Data Protection Policy
April 2021
1.0 Introduction
The University of the West Indies (“The UWI” or the “University”) is a regional institution duly constituted by Royal Charter and operates from the following campuses: the Mona Campus situated at Mona in Kingston, Jamaica; the Cave Hill Campus situated at Cave Hill, St. Michael, Barbados; the St. Augustine Campus situated in St. Augustine, Trinidad and Tobago; the Five Islands Campus situated in Five Islands, Antigua and Barbuda (since September 2019); and the Open Campus, which serves seventeen countries within the Caribbean region, inclusive of the four countries mentioned above. The UWI Regional Headquarters is located in Kingston, Jamaica.
In order to carry out its functions, The UWI, like other leading institutions, must properly protect the Data it collects from all sources and especially the Personal Data of its staff, students and alumni. This Policy has been drafted to outline the ways in which The UWI manages Personal Data at various stages, including the rights of the person to whom the data relates to access this data. The Policy reflects the University’s need to adhere to local, regional, and international laws.
This Policy defines Data Protection as the means by which the privacy rights of individuals are safeguarded in relation to the processing of their Personal Data, including the sharing of Personal Data held by The UWI. Each staff member is responsible for the protection of all Data accessed through The UWI’s information and communication technologies (ICT) infrastructure, or accessed in hard-copy format, by virtue of that staff member’s relationship with The UWI.
This Policy includes the following appendices:
Appendix 1 – General Data Protection Statement
This should be read in conjunction with the Policy and provides information about the collection, processing and storage of personal data, including sensitive personal data, in the possession of The UWI. The Statement explains how The UWI handles and uses the Personal Data it collects about staff, students and other individuals.
Appendix 2 – UWI Data Protection Procedures
This appendix outlines the activities to be undertaken to facilitate compliance with this policy.
Appendix 3 – Policy Breaches Articulated
This appendix identifies what constitutes breaches by agents of The UWI and the associated penalties which might be brought to bear on the person(s) found to be in breach.
Appendix 4 – Procedures for Managing Personal Data Breaches
This appendix outlines the procedures to be used by members of the University community, as well as agents of The UWI, for managing Personal Data breaches for data controlled and processed by, or on behalf of, the University. The procedures in this appendix provide the step-by-step details associated with handling and reporting breaches and supplement Appendices 2 and 3 (3.1.1) of the Data Protection Policy.
Appendix 5 – Examples of Personal Data and Sensitive Personal Data (currently being, or potentially to be, processed by The UWI)
This appendix provides examples of Personal Data and Sensitive Personal Data that are now being, or might in the future be, processed by the University. Although fairly detailed, this appendix might not be comprehensive.
1.1 Objectives
The objectives of this Policy are:
- to establish an operating framework for persons handling Personal Data at The UWI;
- to educate persons handling Personal Data at The UWI on the requirements of the relevant Data Protection legislation and policies within The UWI’s campus countries and those of The UWI’s global partners;
- to raise awareness of the rights of Data Subjects regarding respective Data Protection legislation;
- to outline how The UWI will comply with the relevant Data Protection legislation;
- to provide best practices for staff and students;
- to raise awareness of the consequences of a breach of The UWI’s responsibilities under the various Data Protection legislation; and
- to facilitate and promote The UWI’s compliance with relevant Data Protection legislation.
1.2 Scope
This policy:
- governs Personal Data provided to and/or maintained by The UWI pertaining to previously registered, registered or prospective students, UWI personnel, staff and third parties;
- applies to Personal Data held in both manual and electronic formats;
- covers all Personal Data about staff, students, alumni, suppliers or any person who interacts with The UWI and with which a staff member comes into contact;
- applies to all authorized staff who handle the Personal Data of staff, students, suppliers and alumni on behalf of The UWI; and
- covers all Personal Data received by authorized staff, about staff, students, suppliers or other third parties who process data on behalf of The UWI.
1.3 Review
This Policy will take effect upon the approval of the University Finance and General Purposes Committee on the stated promulgation date. To ensure it remains comprehensive and current with legislation and international best practices, this Policy will be reviewed no later than thirty-six (36) months after the promulgation date.
1.4 Complementary Documents
This Policy relies upon a set of other documents to expand some of its provisions, to add clarity to certain elements which, while important, are too extensive to be included in this document, and/or to stipulate the provisions of other University Regulations which should be adhered to. The reader is encouraged to consult these documents to obtain the full context of the statements contained herein. The most important of these Complementary Documents are:
1.4.1 Information Security Policy
The Information Security Policy informs members of the University community, including visitors, of The UWI’s stance on information security, as well as the rights and obligations of members of the University community in matters related to information security. The Information Security Policy adapts best practices from the wider information security space to The UWI context. Among other things, the Information Security Policy informs users how to manage passwords, e.g., by making them complex and changing them regularly. This, along with other suggested actions, is presented in the Information Security Policy Guidelines.
1.4.2 The Information Security Policy Guidelines
The Information Security Policy Guidelines complement The UWI’s Information Security Policy and should be read in conjunction with it. The Guidelines provide guidance to students and staff on actions concerning the general security of the IT resources used by them, selecting secure passwords, the proper use of email, and how to securely use the internet.
1.4.3 Guidelines for Marking and Handling University Information
The Guidelines for Marking and Handling University Information, which also complement The UWI’s Information Security Policy and should be read in conjunction with it, were produced to inform staff how to classify information. The handling, distribution, and disposal of information are guided by its classification. Also, staff are given access to information based on their role in relation to the classification of the Data.
1.4.4 Ordinance 8 of The UWI Statutes and Ordinances
Ordinance 8 outlines The UWI’s powers of appointment, promotion and dismissal, including provisions relating to discipline, for Academic, Senior Administrative, and Professional (collectively referred to as ASAP) staff.
