Data Protection Policy

Introduction

1. Northeastern University London (the University) is committed to protecting your personal data and informing you of your rights concerning that data.
2. The University needs to keep some personal data about its employees, prospective employees, students, prospective students and other people. The University processes information so that, for example, it can obey the law, admit students, teach and support students, and recruit and pay staff.
3. To comply with the Data Protection Act 2018 (the “Act”) and the General Data Protection Regulation (GDPR), the University must collect and use personal data fairly, store it safely and not unlawfully disclose it to any other person.
4. To do this, the University must comply with the Data Protection Principles, which are set out in the Act. In summary, personal data must:
   1. Be obtained and processed fairly and lawfully and not processed unless certain conditions are met.
   2. Be obtained for a specified and lawful purpose and not processed in any manner incompatible with that purpose.
   3. Be adequate, relevant and not excessive for that purpose.
   4. Be accurate and kept up to date.
   5. Not be kept for longer than is necessary for that purpose.
   6. Be processed in accordance with the data subject’s rights.
   7. Be kept safe from unauthorised access, accidental loss or destruction.
   8. Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
5. One of the University’s responsibilities as a Data Controller is to be transparent in our processing of your personal data and to tell you about the different ways in which we collect and use your personal data. The University will process your personal data in accordance with the General Data Protection Regulation 2018 (GDPR) and the Data Protection Act 2018 (DPA), and this privacy notice is issued in accordance with GDPR Articles 13 and 14.
6. The University may update its Privacy Notices at any time. You can find the current versions of the University’s Privacy Notices below; please check back here regularly to review any changes.

Registration

7. The University is registered as a Data Controller with the Information Commissioner’s Office (ICO) under the DPA (registration number Z3136922).

Status of this Policy

8. Employees and students are required, as a condition of employment or study, to abide by the University’s regulations and policies. Failure to comply with this Policy may lead to disciplinary proceedings

Code of Practice

9. In implementing this Policy, the University will be guided by the Jisc Data Protection Code of Practice for the HE and FE sectors published at Jisc (the “Jisc Code”). The Jisc Code is not mandatory, and if there is any conflict between this Policy and the Jisc Code, this Policy shall prevail.

The Data Controller and the Designated Data Controllers

10. The University itself is the Data Controller under DPA, and the Board of Directors is ultimately responsible for implementation. The Designated Data Controllers will deal with day-to-day matters.
11. The University’s Designated Data Controller for students and applicants is the Registrar, and for all others is the Chief Executive Officer (CEO).

The Data Protection Officer

12. The University has appointed a Data Protection Officer. Their contact information is as follows:

Data Protection Officer

Northeastern University London

Devon House

58 St Katharine’s Way

London E1W 1LP

Your Personal Data & its Processing

13. The University defines “personal data” as information relating to a living and identifiable individual. Personal data can include “special categories of data”, such as information about your racial or ethnic origin, religious or other beliefs, physical or mental health, criminal convictions and offences, the processing of which is subject to strict requirements.
14. “Processing” means any operation which we carry out using your personal data, for example obtaining, storing, transferring or deleting.
15. The University only process data for specified purposes and when data protection law permits its processing. The details of each processing purpose and its legal basis are provided in each of the privacy notices listed below – please consult the one most relevant to your relationship to the University.

Your rights as a Data Subject

16. You have the following rights in relation to your personal data processed by us:

The Right to Be Informed

17. The University will ensure you have sufficient information to ensure that you understand how and why the University processes your personal data and that you know how to enforce your rights.
18. The University provides information in the form of privacy notices, which you can read online.

The Right of Access and The Right to Data Portability

19. You have a right to see all the information the University holds about you. Where data is stored electronically in a structured form, such as in a database, you have a right to receive that data in a standard electronic format that allows you to supply that data to a third party – this is called “data portability”.

The Right of Rectification

20. If the University holds data about you that is incorrect, you have the right to have it corrected.

The Right to Erasure

21. You can ask the University to delete your data and, where this is appropriate, the University will take reasonable steps to do so.

The Right to Restrict Processing

22. If you think there’s a problem with the accuracy of the data the University holds about you, or the University is using data about you unlawfully, you can request that any current processing is suspended until a resolution is agreed.

