guide 10

How the college processes personal data

Introduction

The College wishes to make it clear to all students, staff and other workers how their personal data, including certain sensitive data, will be processed by the College. In essence, in order to function normally, the College needs to process 'ordinary' and 'sensitive' personal data. Processing of certain data will for many activities continue after individuals have left the College.

Some, but not all, of the purposes listed below will also apply to applicants to the College.

In most instances staff - and where appropriate, students - will not need to obtain consent to process from data subjects who are students or members of staff because such consent is obtained routinely by the University.

College data collection statements usually inform the data subject that their data will be used for "standard administrative purposes", this documents aims to set out what the majority of these purposes are.

The data for which consent to process may be considered as having been obtained are set out below. Part I sets out the use of student personal data. Part II sets out the use of staff personal data. Staff - or students - who wish to process personal data not included in these extracts should obtain consent from the data subject(s) first; and should also contact the departmental/divisional Data Protection Coordinator to inform them of the need to include such data in the department's Data Protection Registration.

In practice, the day-to-day processing of data will continue as before. An exception to this is research data: in most instances, the College cannot obtain widespread consent in advance of processing and researchers will need to consider individually whether or not they need to obtain specific consent to process from data subjects. In the case of health-related research this will always include obtaining appropriate approval from the local Ethics Committee (and in some instances approval from the Patient Information Advisory Group). The College has a Clinical Research Office which oversees ethical issues of clinical research by College

The lists shown below are not exhaustive and do not preclude the College from processing personal data that is included within its registered use under the Data Protection Act or in any other way allowed under the law.

Provision of personal data to a third Party

Except as otherwise provided for set out below, or unless written authorisation has been provided by the member of staff/student concerned, the College does not normally release information that could constitute personal data to any third party (including parents, relatives and friends). Please see guidance on Disclosure of student data or Disclosure of staff data.

All students agree that their personal data may be processed and released to third parties for the following purposes (21-42).

Guide 10 - use of data for college purposes

Use of Student Personal Data

All students agree to the College processing their personal data for the following purposes, provided that sensitive personal data may be processed only as set out in clauses 44-52 below unless specific consent is obtained:

  1. Admission, registration and administration of their studies including the requirements of the Student Online Evaluation Survey (SOLE)
  2. Academic assessment.
  3. Administration of appeals, complaints or grievances.
  4. Pursuit of social and sporting activities e.g. relating to use of the College's sports facilities.
  5. The provision of College accommodation and other support services such as those of the Library and the Careers Service.
  6. The granting of awards (including the publication of awards and marks and inclusion in pass lists made available via the College's web site).
  7. Processing and recovery of accounts and fees.
  8. Research and statistical analysis.
  9. Production of statistical returns required by certain third party bodies e.g. the Higher Education Statistics Agency.
  10. Creation of e-mail addresses, available to those within and outside of the College. (Please note that it is possible for those accessing such addresses to obtain such information as a student's home department/division and indeed whether an individual is or has been enrolled at the College.)
  11. Direct mailing of College publications regarding third party services and College activities and events organised for students.
  12. Host mailing of services or career opportunities that the College believes may be of interest to students.
  13. Administration of employment contracts where the student is employed by the College.
  14. Administration of the College's Alumni relations.
  15. Consideration of the award of scholarships.
  16. Administration of such College codes of practice and policies as apply to students.
  17. In relation to the safety of individuals and their property and the protection of College assets, including the use of CCTV
  18. The production of student identification cards
  19. The production of photographs of students for use within the College and its teaching partners.
  20. For organising events for incoming international students
  21. To the Higher Education Statistics Agency, the Funding Council, government departments and other authorised users for the analysis of student statistics and/or to enable them to carry out their statutory functions as applicable. (ref b)
  22. To the Home Office or British overseas consulates in cases where an applicant or student has requested help from us regarding visas.
  23. To The Imperial College Students' Union for: direct mailing about Union activities, societies and events, administration of Union membership and membership rights, giving of advice on welfare and other issues.
  24. To professional and industrial bodies wishing to communicate with students about career opportunities and membership of their body. Normally the College will forward information on behalf of the organisation.
  25. To direct mail agencies who may assist the College in the administration of mailing to students. Student data will only be used for mailings from the College.
  26. To the police or other regulatory body where pursuant to the investigation or disclosure of a potential crime.
  27. To close family and the emergency services where there is an emergency situation e.g. illness, serious injury or bereavement.
  28. To external examiners for the purposes of assessment.
  29. To government al and regulatory bodies for the purpose of gathering census or other information including the assessment of fees, including electoral registration officers.
  30. To the Home Office and other international and national governmental and regulatory bodies in connection with the assessment of students' status.
  31. To other educational institutio ns, including those involved in the delivery of a student's course or programme, e.g. affiliated colleges and exchange institutions, including those outside the EEA; and to other organisations in relation to work placements.
  32. To professional bodies where registration with that body is related to or a requirement of the stud ent's studies e.g. the GMC for medical students.
  33. To the College's Alumni branch offices/representatives within and outside of the UK for dissemination of information in connection with activities and events for former students.
  34. To any third party accessing the College's e-mail directory of student e-mail addresses.
  35. To any third party wishing to access a catalogue within the University's library containing reference to student work.
  36. To third parties accessing information about student awards - ranged by department - which is available in the public domain.
  37. To family, sponsors or other third parties to enable the payment of student debts.
  38. To external agents of the College in relation to the repayment of student debts.
  39. To external agencies - which may be based outside the European Economic Area - in connection with procedures for guarding against plagiarism.
  40. To Data Processors who are registered under the Act in order for them to process data on behalf of the College for any of the purposes for which the College is permitted to process the data, including the provision of academic and other services by the College.
  41. In relation to the provision of references for students or former students.
  42. To sponsors, including the UK research councils, the Student Loan Company and sponsors located overseas.
  43. To external bodies and individuals who have funded student prizes and awards.