1.4.5 Statement of Ethical Principles and Code of Conduct
The Code of Conduct sets out the ethical and general principles of behaviour, including personal and professional responsibility in respect of confidentiality of information.
1.5 Key Definitions
Access Request: a request, made by a person, to any authorized UWI staff member or authorized third party for the disclosure of their Personal Data.
Data: information in a form that can be processed. This includes automated or electronic data (on a computer or recorded with the intention of putting it on a computer) and manual data (recorded as part of a Relevant Filing System, or with the intention that it should form part of a Relevant Filing System).
Data Controller: a person who (either alone or with others) controls the contents and use of Personal Data. The UWI as a ‘legal person’ is a Data Controller.
Data Processing: the performance of any operation or set of operations on data, including:
Data Processor: a person who processes personal information (data) on behalf of a Data Controller, but does not include an employee of a Data Controller who processes such data in the course of his/her employment; for example, this might mean an employee of an organization to which the Data Controller outsources work. The Data Protection legislation places responsibilities on such Data Processors and Data Controllers in relation to their processing of the data.
Data Subject: an individual who is the subject of Personal Data.
Personal Data: data relating to a living individual who is, or can be, identified either from the data or from the data in conjunction with other information which is in, or is likely to come into, the possession of the Data Controller. It includes information in the form of photographs, audio and video recordings, and text messages.
Relevant Filing System: any set of information organized by name, date of birth, payroll number, employee number, or any other unique identifier.
Sensitive Personal Data: specific categories of Data which are defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions, or the alleged commission of an offence; trade union membership.
1.6 What are the kinds of Data that The UWI processes?
The University must ensure that staff exert due care in the handling of Personal Data. Examples of these data are:
- Student Registration information;
- Examination results;
- Health Records – of students, staff, and patients external to the UWI community;
- Employment Records; and
- Financial Information.
1.7 Data Protection - Governing Principles (See Appendix II – A2.4 for details)
The following eight Data Protection Principles have been identified, in some form, in the Data Protection legislation and Regulations and, therefore, have been adopted by this Policy.
The UWI, as a Data Controller, has a legal responsibility to:
- Obtain and process information (data) fairly (with consent and without making false claims about the intended use of the data);
- Keep Personal Data only for one or more specified, explicit and lawful purpose(s) and not further process them in any manner incompatible with those purposes;
- Process Personal Data only in ways compatible with the purposes for which it was given initially;
- Keep Personal Data safe and secure;
- Keep Personal Data accurate, complete and up-to-date;
- Ensure that Personal Data are adequate, relevant and not excessive;
- Retain Personal Data no longer than is necessary for the specified purpose or purposes;
- Provide a copy of his/her Personal Data to any individual, on request.
2. Policy Statements
The UWI as a Data Controller will endeavour to:
- comply with both the Data Protection legislation and policies in the countries in which The UWI operates, and global Data Protection best practices;
- protect the privacy rights of all students, staff, and alumni;
- ensure that the Personal Data in The UWI’s possession are kept safe and secure;
- support staff of The UWI in meeting their legal responsibilities (particularly as summarized in the Eight Data Protection Principles outlined in 1.7);
- mandate that third parties processing data on behalf of the University observe this Policy;
- respect the Data Protection rights of individuals; and
- provide awareness training and support for staff who process Personal Data.
3. Enforcement
Violation of this policy will be handled consistent with University Disciplinary Procedures.
APPENDIX 1 – General Data Protection Statement
The University of the West Indies
General Data Protection Statement
Commitment to Individual Privacy
Personal data is any information, whether electronic or hard-copy, that relates to an identified or identifiable living individual or someone who has died less than 30 years ago. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data. Sensitive personal data refers to specific categories of data, which are defined as data including information relating to a person’s racial origin; political opinions; religious or other beliefs; physical or mental health; sexual life; criminal convictions, or the alleged commission of an offence; trade union membership.
The data subject is the individual who can be identified from the personal data and the University is referred to as the data controller. The University of the West Indies (hereinafter ‘The UWI’ or ‘us’) is committed to protecting all personal data, including sensitive personal data, in its possession. The UWI understands its obligations to all persons whose personal data, including sensitive personal data, is in its possession.
This statement provides information about the collection, processing and storage of personal data, including sensitive personal data, in the possession of The UWI and should be read in conjunction with The University of the West Indies Data Protection Policy and individual privacy statements developed from time to time. This statement is general and is intended to cover all categories of individuals; however, specific statements, with more detailed information concerning the processing of personal data, are available for staff, students, and alumni.
Information Collected
Students
The UWI will collect, maintain and use your personal data and sensitive personal data only for the purposes for which they are collected, to facilitate the administration of your programme of study while you are registered with us, and to facilitate the lawful processing of your data after you leave the University.
Alumni
As a former student, the University will wish to maintain contact with you for several reasons, including sending details of activities that may be of interest to you and opportunities to network with other alumni. Therefore, some of your details will be passed from the campus at which you read for your programme to Alumni Relations, to be included in the alumni database.
Staff (including contractors)
The UWI will collect, maintain and use the personal data, including sensitive personal data, of staff members and contractors (non-staff personnel). This collection, maintenance and use will be for The UWI’s management and administrative purposes only. The personal data will enable The UWI to effectively, lawfully and appropriately manage its relationship with staff and contractors during the recruitment/selection process, while a staff member or contractor is employed by, or engaged with, The UWI, and after a staff member or contractor has left The UWI.
Additionally, the University holds information about members of staff in order to manage staff recruitment, probation, development, safety, reward, discipline and other functions such as security, equal opportunities and welfare. In some cases, the University may process data to ensure that it is complying with its legal obligations. For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake the role in question. For sensitive personal data, such as information about gender, health or medical conditions, the University may process these data to ensure compliance with its legal obligations (such as those in relation to employees with disabilities and for health and safety purposes).
