uk).

6. How do I complain?

If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

7. Are changes made to this webpage?

This webpage was last updated in June 2018. It is reviewed when necessary and at least annually. Any changes will be published here.

Subject access requests

Under data protection legislation an individual has the right to access the information that an organization holds about them. Accessing personal data in this way is known as making a subject access request.

You are entitled:

to be informed whether your personal data are being processed by Harlaxton College
to be sent a copy of your personal data (normally as of the date of receipt of your request), subject to any applicable exemptions and the removal of other people’s personal data as appropriate
to be sent certain information about your personal data

Your subject access request to the College may be submitted in whatever format you wish, but we have created a standard Subject Access Request Form for your convenience, which may be completed and emailed to dpo@harlaxton.ac.uk or sent in the post to the address on the form. Using the form will help us to verify your identity and give a timely and accurate response to your request. There is no charge to make a subject access request.

SUBJECT ACCESS REQUEST FORM

On receipt of your request, we will let you know the statutory deadline by which we will reply. If, on receipt of our response, you consider that the College has not dealt correctly with your request, please email dpo@harlaxton.ac.uk. If you are still not satisfied, you should contact the Information Commissioner’s Office.

Exercising other data protection rights

Under data protection legislation an individual has various other rights. These rights requests may be submitted in whatever format you wish, but we recommend that you email dpo@harlaxton.ac.uk to ensure a timely response to your request.

How we use your personal information

Data Protection

Introduction

Subject access request

How we use your information

Data protection overview

GDPR

For Student Applicants

This page provides information about the use of personal information provided by applicants to Harlaxton College.

1. What is ‘personal information’?

‘Personal information’ means any information which relates to or identifies you as an individual.

2. Who will process my personal information?

The information provided here applies to the use, sharing and disclosure of your personal information by Harlaxton College (www.harlaxton.ac.uk or harlaxton.evansville.edu) and by the University of Evansville (www.evansville.edu) as part of the admissions process. Please note that the College and the University are separate legal entities for these purposes. The College and the University work together closely and share the personal information you provide in your application in accordance with agreed protocols. The University of Evansville when assessing your application may provide you with additional statements about how they will use, share and disclose your personal information as you progress through your application.

3. What personal information will be processed?

The College and/or, where relevant, the University, will use the details you provide on your application, together with additional details provided by any referee and recorded following any interview process.

4. What is the purpose and legal basis of the processing?

The College and the University will process the personal information provided on your application and the other information referred to above for the purposes of identifying you, processing your application, verifying the information provided, deciding whether to offer you a place on the course you have applied for, and communicating that outcome (together with any feedback).

We may also use or disclose the information provided for the following statutory or public interest purposes:

To prevent or detect fraud.
For equal opportunities monitoring.
To help us to make reasonable adjustments for any disability, as requested by you.
To allow us to consider any future accommodation requirements.
To provide statutory returns required by applicable legislation.
For research and statistical purposes (which may include the receipt of applicant surveys), but no information which could identify you will be published.

We consider the processing of your personal information for the above purposes to be either necessary for us to take steps with a view to creating a contractual relationship with you (e.g. to assess your application to study with us), or necessary for compliance with a legal obligation (e.g. to administer visa applications), or necessary for the performance of tasks we carry out in the public interest (e.g. the provision of education). Where we ask for any sensitive information, such as that concerning your ethnicity, sexual orientation, religious beliefs or health/disability, the use made of such information will be explained and you will often have the option to refuse your consent by not supplying it. We require you to provide us with the information we ask for during the application process in order to assess your application properly except where its supply is marked as optional. Admissions decisions are not automated.

5. Who will my personal information be shared with?

As well as circulating your application and related materials to the appropriate staff at the College and the University, we will share your personal information for the above purposes as relevant and necessary with:

Your referees.
Where relevant and as required and/or notified to you, your home University.
Your examination boards or awarding bodies.
Your funders and/or potential funders. These funders and/or potential funders may need to assess your financial situation.
Where relevant and as required, UK Visas and Immigration in order to act as your sponsor for visa purposes.
Where relevant and as required, governmental bodies including local authorities, the Home Office, and the Department for Work and Pensions and its agencies.
Other Higher Education organizations, in order to assist with tracking and research into access to Higher Education.
Companies or organizations providing specific services to, or on behalf of, the College and the University of Evansville (e.g. Terra Dotta).

On occasion, the above types of sharing may involve the transfer of your personal information outside the European Economic Area (e.g. to report to your home institution). Such transfers usually are necessary in order to process your application and/or meet our obligations with you and are carried out with appropriate safeguards in place to ensure the confidentiality and security of your personal information.

We do not sell your personal data to third parties under any circumstances.

