At Walsall College we take data protection seriously, and so to help staff understand their responsibilities we issue regular updates on the law and best practice.
Overview of Data Protection
The General Data Protection Regulations (GDPR) and the UK Data Protection Act governs how personal information should be processed by organisations. The College is the data controller, which means the College is responsible for compliance with GDPR and the Act.
Since 25 May 2018, the legislation in the UK is the EU General Data Protection Regulation (GDPR), coupled with the UK Data Protection Act 2018 (DPA 2018) that supplements the GDPR in specific ways. These two pieces of legislation replaced the Data Protection Act 1998 (DPA 1998). All of the legislation is based around the notions of principles, rights and accountability obligations. The legislation is regulated in the UK by the
Information Commissioner's Office (ICO) as well as the courts.
The College's register entry number is Z5015525.
Under Article 5 of the GDPR, there are six principles:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods as long as the personal data will be processed solely for archiving purposesin the public interest, scientific or historical research purposes or statistical purposes; subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The College also have to be able to demonstrate compliance with these principles.
For Students and the Public
Walsall College's Data Protection Policy is available here.
An important aspect of complying with GDPR is being open and transparent with individuals about how their personal data will be used. The supply of this information - through documents variously known as 'privacy notices', 'data protection statement', 'data collection notices', 'privacy policies' and numerous other interchangeable terms - takes places in numerous targeted ways depending on the context of the interaction with the individual.
The College's Data Protection Privacy Notice for Students can be accessed here. This privacy notice gives you information about how and why the College uses your personal data.
Under GDPR Individuals have a number of rights in relation to their personal data including;
- the right to be informer
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making
If you wish to exercise any of your individual rights, please click here. The ICO's website provides further information on scope of these rights further information please visit
Data protection legislation imposes certain accountability obligations on all data controllers. Under the GDPR, the main obligations for large data controllers include:
- Implementing policies, procedures, processes and training to promote 'data protection by design and by default'
- Where necessary, carrying out systematic Data Protection Impact Assessments (DPIAs) on 'high risk' processing activities
- Having appropriate contracts in place when sharing personal data - especially when outsourcing functions that involve the processing of personal data and/or transferring the personal data outside the European Economic Area (EEA)
- Maintaining records of the data processing that is carried out across the organsiation
- Documenting and reporting personal data breaches both to the ICO and the affected data subjects
One of the most important accountability obligations concerns personal data breaches - that is, personal data held by Walsall College is lost, stolen, inadvertently disclosed to an external party, or accidentally published. If a personal data breach occurs, this should be reported immediately to the data protection officer.
Remedial work can then be done so that the breach can be contained. On occasion, we need to report breaches to relevant external authorities, including the ICO, within a 72 hour timeframe.
Share This Post