All students agree to the College processing their sensitive personal data (data about racial or ethnic origin, physical or mental health, commission or alleged commission of criminal offences) for the following purposes and for release to the following third parties:

44.  To the Higher Education Statistics Agency, the Funding Council, government departments and other authorised users for the analysis of student statistics and/or to enable them to carry out their statutory functions as applicable.
45.  To professional bodies where registration with that body is related to or a requirement of the student's studies e.g. the GMC for medical students.
46.  To other bodies involved in the delivery of the course or programme e.g. affiliated colleges, for the purpose of statistical analysis and programme administration.
47.  Unless otherwise agreed with the student, within the College only, for the assessment and provision of services to disabled students.
48.  For admission to and the administration of student programmes.
49.  Where required, to the police or other agencies in connection with particular programmes of study or prior to certain placements.
50.  To the College's insurers in respect of accidents occurring within the institution and external auditors.
51.  The production of student identification cards
52.  The production of photographs of students for use within the College and its teaching partners.

Use of Staff Personal Data

All members of staff and other workers agree to the College processing their personal data for the following purposes, including the processing of sensitive data where consent has been given: -

  1. Payment of salary, pension, sickness benefit or other payments due under the contract of employment.
  2. Monitoring absence or sickness under an absence control or capability policy.
  3. Training and development purposes.
  4. Management planning.
  5. Providing and obtaining references - and consultation with external agencies including police checks where necessary for the purposes of employment - for job applicants and employees in post; and providing references for former employees.
  6. For disclosure to the police or other regulatory body where pursuant to the investigation or disclosure of a particular crime.
  7. Promotion and salary progression exercises.
  8. Negotiations with trade unions or other staff representatives
  9. Curriculum planning and organisation.
  10. Research and statistical analysis.
  11. Time table organisation.
  12. Administration of College codes of practice and policies.
  13. Compliance with the equal-opportunities legislation e.g. Equality Act 2010.
  14. Compliance with any statutory or legal requirement to provide information about staff or other workers including, for example, statistical returns to external bodies and staff membership lists to Unions.
  15. Administration of the College's disciplinary and grievance procedures.
  16. Direct mailing for third party services reasonably concerned with employment-related matters or staff benefits.
  17. Production of published staff lists including the telephone and e-mail directories for both internal and external use.
  18. Production of Staff Identity Cards.
  19. Production of photographs of staff for display within the College or on the web.
  20. Development of staff research profiles by associated College companies.
  21. Monitoring the use of College resources.
  22. In relation to the safety of individuals and their property and the protection of College assets, including the use of CCTV.
  23. In relation to the provision of academic services and other services (for example, car parking).
  24. In relationship to membership of College and staff clubs, societies and similar organisations.
  25. For disclosure to close family and emergency services in the event of an emergency, for example, illness, serious injury or bereavement.
  26. In relation to exit questionnaires distributed to those leaving the College's employ.
  27. In connection with data processed by external contractors or consultants from whom the University may obtain services or seek advice.
  28. For disclosure to Data Processors who are registered under the Data Protection Act in order for them to process data on behalf of the College for any of the purposes for which the College is permitted to process the data, including the provision of academic and other services by the College.
  29. For disclosure to the College's insurers in respect of accidents occurring within the institution and to the College's external auditors.
  30. The dissemination of staff contact details for use in connection with critical incident management plans.
  31. To any third party accessing the College's e-mail directory of staff e-mail addresses.
  32. To any third party wishin g to access a catalogue within the University's library containing reference to staff work.
  33. To third parties accessing information about staff awards or prizes.
  34. To The Imperial College Students' Union for: administration of Union membership, societies and events.

Footnotes

(a) Sensitive personal data includes information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual orientation and criminal convictions.

(b) In the case of HESA, thi s may include releasing telephone numbers so that HESA or its agents can make telephone calls in relation to the auditing of First Destination Surveys of graduates.