Prospective Staff
If you are engaged with our recruitment process, for example if you have applied for a job with us, The UWI will collect, maintain and use your personal data, including sensitive personal data, during recruitment, selection, hiring and on-boarding.
Information Collection
Personal data may be obtained directly from application and supporting documents submitted to the University, or from interactions, including interviews, conducted by University staff. In addition, personal data may be obtained from current staff in sections of the University with which you might have had previous interactions, or from external entities from which the University gets background information. These sources include:
- referees who have been listed on your application documents;
- other institutions (academic and otherwise) listed in your documentation;
- publicly available sources, for example social media.
Information Use and Sharing
Personal data, including sensitive personal data, may be used for any number of operations within the University’s stated intent of delivering educational services. These include:
- assessing the accuracy of the information provided by contacting other parties referenced in the information provided;
- analysing the information to determine if the data subject is suitable as a student, staff member, contractor, supplier, researcher, or any other collaborator with The UWI;
- preparing payments (payroll, refunds, transfers, etc.) to either the data subject or to a third party once the data subject has given their consent for this to be done.
Within The UWI, personal data, including sensitive personal data, may be shared among authorised members of staff who will process your data for the purpose for which it was collected. Sensitive personal data is data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a person's sexual orientation.
The UWI may disclose certain personal data, including sensitive personal data, to third parties in certain circumstances. For example, relevant data may be shared with your next-of-kin with your consent or in an emergency, with law enforcement authorities or the courts where required.
The UWI will not share your data with any third party, except as allowed for within the context of its Data Protection Policy or where required by law. The UWI will not sell your personal data, including sensitive personal data, to third parties or permit third parties to sell the data we have shared with them.
Transfer of Personal Data, including Sensitive Personal Data, to other jurisdictions
The UWI is a regional institution and may share your personal data with other campuses or UWI Global partners as lawfully necessary. Where data is shared with a non-UWI entity, the third party will be required to comply with and safeguard the data under the terms of the legislation in that country or, where no legislation exists, under the terms of the UWI Data Protection Policy.
Your Rights
You have the following rights:
- This Privacy Statement provides the information you are entitled to receive about how The UWI uses your personal data, including sensitive personal data.
- Please contact us if you would like confirmation that your data is being processed and to access your personal data, including sensitive personal data. (This will usually be provided within a month of the request.)
- Please inform us of any data which you believe is incorrect and which you would like corrected, and we will respond within 30 days of the request.
- You may exercise your right to have your personal data, including sensitive personal data, erased in limited circumstances in accordance with University policies and procedures. The University will, however, keep your data for accreditation and other purposes established from time to time.
- You may request that we restrict or suspend the processing of your data. We will comply with your request as long as it does not compromise the University’s legal and administrative obligations. You may, in accordance with this policy, require that we restrict the processing of your data. If possible, we will inform any third parties to whom your data has been disclosed of your requirement.
- Your data is spread across manual records and electronic systems. The UWI will do its best to provide information in a portable format. However, it might not be able to create a system to provide this information.
- The UWI will discontinue processing your data if you object to processing based on legitimate grounds and where the discontinuation of the processing of your data will not compromise the University’s accreditation or lawful obligations.
- Rights in relation to automated decision-making including profiling: The UWI does not utilize automated decision-making, i.e. (a) making a decision solely by automated means without any human involvement and (b) automated processing of personal data, including sensitive personal data, to evaluate details about an individual.
APPENDIX 2 – The UWI Data Protection Procedures
As stated before, this Policy uses eight Data Protection Principles (see sub-section 1.7) as its foundation (these principles are elaborated in section A2.4). In addition, sections A2.1 to A2.3, respectively, provide additional information in relation to:
- Data Breach Management;
- Awareness Training and Support for staff which process Personal Data; and
- Compliance Audits.
All sections shall be adhered to in order to ensure compliance with the Policy. Section A2.5 lists some other rights under Data Protection legislation and A2.6 sets out how photographs and video/audio recordings will be dealt with.
A2.1 Data Breach Management
A Data breach might take place for any number of reasons. Whatever the reason, the Data breach must be reported without delay by staff to the authorized officer, who in turn will immediately notify the Data Protection Officer.
A2.1.1 Management of a Data Breach
There are three steps to managing a Data breach:
1. Collection of Incident Details;
2. Notification of Data Breach and Risk Assessment;
3. Evaluation and Response.
A2.1.1.1 Incident Details
Details of the incident should be recorded accurately by the authorized officer including:
- Description of the incident;
- Date and time of the incident;
- Date and time the incident was detected;
- Who reported the incident and to whom it was reported;
- The type of Data involved and its sensitivity;
- The number of individuals affected by the breach;
- Whether the Data were encrypted;
- Details of any Information Technology (IT) systems involved;
- Corroborating material(s).
A2.1.1.2 Notification of Data Breach & Risk Assessment
Internal Notification
- A Data breach shall be immediately reported to the authorised officer in charge of the area where the breach occurred. The authorised officer shall, upon receiving the report, notify the Data Protection Officer of the breach and provide an incident report. The incident report should address the following questions:
  - What type of data are involved?
  - How sensitive are the data involved?
  - How many individuals’ Personal Data are affected by the breach?
  - Were there protections (e.g. encryption) in place?
  - What are the potential adverse consequences for individuals and how serious or substantial are they likely to be?
  - How likely is it that adverse consequences will materialize?
- The Data Protection Officer shall then determine how best to address the breach.