6. How is my personal information used if I am accepted?

If you are accepted, we will use your personal information for the purposes described at ‘How we use your personal information (for students)’ as amended from time to time. Further information about this will be provided in your offer of admission.

If you are accepted, the College and University will also return data about you to other external agencies and funding bodies, as required.

7. How can I access my personal information?

You have the right to access the personal information that is held about you by the College or University. Further details are set out on the College’s data protection webpages at Data Protection – Subject Access Requests.

8. How long is my information kept?

We store your personal information for as long as necessary to complete the application process. If you are successful, your information will be kept as part of your student record for the duration of your studies (and it may be used as part of our assessment of any future application you make for further studies at Harlaxton College or the University of Evansville).

If you are unsuccessful, your information will be normally kept for at least one year after the completion of the application process.

9. Who can I contact?

If you have any questions about how your personal information is used, or wish to exercise any of your rights, please consult the College’s data protection webpages at Data Protection – Introduction. If you need further assistance, please contact the College’s Data Protection Officer (dpo@harlaxton.ac.uk).

10. How do I complain?

11. Are changes made to this webpage?

This webpage was last updated in June 2018. It is reviewed when necessary and at least annually. Any changes will be published here and you will be notified via this webpage and/or by email.

For Students

This page provides information about the use of personal information while you are a student at Harlaxton College.

1. What is ‘personal information’?

‘Personal information’ means any information which relates to or identifies you as an individual.

2. How does this webpage relate to other information about data protection?

When you applied to become a student you were told how the College and the University of Evansville would use your personal information to process your application and for related purposes (see How we use your personal information (for student applicants)). You were referred to this webpage for a fuller statement of the uses we make of your personal information while you are a student at Harlaxton College. In addition to the information published here, when you use specific services and facilities offered by the College, you will be told about any other uses of your personal information.

3. Who will process my personal information?

The information published here applies to the use, sharing and disclosure of your personal information by Harlaxton College (www.harlaxton.ac.uk or harlaxton.evansville.edu) and by the University of Evansville (www.evansville.edu). Please note that the College and the University are separate legal entities for these purposes. The College and the University work together closely and share your personal information for a variety of academic, administrative and statistical purposes in accordance with agreed protocols.

4. What personal information will be processed?

The College will keep a record of the details you provided on your application form, any supporting documents requested as part of your admission and additional details provided by any referees and recorded following any interview process. We will also maintain records about your studies at Harlaxton College, and about your use of the academic and non-academic facilities and services that we offer. This personal information will include data such as your name, home address, date of birth, course studied, fee payments, and information about your examinations, assessments and results. Your personal information is created, stored and transmitted securely in a variety of paper and electronic formats, including databases that are shared between the College and the University of Evansville (such as the main student records database – Colleague). Access to your personal information is limited to College or University staff who have a legitimate interest in it for the purpose of carrying out their contractual duties, and our use of your personal information will not be excessive.

In addition to this, the College may process some information about you that is classed as ‘sensitive’ or ‘special category’ personal data, and which requires additional protections. This includes information concerning your ethnicity, sexual orientation, religious beliefs or health/disability that we use for planning and monitoring purposes, or in order to provide care, help or suitable adjustments. For certain courses of study, other sensitive information may be processed, such as information about past criminal convictions and working with children or vulnerable adults. Access to, and the sharing of, your ‘sensitive’ personal data are controlled very carefully. You will normally be given further details about our use of any such data when we collect it from you.

5. What is the purpose and legal basis of the processing?

The College will process your personal information for a range of contractual, statutory or public interest purposes, including the following:

To deliver and administer your education, record the details of your studies (including any placements with external organizations), and determine/confirm your academic achievements (e.g. results, prizes).
Where relevant, to monitor, evaluate and support your research activity.
To administer the financial aspects of your relationship with us and any funders.
To deliver IT facilities to you.
To deliver facilities and services to you (e.g. accommodation, sport, libraries).
To enable your participation at events (e.g. functions).
To communicate effectively with you by post, email and phone, including the distribution of relevant newsletters and circulars.
To operate security (including CCTV), governance, disciplinary (including plagiarism and academic misconduct), complaint, audit and quality assurance processes and arrangements.
To support your medical, safety, welfare and religious requirements.
To compile statistics and conduct surveys and research for internal and statutory reporting purposes.
To fulfil and monitor our responsibilities under equalities, immigration and public safety legislation.
To enable us to contact others in the event of an emergency (we will assume that you have checked with the individuals before you supply their contact details to us).

