Privacy Notice For Members Of DCG Workforce
The Data Protection Act (2018) came into force on the 25th May 2018. It provides a comprehensive and modern framework for data protection in the UK, with stronger sanctions for malpractice. The Act sets new standards for protecting personal data, in accordance with the General Data Protection Regulation (GDPR), giving individual more control over use of their data, and providing them with new rights to move or delete personal data.
DCG is committed to a policy of protecting the rights and privacy of Data Subjects (including, governors’, employees, students and others) in accordance with the Act.
Transparency is a key element of the GDPR and this Privacy Notice is designed to inform you:
- how and why the Group uses your personal data,
- what your rights are under GDPR, and,
- how to contact us so that you can exercise those rights
Data subject rights
One aim of the Act is to empower individuals and give them control over their personal data. The GDPR gives you the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
For more information about these rights please visit our DCG Privacy Notice at DCG Data Protection
Which personal data do we collect and use?
The categories of workforce information that we process are included in the table below:
* Denotes information which may contain data classified as sensitive personal data/special categories of personal data under the GDPR
V Denotes information which you provide on a voluntary basis
# Denotes information which will be published/available to the public
DCG hold data securely for the set amount of time shown in our data retention schedule. For more information on our data retention schedule and how we keep your data safe, please visit www.derby-college.ac.uk/gdpr
Why we collect and use workforce information
Workforce data is essential for the College’s operational use. Whilst the majority of personal information you provide to us is mandatory, some of it is requested on a voluntary basis. In order to comply with GDPR, we will inform you at the point of collection, whether you are required to provide certain information to us or if you have a choice in this.
It may also be necessary for the Group to process your personal data in order to protect your vital interests or those of another individual i.e. in emergencies/life or death situations/where we believe that a governor member or another individual is at significant risk of harm.
Where we process sensitive personal data/special categories of personal data, we will rely on the conditions in Article 9 of the GDPR: explicit consent, vital interests, substantial public interest, occupational medicine, archiving/research.
Under the General Data Protection Regulation (GDPR), the legal bases we rely on for processing personal information for general purposes are:
- Legal Obligation
- Vital interest
- Legitimate interest
Who do we share your data with?
All DCG employees should be aware that in order to provide our services we may need to share your personal or sensitive personal data within the organisation or outside Derby College Group. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. The Group NEVER sells personal data to third parties.
DCG routinely shares this information with:
- Group staff who need the information for administrative purposes.
- Contractors and suppliers, where the Group uses external services or has outsourced work which involves the use of employees’ personal data on our behalf.
- Government bodies and departments, in the UK and overseas, responsible for:
- public funding
- statistical analysis, monitoring and auditing
- regulatory matters, e.g. ESFA
- Hotels and external venues – for bookings, to confirm accommodation, dietary and access requirements
- Funding bodies and partner organisations – for contracts and funding bids
- Public domain:
- the Register of Interests which is available for consultation by members of the public
- the Group’s website
- annual report and financial statements
- other Group publications.
- The Local Authority
The Group takes a robust approach to protecting the information it holds. This includes the installation and use of technical measures including firewalls and intrusion detection and prevention and regular assessment of the technical security of Group systems. Group staff monitor systems and respond to suspicious activity.
Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of Group information are aware of their obligations and responsibilities for the data they have access to.
Equality Monitoring data is updated annually and completed forms are destroyed once the updated form is received. Anonymised statistics are retained permanently in our archives.
Requesting access to your personal data
Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information please vist www.derby-college.ac.uk/gdpr or email firstname.lastname@example.org
You also have the right to:
- to ask us for access to information about you that we hold
- to have your personal data rectified, if it is inaccurate or incomplete
- to request the deletion or removal of personal data where there is no compelling reason for its continued processing
- to restrict our processing of your personal data (i.e. permitting its storage but no further processing)
- to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics
- not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you
If you have a concern or complaint about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
If you would like to discuss anything in this privacy notice, please contact the Data Protection Office at DCG via email email@example.com