Purpose of Policy
This policy sets out the responsibilities of the University, its faculty, staff and its students to comply fully with the provisions of the Regulation (EU) 2016/679 General Data Protection Regulation (GDPR). It is accompanied by a list and links to other, associated policies and tools (collectively, the GDPR Tools”) which provides information and guidance on different aspects of data protection and data security. This policy, its associated policies and the Guidance Handbook form the framework from which staff and students should operate to ensure compliance with data protection legislation.
Scope
The policy applies to all faculty, staff and students, and all items of personal data that are created, collected, stored and/or processed through any activity of Hawaii Pacific University, across all areas including faculties, and professional services.
Background
Data Protection principles
1. The University is required to adhere to the six principles of data protection as laid down in the GDPR, which means that information must be collected and used fairly, stored safely and disclosed only in compliance with law. The six principles are:
a. Personal data shall be processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’).
b. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes. Further processing for archiving, scientific or historical research or statistical purposes is permissible (‘purpose limitation’)
c. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed (‘data minimization’).
d. Personal data shall be accurate and where necessary kept up to date (‘accuracy’).
e. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose (‘storage limitation’).
f. Personal data shall be processed in a manner that ensures appropriate security including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
Personal Data
1. Personal data is information about a living individual, who is identifiable from that information or who could be identified from that information when combined with other data which the University either holds or is likely to obtain. GDPR also refers separately to ‘special categories’ of personal data which includes particularly sensitive personal information such as health details, racial or ethnic origin or religious beliefs.
2. The definition of ‘processing data’ includes obtaining/collecting, recording, holding, storing, organizing, adapting, aligning, copying, transferring, combining, blocking, erasing and destroying the information or data. It also includes carrying out any operation or set of operations on the information or data, including retrieval, consultation, use and disclosure.
3. The University, as data controller, remains responsible for the control of personal data it collects even if that data is later passed onto another organization or is stored on systems or devices owned by other organizations or individuals (including devices personally owned by members of staff).
4. Staff developing new projects or processes or revising existing processes need to take data protection into account as part of this process and may need to carry out a data protection impact assessment.
5. In the event that there is a data protection breach this will usually have to be reported to the Office of Information Technology Services no later than 72 hours after the breach is discovered.
Policy
The Policy is set out in the following sections:
· General
· Data Security
· Data Retention
· Conditions of Processing and Consent
· Privacy Notices
· Record of Processing Activities
· Children
· Research
· Subject Access Requests and Data Subject Rights
· Data Sharing
· Data Protection Impact Assessments and Data Protection by Design
· Direct Marketing
· Personal Data Breach
· Impact of Non-compliance
General
1. The University is responsible for demonstrating compliance with the six data protection principles.
2. Compliance with the GDPR, and adhering to these principles is the responsibility of all members of the University. Any deliberate breach of this policy may lead to disciplinary action being taken in accordance with all applicable University policies and procedures, employee handbooks, policies and materials, access to University facilities being withdrawn, or even criminal prosecution, where in accordance with existing laws and the GDPR.
3. The University is required to keep a record of its data processing activities as a summary of the processing and sharing of personal information and the retention and security measures that are in place. For more information about these records see section vi Records of Processing Activities.
Data Security
All University users of personal data must ensure that all personal data they hold is kept securely. They must ensure that it is not disclosed to any unauthorized third party in any form either accidentally or otherwise. Data Security should be undertaken in line with the Information Security Policy.
Data Retention
1. Individual areas within the University are responsible for ensuring the appropriate retention periods for the information they hold and manage, in accordance with the University’s Records Retention Policy. Retention periods have been set based upon legal and regulatory requirements and University needs.
2. Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. Once information is no longer needed is should be disposed of securely. Paper records should be shredded or disposed of in confidential waste containers and electronic records should be permanently deleted, all in accordance with University’s Records Retention Policy..
3. If data is fully anonymized, then there may not be required time limits on storage under this Policy for data protection purposes.
Conditions of Processing and Consent
1. In order for it to be legal and appropriate for the University to process personal data, at least one of the following conditions must be met:
a. The data subject has given his or her consent
b. The processing is required due to a contract
c. It is necessary due to a legal obligation
d. It is necessary to protect someone’s vital interests (i.e. life or death situation)
e. It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
f. It is necessary for the legitimate interests of the controller or a third party and does not interfere with the rights and freedoms of the data subject (this condition cannot be used by public authorities in performance of their public tasks).
2. All processing of personal data carried out by the University must meet one or more of the conditions above. In addition, the processing of ‘special categories’ of personal data requires extra, more stringent, conditions to be met in accordance with Article 9 of the GDPR.