A2.1.1.3 Evaluation and Response
Subsequent to any Data breach, a thorough review of the incident will be made by the Data Protection Officer. The purpose of this review will be to:
- Ensure that the steps taken during the incident were appropriate;
- Describe and record the measures taken to prevent a repetition of the incident;
- Identify areas in need of improvement;
- Document any recommended changes to the Policy and/or Procedures.
A2.2. Awareness Training & Support for Staff who process Personal Data
The UWI aims to support staff members who process Personal Data, through Data Protection Awareness Training and Data Protection support mechanisms.
A2.2.1 Data Protection Awareness Training
Data Protection Awareness Training will take place during the orientation of new staff, and at various intervals throughout an employee’s professional career at The UWI. Training sessions will be conducted at least once each academic year.
A2.2.2 Data Protection Support
Data Protection Support is provided by the individual(s) performing the role of Data Protection Officer(s).
A2.3. Compliance Audits (Risk Management)
A2.3.1 Internal Compliance Audit
The main purpose of an Internal Compliance Audit is to determine whether The UWI is operating in accordance with the relevant Data Protection legislation and policies and to identify possible contraventions of the legislation and policies. Compliance audits will be the purview of The University Auditor and will form part of the University’s Compliance Framework.
- Annual Internal Compliance Audits will be undertaken by members of one or more of the following: the Data Protection Working Group; the Data Protection Officer; the University Management Audit Department; any other authorized unit. The purpose of these audits is to identify existing and potential risks.
- Internal Compliance Audits will review both manual and electronic Data Procedures and compliance.
- In order to ensure that the requirements of the Data Protection legislation and policies are observed, immediate remedial action may be prescribed by the auditor / audit team.
- Managers/ Staff shall cooperate fully with the auditor/ audit team in completing Internal Compliance Audit questionnaires and site visits.
- Audit results will be recorded.
A2.4. Data Protection Principles Elaborated
Data Protection legislation confers rights on individuals, as well as placing responsibilities on those persons processing Personal Data. The UWI, as a Data Controller, endeavours to meet its legal responsibilities in relation to the information it processes. In order to safeguard the privacy rights of individuals, all staff, students, contractors and third parties involved in processing Personal Data must apply the eight Data Protection Principles listed in section 1.7.
A2.4.1 Obtain and process Data fairly
To fairly obtain information, the Data Subject must, at the time their Personal Data is collected, be made aware of the following:
- The name of the Data Controller: The University of the West Indies;
- The purpose for collecting the data;
- The persons or categories of persons to whom the data may be disclosed;
- The existence of the right of access to their Personal Data;
- The right to rectify (correct) the data if inaccurate or processed unfairly;
- Any other information which is necessary to ensure fair processing and that the Data Subject has all the information necessary in relation to the processing of their data.
To fairly process Personal Data, these data must have been fairly obtained, and the Data Subject must have given consent to the processing, or the processing must be necessary for at least one of the following reasons:
- The performance of a contract to which the Data Subject is a party;
- In order to take steps at the request of the Data Subject, prior to entering into a contract;
- Compliance with a legal obligation, other than that imposed by contract;
- To prevent injury or other damage to the health of the Data Subject;
- To prevent serious loss or damage to the property of the Data Subject;
- To protect the vital interests of the Data Subject, where consent cannot be obtained;
- Where seeking the consent of the Data Subject is likely to result in their interests being damaged;
- For the administration of justice;
- For the purpose of the legitimate interests of The UWI, except where the processing is unwarranted in any specific instance because it violates the fundamental rights, freedoms and legitimate interests of the Data Subject.
To fairly process Sensitive Personal Data, the Personal Data must be fairly obtained and the Data Subject must give explicit consent (or where they are unable to do so for reasons of incapacity or age, explicit consent must be given by a parent or legal guardian) to the processing, or the processing is necessary for at least one of the following reasons:
- For the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the Data Controller in connection with employment;
- To prevent injury or other damage to the health of the Data Subject or another person;
- To prevent serious loss or damage to property;
- To protect the vital interests of the Data Subject or of another person in a case where, consent cannot be given, or the Data Controller cannot reasonably be expected to obtain consent;
- For the purpose of obtaining legal advice, or in connection with legal proceedings, or is necessary for the purposes of establishing, exercising or defending legal rights;
- For medical purposes;
- For the purpose of the assessment or payment of a tax liability;
- In relation to the administration of a Social Welfare scheme;
- Where the processing is carried out by a not-for-profit organization in respect of its members or other persons in regular contact with The UWI;
- The information being processed has been made public as a result of steps deliberately taken by the Data Subject.
A2.4.2 Only keep Personal Data for one or more specified, explicit and lawful purpose(s)
To comply with this principle, staff who process Personal Data should be aware:
- that the Data Subject should know the specific reason/s for the collection and retention of the information;
- that the purpose for which the information is being collected is a lawful one;
- of the different categories of data which are held and the specific purpose for each.
A2.4.3 Process Personal Data only in ways compatible with the purpose for which the Data were given initially
- Personal Data should only be used and disclosed in ways that are necessary or compatible with the original purpose for which they were obtained.
- Staff are not to disclose any Personal Data to any third party without the consent of the Data Subject (see A2.4.3.1 - Permitted Disclosures of Personal Data).
- Personal Data should not be disclosed to work colleagues unless they have a legitimate interest in the data in order to fulfill official employment duties.
A2.4.3.1 Permitted Disclosures of Personal Data
Personal Data may be disclosed without the express written consent of the Data Subject in the following circumstances:
- where the Data Subject has already been made aware of the person/organisation to whom the data may be disclosed;
- where disclosure is required by law;
- where disclosure is required for legal advice or legal proceedings, and the person making the disclosure is a party or a witness;
- where disclosure is required for the purposes of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing moneys due to the State;
- where disclosure is required urgently to prevent injury or damage to health, or serious loss of or damage to property.
