• be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met;
• be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
• be adequate, relevant and not excessive for those purposes;
• be accurate and kept up to date;
• not be kept for longer than is necessary for that purpose;
• be processed in accordance with the data subject’s rights;
• be kept safe from unauthorised access, accidental loss or destruction;
• not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

The College and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the College has developed this Data Protection Policy.

2. STATUS OF THE POLICY
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the College from time to time. Any failure to follow the policy can, therefore, result in disciplinary proceedings.
Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the Administrator. If the matter is not resolved it should be raised as a formal grievance.

• know what information the College holds and processes about them and why;
• know how to gain access to it;
• know how to keep it up to date;
• know what the College is doing to comply with its obligations under the 1998 Act.

The College will, therefore, provide all staff and students and other relevant users with a standard form of notification. This will state all the types of data the College holds and processes about them and the reasons for which it is processed. The College will try to do this at least annually.

4. RESPONSIBILITIES OF STAFF

Checking that any information that they provide to the College in connection with their employment is accurate and up to date.

• Informing the College of any changes to information which they have provided, ie changes of address.
• Checking the information that the College will send out from time to time, giving details of information kept and processed about staff.
• Informing the College of any errors or changes. The College cannot be held responsible for any errors unless the staff member has informed the College of them.

If, and when, as part of their responsibilities, staff collect information about other people (eg about students’ course work, opinions about ability, references to other academic institutions or details of personal circumstances) they must comply with the guidelines for staff.

All staff are responsible for ensuring that:

• any personal data which they hold is kept securely;
• personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.
  
  Staff should note that unauthorised disclosure will usually be a disciplinary matter and may be considered gross misconduct in some cases.
  
  Personal information should be:
• kept in a locked filing cabinet; or
• in a locked drawer; or
• if it is computerised, be password protected; or
• kept only on disk which is itself secure.

6. STUDENT OBLIGATIONS
Students must ensure that all personal data provided to the College is accurate and up to date. They must ensure that changes of address, etc, are notified to the student registration office/other person as appropriate. Students who use the College computer facilities may, from time to time, process personal data. If they do they must notify the designated Supervisor. Any student who requires further clarification about this should contact the Supervisor.

6. RIGHTS TO ACCESS INFORMATION
Staff, students and other users of the College have the right to access any personal data that is being kept about them either on computer or in certain files. Any person who wishes to exercise this right should complete the college “Access to Information” form and hand it in to Reception who will forward it to the appropriate Data Controller.
In order to gain access an individual may wish to receive notification of the information currently being held. This request should be made in writing using the standard form attached.
The College aims to comply with requests for access to personal information as quickly as possible but will ensure that it is provided within 21 days unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the data subject making the request.

8. PUBLICATION OF COLLEGE INFORMATION

Information that is already in the public domain is exempt from the 1998 Act. It is the College policy to make as much information public as possible and, in particular, the following information will be available to the public for inspection:

• Names of College Directors and senior staff with significant financial responsibilities (for inspection during office hours only).
• List of staff.
• Photographs of key staff.

The College’s internal phone list will not be a public document.

Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact the appropriate Data Controller.

9. SUBJECT CONSENT

In many cases the College can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to the College processing some specified classes of personal data is a condition of acceptance of a student onto any course and a condition of employment for staff. This includes information about previous criminal convictions.
The College will also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. The College will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of, for example, a medical emergency.
Therefore, all prospective staff and students will be asked to sign a Consent to Process form, regarding particular types of information, when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.

10. PROCESSING SENSITIVE INFORMATION

Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender and family details. This may be to ensure the College is a safe place for everyone, or to operate other College policies such as the sick pay policy or equal opportunities policy. Because this information is considered sensitive and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the College to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this, without good reason. More information about this is available from the appropriate Data Controller.

11. THE DATA CONTROLLER AND THE DESIGNATED DATA CONTROLLER(S)

The College as a body corporate is the Data Controller under the Act and the board is, therefore, ultimately responsible for implementation. However, there are designated Data Controllers dealing with day to day matters. The first point of contact for enquirers is

Hiren Patel College Secretary
Tel: 02002005757
E-mail: info@acllondon.co.uk

who may deal with the enquiry himself or refer it to another designated data controller.

12. EXAMINATION MARKS

Students will be entitled to information about their marks for both coursework and examinations. However, this may take longer than other information to provide. The College may withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all books and equipment returned to the College.

13. RETENTION AND DISPOSAL OF DATA

The College will keep some forms of information for longer than others. Because of storage problems, information about students cannot be kept indefinitely, unless there are specific requests to do so.
When disposing of any document containing personal data, care should be taken to ensure that the document is shredded before consigning to the waste collection. Where there are bulk quantities of such documents, arrangements should be made with the Director.

14. CONCLUSION

Compliance with the 1998 Act is the responsibility of all members of the College. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to College facilities being withdrawn, or even prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the designated College Data Controller.