3. Under the GDPR, universities may be classified as public authorities, in which case the use of the ‘legitimate interests’ justification is not available for certain core activities (public tasks). Nonetheless, it may be possible to use legitimate interests for processing that is undertaken for non-core activities (outside the University’s public task).
4. Consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or other clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The GDPR clarifies that silence, pre-ticked boxes or inactivity does not constitute consent.
5. Anyone who has provided consent has the right to revoke their consent at any time.
Privacy Notices
1. Under the ‘fair and transparent’ requirements of the first data protection principle, the University is required to provide data subjects with a ‘privacy notice’ to let them know what it does with their personal data (the main privacy notices for the University can be viewed here.
2. Privacy notices are published on the University website and are therefore available to faculty, staff and students from their first point of contact with the University. Any processing of faculty, staff or student data beyond the scope of the standard privacy notice, or processing of the personal information of any other individuals will mean that a separate privacy notice will need to be provided.
Records of Processing Activities
As a data controller the University is required to maintain a record of processing activities which covers all the processing of personal data carried out by the University. Amongst other things this record contains details of why the personal data is being processed, the types of individuals about which information is held, who the personal information is shared with and when personal information is transferred to countries outside the EU. The University has three Records of Processing activities:
· Faculty and Staff data (including job applicants, current and previous faculty and staff, and any visiting or temporary staff)
· Student data (including applicants, current and former students and alumni)
· Data subjects other than staff, students, applicants, alumni and past employees, such as vendors.
Children
Under GDPR the following restrictions apply to the processing of personal information relating to children:
· Online services offered directly to children require parental consent.
· Any information provided to a child in relation to their rights as a data subject has to be concise, transparent, intelligible and easily accessible, using clear and plain language.
· The use of child data for marketing or for profiling requires specific protection.
Legislation regarding the age used to define a child in the context of data protection is still to be finalized
Research
Data collected for the purposes of research are covered by the GDPR. It is important that faculty and staff collecting data for the purpose of research or consultancy incorporate an appropriate form of consent on any data collection form, when it is applicable.
Subject Access Requests and Data Subject Rights
1. The GDPR gives data subjects the right to access personal information held about them by the University. The purpose of a subject access request is to allow individuals to confirm the accuracy of personal data and check the lawfulness of processing to allow them to exercise rights of correction or objection if necessary.
2. The University must respond to all requests by an individual for his/her own personal information.
3. References may be subject to disclosure to the person about whom they are written under the subject access provisions of the GDPR. This includes references received by the University from external sources and confidential references given and received internally (e.g. as part of advancement and promotions procedures). There is an exemption from disclosure for references written by University staff and sent externally, however these references would still be accessible to the applicant from the organization to which the reference was sent. In order to maintain confidentiality and to prevent the unauthorized disclosure of information, staff should not provide references without a prior request from the student concerned.
Data subjects have a number of other rights under the GDPR. These include:
· Right to Object – Data subjects have the right to object to specific types of processing which includes processing for direct marketing. The data subject needs to demonstrate grounds for objecting to the processing relating to their particular situation except in the case of direct marketing where it is an absolute right. Online services must offer an automated method of objecting. In some cases there may be an exemption to this right for research or statistical purposes done in the public interest.
· Right to be forgotten (erasure) – Individuals have the right to have their data erased in certain situations such as where the data are no longer required for the purpose for which they were collected, the individual withdraws consent and there is no legal basis, need or legal obligation to retain the information. . The right to be forgotten (erasure) for current, former or future enrolled students is as set forth at the Registrar’s site and in accordance with that the University Records Retention Policy applicable to that department. There is an exemption to this for scientific or historical research purposes or statistical purposes if the erasure would render impossible or seriously impair the achievement of the objectives of the research. Individuals can ask the controller to ‘restrict’ processing of the data whilst complaints (for example, about accuracy) are resolved or the processing is unlawful.
· Rights in relation to automated decision making and profiling – The right relates to automated decisions or profiling that could result in significant affects to an individual. Profiling is the processing of data to evaluate, analyze or predict behavior or any feature of their behavior, preferences or identity. Individuals have the right not to be subject to decisions based solely on automated processing. When profiling is used, measures must be put in place to ensure security and reliability of services. Automated decision-taking based on sensitive data can only be done with explicit consent.
· Right to Rectification - The right to require a controller to rectify inaccuracies in personal data held about them. In some circumstances, if personal data is incomplete, an individual can require the controller to complete the data, or to record a supplementary statement.
