Data protection policy

Introduction

Heriot-Watt University is an international community of learning, and personal interaction is at the heart of our mission to create and exchange knowledge for the benefit of society. The University's need to communicate and share personal data worldwide also presents significant data protection risks. 

As members of a global interconnected university, we need to ensure that everyone enjoys the same high standards of privacy in their interactions with us wherever in the world they may be. We take a practical approach to managing information about people which reflects our values. As we work in a global, interconnected environment we comply with the highest legal standard applicable unless the law in a particular country requires us to make an exception, which we then document and explain to the individuals concerned. The benchmark legal standard is the European Union General Data Protection Regulation (GDPR) as applied under UK law. 

The University Group must comply with relevant legislation protecting privacy rights in every jurisdiction where the University operates. As the University and its constituent legal entities are UK data controllers, and also data processors for certain activities, the territorial scope of UK data protection legislation, and therefore of this policy, applies to all processing of personal data by and for the University, regardless of where the processing takes place.  

As of 1 January 2021, the European Union (EU) General Data Protection Regulation (GDPR) has been embedded into UK law as the UK GDPR alongside the revised UK Data Protection Act, 2018 (DPA), and the Privacy and Electronic Communications Regulations 2003 (PECR).

In addition, we must comply with the European Union (EU) General Data Protection Regulation (GDPR) in relation to personal data collected before 31 December 2020 and when offering goods and services to people in the EU or monitoring their behaviour in the EU.  

In Dubai we apply the UK GDPR, DPA and PECR together with United Arab Emirates federal laws that protect personal privacy. 

We comply with the Malaysia Personal Data Protection Act 2010, alongside the UK GDPR, DPA and PECR for activities involving our Malaysia campus. 

The law and your rights
This policy applies to all personal data created or received in the course of University business in all formats, of any age. Personal data may be held or transmitted in paper, physical and electronic formats or communicated verbally in conversation or over the telephone.
Our University must protect personal information and control how it is used in accordance with the legal rights of the data subjects i.e. the individuals whose personal data is held.
All staff, students and other data subjects are entitled to know:
  • Their rights under data protection law and how to use them
  • What the University is doing to comply with its legal obligations under data protection law

Misuse of personal data, through loss, disclosure, or failure to comply with the Data Protection Principles and the rights of data subjects, may result in significant legal, financial and reputational damage. This may include penalties of up to €20 million or 4% of worldwide annual turnover for serious breaches of the law, claims for compensation and loss of recruitment and research income.

Who is affected by our policy? Who does it impact on?
Data subjects including (but are not confined to):
  • Prospective applicants
  • Applicants to programmes and posts
  • Current and former students
  • Alumni
  • Employees (current and former)
  • Family members where emergency or next of kin contacts are held
  • Workers employed through temping agencies (including casual workers)
  • Court and Committees of the Court members
  • Research subjects and external researchers
  • Visiting scholars and volunteers
  • Donors (potential and actual)
  • Customers Conference delegates
  • People making requests for information or enquiries
  • Complainants
  • Professional contacts and representatives of funders
  • Partners and contractors

Users of personal data: Our policy applies to anyone who obtains, records, can access, store or use personal data in the course of their work for the University. Users of personal data include employees and students of the University, contractors, suppliers, agents, University partners and external researchers and visitors.

Where does our policy apply?
Our policy applies to all locations from which University personal data is accessed including home use.
As the University operates internationally, through its campuses in Dubai and in Malaysia and through arrangements with partners in other jurisdictions, the remit of the policy shall include such overseas campuses and international activities and shall pay due regard to non UK legislation that might be applicable.

In Dubai we apply the UK GDPR, DPA and PECR together with United Arab Emirates Federal laws that protect personal privacy. 

We comply with the Malaysia Personal Data Protection Act 2010, alongside the UK GDPR, DPA and PECR for activities involving our Malaysia campus. 