We consider the processing of your personal information for these purposes to be either necessary for the performance of our contractual obligations with you (e.g. to manage your education, student experience and welfare while studying at Harlaxton College), or necessary for compliance with a legal obligation (e.g. visa monitoring), or necessary for the performance of tasks we carry out in the public interest (e.g. teaching), or necessary for the pursuit of the legitimate interests of the College or an external organization (e.g. to enable your access to external services). We require you to provide us with any information we reasonably ask for to enable us to administer your student contract. If we require your consent for any specific use of your personal information, we will collect it at the appropriate time and you can withdraw this at any time. Where we ask for any sensitive information, such as that concerning your ethnicity, sexual orientation, religious beliefs or health/disability, you will normally have the option to refuse your consent by not supplying it. We will not use your personal information to carry out any wholly automated decision-making that affects you.

6. Who will my personal information be shared with?

As described above, your personal information is shared with relevant staff at the College and the University of Evansville. In addition, it is shared as permitted or required by law, on a considered and confidential basis, with a range of external organizations, including the following:

Your funders and/or sponsors.
The providers of any external/collaborative learning and training placements or fieldwork opportunities.
External examiners and assessors, and external individuals involved in relevant College committees or procedures.
Relevant Government Departments (e.g. Home Office, Foreign and Commonwealth Office, Department of Health).
Relevant executive agencies or non-departmental public bodies (e.g. UK Visas and Immigration, HM Revenue and Customs, the Health and Safety Executive).
Any relevant professional or statutory regulatory bodies.
Local authorities.
On occasion and where necessary, the police and other law enforcement agencies.
On occasion and where necessary, auditors.
On occasion and where necessary, subsidiary companies of the College (e.g. Harlaxton Manor Enterprises Ltd).
Companies or organizations providing specific services to, or on behalf of, the College or University of Evansville (e.g. Terra Dotta, LiveText).

You are able to control how external enquirers or organizations access details of your results and degrees awarded. We will normally provide references to third parties.

We will include your basic contact details in our internal online directory.

On occasion, the above types of sharing may involve the transfer of your personal information outside the European Economic Area (e.g. to facilitate your participation in an exchange visit or to report to your home institution). Such transfers usually are necessary in order to meet our contractual obligations with you and are carried out with appropriate safeguards in place to ensure the confidentiality and security of your personal information.

Other than as set out above, we will not normally publish or disclose any personal information about you to other external enquirers or organizations unless you have requested it or consented to it, or unless it is in your vital interests to do so (e.g. in an emergency situation). We do not sell your personal data to third parties under any circumstances.

7. How is my personal information used after I graduate?

After you complete your studies at Harlaxton College a core record of your studies is retained indefinitely so that the details of your academic achievements can be confirmed and for statistical or historical research. Your contact and core personal details are passed to the Alumni Relations office while you are still a student so that you can be added to the alumni database. A statement for alumni and supporters setting out how their personal information is used by the College is published at How we use your personal information (alumni and supporters); you will receive more details at the appropriate time.

8. How can I access my personal information?

9. How long is my information kept?

We store your personal information as part of your student record for the duration of your studies (and it may be used as part of our assessment of any future application you make for further studies at Harlaxton College or the University of Evansville).

10. Who can I contact?

11. How do I complain?

12. Are changes made to this webpage?

This webpage was last updated in June 2018. It is reviewed when necessary and at least annually. Any changes will be published here and you will be notified via this webpage and/or by email.

For Alumni and Supporters

This page provides information about the use of personal information we collect about our alumni and our past, current and future supporters, whether donors, volunteers, participants in membership groups that we run, or attendees at events that we organize.

1. What is ‘personal information’?

‘Personal information’ means any information which relates to or identifies you as an individual.

2. How does this webpage relate to other information about data protection?

If you became a student you at Harlaxton College you were told how the College and the University of Evansville would use your personal information to deliver and administer your education, and for related purposes (see How we use your personal information (for students)).

You were referred to this webpage for a fuller statement of the uses we make of your personal information we collect about our alumni and our past, current and future supporters, whether donors, volunteers, participants in membership groups that we run, or attendees at events that we organize.

3. Who will process my personal information?

The information provided here applies to the use, sharing and disclosure of your personal information by Harlaxton College (www.harlaxton.ac.uk or harlaxton.evansville.edu) and by the University of Evansville (www.evansville.edu). Please note that the College and the University are separate legal entities for these purposes. The College and the University work together closely and share your personal information for a variety of fundraising and alumni relations purposes. Developing a better understanding of our alumni and supporters allows us to keep in touch with you, in order to keep you apprised of our activities and developments, to provide services to you, and to identify ways in which you can support us, through donations or other forms of financial and non-financial support.

4. What personal information will be processed?

The College may hold information relating to you from a number of sources. A significant proportion of the information we hold on alumni is that which you provide to us (for example, you may give us information by filling in forms on the College’s website, or by corresponding with us by telephone, email or otherwise). If you are a student or studied at Harlaxton College, some of your personal data is transferred from your student record to the College’s alumni database.

Most records contain:

details of your education (e.g. the courses you have completed, dates of study)
unique personal identifiers and biographical information (e.g. student number, date of birth)
your contact details (and we update these whenever you let us know that they have changed)
details of your interactions with the College, including:
- your membership of clubs and your attendance at College events
- other contact with us or our partners (as listed below)
- details of benefits and services provided to you
- your relationships with other alumni or supporters of the College
details about your family (e.g. your marital status, the name of your partner or spouse)
personal data provided by you for a specific purpose (e.g. disability and dietary preferences for event management purposes)
your communication preferences, to help us provide tailored and relevant communications

We also record, where applicable, based on information which you provide to us and, in some cases, publicly available information and information from our partners (as listed below):

your career highlights and other life achievements
information about your areas of interest and extra-curricular activities

We augment the data we hold from the College and the University of Evansville with publicly available data.

In addition to this, the University may process some information about you that is classed as ‘sensitive’ or ‘special category’ personal data, and which requires additional protections. Where we ask for any sensitive information, such as that concerning your ethnicity, sexual orientation, religious beliefs or health/disability, the use made of such information will be explained and you will often have the option to refuse your consent by not supplying it.

5. What is the purpose and legal basis of the processing?

The College will process your personal information for a range of contractual, statutory or public interest purposes in support of alumni relations, supporter communications and fundraising, including the following:

To send you publications (e.g. alumni magazines and updates about the College)
To conduct surveys
To provide services, including access to College facilities
To send you details of volunteering opportunities
To enable your participation at events (e.g. functions).
For internal record keeping, including the management of any feedback or complaints
For administrative purposes (e.g. in order to administer an event you have registered for or attended)
To communicate effectively with you by post, email and phone, including the distribution of relevant newsletters and circulars.
To operate security (including CCTV), governance, complaint, audit and quality assurance processes and arrangements.
To support your medical, safety, welfare and religious requirements.
To compile statistics and conduct surveys and research for internal and statutory reporting purposes.
To fulfill and monitor our responsibilities under equalities, immigration and public safety legislation.
To enable us to contact others in the event of an emergency (we will assume that you have checked with the individuals before you supply their contact details to us).

Communications to you may be sent by post, telephone or electronic means (principally by email), depending on the contact details we hold, the consent that you have provided, and the preferences expressed by you about the types of communications you wish to receive.

We may use automated or manual analyses to link data together to help us to provide you with an improved experience, to send you communications which are relevant and timely, to identify volunteering opportunities or opportunities for providing support which may be of interest to you, and to avoid approaching you with opportunities which are not of interest.

We consider the processing of your personal information for these purposes to be necessary for the pursuit of the legitimate interests of the College in maintaining a record of its cultural life, deepening its relationships with alumni and supporters and recognizing their achievements at College and public level. The College has a legitimate interest in facilitating communications with alumni and supporters, recording and recognizing contributions and ensuring that there is a positive and well-informed ongoing relationship.

If we require your consent for any specific use of your personal information, we will collect it at the appropriate time and you can withdraw this at any time. Where we ask for any sensitive information, such as that concerning your ethnicity, sexual orientation, religious beliefs or health/disability, you will normally have the option to refuse your consent by not supplying it. We will not use your personal information to carry out any wholly automated decision-making that affects you.

6. Who will my personal information be shared with?

As described above, your personal information is shared with relevant staff at the College and the University of Evansville which advances the mission of the College by providing expertise in fundraising and alumni relations and by growing the base of support for the College among alumni and friends. In addition, it is shared as permitted or required by law, on a considered and confidential basis, with a range of external organizations, including the following:

Relevant Government Departments (e.g. Home Office, Foreign and Commonwealth Office, Department of Health).
Relevant executive agencies or non-departmental public bodies (e.g. the Health and Safety Executive).
Local authorities.
On occasion and where necessary, the police and other law enforcement agencies.
On occasion and where necessary, auditors.
On occasion and where necessary, subsidiary companies of the College (e.g. Harlaxton Manor Enterprises Ltd).
Companies or organizations providing specific services to, or on behalf of, the College or University of Evansville.

We will include your basic contact details in our internal online directory.

On occasion, the above types of sharing may involve the transfer of your personal information outside the European Economic Area (e.g. to the University of Evansville). Such transfers are carried out with appropriate safeguards in place to ensure the confidentiality and security of your personal information.

7. How can I access my personal information?

8. How long is my information kept?

We will retain your data indefinitely in support of your lifelong relationship with the College or until you request us to do otherwise.

9. Who can I contact?

10. How do I complain?

11. Are changes made to this webpage?

This webpage was last updated in June 2018. It is reviewed when necessary and at least annually. Any changes will be published here and you will be notified via this webpage and/or by email.

