Privacy and Data Protection Policy

DPA Act 1998

The Data Protection Act 1998 (DPA) gives individuals the right to know what information is held about them, and provides a framework to ensure that personal information is handled properly.

The Act came into force on 1 March 2000 and covers personal data held on computer and in manual files. It also imposes restrictions on the transfer of data outside the European Economic Area, which has particular implications for placing material on the web. The EtP must comply with eight data protection principles, which make sure that personal information is:

  1. fairly and lawfully processed;
  2. processed for limited purposes;
  3. adequate, relevant and not excessive;
  4. accurate and up to date;
  5. not kept for longer than is necessary;
  6. processed in line with the rights of individuals;
  7. secure; and
  8. not transferred to other countries without adequate protection.

 

Anyone holding information relating to individuals in the course of their work must therefore consider:

  •      whether the information they hold is subject to the provisions of the new Act;
  •      whether the arrangements they have in place satisfy the requirements of the Act, for example in relation to security of the data concerned; and
  •      whilst data access requests are handled centrally by the EtP’s Data Protection Officer, what procedures are in place to facilitate a prompt response to requests for data.

The Information Commissioner’s Office is the UK’s independent authority set up to promote access to official information and to protect personal information. Every organisation that processes (i.e. holds and uses) personal information must be registered with the Information Commissioner’s Office (ICO), unless they are exempt. The Educate The Planet’s registration number is ZA151759.

For more detailed guidance

The legislation is complex and more detailed guidance is available on this website, from the EtP’s Data Protection team and on the Information Commissioner’s website.

Definitions

Data controller the person (or organisation) who determines the purposes for which and the manner in which any personal data are, or are to be, processed (e.g. the EtP).

Data subject any living individual who is the subject of personal data (e.g. student, applicant, member of staff, supervisor, referee etc).

Duty of confidentiality in the case of some subject access requests, the Data Protection Officer may have to take a decision on whether a document containing third party data was written in confidence and whether the breach of that confidence in releasing the document outweighs the requirement to comply with a subject access request.

Fair and lawful processing means one of the following conditions must be met:

  •      The data subject has given his or her consent to the processing.
  •   The processing is necessary:

(1)  for the performance of a contract to which the data subject is a party; or

(2)  for the taking of steps at the request of the data subject with a view to entering into a contract.

  •      The processing is necessary to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
  •      The processing is necessary in order to protect the vital interests of the data subject.
  •      The processing is necessary for the administration of justice; for the exercise of any functions conferred by or under enactment; for the exercise of any functions of the Crown, a Minister of the Crown or a government department; for the exercise of any other functions of a public nature exercised in the public interest.
  •      The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject.

In the case of processing sensitive data, at least one of the following conditions must be satisfied (in addition to at least one of the conditions outlined above):

  •      The data subject has given explicit consent.
  •      The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred by law on the data controller in connection with employment.

Information Commissioner’s Office the UK’s independent authority set up to promote access to official information and to protect personal information.

Personal data data which relate to a living individual who can be identified from that information, or from that and other information which is in the possession of or is likely to come into the possession of, the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual (subject to very limited exceptions).

Processing obtaining, recording, holding or using the information or data (which includes, in relation to personal data, obtaining or recording the information to be contained in the data) or carrying out any operation or set of operation on the information or data. Under the new Act, processing is very widely defined, to the extent that guidelines produced by the Information Commissioner suggest that it is difficult to envisage any action involving data which does not amount to processing within this definition.

Sensitive data information relating to race or ethnic origin, political opinions, religious beliefs, physical/mental health, trade union membership, sexual life or criminal activities. Special conditions apply to the processing of this type of information, including an obligation to obtain the explicit consent of the individual (except in limited circumstances).

Third Party Information information relating to another individual (other than the data subject) who can be identified by that information.

Principles

Organisations processing personal data must comply with the principles below:

First Principle

  •   Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Amongst the key conditions in Schedule 2 are that either the data controller has the consent of the data subject or the processing is necessary to fulfil a contract with the data subject or to comply with other legal obligations.

