The Information Governance Unit (IGU) is the department within the Coventry University Group responsible for providing advice on, and monitoring compliance with, the General Data Protection Regulation 2016 (GDPR), the Data Protection Act 2018 (DPA), the Privacy and Electronic Communications Regulations 2003 (PECR), the Freedom of Information Act 2000 (FOIA) and any other related legislation.
If you have any questions about the processing of personal data, raise them with the IGU at the following address: firstname.lastname@example.org
Tasks of the IGU
Some of the tasks the IGU is responsible for are listed below:
- Act as the contact point for data subjects, responding to queries and requests including Data Subject Rights Requests
- Act as the contact point for Freedom of Information requests
- Act as the contact point for the supervisory authority, the Information Commissioner's Office (ICO)
- Investigate data breaches and report them to the ICO where required
- Monitor compliance with, and investigate any failure to meet, the regulatory deadlines for FOIA and DPA requests
- Assess the risks associated with processing operations involving personal data and assist with completing Data Protection Impact Assessments (DPIAs)
- Raise awareness and provide data protection training, guidance and advice
- Develop and review privacy notices, privacy policies and consent forms
- Conduct assessments to identify compliance gaps and provide remedial guidance to ensure compliance with data protection legislation
- Advise on the disclosure of information to third parties such as the Police
The IGU is here to help so please do feel free to get in contact if you need our assistance.
Data breach guidance
Under the General Data Protection Regulation (the “GDPR”), in the event of a personal data breach the Coventry University Group (“the Group”) must report the breach to the Information Commissioner’s Office (the “ICO”) without undue delay and in any event within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
Whether an incident must be reported to the ICO therefore depends on the risk it poses to the data subjects in question. Where the breach is likely to result in a high risk to people’s rights and freedoms, the Group must also inform the affected data subjects. A high-risk situation is one where a data subject may suffer a significant detrimental effect such as financial loss, discrimination or damage to reputation.
What is a personal data breach?
A personal data breach is defined in the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. This is wider than simply the loss of personal data and includes:
- unauthorised access to personal data
- loss of mobile devices, laptops or paper copies
- sending personal data to the wrong person
- disclosure to an unauthorised third party; and
- the unauthorised alteration or deletion of personal data.
When does the University Group need to report a breach to the ICO?
When a personal data breach occurs, an assessment must be carried out of whether the breach is likely to affect the data subjects’ rights or freedoms. If it is likely that there will be a risk to individuals’ rights or freedoms, the University Group must notify the ICO. The GDPR lists some of the negative consequences of a breach that would affect a data subject’s rights or freedoms; these are as follows:
- loss of control over their personal data
- identity theft or fraud
- financial loss
- unauthorised reversal of pseudonymisation
- damage to reputation
- loss of confidentiality of personal data protected by professional secrecy
- any other significant economic or social disadvantage.
Where the University Group notifies the ICO of a breach, the ICO will consider the nature and seriousness of the breach and the adequacy of any remedial action taken by the University Group, and will determine its further course of action, which may be to:
- Record the breach and take no further action; or
- Investigate the circumstances of the breach and any remedial action, which could lead to:
  - No further action;
  - A requirement on the University Group to undertake a course of action to prevent further breaches;
  - Formal enforcement action turning such a requirement into a legal obligation; or
  - Where there is evidence of a serious breach of the GDPR, whether deliberate or negligent, the serving of a monetary penalty notice requiring the organisation to pay a penalty of an amount determined by the Commissioner, up to €20 million or 4% of global annual turnover, whichever is higher.
If the personal data affected had been rendered unintelligible to unauthorised parties (for example by strong encryption, where the decryption key has not itself been compromised) and a backup copy exists, the breach may not need to be notified to the ICO, as there is little risk to the rights and freedoms of the data subjects. If there is no backup, the breach will still need to be reported, since the loss of availability of the data may itself pose a risk to the data subjects.
When does the University Group have to report a breach to a data subject?
If the breach is likely to result in a high risk to the rights and freedoms of individuals, the University Group must inform the data subjects concerned without undue delay. A high risk to the rights and freedoms of individuals is a higher threshold than the risk needed to trigger a report to the ICO: it means that the impact of the breach is more severe and its consequences greater.
The GDPR sets out three conditions, any one of which removes the requirement to notify individuals directly. The first is that the University Group had in place measures, such as encryption, which render the personal data accessed without authorisation unintelligible. The second is that, following the breach, the University Group has taken steps which ensure that the high risk is no longer likely to materialise. The third is that informing the data subjects directly would involve a disproportionate effort, in which case a public communication (or a similar measure that informs them in an equally effective manner) is made instead.
How long does the University Group have to report a breach?