The Right to Object

23. You have a right to opt out of direct marketing. You have a right to object to how the University uses your data if the University does so on the basis of “legitimate interests” or “in the performance of a task in the public interest” or “exercise of official authority” (a privacy notice will clearly state to you if this is the case). Unless the University can show a compelling case why its use of data is justified, the University must stop using your data in the way to which you have objected.

Rights related to Automated Decision-Making Including Profiling

24. The University may use a computer programme, system or neural network to make decisions about you (for example, everyone that is on a particular course gets sent a specific letter) or to profile you. You have the right to ask for a human being to intervene on your behalf or to check a decision

The Right to Withdraw Consent

25. If the University is relying on your consent to process your data, you may withdraw your consent at any time.

Exercising Your Rights

26. To request your information, please send a written request to the appropriate Designated Data Controller.
27. The request must include:
    1. The full name and address of the person making the request.
    2. If the Data Subject is a different person, that person’s full name and address.
    3. Sufficient details to enable the University to identify the Data Subject’s records, for example, the dates when a former student or employee was at the University.
    4. A description of the information requested, with as much detail as possible.
28. The request should either be handed personally to the Designated Data Controller or sent by recorded delivery or email. The University will need to see original proof of identity of the Data Subject and (if the person making the request is not the Data Subject) that person and evidence of the Data Subject having authorised the request.
29. The University will handle requests in accordance with the guidance provided by the Information Commissioner, aims to comply with requests promptly and will ensure that responses are provided within one month, as required by the GDPR.

Queries and Complaints

30. For more information on your rights, if you wish to exercise any right, for any queries, you may have, or if you wish to make a complaint, please contact the Data Protection Officer.

Complaint to the Information Commissioner

31. You have a right to complain to the Information Commissioner’s Office (ICO) about the way in which the University processes your personal data. You can make a complaint via the ICO’s website.

Privacy Notices

32. Please consult the privacy notice that best fits your relationship with the University.

Data Security

33. All members of staff are responsible for ensuring that any personal data that they hold is kept securely and not disclosed by any means, accidentally or otherwise, to any unauthorised third party. Unauthorised disclosure, including avoidable accidental disclosure, may constitute a disciplinary matter and may be gross misconduct in some cases.
34. Hard copies of personal data must be kept in a locked filing cabinet, drawer, or similar secure storage, on University premises. It is not sufficient to lock the room in which the data is kept.
35. Hard copies of assignments, including exam scripts, may be removed from the University for marking purposes.
36. Computerised personal data may only be held on the University’s official designated data repositories. These are:
    1. Highrise
    2. Quercus
    3. TurnItIn
    4. PeopleHR
    5. CELCAT and all products
    6. Eaglepoint CRM
    7. Hubspot
    8. Mailchimp
    9. Eventbrite
    10. Zapier
    11. Logiforms
    12. Canvas
    13. Google ecosystem (Google drive, Gmail and Google Calendar)
    14. PaperCut
    15. Active Directory and all associate programmes
37. Personal data may not be stored on a laptop, local hard drive, a network drive, a USB stick, CD or any other storage media unless the device is encrypted.

Data Protection Breaches

38. A Data Subject is any person whose personal data is held or processed by the University, including employees, students and applicants. All Data Subjects must:
    1. Check that information provided to the University is accurate and up to date.
    2. Update the University immediately when information changes, such as changes of address. Unless the Data Subject does so, the University is not responsible for errors.

Data Protection Notice

39. If personal data is obtained directly from the Data Subjects themselves, a data protection notice must accompany any request for personal data, including the following information:
    1. The information that the University is the data controller.
    2. The purposes for which the data will be processed.
    3. Any further information necessary to make the processing fair, for example details of any third parties to whom the data might be disclosed.
    4. An opt-in or opt-out to marketing, if appropriate.
    5. A statement that the Data Subject is giving their consent for the processing of the data for the stated purposes to take place.

Sensitive Information

40. The University has to process some information about health, criminal convictions, race, and trade union membership, for specific purposes such as safety or equal opportunities. Data subjects must be asked to give express consent for this. Offers of employment or student places may be withdrawn if an individual unreasonably refuses consent.