Special conditions apply to sensitive personal data, which is defined as information relating to race or ethnic origin, political opinions, religious beliefs, physical/mental health, trade union membership, sexual life or criminal activities. These data cannot be processed in most circumstances unless the data subject has given explicit consent to the processing, or the processing is necessary for strictly limited purposes which are defined (e.g. the administration of justice).

Second Principle

  •   Personal data shall be obtained for one or more lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

It is important to be aware of the discipline that this implies. Material in a file may in the normal course of events be used for a number of purposes. It is now clear that use must adhere strictly to the purposes to which the attention of the data subject has been drawn.

Thus in future information obtained for the purpose of EtP’s applications records cannot be used for other purpose, unless the applicant has given prior consent.

Third Principle

  •   Personal data shall be adequate, relevant and not excessive for the purpose or purposes for which they are processed.

This implies not only that compiling too much information should be avoided, but also that sufficient information should be obtained for the proper performance of the operation.

Fourth Principle

  •   Personal data shall be accurate and, where necessary, kept up to date.

This principle requires that the data controller take reasonable steps to ensure the accuracy of data or, where the data subject has expressed a view that the data is inaccurate, that the data records that view.

Fifth Principle

  •   Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Sixth Principle

  •   Personal data shall be processed in accordance with the rights of data subjects under this act.

Seventh Principle

  •   Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Thus data must be kept secure. It is the responsibility of the data controller to take reasonable steps to ensure the reliability of any employees who have access to personal data. In addition, if the data controller is using a third party processor then he must ensure that there is a contract in place with that data processor which provides for appropriate security measures.

Central administration, departments and faculties should consider the way in which manual as well as electronic data are held, to ensure that they comply with the requirements as to security.

Eighth Principle

  •   Personal data shall not be transferred to a country or territory outside the European Economic Area (the 15 EU member states together with Norway, Iceland and Liechtenstein) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to processing of personal data. This principle does not apply where the data subject has given consent to the transfer or where the transfer is necessary for a contract with the data subject.

Of particular note is the fact that material placed on the world wide web is in effect available to any country and thus personal data should not be placed on the web unless the subject has consented (subject to very limited exceptions). The European Commission has now approved the US “Safe Harbor” arrangement, which will involve organisations in the States committing themselves to comply with a set of data protection principles. Commitment to “safe harbours” will provide an adequate level of protection for transfers of personal data to the US from EU Member States. This will of course provide a basis for compliance with the 8th Principle of the DP Act in the UK in relation to transfers to US organisations that have signed up to the scheme.

Online application form data protection policy

By choosing to submit your registration to the online application system,  you agree to the processing of your personal data as set out below and in accordance with the EtP’s notification to the Information Commissioner under the Data Protection Act (DPA) 1998 by the EtP, which is the ‘data controller’ for the purposes of the DPA.

Your personal data will be used to assess your suitability and verify your eligibility for an EtP Scholarship and to complete all necessary procedures of the selection process, including notifying you of the result. Your personal data may also be used in the collation of statistical information, relating to EtP applicants, which will assist the EtP and the EtP Scholarship Committee (‘EtPSC’) in the management and administration of the EtP scholarship programme.

It is impossible to apply for an EtP Scholarship (‘EtPS’) without providing the personal data requested in the application form. Only data necessary for these purposes will be collected and application data will be stored for a limited period of no more than 24 months.

You will be able to correct the information inputted into the form up until the time of submission. After submission you will need to contact the Help Desk to request an amendment. You will be able to check the progress of your application and view your application at any point.

Educate The Planet Scholarship data protection policy

The information you provide when you apply for an EtP Scholarship (‘EtPS’) will be used in the following ways:

  •      To verify that you are entitled to an EtP Scholarship;
  •      To assess your application for an EtP Scholarship and education partner whose programme you applied for;
  •      To contact you with the outcome of your application.

If you are not willing to provide all the information requested, we will be unable to process your application.

You may correct the information entered onto the application form up until the time of submission. After submission, corrections are only permitted to personal data (name, contact details etc.) and you must contact the helpdesk to request an amendment.