For Staff and Visiting Academics

This page provides information about the use of personal information while you are a member of staff, worker, consultant, volunteer, visiting lecturer or faculty member or academic visitor at Harlaxton College. As a member of staff (or equivalent) you also have certain legal and contractual responsibilities to protect the personal information of other people (e.g. other employees, students) by handling it appropriately; relevant policies and guidance are available at Data Protection – Introduction.

1. What is ‘personal information’?

‘Personal information’ means any information which relates to or identifies you as an individual.

2. How does this webpage relate to other information about data protection?

When you applied to become a member of staff (or equivalent) you were told how the College would use your personal information during the recruitment process and for related purposes. You were referred to this webpage for a fuller statement of the uses we would make of your personal information if you became a member of staff (or equivalent). In addition to the information published here, when you use specific services and facilities offered by the College, you will be told about any other uses of your personal information.

3. Who will process my personal information?

If you are simultaneously employed by or otherwise associated with another University or employer (e.g. the University of Evansville or a partner university), that organization will provide you with its own statement setting out how it will use, share and disclose your personal information.

4. What personal information will be processed?

The College will keep a record of the details you provided on your application form, any supporting documents requested, and additional details provided by any referees and recorded following any interview process. We will maintain various administrative and financial records about your employment at or association with Harlaxton College, and about your use of the academic and non-academic facilities and services that we offer. Where relevant, we may supplement these records with personal data from the public domain (e.g. your publications) or other sources.

Your personal information is created, stored and transmitted securely in a variety of paper and electronic formats, including some databases that are shared between the College and the University of Evansville (e.g. the Colleague course and student management system). Access to your personal information is limited to staff who have a legitimate interest in it for the purpose of carrying out their contractual duties, and our use of your personal information will not be excessive.

In addition to this, the College may process some information about you that is classed as ‘sensitive’ or ‘special category’ personal data, and which requires additional protections. This includes information concerning your ethnicity, sexual orientation, religious beliefs or health/disability for planning and monitoring purposes, or in order to provide care, help or suitable adjustments. For certain roles, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practice in certain regulated professions. Access to, and the sharing of, your ‘sensitive’ personal data are controlled very carefully. You will normally be given further details about our use of any such data when we collect it from you.

5. What is the purpose and legal basis of the processing?

The College will process your personal information for a range of contractual, statutory or public interest purposes, including the following:

To assess your suitability for a particular role or task (including any relevant right to work checks).
To support you in implementing any health-related adjustments to allow you to carry out a particular role or task.
Where relevant, to monitor, evaluate and support your research and commercialization activity.
To administer remuneration, payroll, pension and other standard employment functions.
To administer HR-related processes, including those relating to performance/absence management, disciplinary issues and complaints/grievances.
To operate security (including CCTV), governance (including conflicts/declarations of interest), audit and quality assurance processes and arrangements.
To deliver IT facilities to you.
To deliver facilities (e.g. libraries), services (e.g. accommodation) and staff benefits (e.g. fitness facilities, events) to you, and where appropriate to monitor your use of those facilities in accordance with College policies (e.g. on the acceptable use of IT).
To communicate effectively with you by post, email and phone, including the distribution of relevant newsletters and circulars.
To support your training, health, safety, welfare and religious requirements.
To compile statistics and conduct surveys and research for internal and statutory reporting purposes.
To fulfill and monitor our responsibilities under equalities, immigration and public safety legislation.
To enable us to contact others in the event of an emergency (we will assume that you have checked with the individuals before you supply their contact details to us).

We consider the processing of your personal information for these purposes to be either necessary for the performance of our contractual obligations with you (e.g. to manage your employment contract), or necessary for compliance with a legal obligation (e.g. the administration of taxes), or necessary for the performance of tasks we carry out in the public interest (e.g. the provision of education). We require you to provide us with any information we reasonably ask for to enable us to administer your contract. If we require your consent for any specific use of your personal information, we will collect it at the appropriate time and you can withdraw this at any time. Where we ask for any sensitive information, such as that concerning your ethnicity, sexual orientation, religious beliefs or health/disability, you will normally have the option to refuse your consent by not supplying it. We will not use your personal information to carry out any wholly automated decision-making that affects you.

6. Who will my personal information be shared with?

As described above, your personal information is shared with relevant staff at the College and the University of Evansville. In addition, your personal information is shared as permitted or required by law, on a considered and confidential basis, with a range of external organisations, including the following:

The external providers of any staff benefits or pensions.
Relevant Government Departments (e.g. Home Office, Foreign and Commonwealth Office, Department of Health), executive agencies or non-departmental public bodies (e.g. UK Visas and Immigration, HM Revenue and Customs, and the Health and Safety Executive.
Any relevant professional or statutory regulatory bodies.
Any relevant simultaneous employers (e.g. the University of Evansville and partner institutions).
On occasion and where necessary, the police and other law enforcement agencies.
On occasion and where necessary, auditors.
On occasion and where necessary, subsidiary companies of the College (e.g. Harlaxton Manor Enterprises Ltd).
Companies or organizations providing specific services to, or on behalf of, the College or University of Evansville (e.g. Terra Dotta, LiveText).