Other Processing of Personal Data

41. If faculty or students need to hold or process personal data as part of their studies or research, they must notify the Registrar in advance and comply with guidelines that will be provided.
42. Staff and students may themselves hold or process personal data as part of their coursework, for personal or domestic purposes or otherwise. The University is not the Data Controller in such cases, and the individual concerned is entirely responsible for such disclosures. Such data is not covered by this Policy.

Transfer of Data

43. Personal data may need to be transferred to third parties in some cases, and in that case, the University will be guided by the Jisc Code.
44. Data may also be disclosed to third parties without the consent of the Data Subject when required by law and in certain other limited circumstances. If the need for this arises, the University will be guided by the Jisc Code.

Assessment Results

45. Students will typically receive information about their results for both coursework and examinations routinely. Examination and coursework scripts themselves are exempt from the subject access rules. The Act provides for extended response times for other assessment-related requests.

University Information

46. The names and other personal data relating to staff and directors of the University will be published on the University website if required by law. Work-related information about University staff may be published on the University website.

Data Retention and Destruction

47. The University must retain some student and staff personal data after they leave the University either because the law requires it or for other reasons, e.g., to provide transcripts and references or to keep tax records. Each type of data will be kept for a set period, which is defined in the University’s Data Retention Schedule.
48. When it is time to destroy records, hard copies will be mechanically destroyed by incineration, shredding or a similar permanent method (which may be subcontracted) and electronic records will be permanently wiped by an appropriate irreversible method.

Data Retention Schedule

Introduction

49. The University will only keep your personal data for as long as necessary to fulfil the purposes for which it was collected.
50. To determine the appropriate retention period for personal data, the University considers the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which the University processes your personal data and whether it can achieve those purposes through other means, and the applicable legal requirements.
51. This data retention schedule describes the time periods for which records should be retained by the University. The retention periods given in this document are taken mainly from the JISC Record Retention Schedule which can be viewed here.
52. At the end of the retention period records should be destroyed securely or deleted. Where the retention period is “permanent”, the record will never be destroyed.
53. Only one copy of each record needs to be kept for the full duration of the retention period. Duplicate and additional copies of records should be destroyed as soon as they are no longer of operational use.
54. The Records Management British Standard BS ISO 15489 defines a record as “Information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or the transaction of business”. All records created and stored by the University, both in paper and electronic form and including data held in databases are subject to retention policies. Where a record contains personal identifying information the retention periods stated in this schedule are mandatory requirements and must be followed unless the Information Governance Office has approved a specific exception. Entries marked with an * indicate a record that is likely to contain personally identifying information, this may not be exhaustive.

Unstructured Information Systems

55. Email should not be used for storing any University records. Emails that constitute a record which needs to be retained, including those containing personally identifying information, must be stored in a filing system appropriate to their level of confidentiality or criticality.
56. Shared drives or other unstructured information storage solutions (including cloud-based storage) used to store any University records should be managed in accordance with this schedule, however where those records contain personally identifying information the retention periods must be followed.

Structured Systems Storing Personally Identifying Information

57. All structured information management systems that store records containing personal identifying information must be managed in accordance with this schedule. These information management systems must have a deletion or archival capability and, where appropriate, be able to identify a subset of the original information for continued retention.

Important Notes

58. University policy and strategy documents should be retained for 10 years or 5 years, depending on importance, and then referred to the University archives.
59. Audits and reviews of performance against plans and strategies should be retained for 10 years after the current academic year and then be offered to the University archives.
60. Contracts and customer service agreements should be retained for 6 years after the termination of the contract or agreement, and then be offered to the University archives.
61. Original financial records should be retained for 6 years after the current financial year to ensure compliance with the Limitation Act 1980 and HM Customs & Excise Notice 700/21: Keeping [VAT] records and accounts.
62. Publications and promotional materials should be kept while current, and then a copy offered to the University archives for review.
63. Individual student files should be kept for 6 years after the student’s relationship with the University has ended. This is to ensure compliance with the Limitation Act 1980 and is in line with the principles set out in data protection law. Only essential records of students should be kept for more extended periods: Name, dates of relationship with the University and final award classification. Also, a full record of courses taken and the marks for these should be kept for at least 40 years for each student to construct student transcripts.

Details of Records

Version History