DATA PROTECTION GOVERNANCE

Who is the Data Protection Officer?

The Data Protection Officer (DPO) for Chichester College Group, First Steps and Anglia Examinations is Benjamin Phillips.

Benjamin is based at Chichester College but works across all campuses. He can be reached by emailing dp@chichester.ac.uk or calling 01243 786321 ext: 2653.


Is the Group registered as a Data Controller with the Information Commissioner’s Office (ICO)?

The Group is registered as a data controller with the ICO and has been recorded on the official fee payers register.

Our registration numbers are:

Chichester College Group - Z4919601

First Steps Childcare - Z7715459

Anglia Examinations Syndicate Ltd - Z5007871


What do Data Champions do?

Data Champions are established across the Group. They form the Privacy Network and work with the Data Protection Officer to manage our compliance with data protection legislation. They help collate documents from within your department when people want to make use of their rights under data protection legislation, and act as a point of contact to answer questions from their colleagues.


What training is available to staff on data protection?

A mandatory e-module can be found on CCGOnline under staff training. This must be taken by all staff every two years. The module is designed to talk you through the fundamentals of GDPR in the context of the Group.

The Group also offers a Level 2 NCFE VRQ in data protection and data security. To find out more about this VRQ contact professional development.

The data protection team runs a series of workshops throughout the year to act as refresher courses. The Data Protection Officer will attend team meetings and offer additional training for departments on request. Please email dp@chichester.ac.uk to book a session and discuss the content of the session.


How long should I keep files for?

The Group has a document retention policy which can be found on ChiDrive. This document outlines the retention schedule for different types of documents. Once this retention schedule has been reached the information should be securely destroyed either by deleting the file or placing it into confidential waste. If you have questions about how long documents should be kept for contact the document owner or the Data Protection Officer.


DATA BREACHES

I think there has been a data breach, what should I do?

GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

If you know or suspect a breach has occurred you must inform the data protection team immediately by calling 01243 786321 ext: 2653. If you are aware of an IT security breach report this immediately to CSU. If the breach is out of hours or during holidays where the College is closed email dp@chichester.ac.uk.

All data breaches must be recorded centrally with the data protection team. If there is a risk to people's rights and freedoms, the Group may have to inform the Information Commissioner’s Office (ICO). We have 72 hours to make this decision from the point you discovered the breach.


SHARING PERSONAL DATA

How do I share data safely?

When sharing information there must be a lawful basis for doing so, such as fulfilling a contract, meeting legal obligations or having collected consent. You should only share information if you are confident the recipient is who they say they are.

We must also keep the personal information secure. This includes during transport. The level of security should be proportionate to the type of data being shared. There is an expectation that special category data such as medical data or protected characteristics would have a greater level of security.

Encryption is one of the easiest ways to protect data. A free program called 7-zip can be found in the application catalogue on Group PCs. Encryption means the file cannot be accessed without a password. Remember to provide the recipient with the password separately from the encrypted file to keep it secure. Speak with computer services for help with encrypting and decrypting files.

When sending emails through your Group email account from Outlook or through a web browser there is an option to encrypt the email. We would still encourage you to encrypt confidential attachments for added security.

Another option is to upload your file to your CCG OneDrive account and share the link. When shared externally the link is valid for 30 calendar days and requires the recipient to enter their email address to access the file. Do not use any other cloud storage provider to access your files as we cannot guarantee their compliance with GDPR or the Group IT Security Policy.

Setting up a Microsoft Teams Group is another great way of sharing documents with a group of people. This option is best suited when the same people need access to files on a regular basis. 

Avoid the use of removable media such as memory sticks or portable hard drives as these can easily be lost or stolen and do not have the same level of security by default.


What can I say to parents?

Students own their data and therefore we cannot discuss a student’s performance or progress at college with a parent, guardian or another family member without the student’s permission.

At Worthing, contact with parents is automatic and students can use their right to object to stop the College from communicating with parents. GLT have approved Worthing College to move to the practice of the other Colleges from 1 August 2020.

At Brinsbury, Chichester, Crawley and Haywards Heath parental contact works on consent. Students specify who they allow the college to discuss performance and progress at college with when they join the college and can change this at any time. These people are known as permitted contacts.

You can check who you can discuss performance and progress at college with by logging into EBS or Columbus, searching for the student and looking under the contact info tab. They are listed as contacts 1, 2 and 3. The emergency contact is different to a permitted contact and should only be used in an emergency.

You can still give generic information to parents such as term dates, generic course information and details of policies or procedures but you should not discuss these in relation to a specific student.