We will provide references about you to external enquirers or organizations where you have requested or indicated that we should do so. We will include your basic contact details in our internal online directory.

On occasion, the above types of sharing may involve the transfer of your personal information outside the European Economic Area (e.g. to report to your home institution). Such transfers usually are necessary in order to meet our contractual obligations with you and are carried out with appropriate safeguards in place to ensure the confidentiality and security of your personal information.

We do not sell your personal data to third parties under any circumstances.

7. How can I access my personal information?

8. How long is my information kept?

We store your personal information as part of your staff record for the duration of your employment or assignment (and it may be used as part of our assessment of any future application you make for further employment at Harlaxton College). After you leave, certain records pertaining to your employment are retained indefinitely so that the details of your employment can be confirmed and so that we can conduct statistical or historical research.

Alumni benefits and services are made available to certain categories of former staff. If you choose to accept these benefits, more information about the use of your personal information is published at Data Protection – Introduction.

9. Who can I contact?

10. How do I complain?

11. Are changes made to this webpage?

This webpage was last updated in June 2018. It is reviewed when necessary and at least annually. Any changes will be published here and you will be notified via this webpage and/or by email.

For Job Applicants

This page provides information about the use of personal information provided by job applicants to Harlaxton College.

1. What is ‘personal information’?

‘Personal information’ means any information which relates to or identifies you as an individual.

2. How does this webpage relate to other information about data protection?

3. Who will process my personal information?

4. What personal information will be processed?

The College will use the details you provide on your application form, together with the supporting documents requested and additional details provided by any referees and recorded following any interview process.

You may be required to undergo certain additional recruitment checks or procedures as part of the job application and offer process. These may include a Disclosure and Barring Service (DBS) check, a basic disclosure (criminal records) check, security checks, any application for immigration purposes including where a Certificate of Sponsorship through UK Visas and Immigration (UKVI) is required, and similar processes that will only affect some applicants, whether because of the type of post you are applying for or because of your individual status. If any of these checks affect you, we will make this clear to you at the relevant point in the application process.

In all cases, we will only use any information gathered as part of any relevant check or procedure for that specific purpose, and we will handle, store, retain and destroy relevant materials in accordance with applicable legislation and codes of practice. This means that access to any relevant materials (including any forms completed by the College) is strictly controlled, and they are retained for no longer than strictly necessary to fulfill the purpose in accordance with the legislation. Wherever possible we will not retain original documents or print-outs and instead will make a note on our central HR file that the relevant check or procedure has been completed. We will only share any relevant information with external parties insofar as we are required to do so (this may include partner organizations or employers). We recognize that for some checks, and in some circumstances, it is a criminal offense to pass any information on to anyone who is not entitled to receive it.

5. What is the purpose and legal basis of the processing?

The College will process the personal information provided on your application and the other information referred to above for the purposes of identifying you, processing your application, verifying the information provided and assessing your suitability for the role (including any relevant right to work checks), deciding whether to offer you a job, and communicating that outcome (together with any feedback).

We may also use or disclose the information provided for the following statutory or public interest purposes:

To prevent or detect fraud.
For equal opportunities monitoring.
To help us to make reasonable adjustments for any disability, as requested by you.
To provide statutory returns required by applicable legislation.
For research and statistical purposes (which may include the receipt of applicant surveys), but no information which could identify you will be published.

If you are a current employee, then we may use the information (including equalities information) you provide in any application you submit to update the employment records we already hold on you.

Where we ask for any sensitive information, such as that concerning your ethnicity, sexual orientation, religious beliefs or health/disability, the use made of such information will be explained and you will normally have the option to refuse your consent by not supplying it. We require you to provide us with the information we ask for during the application process in order to assess your application properly except where its supply is marked as optional. Applications decisions are not automated.

6. Who will my personal information be shared with?

As well as circulating your application and related materials to the appropriate staff at the College, we will share your personal information for the above purposes as relevant and necessary with:

Your referees.
Where relevant and necessary, the University of Evansville and other partner institutions.
Where relevant and as required, the Disclosure and Barring Service or UK Visas and Immigration in order to administer relevant recruitment checks and procedures.
Companies or organizations providing specific services to, or on behalf of, the College (e.g. recruitment agencies.

7. How is my personal information used if I become a member of staff?

If you are accepted, we will use your personal information for the purposes described at How we use your personal information (for staff and visiting academics), as amended from time to time.