A2.4.4 Keep Personal Data Safe and Secure
The University will employ appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction. The UWI Information Security Policy and The UWI Information Security Policy Guidelines provide details of The UWI’s standards of security. In addition, the standards include the following, some of which are found in the aforementioned Complementary Documents:
- Access to The UWI IT servers is restricted to a limited number of staff, with appropriate procedures for the accompaniment of any non-authorized staff or contractors;
- Access to any Personal Data within The UWI is restricted to authorized staff for legitimate purposes only;
- Access to computer systems is password protected with other factors of authentication as appropriate to the sensitivity of the information;
- Non-disclosure of personal security passwords to any other individual (including other employees in The UWI) is a principle which should be observed by all;
- Information on computer screens and in manual files is to be kept out of sight of visitors to offices where such information is managed;
- Back-up procedures, including off-site back-up, are in operation for data held on computer servers;
- Personal Data which are stored in a non-electronic format are to be held securely in locked cabinets, locked rooms, or rooms with limited access;
- Personal Data are not to be stored on portable devices except in essential circumstances. Where deemed essential, these data should be encrypted. Arrangements are to be in place to fully delete the data on the portable device when it (the portable device) is no longer being used;
- All reasonable measures are to be taken to ensure that staff are made aware of The UWI’s security measures, and comply with them;
- All waste papers, printouts and any other hard-copy materials are to be disposed of appropriately.
A2.4.5 Keep Personal Data accurate, complete and up-to-date
The UWI, in order to meet its obligations to members of the University community and others, will endeavour to maintain accurate, complete and up-to-date records of personal information. It is therefore important that:
- Manual and computer procedures are adequate to maintain high levels of Data accuracy;
- Staff regularly audit their files to ensure that Data are accurate and up to date;
- Appropriate procedures are in place, including periodic review and audit by managers, to ensure that data are kept up-to-date;
- Procedures, including the regular review of records by managers, are in place to ensure Personal Data are accurate;
- Where a Data Subject informs or advises of any errors or changes to their data, the data are amended accordingly, as soon as reasonably possible.
A2.4.6 Ensure that Personal Data is adequate, relevant and not excessive
- A periodic review should be carried out by managers and their staff, to examine the relevance of the Personal Data sought, through the various collection channels, from Data Subjects.
- The Personal Data in the possession of the University should be periodically reviewed to ensure these are adequate, relevant and not excessive for the purpose for which they were collected.
A2.4.7 Retain Personal Data no longer than is necessary for the specified purpose or purposes
- Staff are to be clear about the length of time that data will be kept and the reason why the data is being retained;
- Generally, Personal Data collected for one purpose should not be retained once that purpose has ceased; exceptions may arise from specific legislation which requires information to be retained for particular periods;
- The University may, for purposes of its own accreditation and to retain accurate records on staff and student populations, retain Personal Data after the data subject has left the University.
- Personal Data should be securely disposed of when no longer required. The method should be appropriate to the sensitivity of the data. Shredding or incineration is appropriate in respect of non-electronic data; and reformatting or overwriting in the case of electronic data;
- Particular care is to be taken when PCs or laptops are transferred from one person to another, or when being disposed of.
A2.4.8 Provide a copy of his/her Personal Data to any individual, on request
On making a written request, under the appropriate section of applicable legislation or policy, any individual about whom an organization, including The UWI, keeps personal information electronically or otherwise, may be entitled, within a timeframe specified by the legislation or policy, to:
- A copy of the data being kept about him/her;
- Know the purpose(s) for processing his/her data;
- Know the identity of any third parties to whom The UWI discloses the data;
- Know the source of the data, unless this would be contrary to the public interest;
- Be informed of the logic involved in processing the data, where processing of the data by automatic means constitutes, or is likely to constitute, the sole basis for any decision significantly affecting him/her;
- Know the reasons involved in decisions made about the Data Subject;
- Receive a copy of any data held in the form of opinions expressed about the individual, except where such opinions were given in confidence;
- Be given clearly outlined reasons for any refusal of access.
A2.4.8.1 Access Requests by Data Subjects
To make an access request the Data Subject must:
- Apply in writing (which may be via email);
- Give any details which might be needed to help identify him/her and locate the information kept about him/her.
A2.5. Other rights under the Data Protection Policy
Other rights include:
- The Right to have any inaccurate data rectified (corrected) or erased;
- The Right to have Personal Data taken off a mailing list;
- The Right to complain to the Data Protection authority in the particular jurisdiction.
A2.6. Photographs/Video/Audio Recordings
- Photographs, videos or audio recordings of a person constitute their Personal Data and are therefore subject to the provisions of The UWI Data Protection Policy. Where no legislation exists in the particular jurisdiction, the University will use international best practices to govern the management of these Personal Data.
- Except under specified circumstances (for example, graduation exercises), where a photograph is taken or a video or audio recording is made, the explicit consent of the person and/or their parent/guardian/advocate should be sought for its use or publication in any medium, for example in the local newspaper, an annual report or a website.
- Members of the University community (staff, students, visiting scholars), their parents/guardians/advocates, where appropriate, are permitted to take photographs or make video/audio recordings, for example at concerts or award events etc., for their own personal use.
APPENDIX 3 – Policy Breaches Articulated
This Policy is grounded upon eight Data Protection Principles (1.7, p.7 and A2.4, pp 14-20) and, in order to adhere to these Principles, imposes a legal responsibility on The UWI, as Data Controller. As a corporate entity, The UWI executes its activities through its agents: staff; students (when acting as agents of The UWI); and contractors. This appendix states what constitutes breaches by these agents and the associated penalties which might be brought to bear on the person(s) found to be in breach.
