April 2021
The University of the West Indies (“The UWI” or the “University”) is a regional institution duly constituted by Royal Charter and operates from the following campuses: the Mona Campus, situated at Mona in Kingston, Jamaica; the Cave Hill Campus, situated at Cave Hill, St. Michael, Barbados; the St. Augustine Campus, situated in St. Augustine, Trinidad and Tobago; the Five Islands Campus, situated in Five Islands, Antigua and Barbuda (since September 2019); and the Open Campus, which serves seventeen countries within the Caribbean region, inclusive of the four countries mentioned above. The UWI Regional Headquarters is located in Kingston, Jamaica.
In order to carry out its functions, The UWI, like other leading institutions, must properly protect the Data it collects from all sources, and especially the Personal Data of its staff, students and alumni. This Policy has been drafted to outline the ways in which The UWI manages Personal Data at its various stages, including the right of the person to whom the data relates to access that data. The Policy reflects the University’s need to adhere to local, regional, and international laws.
This Policy defines Data Protection as the means by which the privacy rights of individuals are safeguarded in relation to the processing of their Personal Data, including the sharing of Personal Data held by The UWI. Each staff member is responsible for the protection of all Data accessed through The UWI’s information and communication technologies (ICT) infrastructure, or accessed in hard-copy format, by virtue of that staff member’s relationship with The UWI.
This Policy includes the following appendices:
This Privacy Statement should be read in conjunction with the Policy. It provides information about the collection, processing and storage of Personal Data, including Sensitive Personal Data, in the possession of The UWI, and explains how The UWI handles and uses the Personal Data it collects about staff, students and other individuals.
This appendix outlines the activities to be undertaken to facilitate compliance with this policy.
This appendix identifies what constitutes breaches by agents of The UWI and the associated penalties which might be brought to bear on the person(s) found to be in breach.
This appendix outlines the procedures to be used by members of the University community, as well as agents of The UWI, for managing Personal Data breaches for data controlled and processed by, or on behalf of, the University. The procedures in this appendix provide the step-by-step details associated with handling and reporting breaches and supplement appendices 2 and 3 (3.1.1) of the Data Protection Policy.
This appendix provides examples of Personal Data and Sensitive Personal Data that are now being, or might in the future be, processed by the University. Although fairly detailed, this appendix might not be comprehensive.
The objectives of this Policy are:
This policy:
This Policy will take effect upon the approval of the University Finance and General Purposes Committee on the stated promulgation date. To ensure it remains comprehensive and current with legislation and international best practices, this Policy will be reviewed no later than thirty-six (36) months after the promulgation date.
This Policy relies upon a set of other documents to expand some of its provisions, to add clarity to certain elements which, while important, are too extensive to be included in this document, and/or to stipulate the provisions of other University Regulations which should be adhered to. The reader is encouraged to consult these documents to obtain the full context of the statements contained herein. The most important of these Complementary Documents are:
The Information Security Policy informs members of the University community, including visitors, of The UWI’s stance on information security, as well as the rights and obligations of members of the University community in matters related to information security. The Information Security Policy adapts best practices from the wider information security space to The UWI context. Among other things, the Information Security Policy informs users how to manage passwords, e.g., by making them complex and changing them regularly. These and other suggested actions are presented in the Information Security Policy Guidelines.
The Information Security Policy Guidelines complement The UWI’s Information Security Policy and should be read in conjunction with it. The Guidelines provide guidance to students and staff on actions concerning the general security of the IT resources used by them, selecting secure passwords, the proper use of email, and how to securely use the internet.
The Guidelines for Marking and Handling University Information, which also complement The UWI’s Information Security Policy and should be read in conjunction with it, were produced to inform staff how to classify information. The handling, distribution, and disposal of information are guided by its classification, and staff are given access to information based on their role in relation to the classification of the Data.
Ordinance 8 outlines The UWI’s powers of appointment, promotion and dismissal, including provisions relating to discipline, for Academic, Senior Administrative, and Professional (collectively referred to as ASAP) staff.
The Code of Conduct sets out the ethical and general principles of behaviour, including personal and professional responsibility in respect of confidentiality of information.
Access Request:
a request, made by a person, to any authorized UWI staff member or authorized third party for the disclosure of their Personal Data.
Data:
information in a form that can be processed. This includes automated or electronic data (on a computer or recorded with the intention of putting it on a computer) and manual data (recorded as part of a Relevant Filing System, or with the intention that it should form part of a Relevant Filing System).