If you are accepted, the College may also return data about you to other external agencies, as required (e.g. external providers of any staff benefits or pensions and various public bodies such as HM Revenue and Customs).

8. How can I access my personal information?

You have the right to access the personal information that is held about you by the College or University. Further details are set out on the College’s data protection webpage Subject Access Requests.

9. How long is my information kept?

We store your personal information for as long as necessary to complete the application process. If you are successful, your information will be kept as part of your staff record for the duration of your employment.

If you are unsuccessful, your information will be normally kept for one year after the completion of the application process (except if the person appointed to the post is sponsored under the UK’s points-based immigration system, when we are required to retain the applications of all candidates shortlisted for final interview for one year or until a Home Office compliance officer has examined and approved them, whichever is the longer period.

10. Who can I contact?

11. How do I complain?

12. Are changes made to this webpage?

This webpage was last updated in June 2018. It is reviewed when necessary and at least annually. Any changes will be published here and you will be notified via this webpage and/or by email.

Overview

This page provides an overview of the following data protection topics and links to sources of further information.

Legislation

Data protection legislation sets out rules and standards for the use and handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’) by organizations (‘data controllers’).

The law applies to organizations in all sectors, both public and private. It applies to all electronic records as well as many paper records. It doesn’t apply to anonymous information or to information about the deceased.

Since May 25, 2018, the legislation in the UK is the EU General Data Protection Regulation (GDPR), coupled with the UK Data Protection Act 2018 (DPA 2018) that supplements the GDPR in specific ways. These two pieces of legislation replaced the Data Protection Act 1998 (DPA 1998). All the legislation is based around the notions of principles, rights and accountability obligations. The legislation is regulated in the UK by the Information Commissioner’s Office (ICO) as well as the courts.

Under the GDPR, Harlaxton College and Harlaxton Manor Enterprises Ltd (like all data controllers) are required to pay a fee to the ICO and be included in the ICO’s register of fee payers.

The College’s register entry number is Z1911298 and the Harlaxton Manor Enterprises Ltd’s register entry number is ZA225090.

Principles

Data controllers processing personal data must follow – and be able to demonstrate that they are following – the data protection principles. Under the GDPR, there are six principles. Personal data must be processed following these principles so that the data are:

Processed fairly, lawfully and transparently – and only if there is a valid ‘legal basis’ for doing so
Processed only for specified, explicit and legitimate purposes
Adequate, relevant and limited
Accurate (and rectified if inaccurate)
Not kept for longer than necessary
Processed securely – to preserve the confidentiality, integrity and availability of the personal data

Under the DPA 1998 there were eight principles but two of these (about the rights of data subjects and transfers of personal data outside the European Economic Area) are covered in different ways in the GDPR. Depending on the context, there are full or partial exemptions from the principles when processing personal data for specific purposes.

Privacy notices

An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used. The supply of this information – through documents variously known as ‘privacy notices’, ‘data protection statements’, ‘data collection notices’, ‘privacy policies’ and numerous other interchangeable terms – takes places in numerous targeted ways depending on the context of the interaction with the individual.

The College’s core privacy notices – each titled ‘How we use your personal information (for …)’ – are available from the menu on the Data Protection – Introduction page.

Rights

Under the GDPR, data subjects are given various rights:

The right to be informed of how their personal data are being used – this right is usually fulfilled by the provision of ‘privacy notices’ as described above
The right of access to their personal data – accessing personal data in this way is usually known as making a ‘ subject access request‘
The right to have their inaccurate personal data rectified
The right to have their personal data erased where appropriate – known as the right to be forgotten
The right to restrict the processing of their personal data pending its verification or correction
The right to receive copies of their personal data in a machine-readable and commonly-used format – known as the right to data portability
The right to object: to processing (including profiling) of their personal data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest
The right not to be subject to a decision based solely on automated decision-making using their personal data

A response to a rights request needs to be sent within one month. However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions both in the GDPR and in the DPA 2018 (for example, some of the rights do not apply to the processing of employee data in certain contexts). These rights build upon and strengthen rights previously given to data subjects under the DPA 1998.

Accountability obligations

Data protection legislation imposes certain accountability obligations on all data controllers. Under the GDPR, the main obligations for large data controllers include:

Implementing policies, procedures, processes and training to promote ‘data protection by design and by default’
Where necessary, carrying out systematic Data Protection Impact Assessments (DPIAs) on ‘high risk’ processing activities
Having appropriate contracts in place when sharing personal data – especially when outsourcing functions that involve the processing of personal data and/or transferring the personal data outside the EEA
Maintaining records of the data processing that is carried out across the organization
Documenting and reporting personal data breaches both to the ICO and the affected data subjects
Where necessary, appointing an independent Data Protection Officer to advise on and monitor compliance

Data breaches

One of the most important accountability obligations concerns personal data breaches – that is, personal data held by the College is lost, stolen, inadvertently disclosed to an external party, or accidentally published. If a personal data breach occurs, this should be reported immediately to appropriate staff within the College (e.g. senior administrative or IT staff), who should then inform the College’s Data Protection Officer ( dpo@harlaxton.ac.uk).