The information you provide will also be used to collate statistics and may be used for research (although no information that could identify you as an individual shall be published).

The information will be protected in accordance with the UK’s Data Protection Act 1998.

Where necessary your information will be shared with people and organisations involved in the assessment of your application or administration of the scholarship scheme, including:

  •      The British Embassy or High Commission in your country or the Embassy of the country you selected to study which is located in your country;
  •      Your country’s Embassy or High Commission in the UK/other country of study;
  •      Any joint sponsor who is contributing to your Scholarship.

If your application is successful:

  •      Data you provided at application will be used to administer your scholarship;
  •      Your name, subject, institution, level of study, certificate/diploma/degree outcome, year of award and country of origin may be published in any EtP or its partners publication, briefing or website, you also may be asked to participate free of charge in the process of recording and filming a story about you and EtP and you can’t reject this;
  •      The EtP Scholarships Committee may contact your academic supervisor in the UK/other country of study to obtain information on your progress;
  •      Your school/college/university will release details of your certificate/diploma/degree results to the EtP;
  •      Reports on your progress may be sent to the British Embassy or High Commission or the Embassy of other country you selected to study in your home country;
  •      Your details may be included in the online and print versions of the Alumni Open Book following the completion of your studies.

On your application form you have the opportunity to say that you do not want your information used in the following ways, and we will do everything we can to respect these preferences:

  •      Sharing your details with other EtP Scholars so that you have access to the best networking and engagement opportunities we can offer while you are in the UK/other country, allowing you to forge connections you will keep beyond your Scholarship
  •      Providing your email to future EtP Scholars as part of the EtP Scholars Networking Scheme to discuss life and study in the UK/other country of study. Under this scheme Scholars can request to be paired with alumni who have studied at their UK/other country of study school/college/university or subject area, or request to be connected to alumni from their home country;
  •      Publishing any images, photographs or videos in which you may appear.

You may change these optional data preferences at any point during your award by informing your Programme Officer of the change you wish to make.

If notice that any documentation you receive from your programme officer contains incorrect information, please notify them immediately so that they can correct the records.

If your application is unsuccessful your application will be held for two years and then destroyed.

If your application is successful, your data will be transferred to the EtP Scholarship Committee for the purposes of administering your award and will then be held for the EtP indefinitely.

Records held about you for immigration purposes will be held for a period of two years only before they are destroyed.

Freedom of Information

The Freedom of Information Act 2000 provides a right of access to information held by public authorities and sets out exemptions to that right of access. Any person or body who makes a request in writing to a public authority for access to recorded information must be informed whether the public authority holds that information and be supplied with it, subject to the application of various exemptions specified within the Act. The public authority must normally respond within 20 working days of the receipt of the request.

The EtP proactively publishes a wide range of information, the majority of which is available on its website.

If the information is not already available on the website or has not yet been published it will facilitate the response process if requests could be submitted on the Request for Information form below and sent to the EtP at the above address.

Request form – pdf format  (100 kb)

Request form – Word format  (60 kb)

 

Requests for personal data

The Data Protection Act 1998 governs the processing of personal data (information relating to living individuals). This legislation makes it possible for you to request access to personal data that the EtP may hold about you. A request for disclosure of such information is called a subject access request. Any such requests should be addressed to the Data Protection Officer, at the same address as above.

Should you wish to know more about your rights under the Data Protection Act 1998 you should consult the Office of the Information Commissioner.

Limits of Disclosure

The Educate the Planet will disclose information wherever possible. However, in certain limited circumstances, it will be necessary to employ one of the exemptions to the general requirement to release information. In any case where information is refused, the Educate the Planet will specify which exemption is being claimed and why. All requests for information will be carefully considered on their own merits and with close regard to the public interest.

Fees

The fees chargeable under the Fees Regulations will be operated according to those regulations. Given the limits set out in those regulations it is expected that many requests for information will be met without charge; however a charge may be made for costs of postage, photocopying, tapes, disks or computer runs.

Last updated November 2015

 

If you have found a spelling error, please, notify us by selecting that text and pressing Ctrl+Enter.

Spelling error report

The following text will be sent to our editors: