Data protection policy

Introduction

Heriot-Watt University is an international community of learning, and personal interaction is at the heart of our mission to create and exchange knowledge for the benefit of society. The University's need to communicate and share personal data worldwide also presents significant data protection risks. 

As members of a global interconnected university, we need to ensure that everyone enjoys the same high standards of privacy in their interactions with us wherever in the world they may be.  This aligns with our Strategy and Values. This means that we will comply with the highest legal standard applicable unless the law in a particular country requires us to make an exception, which we then document and explain to the individuals concerned. The benchmark legal standard is the European Union General Data Protection Regulation (GDPR) as applied in UK law.  

The University Group must comply with relevant legislation protecting privacy rights in every jurisdiction where the University operates. As the University and its constituent legal entities are UK Data Controllers, and also Data Processors for certain activities, the territorial scope of UK Data Protection legislation, and therefore of this policy, applies to all processing of personal data by and for the University, regardless of where the processing takes place.  

As of 1 January 2021, the European Union (EU) General Data Protection Regulation (GDPR) has been embedded into UK law as the UK GDPR alongside the revised UK Data Protection Act, 2018 (DPA), and the Privacy and Electronic Communications Regulations 2003 (PECR).

In addition, we must comply with the European Union (EU) General Data Protection Regulation (GDPR) in relation to personal data collected before 31 December 2020 and when offering goods and services to people in the EU or monitoring their behaviour in the EU.  

In Dubai we apply the UK GDPR, DPA and PECR together with United Arab Emirates Federal Data Law that protects personal privacy. 

We comply with the Malaysia Personal Data Protection Act 2010, alongside the UK GDPR, DPA and PECR for activities involving our Malaysia campus. 

These data protection laws require the University to protect personal information and control how it is used in accordance with the legal rights of the data subjects - the individuals whose personal data is held.

All data subjects are entitled to know:

• Their rights under data protection law and how to use them,

• What the University is doing to comply with its legal obligations under data protection law.

Misuse of personal data, through loss, disclosure, or failure to comply with the Data Protection Principles and the rights of data subjects, may result in significant legal, financial and reputational damage. This may include penalties of up to £17.5 million or 4% of worldwide annual turnover for serious breaches of the law, claims for compensation and loss of recruitment and research income. In order to manage these risks, this policy sets out responsibilities for all managers, employees, contractors, and anyone else who can access or use personal data in their work for the University.

Purpose of our policy

This policy and its supporting procedures and guidance support University compliance with its obligations as a Data Controller and where applicable, a Data Processor under data protection law. The University is responsible for, and must be able to demonstrate, compliance with the following Data Protection Principles (“accountability”). In summary, these state that personal data shall be:

  • Processed lawfully, fairly and in a way that is transparent to the data subject (“lawfulness, fairness and transparency”);
  • Collected or created for specified, explicit and lawful purposes and not be further processed in a manner that is incompatible with those purposes (“purpose limitation”);
  • Adequate, relevant and limited to what is necessary for those purposes (“data minimisation”);
  • Accurate and kept up to date (“accuracy”);
  • Retained in a form that can identify individuals for no longer than is necessary for that purpose (“storage limitation”);
  • Kept safe from unauthorised access, processing, accidental or deliberate loss or destruction (“integrity and confidentiality”).

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is compatible with the purpose and storage limitation principles, subject to appropriate safeguards for the rights and freedoms of the data subjects.

Under data protection law the University must also:

  • Proactively inform data subjects about its data processing activities and their rights under the law;
  • Meet its legal obligations as a data controller or processor, including data protection by design and default, data protection impact assessment, maintaining records of processing activities, measures to ensure the security of processing, handling of data breaches; designation and role of the Data Protection Officer;
  • Allow personal data to be transferred to other countries only if appropriate safeguards are in place to maintain the same level of protection for the privacy rights of the data subjects concerned.

This policy sets out a framework of governance and accountability for data protection compliance across the University. It forms part of the University Information Security Management System (ISMS). This incorporates all policies and procedures that are required to protect University information by maintaining:

  • Confidentiality: protecting information from unauthorised access and disclosure;
  • Integrity: safeguarding the accuracy and completeness of information and preventing its unauthorised amendment or deletion;
  • Availability: ensuring that information and associated services are available to authorised users whenever and wherever required;
  • Resilience: the ability to restore the availability and access to information, processing systems and services in a timely manner in the event of a physical or technical incident.

Our objectives

The University will apply the Data Protection Principles and the other requirements of data protection law to the management of all personal data throughout the information life cycle by adopting the following policy objectives.

Process personal data fairly and lawfully

We will:
  • Only collect and use personal data in accordance with the lawful conditions set down under the UK GDPR (see the downloadable pdf version of this policy for a detailed breakdown);
  • Document each condition we rely on; maintain this information within a formal set of Records of Processing Activities; regularly review and update these records and make them available to the Information Commissioner’s Office, other supervisory authorities and data subjects on request;
  • Treat people fairly by using their personal data for purposes and in a way that they would reasonably expect;
  • Ensure that if we collect someone's personal data for one purpose e.g. to provide advice on study skills, we will not reuse their data for a different purpose that the individual did not agree to or expect e.g. to promote goods and services for an external supplier;
  • Rely on consent as a condition for processing personal data only where:
    • We first obtain the data subject’s specific, informed and freely given consent, and
    • The data subject gives consent, by a statement or a clear affirmative action that we document, and
    • The data subject can withdraw their consent at any time without detriment to their interests.