The Group has procedures to involve parents or guardians under safeguarding and in the final stage of the positive behaviour management referral process where we can demonstrate it is in the best interest of the student to do so.


Can we still hold parents evenings?

Data protection legislation does not stop the College holding parents evenings. However, we can only discuss performance and progress at college with those who we have permission to share the information with. Refer to the section "What can I say to parents?"


DATA RIGHTS

What are my data rights?

Data protection legislation gives individuals (known as data subjects) eight rights. These rights are:

  1. The right to be informed
  2. The right of access
  3. The right of rectification
  4. The right of erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

The Information Commissioner's Office (ICO) has useful information on your rights on its website.


How can I access my data?

The majority of information the Group holds is readily accessible to students and staff. You may be able to access your information by speaking directly to the department responsible. For example by speaking with the course leader, your line manager or Human Resources. Information is also available by logging into systems such as C-Space and HR self service.

Alternatively, if you are unable to find the information you are looking for, you can make a formal request to the data protection team. This is known as a subject access request (DSAR). You can request all information or specific information on yourself. The Group are unable to provide you with information on anyone else without proof you are entitled to act on their behalf.

A request can be made verbally or in writing. There is no specific form to complete. However, the easiest way to make a request is by sending an email to dp@chichester.ac.uk and including a copy of formal identification such as a passport or driving licence.


WORKING REMOTELY

I want to work from home, how do I access personal data securely?

The best way to work from home is to log into the Remote Desktop Service. From any computer or iPad with an internet connection, worldwide, you can log into a virtual machine and access a Windows 10 desktop. From here you have access to all college services such as your files, the intranet and Microsoft Office applications to use as if you were onsite.

To access the Remote Desktop follow the guide by CSU under the staff tab on CCGOnline. You must be on campus for the initial set up.

Contact computer services if you need further support.


MARKETING

What should I consider when creating and sending marketing campaigns?

You can only send direct marketing to individuals where you have their consent to do so. You must also be able to evidence this consent on request. The consent must be specific and freely given. For example consent to receive a monthly college e-newsletter cannot be in the same tick box as signing up to a college course.

Consent must be as easy to withdraw as it was to give. Consent can be withdrawn at any time.

Our lawful basis for marketing to businesses would most likely be legitimate interests. This is an opt-out process but it must be made clear where their contact details have come from, why we are sending them marketing and how they can opt-out. Legitimate interests cannot be used for direct marketing to individuals.

When sending electronic marketing you should also consider our obligations under the privacy and electronic communications regulations (PECR).

If you are considering a new marketing campaign or want to check if you can send marketing using details you already hold then talk to the marketing team or the data protection team.


COMPLAINTS

I have a complaint about the way Chichester College Group has handled my personal information, who should I talk to?

Any questions or complaints about the way Chichester College Group handle personal information should be addressed to the Data Protection Officer (DPO). You can raise your complaint by emailing dp@chichester.ac.uk or by sending a letter to the following address:

Data Protection Officer

Chichester College

Westgate Fields

Chichester

West Sussex

PO19 1SB 

If you are unsatisfied with the response from Chichester College Group you also have the right to complain to the Information Commissioner’s Office (ICO).


FREEDOM OF INFORMATION

What is the Freedom of Information Act?

The Freedom of Information Act 2000 enables public access to information held by public authorities. Anyone can make a request; they do not have to be UK citizens or resident in the UK. The Act covers any recorded information (printed documents, computer files, letters, emails, photographs, and sound or video recordings) that is held by a public authority within the UK. This can include documents originally created by another organisation not covered by the Act but held by the Group.

The college Group and therefore its commercial businesses are covered by the Act.

Not every request for information has to be recorded as a Freedom of Information request. The Group makes lots of information available to the public by default. For example, key policies are published on our websites and information on how the Group operates and the courses on offer can be obtained from everyday conversations.

Freedom of Information requests could be sent to anyone within the Group. If you receive a Freedom of Information request please forward it to the data protection team who will log the request and respond accordingly. Under the legislation the Group has 20 working days to confirm whether the information is held by the Group and if so to provide the information.


Who is the FOI Officer?

The Data Protection Officer (DPO) for Chichester College Group, First Steps and Anglia Examinations is Benjamin Phillips.

Benjamin is based at Chichester College but works across all campuses. He can be reached by emailing dp@chichester.ac.uk or calling 01243 786321 ext: 2653.

Last modified: Monday, 11 May 2020, 1:54 PM