· Right to Portability – the data subject has the right to request information about them is provided in a structured, commonly used and machine readable form so it can be sent to another data controller. This only applies to personal data that is processed by automated means (not paper records); to personal data which the data subject has provided to the controller, and only when it is being processed on the basis of consent or a contract.
The availability of rights largely depends on the legal justification for processing. The table below summarizes when rights are available.
|
Legal Justification |
Right to: | ||||
|
Object |
Erasure |
Automated decision making |
Rectification |
Portability | |
|
Consent |
No - but can withdraw consent |
Yes |
No- but can withdraw consent |
Yes |
Yes |
|
Contract |
No |
Yes |
No |
Yes |
Yes |
|
Legal Obligation |
No |
No |
No |
Yes |
No |
|
Vital Interest |
No |
Yes |
No |
Yes |
No |
|
Public task |
Yes |
No |
Yes |
Yes |
No |
|
Legitimate Interests |
Yes |
Yes |
Yes |
Yes |
No |
Any requests made to invoke any of the rights above must be dealt with promptly and in any case within one month or receiving the request.
Data Sharing
1. Certain conditions need to be met before personal data can be shared with a third party or before an external data processor is used to process data on behalf of the University.
2. As a general rule personal data should not be passed on to third parties, particularly if it involves special categories of personal data but there are certain circumstances when it is permissible.
· Any transfers of personal data must meet the data processing principles, in particular it must be lawful and fair to the data subjects concerned.
· It must meet one of the conditions of processing. Legitimate reasons for transferring data would include:
· If no other conditions are met then consent must be obtained from the individuals concerned and appropriate privacy notices provided.
· The University must be satisfied that the third party will meet all the requirements of GDPR particularly in terms of holding the information securely.
· Where a third party is processing personal data on behalf of the University, a written contract must be in place. A contract is also advisable when data is being shared for reasons other than data processing so the University has assurances that GDPR requirements are being met. All such contracts shall contain language as approved by the Office of University Counsel, as compliant with the GDPR and as available in the GDPR Tools.
Data Protection Impact Assessments and Data Protection by Design
1. Under the GDPR, the University has an obligation to consider the impact on data privacy during all processing activities. This includes implementing appropriate technical and organizational measures to minimize the risk to personal data.
2. It is particularly important to consider privacy issues when considering new processing activities or setting up new procedures or systems that involve personal data. GDPR imposes a specific ‘privacy by design’ requirement emphasizing the need to implement appropriate technical and organizational measures during the design stages of a process and throughout the lifecycle of the relevant data processing to ensure that privacy and protection of data is not an after-thought.
3. For some projects, the GDPR requires that a Data Protection Impact Assessment (DPIA) is carried out. The types of circumstances when this is required include: those involving processing of large amounts of personal data, where there is automatic processing/profiling, processing of special categories of personal data. The DPIA is a mechanism for identifying and examining the impact of new initiatives and putting in place measures to minimize or reduce risks.
Direct Marketing
Direct marketing relates to communication (regardless of media) with respect to advertising or marketing material that is directed to individuals e.g. directed mail for fund raising, advertising courses etc. Individuals must be given the opportunity to remove themselves from lists or databases used for direct marketing purposes. The University must cease direct marketing activity if an individual requests the marketing to stop.
Personal Data Breach
1. The University is responsible for ensuring appropriate and proportionate security for the personal data that we hold. This includes protecting the data against unauthorized or unlawful processing and against accidental loss, destruction or damage of the data. The University makes every effort to avoid personal data breaches, however, it is possible that mistakes will occur on occasions. Examples of personal data breaches include:
· Loss or theft of data or equipment
· Inappropriate access controls allowing unauthorized use
· Equipment failure
· Unauthorized disclosure (e.g. email sent to the incorrect recipient)
· Human error
· Hacking attack
In the event of a breach, the University will follow the guidelines outlined on the “Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01)” website. If a data protection breach occurs, the University is required in most circumstances to report this as soon as possible to the Office of Information Technology Services, and not later than 72 hours after becoming aware of it.
Impact of Non-compliance
1. All faculty, staff and students of the University are required to comply with this Data Protection Policy, its supporting guidance and the requirements specified in the GDPR. Any member of staff or student who is found to have made an unauthorized disclosure of personal information or breached the terms of this Policy may be subject to disciplinary action in accordance with this Policy and all other University policies and procedures along with the employee handbooks and all other rules, regulations and guidelines. Faculty and staff may also incur criminal liability if they knowingly or recklessly obtain and/or disclose personal information without the consent of the University (i.e. for their own purposes, which are outside the legitimate purposes of the University).
2. The University could be fined for non-compliance with the GDPR. There are two tiers of fines depending on the type of infringement.