Data Controller:
a person who (either alone or with others) controls the contents and use of Personal Data. The UWI, as a ‘legal person’, is a Data Controller.
Data Processing:
the performance of any operation or set of operations on data, including:
Data Processor:
a person who processes personal information (data) on behalf of a Data Controller, but does not include an employee of a Data Controller who processes such data in the course of his/her employment; for example, this might mean an employee of an organization to which the Data Controller out-sources work.
The Data Protection legislation places responsibilities on such Data Processors and Data Controllers in relation to their processing of the data.
Data Subject:
an individual who is the subject of Personal Data.
Personal Data:
data relating to a living individual who is identified, or can be identified, either from the data alone or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller. It includes information in the form of photographs, audio and video recordings, and text messages.
Relevant Filing System:
any set of information organized by name, date of birth, payroll number, employee number, or any other unique identifier.
Sensitive Personal Data:
specific categories of Data, defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions, or the alleged commission of an offence; or trade union membership.
The University must ensure that staff exert due care in the handling of Personal Data. Examples of these data are:
The following eight Data Protection Principles have been identified, in some form, in the Data Protection legislation and Regulations and, therefore, have been adopted by this Policy.
The UWI, as a Data Controller, has a legal responsibility to:
The UWI as a Data Controller will endeavour to:
Violation of this policy will be handled consistent with University Disciplinary Procedures.
Personal data is any information, whether electronic or hard-copy, that relates to an identified or identifiable living individual or someone who has died less than 30 years ago. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Sensitive Personal data refers to specific categories of data, which are defined as data including information relating to a person’s racial origin; political opinions; religious or other beliefs; physical or mental health; sexual life; criminal convictions, or the alleged commission of an offence; trade union membership.
The data subject is the individual who can be identified from the personal data and the University is referred to as the data controller. The University of the West Indies (hereinafter ‘The UWI’ or ‘us’) is committed to protecting all personal data, including sensitive personal data, in its possession. The UWI understands its obligations to all persons whose personal data, including sensitive personal data, is in its possession.
This statement provides information about the collection, processing and storage of personal data, including sensitive personal data, in the possession of The UWI and should be read in conjunction with The University of the West Indies Data Protection Policy and individual privacy statements developed from time to time. This statement is general and is intended to cover all categories of individuals, however, specific statements are available, with more detailed information concerning the processing of personal data, for staff, students, and alumni.
The UWI will collect, maintain and use your personal data and sensitive personal data only for purposes for which they are collected and to facilitate the administration of your programme of study while you are registered with us and to facilitate the lawful processing of your data after you leave the University.
As a former student, the University will wish to maintain contact with you for several reasons, including, sending details of activities that may be of interest to you and opportunities to network with other alumni. Therefore, some of your details will be passed to Alumni Relations from the campus from which you read for your programme to be included on the alumni database.
The UWI will collect, maintain and use the personal data, including sensitive personal data, of staff members and contractors (non-staff personnel). This collection, maintenance and use, will be for The UWI’s management and administrative purposes only. The personal data will enable The UWI to effectively, lawfully and appropriately manage its relationship with staff and contractors during the recruitment/selection process, while a staff member or contractor is employed to, or engaged with The UWI and after a staff member or contractor has left The UWI.
Additionally, the University holds information about members of staff in order to manage staff recruitment, probation, development, safety, reward, discipline and other functions such as security, equal opportunities and welfare. In some cases, the University may process data to ensure that it is complying with its legal obligations. For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the role in question. For sensitive personal data, such as information about gender, health or medical conditions, the University may process these data to ensure compliance with its legal obligations (such as those in relation to employees with disabilities and for health and safety purposes).
If you are engaged with our recruitment process, for example if you have applied for a job with us, The UWI will collect, maintain and use your personal data, including sensitive personal data, as it does for all prospective staff during recruitment, selection, hiring and on-boarding.
Personal data may be obtained directly from application and supporting documents submitted to the University, or from interactions, including interviews, conducted by University staff. In addition, personal data may be obtained from current staff in sections of the University with which you might have had previous interactions, or from external entities from which the University gets background information. These sources include:
Personal data, including sensitive personal data, may be used for any number of operations within the University’s stated intent of delivering educational services. These include:
Within The UWI, personal data, including sensitive personal data, may be shared among authorised members of staff who will process your data for the purpose for which it was collected. Sensitive personal data is data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a person's sexual orientation.