A.3.1. Breaches of local Data Protection legislation
A.3.1.1 As stated in Policy Statement 2.(1.)(p.7) - The UWI as a Data Controller will endeavour to comply with both the Data Protection legislation and policies in the countries in which it operates, as well as global Data Protection best practices.
Any member of staff, contractor (acting as agent of The UWI), or student (acting as an agent of The UWI), who violates the Data Protection laws, regulations, and/or policies in effect in the country in which they (the staff member, contractor, or student) are resident or are asked to work (whether on a temporary or permanent basis), will be in breach of this Policy.
Penalty
A.3.1.2 The University may choose to disassociate itself from any member of staff, contractor (acting as agent of The UWI), or student (acting as an agent of The UWI) and allow the system of redress in the jurisdiction where the breach occurred to take action directly against the member of staff, contractor (acting as agent of The UWI), or student (acting as an agent of The UWI).
Notwithstanding A.3.1.2
A.3.1.3 The University may choose to pursue action against a member of staff under the relevant sections of Ordinance 8 of The UWI Statutes and Ordinances.
A.3.1.4 Where a member of staff is not governed by the provisions of Ordinance 8 of The UWI Statutes and Ordinances, the University may pursue disciplinary action based on the provisions of the relevant Collective Bargaining Agreement between the University and the Trade Union, Staff Association or similar body, representing the staff member.
A.3.1.5 Where the staff member is not a member of any Trade Union, Staff Association or similar body, action against the staff member may be pursued based on the provisions of the Collective Bargaining Agreement between the University and the Trade Union representing staff at a level similar to that of the staff member who committed the breach.
A.3.1.6 Where no disciplinary provisions exist in the appropriate Collective Bargaining Agreement or where the person who committed the breach is not a member of staff, the University may pursue the remedies outlined in the contract governing the engagement between the University and the person who committed the breach. The University may also pursue legal action in the courts in the jurisdiction where the breach occurred.
A.3.1.7 Notwithstanding A.3.1.2 – A.3.1.6, the University reserves the right to, where it deems appropriate, pursue recourse through the civil courts.
A.3.2. Disclosure of Personal Data
A.3.2.1 As stated in Policy Statements 2.(2.), 2.(3.), and 2.(6.) (p.7) - The UWI as a Data Controller will endeavour to protect the privacy rights of all students, staff, and alumni and ensure that the Personal Data in its possession are kept safe and secure.
Any member of staff, contractor (acting as agent of The UWI), or student (acting as an agent of The UWI) who discloses the Personal Data to which he or she has access, as a result of his or her relationship with The UWI, to any person, internal or external to The UWI, including, where internal, someone of a higher organizational rank, shall be in breach of this Policy. Personal Data include, but are not restricted to:
- biographic data;
- student registration information;
- examination results;
- health records of students, staff, and patients external to The UWI community;
- employment records; and
- financial information.
Penalty
A.3.2.2 The University may choose to pursue action against a member of staff under the relevant sections of Ordinance 8 of The UWI Statutes and Ordinances.
A.3.2.3 Where a member of staff is not governed by the provisions of Ordinance 8 of The UWI Statutes and Ordinances, the University may pursue disciplinary action based on the provisions of the relevant Collective Bargaining Agreement between the University and the Trade Union, Staff Association or similar body, representing the staff member.
A.3.2.4 Where the staff member is not a member of any Trade Union, Staff Association or similar body, action against the staff member may be pursued based on the provisions of the Collective Bargaining Agreement between the University and the Trade Union representing staff at a level similar to that of the staff member who committed the breach.
A.3.2.5 Where no disciplinary provisions exist in the appropriate Collective Bargaining Agreement or where the person who committed the breach is not a member of staff, the University may pursue the remedies outlined in the contract governing the engagement between the University and the person who committed the breach. The University may also pursue legal action in the courts in the jurisdiction where the breach occurred.
A.3.2.6 Notwithstanding A.3.2.2 – A.3.2.4, the University reserves the right to, where it deems appropriate, pursue recourse through the civil courts.
APPENDIX 4 – Procedures for Managing Personal Data Breaches
A4.1 Introduction
The University is committed to ensuring that it does not violate the privacy rights of individuals – be they staff, students, or others – in relation to their Personal Data. These Procedures are to be used by members of the University community as well as agents of The UWI for managing Personal Data breaches involving data controlled and processed by, or on behalf of, the University. These Procedures provide the step-by-step details associated with handling and reporting these breaches and supplement the Data Protection Policy, particularly Appendices 2 and 3. These Procedures also guide staff, students, or others on how to proceed if they are unsure whether an incident is a Personal Data Breach.
A Personal Data breach is a violation of security resulting in the accidental or deliberate destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data acquired or transmitted, processed, stored, or outputted. This definition applies whether the conduct was malicious, or due to inappropriate data protection, system or human failure, or error. Breaches of the Data Protection Policy should be reported to the Data Protection Officer (DPO) as soon as they have been identified. Some legislation requires that Data Protection breaches be reported to the Supervisory Authority (also known as the Information Commissioner) within 72 hours, including weekends and holidays, after becoming aware of the breach.
A4.2 Scope
A4.2.1 To whom do these Procedures apply?
These Procedures apply to all who handle Personal Data on behalf of The UWI. These persons include:
- Any person who has access to University-controlled (acquisitioned, processed, stored, or outputted) Personal Data;
- Full-time staff employed by The UWI;
- Students (including exchange students);
- Visitors (including visiting scholars, researchers and exchange staff);
- Data Processors;
- Contractors and part-time staff;
- Persons employed by contractors who process University data.
A4.2.2 To what do these Procedures apply?
These Procedures apply to all University-controlled (acquisitioned, processed, stored, or outputted) Personal Data, such as:
- [Location] All Personal Data whether controlled (acquisitioned, processed, stored, or outputted) using the IT systems owned by The UWI, any other IT systems, including email, Cloud-based platforms, or IT system of a company or individual to which/whom Personal Data control (acquisition, processing, storage, or outputting) has been sub-contracted.
