Privacy Notice For Members Of The Board Of Governors
Introduction
The Data Protection Act (2018) came into force on the 25th May 2018. It provides a comprehensive and modern framework for data protection in the UK, with stronger sanctions for malpractice. The Act sets new standards for protecting personal data, in accordance with the General Data Protection Regulation (GDPR), giving individual more control over use of their data, and providing them with new rights to move or delete personal data.
DCG is committed to a policy of protecting the rights and privacy of Data Subjects (including, governors’ employees, students and others) in accordance with the Act.
Transparency is a key element of the GDPR and this Privacy Notice is designed to inform you:
- how and why the Group uses your personal data,
- what your rights are under GDPR, and,
- how to contact us so that you can exercise those rights
Data subject rights
One aim of the Act is to empower individuals and give them control over their personal data. The GDPR gives you the following rights:
- The right to be informed
- The right of access
- The right to rectification
The right to erase - The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
For more information about these rights please visit our DCG Privacy Notice ay DCG Data Protection
Which personal data do we collect and use?
The categories of governor information that we process are included in the table below:
Obtained from | Person category |
---|---|
From your application (external governors and co-opted members of the Board’s committees): |
|
From the staff governor election process |
|
From your Equality Monitoring Form: |
|
Additional data collected during your term of office: |
|
* Denotes information which may contain data classified as sensitive personal data/special categories of personal data under the GDPR
V Denotes information which you provide on a voluntary basis
# Denotes information which will be published/available to the public
DCG hold data securely for the set amount of time shown in our data retention schedule. For more information on our data retention schedule and how we keep your data safe, please visit www.derby-college.ac.uk/gdpr
Why we collect and use governor information
The personal data collected is essential for DCG to fulfil their official functions and meet legal requirements. DCG collect and use governor information, for the following purposes:
- Recruitment and selection of new members by the Nominations Committee of the Board
- to contact you in connection with Board business
- for inclusion in minutes of Board and Committee meetings
- for inclusion in the Group’s annual report and financial statements
- to maintain a Register of Interests containing declarations from each member of the Board and its committees.
- to provide reports and returns required by funding agencies, government departments, and public bodies
- to monitor and promote equality and diversity within the Group in accordance with the Equality Act 2010
- for inclusion in the Group’s Publication Scheme which is a requirement of the Freedom of Information Act 2000
- for funding bids and contracts which need to satisfy the requirements of the US Patriot Act.
- to ensure that governors have not been disqualified as a charity trustee in accordance with the Charities Act 2006
- to meet the requirements of the Office for Students
- to meet the requirements of companies legislation if you are also a director of one of the Group’s subsidiary undertakings.
- to issue parking permits for Group car parks
- to share contact details with other members of the Board
- to confirm accommodation, dietary and access requirements for events
- to book training with external organisations
- to circulate a statement to the electorate and production of ballot papers (staff seeking election to the Board)
- to add you to relevant mailing lists for Group publications.
It may also be necessary for the Group to process your personal data in order to protect your vital interests or those of another individual i.e. in emergencies/life or death situations/where we believe that a governor member or another individual is at significant risk of harm.
There are also several legitimate business purposes for which the Group processes your data:
- funding bids to UK and international funding bodies
- to fulfil the requirements of the Group’s banking arrangements
- to create and update Pen Portraits for the Group’s website and publications
- for the administration of expenses claims
Where we process sensitive personal data/special categories of personal data, we will rely on the conditions in Article 9 of the GDPR: explicit consent, vital interests, substantial public interest, occupational medicine, archiving/research.
Under the General Data Protection Regulation (GDPR), the legal bases we rely on for processing personal information for general purposes are:
- Consent
- Contract
- Legal Obligation
- Vital interest
- Public task
- Legitimate interest
Who do we share your data with?
Governors should be aware that in order to provide our services we may need to share your personal or sensitive personal data within the organisation or outside Derby College Group. The privacy of your personal data is paramount and will not be disclosed unless there is a justified purpose for doing so. The Group NEVER sells personal data to third parties.
DCG routinely shares this information with:
- Group staff who need the information for administrative purposes. In the case of candidates for staff governor posts, the statement to the electorate will be shared with all Group staff.
- Contractors and suppliers, where the Group uses external services or has outsourced work which involves the use of governors’ personal data on our behalf.
- Government bodies and departments, in the UK and overseas, responsible for:
- public funding
- statistical analysis, monitoring and auditing
- sponsorship
- regulatory matters, e.g. ESFA
- Hotels and external venues – for bookings, to confirm accommodation, dietary and access requirements
- Funding bodies and partner organisations – for contracts and funding bids
- Group’s banks – copies of minutes of the Board and the Finance and Employment Committee which take the budget are provided to the bank within 14 days of the date of the meeting in line with loan agreement covenants and bank mandates.
- Companies House – for governors who are directors of one of the Group’s subsidiary undertakings.
- Public domain:
- the Register of Interests which is available for consultation by members of the public
- the Group’s website
- annual report and financial statements
- other Group publications.
PLEASE NOTE that equality and diversity information is only published in the form of anonymised reports
- Equality and Diversity data is also shared with the Nominations Committee of the Board to inform its review of the balance of Board memberships and with the Board in relevant reports
- the Group’s insurers, legal advisers and auditors
Security
The Group takes a robust approach to protecting the information it holds. This includes the installation and use of technical measures including firewalls and intrusion detection and prevention and regular assessment of the technical security of Group systems. Group staff monitor systems and respond to suspicious activity.
Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that users and administrators of Group information are aware of their obligations and responsibilities for the data they have access to.
Retention
Equality Monitoring data is updated annually and completed forms are destroyed once the updated form is received. Anonymised statistics are retained permanently in our archives.
Information relating to events bookings and parking permits will be retained for the period of office of each member.
The following records are retained for 6 years after the end of a member’s period of office:
- application forms
- declarations of interests
- Records of expenses claims and payments and banking details are retained by the Finance Directorate for 7 years for tax and audit purposes and are then held in the archive indefinitely.
The following records are retained permanently in our archives:
- Minutes of Board and Committee meetings, annual reports and financial statements
- pen portraits and photographs.
Where a governor is also a director of a subsidiary undertaking, related records are retained for 10 years after the wind- up/disposal of the company.
Statements to the electorate made by successful candidates for staff governor posts are kept for their period of office. In the case of unsuccessful candidates, the retention period is 6 months after the completion of the election.
Election results (votes cast, turnout) have a retention period of completion of election plus 6 years.
Requesting access to your personal data
Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information please vist www.derby-college.ac.uk/gdpr or email dpo@derby-college.ac.uk
You also have the right to:
- to ask us for access to information about you that we hold
- to have your personal data rectified, if it is inaccurate or incomplete
- to request the deletion or removal of personal data where there is no compelling reason for its continued processing
- to restrict our processing of your personal data (i.e. permitting its storage but no further processing)
- to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics
- not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you
If you have a concern or complaint about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/
Contact
If you would like to discuss anything in this privacy notice, please contact the Data Protection Office at DCG via email dpo@derby-college.ac.uk