SERC Privacy Notice
Introduction
SERC (Data Controller) values the relationships with all students, staff and stakeholders and this notice explains how the College collects, processes and manages your personal data. The College will process all personal data in compliance with the General Data Protection Regulations (GDPR) and the Data Protection Act 2018 for the purpose of providing you with a service you have requested and to meet our statutory obligations. We will never ask for information that is unnecessary to deliver this service. SERC is the Data Controller registered with the Information Commissioner Office (ICO) and is responsible under GDPR and Data Protection Act 2018 for the personal data that you submit to us.
The Data Protection Officer for the College is Sian Harvey.
The College’s registration reference number with ICO is Z6477199.
Lawful Basis
Personal Data
As a FE College our main lawful basis for processing your personal data are as follows:
- Article 6.1 (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes e.g. consent to contact next of kin, direct marketing, opting into a scheme.
- Article 6.1 (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; e.g. staff employment contracts, contracts for a service by a third party, student relationship with the College.
- Article 6.1 (c) processing is necessary for compliance with a legal obligation to which the controller is subject; e.g. The Health and Safety at Work (Northern Ireland) Order 1978, The Safeguarding Vulnerable Groups (Northern Ireland) Order 2007, Disability Discrimination Act 1995, SENDO, Employment law.
- Article 6.1 (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person e.g. we may need to disclose information to medical provider.
- Article 6.1 (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. On behalf of the Department for the Economy (DfE), our role is provide you with quality education. e.g. The Further Education (Northern Ireland) Order 1997.
- Article 6.1 (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child e.g. Nursery provider, photographs.
On occasions we may be required to process your personal data for other reasons however we will only do so where a Lawful Basis applies.
Special Category Data
We are also required to collect, process and maintain special category data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Where the College is required to process Special Category data, we will only do so where a lawful basis exists in Article 9 of GDPR or where appropriate, Schedule 1 and 2 of the Data Protection Act (2018).
Further information is available in the College Appropriate Policy Document.
Information on Criminal Convictions
Where appropriate, the College is required collect information about criminal convictions as part of student admission and staff recruitment process or we may be notified of such information directly by you in the course of you working for us. As per the Safeguarding Vulnerable Groups (NI) Order 2007, Rehabilitation of Offenders Act 1974, Protection of Freedom Act 2012, there is a legitimacy in our field of work to ask for this. We will use the information to make decisions about your engagement or continued employment/ enrolment in line Safeguarding and Pastoral Care SOP.
The College lawful basis for processing this information is Schedule 1(18) of the Data Protection Act (2018) ‘Safeguarding of children and of individuals at risk’.
Further information is available in the College Appropriate Policy Document.
Categories of Personal Data
Personal data and special category data captured may include:
- Name
- Date of birth
- Contact details
- Next of Kin
- Religious Belief
- Dependents
- Ethnicity
- Gender
- Sexual Orientation
- Marital Status
- Employment Status
- Political Opinion
- Residency
- Educational Background i.e. grades
- Disabilities, learning difficulties, long term medical conditions
- Criminal Convictions
- Photographic image for student/staff ID cards
- Barriers to education
- Career aspirations
Information may be obtained directly from the individual, or in some cases from a third party organisation involved in the services provided by the College that has obtained the information in the first instance.
All employees, students and visitors should have a reasonable expectation of being captured on CCTV on a daily basis.
While the use of CCTV is primarily for the following purposes, the College will regulate its use within the provisions of GDPR so as not to become intrusive:
- Deterring, prevention and detection of a crime including misuse/abuse of College equipment.
- Identification, apprehension and prosecution of offenders.
- Security of campus buildings and ground.
- Safeguarding/Health and Safety.
In exceptional circumstances the images may be viewed for investigatory purposes.
The College will only collect and process the necessary information required for these purposes, and without it the College may not be able to fulfil its obligations. Information is passed between various sections of the College for operational reasons and where a lawful basis exist to process as is necessary and proportionate for intended purposes only.
Purpose of Processing
The College holds the personal data and special category data of its students and staff in order to implement and manage all services and processes relating to students, including; student recruitment, admission, registration, teaching and learning (including attendance, progress and achievement), examination, graduation, collection and payment of monies and other services such as student support and careers; and for staff, including; recruitment, staff development, payroll, contractual requirements, quality and improvement and staff related policies.
How do we Collect Personal Data?
We collect personal information about students and employees through the initial application/enrolment stages from you, internal departmental processes, manual forms, telephone calls and on-line systems, third parties e.g. School Links.
Who will have access to my information, or who will you share it with?
We will share personal information with third parties where required to do so by law, where it is necessary to administer the working relationship with you or where there is a third party legitimate interest in doing so.
Information may be passed between various sections of the College for operational reasons and may also be disclosed to external agencies to which we have obligations, for example Government Agencies and associated Statutory Bodies (e.g. Department for the Economy, HMRC), FE Shared Services – Data Collection, Higher Education Statistics Agency, Funding Bodies, Government Survey & Research Organisations, UCAS, Student Loans Company, Education Authority, Learner Records Service, Crime Prevention Agencies, Employers who pay fees and/or allow you time off work to attend your course, Placement Providers, Examination Awarding Bodies, Social Welfare Organisations, Trade Unions, Careers Service, UKBA, Debt Recovery Agencies and potentially other such organisations for defined purposes. We may also disclose information to examining bodies, legal representatives.
We require third party service providers to respect the security of your data and to treat it in accordance with the law.
Transfers to Countries Outside the EU
Transfer of personal data outside the European Union, to third countries or international organisations is restricted under GDPR regulations. Overseas sharing will be processed in accordance with Chapter V of GDPR.
Retention Period
We will only retain personal data for as long as necessary to fulfil the purpose we collected it for, for the purpose of satisfying any legal, accounting or reporting requirements. The College will retain records in line with the FE Sector Retention and Disposal Schedule.
Data Subjects Rights
You have the right to:
- To be informed about what we do with your information at point of data collection
- Access your personal data that we process;
- To rectify inaccuracies in personal data that we hold about you;
- To be forgotten, that is your details to be removed from systems that we use to process your personal data
- To restrict the processing of your personal data
- To obtain a copy of your personal data in a commonly used electronic form
- To object to certain processing of your personal data by us
- To request that we stop sending you direct marketing communications
- To withdraw consent – only where processing is based on consent
For additional information on exercising your rights, please contact our Data Protection Officer (details below) or see our Data Protection Policy.
The Right to Lodge a Complaint
If you are not happy with how your information is being processed by the College, contact the DPO:
Data Protection Officer
SERC, Bangor Campus
Castle Park Road
Bangor
BT204TD
Email: sharvey@serc.ac.uk
If you are dissatisfied with the College response, you have a right to complain to the Information Commissioners Office (ICO).
The ICO contact details are:
Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire
SK9 5AF
Tel: 0303 123 1113 or 01625 545 745
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Automated decision making
The College will not use automated decision making to make decisions that will have significant impacts on data subjects.
Failure to provide personal information
If you fail to provide certain information when requested, we will not be able to fulfil our legal obligations or deliver the service you have requested.
Changes to this Privacy Notice
We reserve the right to update this privacy notice where there is a significant or unforeseen change to our processing activity. We will notify you of any updates to this notice.