The University Group must report the breach to the ICO without undue delay and in any event within 72 hours of becoming aware of it. The University Group will be regarded as aware when it has a reasonable degree of certainty that a security incident has occurred which has led to personal data being compromised. It may take a short period to conduct an initial investigation to establish whether a breach has in fact occurred, but once that is established it is aware of the breach and the 72-hour deadline to notify begins. The 72 hours run continuously, including weekends and public holidays; where the full details are not yet known, an initial notification can be made and further information provided in phases.
An example is where a student receives an email, from someone falsely purporting to represent the University Group, which contains personal data the student had provided to the University. The implication is that a third party has obtained this information from the University Group. The University then conducts a short investigation and finds evidence of unauthorised access to its databases. At this point the University Group is aware, and must report the breach within 72 hours (if it judges that the breach is likely to pose a risk to the data subjects’ rights or freedoms).
What to do if you suspect that there has been a data breach, and when to do it:
1. Immediately report the suspected breach to the Information Governance Unit (the “IGU”). The responsibility for reporting lies with the person who discovered the breach. Please do not hesitate to do this: however serious the breach, it is far easier to mitigate the consequences when we know about it as soon as possible. Report it by telephoning the IT Service Desk on +44 (0) 24 7765 7777 or by emailing email@example.com, and/or by completing the data breach form;
2. The IGU will decide whether there is enough information to establish that a breach of personal data has occurred;
3. The IGU will assess the breach and determine whether it meets the threshold for reporting to the ICO;
4. If there is not enough information for the IGU to establish whether there has been a data breach, a brief investigation will be conducted. This is likely to involve other departments within the University Group;
5. If the IGU determines that there has been a breach of personal data which is likely to pose a risk to the data subjects’ rights or freedoms, the IGU will report the breach to the ICO within 72 hours;
6. If the IGU determines that there has been no data breach, or that the breach is unlikely to pose a risk to the data subjects’ rights or freedoms, no report to the ICO is necessary, although the incident will still be recorded internally;
7. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the IGU must inform the data subjects concerned directly and without undue delay; and
8. Regardless of whether the breach was reported to the ICO, the IGU will require action to be taken to ensure that such a breach does not happen again. This may involve the introduction of new policies or procedures or new security measures. Action will also need to be taken to mitigate the consequences of the breach.
If you would like any further information or have any queries, you can contact the Information Governance Unit by email at firstname.lastname@example.org.
Further information can be found on the Information Commissioner’s website at www.ico.org.uk or via their helpline on 0303 123 1113.
When should staff and student data be disclosed?
The data protection laws give individuals increased control over their personal data and who it is shared with. This includes the staff and students of the University Group.
Individuals’ rights under the data protection laws must be respected at all times, and personal data must not be disclosed to third parties, including family members, friends, local authorities, government bodies or the police, unless the individual has consented or there is another lawful basis for doing so.
Whenever a third party requests information about a member of staff or a student, the request must be carefully scrutinised so that it is clear exactly what is being requested and why. If the person making the enquiry has a genuine requirement for the information, you should then consider whether its disclosure would be fair, reasonable and lawful.
No personal data should be disclosed to a third party over the telephone, since the caller’s identity cannot be verified. Members of staff must ask requestors to submit their request in writing (where appropriate on headed paper). This gives the member of staff time to check the identity of the requestor and whether there is a lawful basis for the disclosure.
Details of how the Coventry University Group processes personal data and who it is shared with can be found in the Coventry University Group’s Privacy Notices on the Coventry University website; please note, however, that each subsidiary may have its own notices. If you are in doubt as to which notice applies to you, or have difficulty finding it, please contact the Information Governance Unit at email@example.com.
Unless the University Group is legally obliged to provide personal information, it is not required to disclose it even where the data protection laws would permit disclosure. If in any doubt, do not provide the information, and contact the Information Governance Unit at firstname.lastname@example.org.
Sharing Personal Data within the Group
Sharing personal data within the Group is permitted where it is legitimately necessary for the performance of Group-related activities, and should be limited to the data needed for that purpose.
If you have any queries in relation to the sharing of Personal Data within the University Group, please contact the Information Governance Unit at email@example.com.
Disclosure of personal data to third parties such as employment agencies or prospective employers at the individual’s request
The Group often receives requests from third parties for personal data it holds, such as that of students. Generally, disclosure of personal data to third parties is not permitted by the Group, except in specific circumstances where there is a lawful basis for the disclosure.
Disclosure of personal data to third parties is permitted only in the following circumstances:
- Written consent has been obtained from the individual whose personal data has been requested; or
- There is a statutory obligation on the University to disclose the personal data (e.g. HESA and other Funding Council statistical returns); or
- The disclosure is in the legitimate interests of the Group or of the third party to whom the information is being disclosed, except where those interests are overridden by the interests or fundamental rights and freedoms of the individual; or
- Disclosure is in the vital interests of the individual (e.g. information relating to a medical condition may be disclosed in a life-or-death situation); or
- Disclosure is necessary for the performance of a contract (e.g. a contract between the student and a sponsor); or
- Disclosure is necessary for the performance of a specific task in the Group’s exercise of its public duty as an education and research institution.