What are the responsibilities of the University under Data Protection law?
Our policy and its supporting procedures and guidance support University compliance with its obligations as a Data Controller and where applicable, a Data Processor under data protection law. The University is responsible for, and must be able to demonstrate, compliance with the following Data Protection Principles ('accountability'). The law states that personal data shall be:
  • Processed lawfully, fairly and in a way that is transparent to the data subject ('lawfulness, fairness and transparency')
  • Collected or created for specified, explicit and lawful purposes and not be further processed in a manner that is incompatible with those purposes. ('purpose limitation') Adequate, relevant and limited to what is necessary for those purposes ('data minimisation')
  • Accurate and kept up to date ('accuracy')
  • Retained in a form that can identify individuals for no longer than is necessary for that purpose ('storage limitation')
  • Kept safe from unauthorised access, processing, accidental or deliberate loss or destruction ('integrity and confidentiality')
What does the processing of data fairly and lawfully mean?
  • Only collect and use personal data in accordance with the lawful conditions set down under the GDPR;
  • Document each condition we rely on; maintain this information within a formal set of Records of Processing Activities; regularly review and update these records and make them available to the Information Commissioner’s Office, other supervisory authorities and data subjects on request
  • Treat people fairly by using their personal data for purposes and in a way that they would reasonably expect
  • Ensure that if we collect someone's personal data for one purpose e.g. to provide advice on study skills, we will not reuse their data for a different purpose that the individual did not agree to or expect e.g. to promote goods and services for an external supplier
  • Rely on consent as a condition for processing personal data only where:
    • We first obtain the data subject’s specific, informed and freely given consent
    • The data subject gives consent, by a statement or a clear affirmative action that we document
    • The data subject can withdraw their consent at any time without detriment to their interests
What we mean by informing data subjects of what we are doing with their personal data?
At the point that we collect their personal data, we will explain to data subjects in a clear, concise and accessible way:
  • The identity and contact details of the University and the Data Protection Officer
  • What personal data we collect
  • For what purposes we collect and use their data
  • What lawful conditions we rely on to process data for each purpose and how this affects their rights
  • Whether we intend to process the data for other purposes and their rights to object
  • The sources from which we obtain their data, where we have received the data from third parties
  • Whether we use automated decision making, including profiling, and if so the impact on data subjects and their rights to object
  • Whether they need to provide data to meet a statutory or contractual requirement and if so, the consequences of not providing the data
  • Our obligations to protect their personal data
  • To whom we may disclose their data and why
  • Which other countries we may we may send their data to, why we need to do this and what safeguards apply in each case
  • Where relevant, what personal data we publish and why How data subjects can update the personal data that we hold
  • How long we intend to retain their data
  • How to exercise their rights under data protection law
What do we have to do in order to uphold individual's rights as data subject?
In order to obtain uphold the rights of an individual, we will:
  • Obtain a copy of the information comprising their personal data, free of charge (where feasible) within one month of their request (see also our pages on requesting personal data)
  • Correct personal data and ensure it is complete
  • Have their personal data erased when it is no longer needed if the data has been unlawfully processed or if the data subject withdraws their consent, (unless there is an overriding legal or public interest in continuing to process the data)
  • Restrict the processing of their personal data until a dispute about the data’s accuracy or use has been resolved, or when the University no longer needs to keep personal data but the data subject needs the data for a legal claim
  • Data portability; where a data subject has provided personal data to the University by consent or contract for automated processing and asks for a machine readable copy or have it sent to another data controller
  • Object to and prevent further processing of their data for the University’s legitimate interests or public interest unless the University can demonstrate compelling lawful grounds for continuing
  • Prevent processing of their data for direct marketing
  • Stop the University processing data obtained for online services such as social media, where consent for the processing was previously given by or on behalf of a child, who withdraws their consent
  • Object to decisions that affect them being taken solely by automated means
  • Claim compensation for damages caused by a breach of data protection law
What we mean by applying 'data protection by design and default' principles to all our personal data processing
This means that we will:
  • Use proportionate privacy and information risk assessment, and where appropriate data protection impact assessment, to identify and mitigate privacy risks at each stage of every project or initiative involving processing personal data and in managing upgrades or enhancements to systems and processes used to process personal data
  • Adopt data minimisation: we will collect, disclose and retain the minimum personal data for the minimum time necessary for the purpose
  • Anonymise personal data wherever necessary and appropriate, e.g. when using it for statistical purposes, so that individuals can no longer be identified
How we plan to protect personal data
Our University will use appropriate technical and organisational measures to:
  • Control access to personal data so that staff, contractors and other people working on University business can only see such personal data as is necessary for them to fulfil their duties
  • Require all University staff, contractors, students and others who have access to personal data in the course of their work to complete basic data protection training, supplemented as appropriate by procedures and guidance relevant to their specific roles
  • Set and monitor compliance with security standards for the management of personal data as part of the University's wider framework of information security policies and procedures
  • Reduce risk of disclosure by pseudonymising personal data where possible, Provide appropriate tools for staff, contractors, students and others to use and communicate personal data securely when working away from the University, for instance through provision of a secure Virtual Private Network, encryption and cloud solutions
  • Take all reasonable steps to obtain assurance that all suppliers, contractors, agents and other external parties who process personal data for the University will comply with auditable security controls to protect our data and enter into our Data Processor Agreements
  • Maintain Data Sharing Agreements with educational partners and other external bodies with whom we may need to share personal data to deliver academic programmes, shared services or joint projects to ensure proper governance, accountability and control over the use of such data
  • Maintain records of processing activities
  • Where transferring personal data to another country outside the European Union put in place appropriate agreements and auditable security controls to maintain privacy rights; allow personal data to be transferred to other countries only if it maintains the same level of protection for the privacy rights of the data subjects concerned
  • Ensure that our students are aware of how data protection law applies to their use of personal data in the course of their studies or research and how they can take appropriate steps to protect their own personal data and respect the privacy of others
  • Manage all subject access and third party requests for personal information about staff, students and other data subjects in accordance with our procedures for responding to requests for personal data
  • Make appropriate and timely arrangements to ensure the confidential destruction of personal data in all media and formats when it is no longer required for University business
Maintain privacy when sharing data internationally
We will apply appropriate legal and organisational safeguards to maintain privacy rights and data flows when sharing personal data with organisations in other countries. This means that when considering transfer of personal data or two-way data sharing with organisations in countries outside the UK and European Economic Area we will: 

• Check if the recipient country has received a European Commission Adequacy decision indicating that the country provides adequate protections for the privacy rights and freedoms of data subjects,

 • Before sharing personal data with a recipient in a country without an Adequacy decision, complete a privacy risk assessment, apply data minimisation and security controls and put in place a legally binding and enforceable agreement with the recipient to provide ‘appropriate safeguards’ for the rights of the data subjects whose personal data is being transferred including enforceable rights and effective remedies for the individuals concerned. This agreement may include the European Commission Standard Contractual Clauses for international data transfers or comprise a legally binding and enforceable instrument between two public authorities or bodies.

• Provide sufficient guarantees to organisations in other countries that wish to transfer personal data to the University of our organisational and technical measures to comply with data protection law and enter into a legally binding and enforceable agreement with that organisation to provide ‘appropriate safeguards’ for the rights of the data subjects whose personal data is being transferred including enforceable rights and effective remedies for the individuals concerned.

How long we will keep data?
The University will keep personal data for as long as legally required and for the purposes it was collected for. Further information can be found how we manage information. We will then:
  • Destroy records securely or
  • Transfer them to either our own storage space and or storage provider for a limited period or
  • Transfer them to our Archive Section given the public interest, scientific, historical or statistical purposes

When managing access to archives containing personal data we will apply appropriate technical and organisational measures to safeguard the rights and freedoms of the data subjects concerned:

  • Apply exemptions to public rights of access to information as appropriate in accordance with the data subjects' rights to privacy
  • Redact personal data, e.g. by pseudonymisation,
  • Withhold access to specific categories of record, such as student records, for the lifetime of the student and their identifiable next of kin
How we will manage data security breaches
We will take all necessary steps to reduce the impact of incidents involving personal data by following the University’s Information Security Incident Management Policy and Procedures.
 
Where a data breach is likely to result in a risk to the rights and freedoms of data subjects, the Data Protection Officer will liaise with the Information Commissioner’s Office and report the breach, in line with regulatory requirements, within 72 hours of discovery. The Data Protection Officer will also recommend, where necessary, actions to inform data subjects and reduce risks to their privacy arising from the breach.

The use of privacy notices

Privacy notices are a method by which our University can explain to data subjects what we do with their personal data.  Our University has Privacy statements for:

A pdf version of our Data Protection Policy is available for download.

Key information

Ann Jones

Frank Lopez