Where we are relying on substantial public interest to process special categories of personal data or criminal offences personal data we must have an appropriate policy document in place specifying:

  • Which condition we rely on
  • How we comply with the data protection principles
  • How long we retain the data
 

Inform data subjects what we are doing with their personal data

This means that, at the point that we first collect their personal data, we will explain to data subjects in a clear, concise and accessible way:
  • The identity and contact details of the University and the Data Protection Officer
  • Applicants to programmes and posts
  • What personal data we collect
  • For what purposes we collect and use their data
  • What lawful conditions we rely on to process data for each purpose and how this affects their rights
  • Whether we intend to process the data for other purposes and their rights to object
  • The sources from which we obtain their data, where we have received the data from third parties
  • Whether we use automated decision making, including automated profiling, and if so the impact on data subjects and their rights to object
  • Whether they need to provide data to meet a statutory or contractual requirement and if so, the consequences of not providing the data
  • Our obligations to protect their personal data
  • To whom we may disclose their data and why
  • Which other countries we may send their data to, why we need to do this and what safeguards apply in each case,
  • Where relevant, what personal data we publish and why
  • How data subjects can update the personal data that we hold
  • How long we intend to retain their data
  • How to exercise their rights under data protection law.

We will publish this information on our website and where appropriate in printed formats. We will review the content of these Privacy Notices regularly and inform our data subjects of any significant changes that may affect them.

We will provide simple and secure ways for our students, staff and other data subjects to update the information that we hold about them such as home addresses.

Where we process personal data to keep people informed about University activities and events, we will provide in each communication a simple way of opting out of further marketing communications.

In these ways we will provide accountability for our use of personal data and demonstrate that we will manage people's data in accordance with their rights and expectations

Uphold individual's rights as data subjects

This means that we will uphold their rights to:
  • Obtain a copy of the information comprising their personal data, free of charge within one month of their request, only extending this by the permitted deadline of two further months in the case of complex or voluminous requests
  • Have inaccurate personal data rectified and incomplete personal data completed,
  • Have their personal data erased when it is no longer needed, if the data have been unlawfully processed or if the data subject withdraws their consent, unless there is an overriding legal or public interest in continuing to process the data
  • Restrict the processing of their personal data until a dispute about the data’s accuracy or use has been resolved, or when the University no longer needs to keep personal data but the data subject needs the data for a legal claim
  • Data portability; where a data subject has provided personal data to the University by consent or contract for automated processing and asks for a machine-readable copy or have it sent to another data controller
  • Object to and prevent further processing of their data for the University’s legitimate interests or public interest unless the University can demonstrate compelling lawful grounds for continuing
  • Prevent processing of their data for direct marketing
  • Stop the University processing data obtained for online services such as social media, where consent for the processing was previously given by or on behalf of a child, who withdraws their consent
  • Object to decisions that affect them being taken solely by automated means
  • Claim compensation for damages caused by a breach of data protection law 

Apply 'data protection by design and default' principles to all our personal data processing

This means that we will:
  • Integrate the data protection principles into functional design and implementation from the outset of every project or initiative that involves processing personal data, and in managing upgrades or enhancements to systems and processes used to process personal data, using proportionate privacy and information risk assessment, and where appropriate, data protection impact assessment, to identify and mitigate privacy risks at every stage,
  • Apply a 'privacy first' approach to any default settings of systems and applications
  • Adopt data minimisation: we will collect, disclose and retain the minimum personal data for the minimum time necessary for the purpose
  • Anonymise personal data wherever necessary and appropriate, e.g. when using it for statistical purposes, so that individuals can no longer be identified
  • Audit online services likely to be accessed by children to ensure that they comply with relevant provisions of the UK Information Commissioner’s Office statutory Age Appropriate Design Code

Protect personal data

This means that we will use appropriate technical and organisational measures to:

  • Control access to personal data so that staff, contractors and other people working on University business can only see such personal data as is necessary for them to fulfil their duties
  • Require all University staff, contractors, students and others who have access to personal data in the course of their work to complete basic data protection training, supplemented as appropriate by procedures and guidance relevant to their specific roles
  • Set and monitor compliance with security standards for the management of personal data as part of the University's wider framework of information security policies and procedures
  • Reduce risks of disclosure by pseudonymising personal data where possible
  • Provide appropriate tools for staff, contractors, students and others to use and communicate personal data securely when working both on-campus and away from the University, for instance through provision of secure online platforms, a Virtual Private Network, encryption and cloud solutions
  • Use only data processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will comply with data protection law and ensure the protection of the rights of the data subject. This means we will take all reasonable steps to obtain evidenced assurance that all suppliers, contractors, agents and other external parties who process personal data for the University will enable us to comply with the data protection principles and the rights of data subjects and comply with auditable security controls to protect our data, enter into our Data Processor Agreements, or equivalent contracts that embed all the controller and processor obligations under the law
  • Maintain Data Sharing Agreements with educational partners and other external bodies with whom we may need to share personal data to deliver academic programmes, shared services or joint projects and activities to ensure proper governance, accountability and control over the use of such data
  • Where transferring personal data to another country outside the UK use adequacy assessment where necessary, apply data minimisation, and put in place appropriate agreements and auditable security controls to provide the safeguards necessary to maintain privacy rights
  • Ensure that our students are aware of how data protection law applies to their use of personal data in the course of their studies or research and how they can take appropriate steps to protect their own personal data and respect the privacy of others
  • Manage all data subject requests and third-party requests for personal information about staff, students and other data subjects in accordance with our Procedures for managing personal data requests
  • Make appropriate and timely arrangements to ensure the confidential destruction of personal data in all media and formats when it is no longer required for University business

Provide appropriate legal and organisational safeguards to maintain privacy rights and data flows when sharing personal data with organisations in other countries?

This means that when considering transfer of personal data or two-way data sharing with organisations in countries outside the UK and European Economic Area we will:
  • Check if the recipient country has received a UK or European Commission Adequacy decision indicating that the country provides adequate protections for the privacy rights and freedoms of data subjects
  • Before sharing personal data with a recipient in a country without an Adequacy decision, complete an international transfer risk assessment, apply data minimisation and security controls and put in place a legally binding and enforceable international data transfer agreement with the recipient to provide ‘appropriate safeguards’ for the rights of the data subjects whose personal data is being transferred including enforceable rights and effective remedies for the individuals concerned. This agreement may include the UK Information Commissioner’s Standard Data Protection Clauses for international data transfers or comprise a legally binding and enforceable instrument between two public authorities or bodies
  • Provide sufficient guarantees to organisations in other countries that wish to transfer personal data to the University of our organisational and technical measures to comply with data protection law and enter into a legally binding and enforceable agreement with that organisation to provide ‘appropriate safeguards’ for the rights of the data subjects whose personal data is being transferred including enforceable rights and effective remedies for the individuals concerned.

Retain personal data only as long as required

This means that we will:
  • Apply the University records retention policies to keep records and information containing personal data only so long as required for the purposes for which they were collected

Then, in line with the retention policy recommendations, we will:

  • Destroy records securely in a manner appropriate to their format; or
  • Transfer them by arrangement with the Information Governance Division in Governance and Legal Services to our records storage contractor for a limited period where required for legal and evidential purposes; or
  • Transfer the records by arrangement to the University Archivist, Information Services, for archiving in the public interest, scientific or historical research purposes or statistical purposes.

Some University records containing personal data are designated for permanent retention as archives or for scientific, historical and statistical purposes. When managing access to archives containing personal data we will apply appropriate technical and organisational measures to safeguard the rights and freedoms of the data subjects concerned:

  • Apply exemptions to public rights of access to information as appropriate in accordance with the data subjects' rights to privacy
  • Redact personal data, e.g. by pseudonymisation
  • Withhold access to specific categories of record, such as student records, for the lifetime of the student and their identifiable next of kin.

Manage any breaches of data security promptly and appropriately

This means that we will take all necessary steps to reduce the impact of incidents involving personal data by following the University’s Information Security Incident Management Policy and Procedures.
 
Where a data breach is likely to result in a risk to the rights and freedoms of data subjects, the Data Protection Officer will liaise with the UK Information Commissioner’s Office and report the breach, in line with regulatory requirements, within 72 hours of discovery. The Data Protection Officer will also recommend, where necessary, actions to inform data subjects and reduce risks to their privacy arising from the breach.
 

Scope of our policy

This policy applies to all personal data created or received in the course of University business in all formats, of any age. Personal data may be held or transmitted in paper, physical and electronic formats or communicated verbally in conversation or over the telephone.

Who is affected by the Policy

These include, but are not confined to: prospective applicants, applicants to programmes and posts, current and former students, alumni, current and former employees, family members where emergency or next of kin contacts are held, casual and other contingent workers, workers employed through temping agencies, members of the Court and members of the Committees of the Court, research subjects, external researchers, visiting scholars and volunteers, potential and actual donors, customers, conference delegates, people making requests for information or enquiries, complainants, professional contacts and representatives of funders, partners and contractors.

The policy applies to anyone who obtains, records, can access, store or use personal data in the course of their work for the University. Users of personal data include employees and students of the University, contractors, suppliers, agents, University partners and external researchers and visitors.

Where the Policy applies

This policy applies to all locations from which University personal data is accessed including home and mobile use.

As the University operates internationally, through its campuses in Dubai and in Malaysia and through arrangements with partners in other jurisdictions the remit of the policy shall include such overseas campuses and international activities and shall pay due regard to applicable legislation in each relevant country.

A PDF version of our Data Protection Policy is available for download.

Key information

Ann Jones