ϳԹ

Skip page header and navigation

ϳԹ Data Protection

ϳԹ needs to process and store information (including personal information known as ‘Personal Data’ and sensitive data known as ‘Special Category Data’) about students, employees and others to effectively carry out its business including (but not limited to):

  • Monitoring performance
  • Recording achievements
  • Allowing recruitment to take place
  • Payment of staff
  • Implementation of health and safety matters
  • Organisation of courses
  • Legal compliance obligations to funding bodies and government.

ϳԹ is legally obliged to process information in accordance with the following:

Important Data Protection Information

  • Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

    Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.

    Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

    The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

    Some examples of Personal Data:

    • a name and surname
    • a home address
    • an email address such as name.surname@company.com
    • an identification card number
    • an Internet Protocol (IP) address

    Some examples of data not considered to be Personal Data:

    • a company registration number
    • an email address such as info@company.com
    • anonymised data
  • Under GDPR, companies have obligations regarding the personal data of data subjects, but there is also a separate category of data that is treated differently – GDPR special category data.

    What is GDPR special category data and how do the rules differ for processing that information?

    GDPR Special Category Data

    GDPR special category data is personal information of data subjects that is especially sensitive, the exposure of which could significantly impact the rights and freedoms of data subjects

    GDPR special category data includes the following information:

    • Race and ethnic origin
    • Religious or philosophical beliefs
    • Political opinions
    • Trade union memberships
    • Biometric data used to identify an individual
    • Genetic data
    • Health data
    • Data related to sexual preferences, sex life, and/or sexual orientation.

    Because these data elements are particularly sensitive, an organisation must have a legitimate and lawful reason for collecting, storing, transmitting, or processing these data. If special category data are collected, stored, processed, or transmitted data controllers must ensure that additional protections are put in place to ensure that information is appropriately safeguarded.

    Why do we process Special category data?

    We process Special Categories of Personal Data for the following purposes (this list is not exhaustive):

    (a) assessing an employee’s fitness to work
    (b) complying with health and safety obligations
    (c) complying with the Equality Act 2010
    (d) checking applicants’ and employees’ right to work in the UK
    (e) verifying that candidates are suitable for employment or continued employment

  • ϳԹ has developed a data protection policy to ensure all staff, students and anybody associated with the University understands their rights and responsibilities under the legislation

  • Description of processing

    The following is a broad description of the way this organisation/data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.

    Reasons/purposes for processing information

    We process personal information to enable us to provide education and support services to our students and staff; advertising and promoting the university and the services we offer; publication of the university magazine and alumni relations, undertaking research and fundraising; managing our accounts and records and providing commercial activities to our clients. We also process personal information for the use of CCTV systems to monitor and collect visual images for the purposes of security and the prevention and detection of crime.

    Type/classes of information processed

    We process information relevant to the above reasons/purposes. This may include:

    • personal details
    • family details
    • lifestyle and social circumstances
    • education details and student records
    • education and employment details
    • financial details
    • disciplinary and attendance records
    • vetting checks;
    • goods or services provided
    • visual images, personal appearance and behaviour
    • information held in order to publish university publications

    We also process sensitive classes of information that may include:

    • racial or ethnic origin
    • trade union membership
    • religious or other similar beliefs
    • physical or mental health details
    • sexual life
    • offences and alleged offences
    • criminal proceedings, outcomes and sentences

    Who the information is processed about

    We process personal information about:

    • students
    • employees, contracted personnel
    • suppliers, professional advisers and consultants
    • business contacts
    • landlords, tenants
    • complainants, enquirers
    • donors and friends of the University
    • authors, publishers and other creators
    • persons who may be the subject of enquiry
    • third parties participating in course work
    • health, welfare and social organisations
    • friends of the University
    • individuals captured by CCTV images

    Who the information may be shared with

    We sometimes need to share the personal information we process with the individual themself and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

    Where necessary or required we share information with:

    • family, associates and representatives of the person whose personal data we are processing
    • current, past or prospective employers
    • healthcare, social and welfare organisations
    • educators and examining bodies
    • suppliers and service providers
    • student union
    • financial organisations
    • debt collection and tracing agencies
    • auditors
    • police forces, security organisations
    • courts and tribunals
    • prison and probation services
    • legal representatives
    • local and central government
    • consultants and professional advisers
    • trade union and staff associations
    • survey and research organisations
    • press and the media
    • voluntary and charitable organisations
    • landlords

    Transfers

    It may sometimes be necessary to transfer personal information overseas. When this is needed information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the data protection act.

    Statement of exempt processing

    This data controller also processes personal data which is exempt from notification.

    Making a Subject Access Request

    To make an application to access the data that ϳԹ holds on you, please complete the attached Subject Access Request Form

  • Data Protection Statement For Alumni

    We want to stay in touch with you and keep your personal information in accordance with your wishes.  As an alumni/ae of the University or its predecessor institutions, the legal basis of why we hold your data is out of mutual “legitimate interest”.

    All data is held securely and appropriately by ϳԹ (ϳԹ). We will use your information to keep you up-to-date with news from our campus, including research, educational activities and courses, events, alumni activities, and opportunities to support our fundraising and volunteering programmes.  Your data may contribute to relevant surveys, inform Higher Education reporting requirements, and support other aspects of our charitable mission.

    We want to ensure that the information you receive from us is relevant and is welcomed.  Depending on your contact preferences, you will receive communications on the type of activities listed above via post, email, telephone, SMS text messages, and via our social media channels.  We will pay attention to your responses, including e-tracking to see if you open our emails and Google Analytics to understand more about visits to our website so that we can provide the most relevant information for you.

    From time to time we may undertake research and analysis using publicly available sources in addition to the information that you provide us. This work helps us to better focus our engagement to reach out to alumni that we have lost contact with, and to maintain the quality of the data held (for example, keeping address details up to date via the Post Office National Change of Address database).

    The type of information that we may collect and attach to your data record includes professional activities and details of existing connections with the University.

    We will never sell your personal data or share it for non ϳԹ activities. Unless you tell us otherwise, your data may be made available to our academic and administrative departments within the University. Data will only be shared with third parties who are agents of University projects and where there are appropriate controls in place to safeguard your information. This may include mailing houses or external surveying companies working on behalf of such organisations as the Higher Education Statistics Agency (HESA) or University funding bodies. If you decide to donate to the University, you can choose whether to give anonymously or be recognised

    You have the right to change your contact preferences or object to the use of your data for any of the above purposes by contacting: alumni@uwtsd.ac.uk

  • Impact Assessment is a process to help you identify and minimise the data protection risks of a policy or a project.

    • An impact assessment (DPIA) should be completed:

    1. at the outset of any project that involves the collection or handling of personal information;
    2. when any new policy is proposed that will require the collection or handling of personal information;
    3. where there is a proposed change to an existing policy, system or process that involves the collection or handling of personal information.

    The following information is from the Information Commissioner’s website:

    The template should be used for undertaking a DPIA. It may be modified to meet the needs of the activity being assessed, provided that the key elements are covered. It follows the approach recommended by the UCISA Privacy Impact Assessment Toolkit and the Information Commissioner’s Office Code of Practice.

    Please refer any questions on DPIA to the Data Protection Officer at foi@uwtsd.ac.uk

Get in Touch

Paul Osborne
Data Protection Officer
Tel: 01792  481180 

Email: foi@uwtsd.ac.uk

Swansea Business School,
ϳԹ,
High Street,
Swansea, SA1 1NE