Staff and students must read, understand and abide by Ulster University's GDPR Policy and get help from the Data Protection Officer if needed.
Staff must also complete the Ulster University Data Protection Training programme.
Any alleged breaches of the GDPR or DPA by staff and/or students will be fully investigated and may result in disciplinary action. In some instances, breaches may be considered as gross misconduct.
Safeguarding personal data
All staff and students must apply these criteria, as appropriate and relevant, at all times to the processing of personal data in both electronic and hard copy format:
- ensure data is kept securely with the level of security appropriate to the level of confidentiality and sensitivity of the material
- ensure robust procedures are in place to prevent accidental loss, destruction or damage of Personal Data or unauthorized unlawful processing
- ensure that the use of and access to computers, laptops and other portable electronic data processing/storage devices is compliant with University guidance within the Acceptable Use of Information Technology Code of Practice
- staff who have responsibility for supervising students involved in work which requires the Processing of Personal Data are required to ensure that the students are fully aware of the data protection principles, the requirements of this policy and the need to obtain the consent of any Data Subjects involved as appropriate
- ensure that access to Personal Data is restricted only to authorised persons
- inform University security staff immediately of incidents where persons without proper authorisation are found in areas where Personal Data is held or processed
- ensure that Personal Data is retained for no longer than is necessary for the purpose for which is was obtained. Further information can be found in the University's Retention and Disposal Schedule
- ensure that all Personal Data is obtained for specified, explicit and legitimate purposes and only processed for those purposes
- ensure that all Personal Data is processed lawfully, fairly and transparently with a legal basis for processing
- ensure that all Personal Data collected or otherwise processed is adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed
- avoid, in so far as possible, recording personal opinions not based on fact about a Data Subject. These comments will be disclosable
- ensure that Personal Data is processed securely and not disclosed either accidentally or deliberately either verbally or in writing to any unauthorised person or organisation
- avoid giving Personal Data by telephone unless there is a very high degree of certainty that the caller is the person he/she claims to be and is an appropriate person to receive the data in question
- ensure that accurate, up-to-date personal details are provided to the University and notify them of any changes or errors. Inaccurate Personal Data must be erased or rectified immediately
There may be circumstances when it is appropriate for the University to share personal information with other organisations. In any such circumstances, further guidance should be sought from the Data Protection Officer