- [Format] All Personal Data controlled (acquisitioned, processed, stored, or outputted) in any format, digital and non-digital;
- [Hardware/Device] All Personal Data whether controlled (acquisitioned, processed, stored, or outputted) on a University-owned device or on another device not owned by the University;
- [Management] All Personal Data whether controlled (acquisitioned, processed, stored, or outputted) using The UWI’s central (including by the Technology Services division at a campus) IT systems or distributed IT systems of a Faculty/School, Division, Institute, Centre, Department or Unit.
A4.3 Data Breaches identified
Determining whether an incident rises to the level of a Personal Data breach should be done on a case-by-case basis. Not all incidents involving Personal Data are data breaches. Although it is not possible to provide a comprehensive list of Personal Data breaches, some of the more common examples are listed below.
- Accidental Destruction
  - Inadvertently deleting an electronic file or destroying a physical one.
  Note: If there exists a full and up-to-date back-up of the Personal Data which were deleted, this might not constitute a Personal Data breach.
- Loss
  - Equipment (laptop, smartphone, tablet, external hard-drive, flash/thumb drive) on which Personal Data are stored, or hard-copy records, are misplaced – even temporarily (see 4.1.1).
  - Equipment on which Personal Data are stored fails/crashes, causing data to be unrecoverable.
  - Breaches of physical security (e.g. break-ins to a filing cabinet or other storage medium; break-ins to rooms/spaces) in areas where Personal Data are housed. [This scenario might also lead to Unauthorised Access.]
- Alteration
  - Changing an entire data record, or parts of one, in error.
  - Deleting an entire data record, or parts of one, in error.
- Unauthorised Disclosure or Unauthorised Access
  - Human error – inadvertently disclosing Personal Data to an individual who was thought to have the requisite authorization to view/process the data.
  - Accidental disclosure
    - Inadvertently disclosing the wrong type of Personal Data to an individual who has the requisite authorization to view/process this data, e.g. more data than they are authorized to view/process are disclosed to the individual while fulfilling a legitimate Personal Data request.
    - Leaving confidential information in accessible areas, or leaving unattended a device which is logged in to an information system, application, data repository (including local storage), or electronic mail.
  - Inappropriate/insufficient IT controls and/or precautions
    - Allowing transfer of information to external or unauthorised IT systems, e.g. uploading Personal Data to an unauthorised website or domain.
    - Allowing access to Personal Data or Sensitive Personal Data using insecure passwords.
    - Malware attacks or information security intrusions on IT infrastructure allowing unauthorised users access to Personal Data.
  Note: If Personal Data are securely encrypted or anonymized, this might not constitute a Personal Data breach.
A4.4 Procedure for reporting Personal Data breaches
- A person to whom these Procedures apply (see 4.2.1), having become aware of a suspected, potential or actual Personal Data breach (see 4.3), shall immediately report the incident to the head of their area (Unit/Department/School/Faculty/Division) or, in the case of contractors, their University contact.
- The head of area (Unit/Department/School/Faculty/Division) or, in the case of contractors, the University contact shall, upon receipt of the report, make a preliminary incident report to the Data Protection Officer (dpo@uwi.edu).
  Note: Each campus might have its own Data Protection Officer. If the incident occurs at a campus with a DPO, the incident may be reported to the Campus DPO via email. The Campus DPO shall, upon receipt of the report of the incident, forward the email notification to the University DPO.
- After reporting the incident, the head of area (Unit/Department/School/Faculty/Division) or, in the case of contractors, the University contact shall complete the Possible Personal Data Breach - Incident Report (see A4.8 – “Personal Data Breach Incident Report”) within 24 hours or as soon as they are able to do so.
A4.5 Activities of the DPO upon being notified of an incident
The Data Protection Officer (Campus or University) shall keep a record of all reported incidents. Reported incidents shall be classified into those that are Personal Data Breaches and those which have not been so identified (see 4.8.2 Data Protection Officer Incident Record). When the DPO (Campus or University) receives a Possible Personal Data Breach - Incident Report, he/she, with the assistance of the appropriate staff, shall:
- Identify the incident;
- Assess the incident, to determine whether it is, in fact, a Personal Data Breach;
and, if the incident is a Personal Data Breach:
- Undertake Personal Data Breach Containment and Recovery;
- Perform a Risk Assessment;
- Notify the Data Subject and the Supervisory Authority;
- Conduct an Evaluation of the Personal Data Breach;
- Determine The UWI’s response.
A4.5.1 Incident Identification
The Possible Personal Data Breach - Incident Report provides the initial information which the DPO (Campus or University) will use to identify the issue. The DPO (Campus or University), by consulting with the staff involved, will verify the details of the incident and amend, as necessary, the initial description.
A4.5.2 Incident Assessment
The Possible Personal Data Breach - Incident Report also provides the initial information to be used by the DPO (Campus or University) to assess the incident to determine if it was, in fact, a Personal Data Breach. The assessment will seek to determine:
- Whether a Personal Data Breach has occurred;
- The Personal Data or Sensitive Personal Data involved in the breach;
- The cause of the Personal Data Breach;
- The number of Data Subjects affected by the Personal Data Breach;
- The potential effect of the Personal Data Breach on the Data Subjects;
- The steps required to contain the Personal Data Breach. (Note: Containment may require the participation of staff in areas outside the Data Protection Office, e.g. IT, Registry, HR, Bursary)
A4.5.3 Personal Data Breach Containment and Recovery
In order to minimize the effects of the Personal Data Breach and to facilitate recovery in the shortest timeframe, the DPO (Campus or University) shall:
- Consult with relevant staff (in the area where the Personal Data Breach occurred as well as outside) to determine whether the Personal Data Breach might have an effect outside the area where it occurred;
- Determine who within The UWI should be made aware of the Personal Data Breach;
- Inform those who should be made aware of their expected role, if any, in containing the Personal Data Breach or in connection to the Data Subject;
- In conjunction with relevant stakeholders (e.g. staff in the affected area, IT, Registry, Marketing and Communication, etc.), outline the containment steps to be taken in relation to the Personal Data Breach;
- In conjunction with relevant stakeholders (e.g. staff in the affected area, IT, Registry, Marketing and Communication, etc.), outline the steps required to, if possible, recover/correct/secure the Personal Data affected by the breach.