Where a third party has requested that special category data be disclosed, please note that, in addition to a lawful basis, a further condition for processing special category data must be met under data protection laws; such requests should therefore be referred to the Information Governance Unit via firstname.lastname@example.org for review.
Where the identity of the requestor cannot be confirmed from the initial correspondence, for example because the request has been received from a personal email address, the member of staff should make a written request for evidence of identity (e.g. a signed letter on organisational headed paper) before corresponding further with the third party.
Disclosure to the police and other third party casual enquiries
Requests from the Police or law enforcement officials
All requests for disclosure of personal data held by the Group made by the police should be referred immediately to the Information Governance Unit via email@example.com.
In situations where police officers request disclosure in person from any member of staff, no personal data should be disclosed and the police should immediately be referred to the Information Governance Unit, Portal House, 163 New Union Street, CV1 2PL.
The Group aims to support police investigations where possible, however the Group has obligations to manage personal data in accordance with Data Protection laws.
Requests for information for Council Tax purposes
The Group routinely provides local councils with details of current students for Council Tax exemption purposes. The information disclosed includes, but is not limited to, confirmation of whether the individual is a student, their mode of study (i.e. full-time or part-time) and the course start and end dates. Students living outside those council areas may ask for certification for this purpose, and the Group will provide it in accordance with its legal obligation.
Requests from parents, friends and relatives
Where requests are received from parents, friends or relatives of a student or staff member, no personal data should be disclosed without the explicit consent of the individual. Staff members may offer to accept a message and, having checked the Group’s records, pass it on if the individual is in fact a student or staff member. This avoids disclosing any personal data about the individual, including whether or not they are a student of the Group.
Requests from organisations providing financial support
The Group routinely notifies public funding bodies and the Student Loans Company of changes to a student’s status. These disclosures are covered by the Privacy Notices and the Record of Processing Activities. Records should not be disclosed to private funders who are not covered by our privacy notices without evidence of the student’s consent.
Requests from the Home Office / Immigration and Nationality Directorate / UK Visas
The Group often receives requests for information on attendance and other details relating to international students. Information should only be disclosed where we are satisfied that there is a legal requirement to provide it or the individual concerned has given their consent.
Requests for information about deceased staff or students
Data protection laws apply only to living individuals; however, for deceased staff members or students there may be an ongoing duty of confidentiality. Please refer the matter to the Information Governance Unit via firstname.lastname@example.org for further advice if necessary.
Where the University Group is asked to confirm whether an individual is or has been a student or employee, and the University Group has never had a relationship with that individual, this fact can be confirmed (as the University Group holds no personal data to disclose). If, however, the University Group has had a relationship with the individual, it must consider whether it has a lawful basis for disclosing that information. In accordance with the University Group’s privacy notices, information may be provided where it is in the legitimate interests of the Group to do so, including for fraud prevention, or where there is a statutory obligation on the University Group to do so (such as a HESA requirement). Bear in mind that if a negative answer is given freely but a positive one is withheld, the refusal itself reveals that a relationship exists, so responses to such enquiries should be handled consistently.
Examination results, examination scripts, assessments, examiners’ comments on those papers and examination marks are all personal data. Accordingly, they must be handled in accordance with the data protection laws.
Examination scripts (the information recorded by candidates during an exam) are expressly exempted from the normal data subject access rules by the Data Protection Act 2018. This means that the University is under no obligation to allow students access to their original scripts or to copies of them.
Examiner’s comments and assessments
An individual can request access to an examiner’s comments and assessments, whether made on a script or in a separate document. However, where such a request is made before the results are announced, the period for responding is extended to five months from the date of receipt of the request or 40 days after the announcement of the result, whichever is earlier.
For the purposes of the data protection legislation, examination marks are treated in exactly the same way as examiners’ comments, with the same time scales applying.
Examination board minutes
Minutes of examination boards that contain discussion of specific individuals are subject to the normal rules on data subject access. Accordingly a data subject access request can be made and must be considered in line with the general principles for dealing with such a request.
A student’s examination results constitute their personal data. Care should therefore be taken when issuing results to make sure that students’ rights are protected and their personal data is not shared with any third party, including other students.
It is generally expected that tutors and senior members of staff will provide references for both students and their colleagues. Giving a reference will inevitably involve the disclosure of personal data in the form of both facts and opinions.
Guidance on writing and obtaining references can be obtained from the People team.
All references, both those written and those obtained, should be retained in accordance with the University’s established data retention periods.
References given or received in confidence by the University Group fall within the Data Protection Act 2018, Schedule 2, Part 4, paragraph 24, which provides that a confidential reference given for the purposes of the education, training or employment (or prospective education, training or employment) of the data subject is exempt from subject access requests.
For details of the exemption for references, please see the ICO’s guidance.