Privacy Policy
Data Protection Policy
The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and descriptive of, living individuals (defined by the Act as " personal data") which are held either electronically or in a structured manual filing system. The Act came into force on 1st March 2000 with most of its provisions becoming effective on 24th October 2001.

The Scottish Wider Access Programme (hereafter referred to as SWAP) is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data held by it. 
Data may only be processed in accordance with this policy and with the terms of SWAP's Notification to the Information Commissioner, which sets out the purposes for which SWAP holds and processes personal data. Any breach of the policy may result in SWAP, as the registered Data Controller, being liable in law for the consequences of the breach. This liability may extend to the individual processing the data and the Director under certain circumstances. 

This policy applies regardless of where the data is held and, in respect of automatically processed data, the ownership of the equipment used, if the processing is for SWAP purposes.
All data users must comply with the eight Data Protection Principles. The Principles define how data can be legally processed. 'Processing' includes obtaining, recording, holding or storing information and carrying out any operations on the data, including adaptation, alteration, use, disclosure, transfer, erasure, and destruction. 
  • Personal data shall be processed fairly and lawfully. 
  • Personal data shall be held only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or purposes. 
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed. 
  • Personal data shall be accurate and where necessary kept up to date. 
  • Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose. 
  • Personal data shall be processed in accordance with the rights of data subject under the DPA. 
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of the data. 
  • Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 

The DPA defines both personal data and sensitive personal data. Data users must ensure that the necessary conditions are satisfied for the processing of personal data and in addition that the extra, more stringent, conditions are satisfied for the processing of sensitive personal data.
'Personal data' has a broad ranging definition and can include not only items such as home and work address, age, telephone number and schools attended but also photographs and other images, if focussed on an individual and disclosing information which is biographical in a significant sense. ‘Sensitive personal data’ consists of religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life and criminal record. 
Responsibilities of Director of SWAP
The Director of SWAP has a responsibility to ensure compliance with the Act and this Code, and to develop and encourage good information handling practices, within their areas of responsibility. All users of personal data within SWAP have a responsibility to ensure that they process the data in accordance with the eight Principles and other conditions set down in the DPA. 
Access to Data 
The Act gives data subjects a right to access personal data held about them by SWAP. Under the GDPR most requests will be carried out free of charge. However, SWAP will have the right to refuse or charge for requests that are manifestly unfounded or excessive. SWAP will however seek to take an approach which facilitates access to their personal data by individuals without them having to make formal subject access requests under the Act, whilst acting within the Data Protection Principles. All formal subject access requests must be responded to within one month, as prescribed by the GDPR (2018), and must be notified to the Director as soon as they are received. Any cases of doubt as to whether a request for access to personal data is a subject access request under the Act must be referred to the Director without delay. 
Retention of Data 
Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. This applies to both electronic and non-electronic personal data. 
SWAP’s data retention schedule records all data held by SWAP; how and why it is kept and for what time period.  SWAP carries out an annual information audit to ensure that all data retention and disposal is appropriately controlled in accordance with the 8 DP principles. 
Data Transfer 
SWAP adheres to the ICO Data Sharing Code of Practice 2011.
When personal data are transferred internally the recipient must only process the data in a manner consistent with the original purpose for which the data was collected. 
Personal data can only be transferred out of the European Economic Area under certain circumstances. The Act lists the factors to be considered to ensure an adequate level of protection for the data and some exemptions under which the data can be exported. Information published on the Web must be considered to be an export of data outside the EEA.
Data Security

All SWAP users of personal data must ensure that all personal data they hold is kept securely. They must ensure that it is not disclosed to any unauthorised third party in any form either accidentally or otherwise.
Status of the Policy 
The updated policy was approved by SWAP’s executive groups in 2018. Any breach will be taken seriously. 

Data Protection Officer

SWAP has notified the Office of the Information Commissioner that it processes personal data. Questions related to the terms of the notification and other day to day matters on the operation of the policy and the Act can be dealt with by the Directors of SWAP East and SWAP West.
34 Buccleuch Place

(t) 0131 650 6861

Glasgow Kelvin College
43 Shamrock Street
Glasgow G4 9LD
(t) 0141 564 7206
about us