The UWI may disclose certain personal data, including sensitive personal data, to third parties in certain circumstances. For example, relevant data may be shared with your next-of-kin with your consent or in an emergency, with law enforcement authorities or the courts where required.
The UWI will not share your data with any third party, except as allowed for within the context of its Data Protection Policy or where required by law. The UWI will not sell your personal data, including sensitive personal data, to third parties or permit third parties to sell the data we have shared with them.
The UWI is a regional institution and may share your personal data with other campuses or UWI Global partners as lawfully necessary. Where data is shared with a non-UWI entity, the third party will be required to comply with and safeguard the data under the terms of the legislation in that country or, where no legislation exists, under the terms of the UWI Data Protection Policy.
You have the following rights:
To be informed
This Privacy Statement provides the information you are entitled to receive about how The UWI uses your personal data, including sensitive personal data.
Access
Please contact us if you would like confirmation that your data is being processed and to access your personal data, including sensitive personal data. (This will usually be provided within a month of the request.)
Correction
Please inform us of any data which you believe is incorrect which you would like corrected and we will respond within 30 days of the request.
Erasure
You may exercise your right to have your personal data, including sensitive personal data, erased in limited circumstances in accordance with University policies and procedures. The University will however keep your data for accreditation and other purposes established from time to time.
You may request that we restrict or suspend the processing of your data. We will comply with your request as long as it does not compromise the University’s legal and administrative obligations.
You may in accordance with this policy require that we restrict the processing of your data. If possible, we will inform any third parties to whom your data has been disclosed of your requirement.
Data portability
Your data is spread across manual records and electronic systems. The UWI will do its best to provide information in a portable format; however, it might not be able to create a system to provide this information.
To object
The UWI will discontinue processing your data if you object to processing based on legitimate grounds and where the discontinuation of the processing of your data will not compromise the University’s accreditation or lawful obligations.
Not to be subject to automated decision-making including profiling
The UWI does not use automated decision-making, i.e., (a) making a decision solely by automated means without any human involvement, or (b) automated processing of personal data, including sensitive personal data, to evaluate details about an individual.
As stated before, this Policy uses eight Data Protection Principles (see sub-section 1.7) as its foundation (these principles are elaborated in section 2.4). In addition, sections 2.1 to 2.3, respectively, provide additional information in relation to:
All sections shall be adhered to in order to ensure compliance with the Policy. Section 2.5 lists some other rights under Data Protection legislation and 2.6 sets out how photographs and video/audio recordings will be dealt with.
A Data breach might take place due to any number of reasons. Whatever the reason, the Data breach must be reported without delay by staff to the authorized officer, who in turn will immediately notify the Data Protection Officer.
There are three steps to managing a Data breach:
Details of the incident should be recorded accurately by the authorized officer including:
Internal Notification
A Data breach shall be immediately reported to the authorised officer in charge of the area where the breach occurred. The authorised officer shall, upon receiving the report, notify the Data Protection Officer of the breach and provide an incident report. The incident report should address the following questions:
Subsequent to any Data breach, a thorough review of the incident will be made by the Data Protection Officer. The purpose of this review will be to:
The UWI aims to support staff members who process Personal Data, through Data Protection Awareness Training and Data Protection support mechanisms.
Data Protection Awareness Training will take place during the orientation of new staff, and at various intervals throughout an employee’s professional career at The UWI. Training sessions will be conducted at least once each academic year.
Data Protection Support is provided by the individual(s) performing the role of Data Protection Officer(s).
The main purpose of an Internal Compliance Audit is to determine whether The UWI is operating in accordance with the relevant Data Protection legislation and policies and to identify possible contraventions of the legislation and policies. Compliance audits will be the purview of The University Auditor and will form part of the University’s Compliance Framework.
Data Protection legislation confers rights on individuals, as well as placing responsibilities on those persons processing Personal Data. The UWI, as a Data Controller, endeavours to meet its legal responsibilities in relation to the information it processes. In order to safeguard the privacy rights of individuals, all staff, students, contractors and third parties involved in processing Personal Data must apply the eight Data Protection Principles listed in section 1.7.
