
Appendix 9 – Personal Data and/or Sensitive Personal Data Request Procedures

March 2021



A9.1. Introduction

As defined in The UWI Data Protection Policy (p.6), Personal Data are data which relate to a living individual or to an individual who has been deceased for less than thirty years, who is, or can be, identified, either from the data or from the data in conjunction with other information, which is in, or is likely to come into the possession of, the Data Controller. Personal Data include photographs, audio and video recordings, and text messages. The Data Controller is a person who (either alone or with others) controls the contents and use of Personal Data. The UWI, as a ‘legal person’, is a Data Controller.

These Procedures are complementary to The UWI Data Protection Policy and prescribe how requests for Personal Data are to be managed. These Procedures are applicable to all requests - those made by staff, students, or external entities - irrespective of the use to be made of the data.

A9.2. Authority

These Procedures have been approved by the University Finance and General Purposes Committee – a sub-committee of University Council – for implementation at all campuses of The UWI.

A9.3. Penalties for Breach

Staff who breach these procedures are subject to disciplinary procedures as outlined in the relevant University Regulations (for additional information, see section 4 – The UWI Data Protection Policy).

A9.4. Roles and Responsibilities

This section defines the roles and responsibilities involved in the management of personal data requests.

A9.4.1 Data Executive

The Data Executive is the head of a University department in which Personal Data are managed – collected, stored, processed, and/or maintained. The Data Executive is responsible for approving requests for Personal Data but may delegate such responsibility to, or seek assistance from, one or more Data Custodian (see A9.4.2).

The Data Executive shall be responsible for establishing the criteria for sharing Personal Data and ensuring that existing Data Custodians are kept abreast of these criteria, and that new Data Custodians are introduced and become fully au fait with them before assuming duties. The Data Executive shall also ensure that staff joining the department are fully aware of both these Procedures and the established criteria for sharing Personal Data.

Examples of Data Executives: Director, HRMD (or equivalent); Manager, Payroll (or equivalent); Assistant Registrar and/or Senior Assistant Registrar, Admissions; Assistant Registrar and/or Senior Assistant Registrar, Exams.

A9.4.2 Data Custodian

A Data Custodian manages the actual data. Data Custodians are responsible for, among other things:

  • ensuring and maintaining the accuracy, integrity, and privacy of Personal Data;
  • granting or denying requests for Personal Data (on behalf of the Data Executive) (see A9.4.1);
  • reviewing requests for Personal Data and responding within a reasonable time;
  • assisting individuals and entities (external and UWI sub-entities) with identifying what is required to fulfill their request for Personal Data;
  • interfacing with Enterprise Systems Support (see A9.4.4) for requests that they are not able to fulfill without additional support.

A9.4.3 Data Requestor

A Data Requestor is any individual (staff, student, external entity) who makes a request for Personal Data.

A Data Requestor whose request has been approved by a Data Executive/Data Custodian must use the data only in a manner consistent with purposes approved by the University.

A Data Requestor should not share Personal Data with others who do not have approval to use that same data unless explicitly authorized as part of the request for Personal Data.

A Data Requestor must follow any instructions or restrictions imposed by the Data Custodian or Data Executive.

A9.4.4 Enterprise Systems Support (ESS)

Enterprise Systems Support (ESS) are ICT staff who work in any section which supports the University’s Enterprise Systems.

ESS are responsible for fulfilling requests for Personal Data which cannot be handled solely by the Data Executive/Data Custodian.

ESS will fulfill these requests by pulling the required data from the various Enterprise Systems (e.g. PeopleSoft, Banner) and passing it on to the Data Executive/Data Custodian in the required format.

ESS can only fulfill requests which have been approved by the Data Custodian (or Data Executive).

A9.5. Procedures - Personal Data Request

A9.5.1 Who is authorized to make a request for Personal Data?

A Personal Data request may come from an individual, University department or an external entity (Auditors, Government, Unions, Alumni, etc.).

A9.5.2 Identifying the person/entity making the request for Personal Data

Before responding to a Personal Data request, the relevant Data Custodian (or Data Executive) shall take reasonable steps to verify the identity of the person or entity (sub-entity) making the request.

Where the Data Custodian (or Data Executive) is unable to verify the identity of the requestor, the Data Custodian (or Data Executive) may ask the requestor to provide additional information to confirm his or her identity.

A9.5.3 To whom should a request for Personal Data be made and how might it be made?

  • Requests for Personal Data shall be made to the relevant Data Custodian or Data Executive.
  • Requests for Personal Data made to the relevant Data Custodian shall be copied to the relevant Data Executive.
  • Requests for Personal Data, made to either a Data Custodian or a Data Executive, shall be in writing.
    • Oral requests, even if the requestor is a direct supervisor of the Data Custodian or Data Executive, shall not be entertained.
    • Note: A Data Custodian and/or Data Executive shall be in breach of these Procedures if he or she fulfils an oral request which is not supported by a written request. This support shall be either simultaneous or within 24 calendar hours.
  • Requests for Personal Data to either a Data Custodian or Data Executive shall use the prescribed form (See Appendix I – Prescribed Forms).
  • Once the form has been completed, and the request approved, it can then be forwarded to Enterprise Systems Support for fulfillment, if required.

A9.5.4 How to handle improperly submitted requests for Personal Data

Where a request for Personal Data is made directly to a member of ESS and does not come from a Data Custodian or Data Executive, such a request shall be forwarded to the appropriate Data Custodian or Data Executive for approval.

A9.5.5 Limitations

Data Custodians shall provide Personal Data to only those Data Requestors who have a need for the data in compliance with The UWI Data Protection policy.

If a personal data request is complex or the individual has made several requests, ESS may extend the period of fulfillment by a time agreed on with the Data Custodian. The Data Custodian shall, within a reasonable time from the receipt of the request, inform the Data Requestor of the extension and explain why the extension is necessary.

A9.5.6 Response to request for Personal Data

The relevant Data Custodian (or Data Executive) shall confirm receipt of the request for Personal Data within 24 hours. This confirmation shall include:

  • Date (and time) the request was received
  • The due date to produce the data requested. This will be negotiated based on the urgency of the data, the complexity of the request and the present workload of staff who will fulfill the request.

It is important that when a request is made, the Data Custodian (or Data Executive):

  • is very clear on what data are required;
  • has knowledge as to whether the required data are available;
  • fully understands the purpose/reason for the data so as to convey this to Enterprise Systems Support (if necessary);
  • understands the urgency of the data.

A9.5.6.1 What to do when you have fulfilled a personal data request (ESS)

Once a request for Personal Data has been fulfilled:

  • the data should be sent, in the required format, to the Data Custodian (or Data Executive);
  • the Data Custodian (or Data Executive) will then forward the data to the Data Requestor.

A9.5.6.2 Denying a personal data request

The Data Custodian (or Data Executive) may deny a Personal Data request where, even after requesting additional information, the Data Custodian (or Data Executive) is still not able to identify the Data Requestor making the Personal Data request.

The Data Custodian (or Data Executive) may also deny a Personal Data request if it is determined that the purpose for which the data is requested is in breach of the University’s Data Protection policy.

In instances where a request for Personal Data is denied, the Data Custodian (or Data Executive) shall inform the Data Requestor no later than 2 days after receiving their request. The response from the Data Custodian (or Data Executive) should provide the reason(s) the request could not be honored.

A9.9.I – Prescribed Forms

Personal Data Request Form
The following form should be used for all requests for Personal Data, in relation to yourself, a staff member or student, or past staff member or student or other UWI affiliate. Please complete each section carefully as required. Incomplete forms cannot be processed.

