Data protection is a set of good practice rules for handling information about people. This policy sets out how the Scottish Wider Access Programme (hereafter referred to as SWAP) manages its responsibilities to data protection.

 

SWAP is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data held by it. SWAP uses, stores, and otherwise processes personal data relating to students and staff from partner institutions. When processing personal data, SWAP is obliged to fulfil individuals’ reasonable expectations of privacy by complying with the Data Protection Laws.  

 

Data may only be processed in accordance with this policy and with the terms of SWAP's notification to the Information Commissioner, which sets out the purposes for which SWAP holds and processes personal data. Any breach of the policy may result in SWAP, as the registered Data Controller, being liable in law for the consequences of the breach. This liability may extend to the individual processing the data, the SWAP Director and the partners within the SWAP consortium, under certain circumstances. 

 

This policy applies regardless of where the data is held and, in respect of automatically processed data, the ownership of the equipment used, if the processing is for SWAP purposes. It applies to all personal data we process regardless of the location where the personal data is stored and regardless of the data subject. 

 

Principles 

 

When SWAP processes personal data, staff should be guided by the following principles, which are set out in the Data Protection Laws. SWAP is responsible for, and must be able to demonstrate compliance with, the data protection principles listed below. Those principles require personal data to be:

 

 

The Data Protection Laws define both personal data and sensitive personal data. Data users must ensure that the necessary conditions are satisfied for the processing of personal data and in addition that the extra, more stringent, conditions are satisfied for the processing of sensitive personal data. 

 

‘Personal data’ has a broad ranging definition and can include not only items such as home address, age, telephone number and schools attended but also photographs and other images, if focussed on an individual and disclosing information which is biographical in a significant sense. ‘Sensitive personal data’ consists of religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life and criminal record. 

 

 

The Data Protection Laws give data subjects a right to access personal data held about them by SWAP. When students register with us, they enter into a contract. This is the legal basis upon which SWAP collects their personal data. Data subjects have rights in relation to the way we handle their personal data. These include the following rights most relevant for SWAP data subjects:

 

a. To ask for access to the personal data that we hold

b. To prevent our use of the personal data for direct marketing purposes

c. To ask if it is still necessary in relation to the purposes for which it was collected

d. To ask us to rectify inaccurate data or complete incomplete data

e. To be notified of a personal data breach which is likely to result in high risk to their rights and freedoms.

 

With regard to Point 1 above, under the Data Protection Laws, most subject access requests will be carried out free of charge. However, SWAP will have the right to refuse or charge for requests that are manifestly unfounded or excessive. SWAP will however seek to take an approach which facilitates access to their personal data by individuals without them having to make formal subject access requests under the DPA, whilst acting within the Data Protection Principles. All formal subject access requests must be responded to within one month and must be notified to the Director as soon as they are received. Any cases of doubt as to whether a request for access to personal data is a subject access request under the Act, must be referred to the Director without delay. 

 

 

As a Data Controller, SWAP is responsible for establishing policies and procedures in order to comply with data protection law. The Director of SWAP has a duty to develop and encourage good information handling practices, within SWAP’s areas of responsibility. All users of personal data within SWAP have a responsibility to ensure that they process the data in accordance with the Data Protection Principles and other conditions set down in the Data Protection Laws. 

 

All SWAP staff members who process personal data about students, staff, applicants, alumni or any other individual must comply with the requirements of this policy. Staff members must ensure that:

 

a. All personal data is kept securely

b. No personal data is disclosed either verbally or in writing , accidentally or otherwise, to any unauthorised third party

c. Personal data is kept in accordance with SWAP’s data retention schedule

d. Any queries regarding data protection are promptly given to the SWAP Director.

e. Any data protection breaches are immediately brought to the attention of the SWAP Director.

 

 

SWAP students are responsible for:

Familiarising themselves with the Privacy Notice provided when they register with SWAP

Ensuring that their personal data provided to SWAP is accurate and up to date

 

 

 

Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. This applies to both electronic and non-electronic personal data. For SWAP students, this information is contained in the Privacy Notice which all students who register as a SWAP student must read and accept before registering.  

SWAP’s data retention schedule records all data held by SWAP; how and why it is kept and for what time period.  SWAP carries out an annual information audit to ensure that all data retention and disposal is appropriately controlled in accordance with the data protection principles. 

 

 

When registering with SWAP, students have entered into a contract with SWAP. This legal basis allows SWAP to share personal data with the data subject’s college and the university that the data subject chooses.  SWAP must ensure that this data is transferred by secure systems.  When personal data is transferred the recipient must only process the data in a manner consistent with the original purpose for which the data was collected. 

Personal data can only be transferred out of the European Economic Area under certain circumstances. The Act lists the factors to be considered to ensure an adequate level of protection for the data and some exemptions under which the data can be exported. Information published on the Web must be considered to be an export of data outside the EEA.

 

 

This policy was updated in May 2018 in order to ensure continuing compliance with the new data protection laws. Any breach will be taken seriously. 

 

 

SWAP has notified the Information Commissioner’s Office that it processes personal data. Questions related to the terms of the notification and other day to day matters on the operation of the policy can be dealt with by the Director of SWAP. 

 

SWAP East
22B Buccleuch Place
Edinburgh

EH8 9LN

(t) 0131 650 6861

(e) swapeast@ed.ac.uk

(w) www.scottishwideraccess.org

c/o Glasgow Kelvin College
Springburn Campus
Room 226
123 Flemington Street
Glasgow, G21 4TD

(t) 0141 564 7206
(e) swapwest@scottishwideraccess.org
(w) www.scottishwideraccess.org