To fairly obtain information, the Data Subject must, at the time their Personal Data is collected, be made aware of the following:
To fairly process Personal Data, these data must have been fairly obtained, and the Data Subject must have given consent to the processing, or the processing must be necessary for at least one of the following reasons:
To fairly process Sensitive Personal Data, the Personal Data must be fairly obtained and the Data Subject must give explicit consent (or where they are unable to do so for reasons of incapacity or age, explicit consent must be given by a parent or legal guardian) to the processing, or the processing is necessary for at least one of the following reasons:
To comply with this principle, staff who process Personal Data should be aware:
Personal Data may be disclosed without the express written consent of the Data Subject in the following circumstances:
The University will employ appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, the data, and against their accidental loss or destruction. The UWI Information Security Policy and The UWI Information Security Policy Guidelines provide details of The UWI’s standards of security. In addition, the standards include the following, some of which are found in the aforementioned Complementary Documents:
The UWI, in order to meet its obligations to members of the University community and others, will endeavour to maintain accurate, complete and up-to-date records of personal information. It is therefore important that:
On making a written request, under the appropriate section of an applicable legislation or policy, any individual about whom an organization, including The UWI, keeps personal information electronically or otherwise, may be entitled, within a timeframe specified by the legislation or policy, to:
To make an access request the Data Subject must:
Other rights include:
This Policy is grounded upon eight Data Protection Principles (1.7, p.7 and A2.4, pp 14-20) and, in order to adhere to these Principles, imposes a legal responsibility on The UWI, as Data Controller. As a corporate entity, The UWI executes its activities through its agents: staff; students (when acting as agents of The UWI); and contractors. This appendix states what constitutes breaches by these agents and the associated penalties which might be brought to bear on the person(s) found to be in breach.
As stated in Policy Statement 2.(1.)(p.7) - The UWI as a Data Controller will endeavour to comply with both the Data Protection legislation and policies in the countries in which it operates, as well as global Data Protection best practices.
Any member of staff, contractor (acting as agent of The UWI), or student (acting as an agent of The UWI) who violates the Data Protection laws, regulations, and/or policies in effect in the country in which that staff member, contractor, or student is resident or is asked to work (whether on a temporary or permanent basis) will be in breach of this Policy.
The University may choose to disassociate itself from any member of staff, contractor (acting as agent of The UWI), or student (acting as an agent of The UWI) and allow the system of redress in the jurisdiction where the breach occurred to take action directly against the member of staff, contractor (acting as agent of The UWI), or student (acting as an agent of The UWI).
Notwithstanding A.3.1.2, the University may choose to pursue action against a member of staff under the relevant sections of Ordinance 8 of The UWI Statutes and Ordinances.
Where a member of staff is not governed by the provisions of Ordinance 8 of The UWI Statutes and Ordinances, the University may pursue disciplinary action based on the provisions of the relevant Collective Bargaining Agreement between the University and the Trade Union, Staff Association or similar body, representing the staff member.
Where the staff member is not a member of any Trade Union, Staff Association or similar body, action against the staff member may be pursued based on the provisions of the Collective Bargaining Agreement between the University and the Trade Union representing staff at a level similar to that of the staff member who committed the breach.
Where no disciplinary provisions exist in the appropriate Collective Bargaining Agreement or where the person who committed the breach is not a member of staff, the University may pursue the remedies outlined in the contract governing the engagement between the University and the person who committed the breach. The University may also pursue legal action in the courts in the jurisdiction where the breach occurred.
Notwithstanding A.3.1.2 – A.3.1.6, the University reserves the right to, where it deems appropriate, pursue recourse through the civil courts.
As stated in Policy Statements 2.(2.), 2.(3.), and 2.(6.) (p.7) - The UWI as a Data Controller will endeavour to protect the privacy rights of all students, staff, and alumni and ensure that the Personal Data in its possession are kept safe and secure.
Any member of staff, contractor (acting as agent of The UWI), or student (acting as an agent of The UWI) who discloses the Personal Data to which he or she has access, as a result of his or her relationship with The UWI, to any person, internal or external to The UWI, including, where internal, someone of a higher organizational rank, shall be in breach of this Policy. Personal Data includes, but are not restricted to:
The University may choose to pursue action against a member of staff under the relevant sections of Ordinance 8 of The UWI Statutes and Ordinances.
Where a member of staff is not governed by the provisions of Ordinance 8 of The UWI Statutes and Ordinances, the University may pursue disciplinary action based on the provisions of the relevant Collective Bargaining Agreement between the University and the Trade Union, Staff Association or similar body, representing the staff member.
Where the staff member is not a member of any Trade Union, Staff Association or similar body, action against the staff member may be pursued based on the provisions of the Collective Bargaining Agreement between the University and the Trade Union representing staff at a level similar to that of the staff member who committed the breach.