A4.5.4 Personal Data Breach Risk Assessment
The Personal Data Breach Risk Assessment form (see A4.4.8, under “Forms”) will provide the information to be used by the DPO (Campus or University) to perform the risk assessment.
A4.5.5 Personal Data Breach Notification
- Some legislation states that Personal Data Breaches should be reported within 72 hours (including weekends and holidays) of recognizing the breach. Therefore, in order to comply with this 72-hour requirement, notification to the DPO, the subsequent investigation, and notification to the supervisory authority should be done without delay.
- If the requisite details concerning the breach are unavailable or unclear within the 72-hour period, an initial notification should be made to the supervisory authority. Contact with the supervisory authority should be made by the University Data Protection Officer.
- The decision to report a Personal Data Breach to the supervisory authority will be made by the Campus Principal or Vice Chancellor.
- Data Subjects should be notified of the Personal Data Breach without undue delay; the notification should include:
  - a description of the Personal Data Breach;
  - the likely/possible consequences of the Personal Data Breach;
  - how and when the Personal Data Breach occurred;
  - what data were involved;
  - measures taken by The UWI to address the Personal Data Breach;
  - measures which might be taken by the Data Subject to minimize risks to them as a result of the Personal Data Breach;
  - the name and contact information of the University Data Protection Officer.
A4.5.6 Evaluation of Personal Data Breach
Some Personal Data Breaches, even after they have been addressed, might require additional actions in order to, among other things, prevent a similar breach in the future or address weaknesses in the processing of Personal Data which might lead to Personal Data Breaches.
To accomplish this, at least one Post Incident Review meeting should be convened among the DPO and the internal stakeholders involved with, or affected by, the Personal Data Breach. Using the Personal Data Breach – Post Incident Review form, the following information should be collected:
- Date of the Incident Review Meeting
- Incident Details
  - Id
  - Name
  - Description/Summary
  - Recorded by
  - Location
- Root cause
- Lessons Learnt
- Redress
- Planned Activities
  - Owner (responsible for each activity)
A4.5.7 Determining The UWI’s Response to the Personal Data Breach
The outcome of the Personal Data Breach evaluation process will guide The UWI’s response. Several options are open to the institution, some of which include:
- Staff (re)sensitization – training new and existing staff on the procedures to be followed when handling Personal Data and Sensitive Personal Data;
- Re-visiting business processes concerning how Personal Data and Sensitive Personal Data are processed in one or several departments/units, etc.;
- Reviewing the rights of access assigned to respective pieces of Personal Data and Sensitive Personal Data;
- Reviewing information technology policies and practices in respect of security assignments in the various information systems at the University;
- Reviewing information technology policies and practices in respect of the automated collection, retention and disposition of data by IT components (web servers, etc.).
A4.6 – Forms
This section contains the various forms to be used to record/report incidents and Personal Data Breaches.
A4.6.1 - Possible Personal Data Breach - Incident Report
Details of Incident – to be completed by the head of area (Unit/Department/School/Faculty/Division) or, in the case of contractors, the University contact. Form fields (table layout not preserved):
- Date
- Date
- Area
- Location within area
- Name; Email Address; Position
- Name; Email Address; Office Address; Telephone Number
A4.6.2 - Data Protection Officer Incident Record
Form fields (table layout not preserved):
- Description of Incident
- Date Email Notification Received
- Sender of Email Notification: Name; Position; Email Address
- Date Incident Report Received
- Sender of Incident Report: Name; Position; Email Address
- Date Investigation of Personal Data Breach began
- Date Investigation of Personal Data Breach ended
- Personal Data Breach? (Y/N)
- Reported to Supervisory Authority: (Y/N); Reason
- Date of report to Supervisory Authority
- Details of SA to which report was made: Name; Email Address
A4.6.3 - Personal Data Breach Risk Assessment Form
A Personal Data Breach Risk Assessment is the evaluation of the effect a breach in respect of Personal Data might have on the organisation, and of the probability of the breach happening.
What should be in each column?
- Risk or Risk Category – the nature of the risk, e.g. financial data, student biographic data, student grades, staff medical records
- How many persons affected – the number (or best guess) of persons who might be affected by the breach
- Nature of effect (explain as necessary) – how the breach affected the various (reputational, financial, regulatory, or other) aspects of the University, as bullet points (e.g. ‘possible loss of confidence by staff/students/contractors’, ‘loss of revenue’, ‘requires a report to the Information Commissioner’, ‘requires a report to the Government’)
Form columns (table layout not preserved):
- Risk or Risk Category
- How many persons affected: Staff; Students; Other
- Nature of effect (explain as necessary): Reputational; Financial; Regulatory; Other
A4.6.4 - Personal Data Breach – Post Incident Review Form
APPENDIX 5 – Examples of Personal Data and Sensitive Personal Data (currently being, or might potentially be, processed by The UWI)
Note: Some elements apply to both staff (including contractors and temporary staff) and students; others apply to staff only (†) or students only (*).
Table columns (table layout not preserved): Personal Data; Sensitive Personal Data