Remedial work can then be done so that the breach can be contained. On occasion, we need to report breaches to relevant external authorities, including the ICO, within a short timeframe.

Policy

The College’s Data Protection Policy was approved by the College’s Trustees at its meeting on 18th October 2018.

Guidance and training

More detailed guidance for College staff on data protection is published:

In the short Data Protection Quick Guide leaflet
On the ICO Resources and Support web pages

General Data Protection Regulation

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a new data protection law that applies in the UK and the rest of the EU from 25 May 2018 and replaces the Data Protection Act 1998 (DPA 1998). The law applies to organizations in all sectors, both public and private. Like the DPA 1998, it is regulated in the UK by the Information Commissioner’s Office (ICO). It applies in the UK despite and beyond Brexit. Individual EU Member States can introduce certain additional provisions to, and exemptions from, the GDPR. The UK Government has implemented these (plus other related measures, such as the regulatory powers of the ICO) by way of a new Data Protection Act 2018.

Is it similar to the Data Protection Act 1998?

Like the DPA 1998, the GDPR sets out rules and standards for an organization’s use of information relating to living identifiable individuals. It doesn’t apply to anonymous information or to information about the deceased. The GDPR’s rules and standards are based around the existing DPA 1998 concepts of data protection principles and individual rights.

What’s new?

The GDPR has been designed to harmonize and strengthen data protection law and practice across the EU. While allowing for an element of risk-based implementation, the GDPR is substantially more prescriptive than the DPA 1998 in describing how organizations should implement the principles and uphold the rights of individuals – and how they should demonstrate that they are doing so.

What are the new prescriptive requirements?

In short, there are changes to the following:

The existing data protection principles have been reinforced and an accountability principle has been introduced.
The legal bases under which organizations can use an individual’s personal data have been subtly changed, and the conditions under which an individual’s consent can be valid are more stringent.
Much more detailed information needs to be supplied to individuals about how their personal data is used (via what are usually termed ‘privacy notices’).
Individuals can exercise their rights for free. The GDPR both boosts existing rights (e.g. the right to access the personal data or the right to have inaccurate data corrected) and introduces new ones (e.g. the right to be forgotten).
organizations are required to promote a culture of ‘privacy by design and default’ through measures such as Data Protection Impact Assessments, security assessments, the maintenance of registers setting out how personal data is used, and mandatory terms in legal agreements with other organizations with whom data is shared.
Certain types of personal data breach must be notified to the ICO within 72 hours, as well as to the affected individuals. The changes will have a wide-ranging impact on how all organizations, including the College, can hold and use information about living identifiable individuals.

What are the penalties if something goes wrong?

The maximum fine that the College could receive for a breach of the DPA 1998 is £500,000; under the GDPR this is increased to €20m, or 4% of annual turnover (whichever is higher). It is accordingly even more important to make a collective effort to ensure that we handle personal data securely, carefully and in line with what individuals have been told.

What is the College doing about GDPR?

The College has established a GDPR Data Protection Working Group, chaired by the College’s Data Protection Officer, to work on and oversee the College’s preparations.

How does the GDPR affect central College processes?

Many of the changes necessitated by the GDPR may be fulfilled by amending central processes. Some of these concern the core interactions with, and information supplied to, different categories of individual such as applicants, students, alumni and staff. Others relate to the overarching policies, procedures and records that are required to enable us to demonstrate our compliance with the new law.

How does the GDPR affect College departmental processes? What do I need to do?

Although the greatest impact is upon central processes, some changes need to be implemented at a departmental level to ensure that certain processes overseen by departments (e.g. Academic Administration, Library) are aligned to the new law.

In addition, the Data Protection – Overview page contains resources that have been aligned to GDPR standards; these will continue to be supplemented and refined.

Can I have a bit more detail on the background?

The following resources should assist.

Text of the GDPR
ICO’s Guide to the GDPR
Government documents about, and draft text of, the Data Protection Bill
Text of the Data Protection Act 2018 (as enacted on 23 May 2018)

Who can I contact with further questions?

Further questions should be directed to the College’s Data Protection Officer (dpo@harlaxton.ac.uk).

This webpage was last updated in June 2018. It is reviewed when necessary and at least annually. Any changes will be published here.

Harlaxton Manor,

Harlaxton,

Grantham,

Lincolnshire,

NG32 1AG

HARLAXTON COLLEGE

HARLAXTON MANOR

FIND OUT MORE