Where no disciplinary provisions exist in the appropriate Collective Bargaining Agreement or where the person who committed the breach is not a member of staff, the University may pursue the remedies outlined in the contract governing the engagement between the University and the person who committed the breach. The University may also pursue legal action in the courts in the jurisdiction where the breach occurred.
Notwithstanding A.3.2.2 – A.3.2.4, the University reserves the right to, where it deems appropriate, pursue recourse through the civil courts.
The University is committed to ensuring that it does not violate the privacy rights of individuals, be they staff, students, or others, in relation to their Personal Data. These Procedures are to be used by members of the University community, as well as agents of The UWI, for managing Personal Data breaches for data controlled and processed by, or on behalf of, the University. These Procedures provide the step-by-step details associated with handling and reporting these breaches and supplement the Data Protection Policy, particularly appendices 2 and 3. These Procedures also guide staff, students, and others on how to proceed if they are unsure whether an incident is a Personal Data Breach.
A Personal Data breach is a violation of security resulting in the accidental or deliberate destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data that has been acquired, transmitted, processed, stored, or output. This definition applies whether the conduct was malicious, or due to inappropriate data protection, system or human failure, or error. Breaches of the Data Protection Policy should be reported to the Data Protection Officer (DPO) as soon as they have been identified. Some legislation requires that Data Protection breaches be reported to the Supervisory Authority (also known as the Information Commissioner) within 72 hours, including weekends and holidays, of becoming aware of the breach; the clock runs from the moment of awareness, not from the completion of the internal investigation.
These Procedures apply to all who handle Personal Data on behalf of The UWI. The persons include:
Any person who has access to University-controlled (acquisitioned, processed, stored, or outputted) Personal Data
These Procedures apply to all University-controlled (acquisitioned, processed, stored, or outputted) Personal Data, such as:
Determining whether an incident rises to the level of a Personal Data breach should be done on a case-by-case basis. Not all incidents involving Personal Data are data breaches. Although it is not possible to provide a comprehensive list of Personal Data breaches, some of the more common examples are listed below.
The Data Protection Officer (Campus or University) shall keep a record of all reported incidents. Reported incidents shall be classified into those that are Personal Data Breaches and those which have not been so identified (see 4.8.2 Data Protection Officer Incident Record). When the DPO (Campus or University) receives a Possible Personal Data Breach - Incident Report, he/she, with the assistance of the appropriate staff shall:
If the incident is a Personal Data Breach:
The Possible Personal Data Breach - Incident Report provides the initial information which the DPO (Campus or University) will use to identify the issue. The DPO (Campus or University), by consulting with the staff involved, will verify the details of the incident and amend, as necessary, the initial description.
The Possible Personal Data Breach - Incident Report also provides the initial information to be used by the DPO (Campus or University) to assess the incident to determine if it was, in fact, a Personal Data Breach. The assessment will seek to determine:
In order to minimize the effects of the Personal Data Breach and to facilitate recovery in the shortest timeframe, the DPO (Campus or University) shall:
The Personal Data Breach Risk Assessment form (see A4.4.8, under “Forms”) will provide the information to be used by the DPO (Campus or University) to perform the risk assessment.
Some Personal Data Breaches, even after addressed, might require additional actions in order to, among other things, prevent a similar breach in the future or address weaknesses in the processing of Personal Data which might lead to Personal Data Breaches.
To accomplish this, at least one Post Incident Review meeting should be convened among the DPO and the internal stakeholders involved with, or affected by, the Personal Data Breach. Using the Personal Data Breach – Post Incident Review form, the following information should be collected:
The outcome of the Personal Data Breach evaluation process will guide The UWI’s response. Several options are open to the institution, some of which include:
This section contains the various forms to be used to record/report incidents and Personal Data Breaches.
A Personal Data Breach Risk Assessment is the evaluation of the effect the breach in respect of Personal Data might have on the organisation and the probability of the breach happening.
What should be in each column?
Note: Some elements apply to both staff (including contractors and temporary staff) and students; others apply to staff only (†) or students only (*).

| Personal Data | Sensitive Personal Data |
|---|---|
| Biographic Data | Biometric Data |
| Contact Details | Justice System related Data |
| Education Data | Political Data |
| Identification Data | |
| Name | |
| Occupation Data (†) | |
| Multimedia Data | |
| Financial Data | |
| General Personal Data | |
| IT Data (including metadata) | |