The Institute for Children, Youth and Mission: Safeguarding Policy
Purpose and Aim
1.1 The Institute recognises its pastoral duty to safeguard children and vulnerable adults who may participate in any activity or research, organised or managed by the Institute, or come into contact with Institute staff or students on or off campus. This policy supports this; along with specific policies related to safeguarding policies used in practice, adhering to safeguarding legislation in their particular location or context. Examples of these include (but are not limited to) church, health, local authority and care settings.
1.2 The Institute has a Prevent Policy which sets out the Institute duty to have ‘due regard to the need to prevent people from being drawn into terrorism.’ This is known as the Prevent Duty.
1.3 The Institute recognises that within the course of their activities, its staff and students may come into contact with children or vulnerable adults. Additionally, staff and students supervising or undertaking professional placements in ministry settings, clinical settings, health care, teaching and social care will come into regular contact with children and vulnerable adults.
1.4 This policy sets out how the Institute will deal with concerns that are raised that an individual may be at risk of exploitation, harm or abuse (including radicalisation), and the type of action that the Institute may take to manage such matters and provide support.
1.5 For the purposes of this Policy the term “the Institute” is deemed to include all of those participating in any Institute business and representing the Institute. It also includes any placement providers. The Institute is committed to working together with placement providers and sharing information in order to safeguard the interests and wellbeing of children and vulnerable adults, e.g. in relation to individuals and activities with students on placement and volunteering.
1.6 The Institute wishes to ensure that it maintains the highest possible standards to meet its responsibilities to protect and safeguard the welfare of children and vulnerable adults. In order to ensure adherence to legal responsibilities the Institute is committed to practice that protects children and those adults identified as vulnerable; working in partnership with organisations as appropriate to facilitate this. We are committed to taking appropriate prompt action to protect individuals from harm and to respond to any allegations or suspicions.
1.7 This policy is developed in due regard to the following:
· Prevent Duty Guidance for England and Wales (2015)
· Counter Terrorism and Security Act (2015)
· Co-operating where appropriate with those bodies that have duties under the Children Act 1989, 2004 & 2006
· Safeguarding Vulnerable Groups Act 2006
1.8 This Policy is designed to assist the Institute to achieve the commitments set out above and to take reasonable steps to safeguard those who are vulnerable by ensuring there are clear guidelines and procedures for identifying risk, reporting concerns and taking action.
1.9 Examples of areas where the Institute may have contact with children and adults who may be vulnerable may include (this is not an exhaustive list):
· Admission of, teaching, supervision and support of students who are under 18 years of age or who are vulnerable adults;
· Summer schools, school visits, and other events such as work experience;
· On-site conference centre (which has its own safeguarding policies in place);
· Outreach or widening participation activities taking place on or off campus;
· Placements in professional and clinical settings;
· Field trips, excursions and other activities such as volunteering and other social activities;
· The activities of student societies and networks.
1.9 Vulnerable adult The Institute defines a vulnerable adult as a person aged 18 or over who is, or may be, in need of services by reason of mental or other disability, age or illness (including an addiction to alcohol or drugs) or is living in a sheltered or residential care home and who is, or may be, unable to take care of him or herself, or unable to protect him or herself against significant harm, abuse or exploitation, including being drawn into terrorism.
1.10 Child The Institute defines a child as a person who is under the age of 18 (“Child”). The fact that a Child has reached 16 years of age, is living independently or is in Further/Higher education does not change his or her status for the purpose of this Policy.
2. Identifying Safeguarding Concerns
2.1 The Institute will take all safeguarding concerns including suspicions and allegations of exploitation, harm or abuse (including radicalisation) seriously and will report concerns promptly, in accordance with paragraph 3 of the Policy.
2.2 The Institute will ensure that processes are in place to check the suitability of staff and students whose duties and responsibilities involve regular contact or supervision of children or adults who may be vulnerable. The Institute will ensure that appropriate suitability checks are carried out in relation to staff and students including criminal record checks and other checks where appropriate. Details of these processes and checks can be found in the Institute’s Fitness to Practise Procedure Including Disclosure Screening for Applicants and the Recruitment and Employment of Ex-Offenders Policy.
2.3 Safeguarding referrals to the relevant statutory authority will be made on the basis of identified and considered risk.
2.4 Institute staff dealing with students or staff who are subject to safeguarding concerns will consider what support may be offered to them both from within the Institute (e.g. Right Management Workplace Wellness for staff and support from Student Services for students) and externally (e.g. signposting to local GPs, mental health services or Occupational Health (if they are a member of staff)).
2.5 Research which involves children or vulnerable adults must comply with the partner University Research Ethics Procedure. DBS checks will be conducted in relation to individuals involved in such research where permitted by law. Guidance on this may be sought from the relevant Chair of Research Ethics Committees.
It is not possible to guarantee confidentiality when a safeguarding concern is reported because the Institute owes a duty of care toward its staff, students or visitors and the Institute may need to take action on receipt of a report of a safeguarding concern that may result in the same being reported to an external third party. However, any reports will be dealt with sensitively and only disclosed to those people who need to be made aware of an incident or concern, whether internal or external to the Institute.
What is a Safeguarding Concern?
2.6 Examples of safeguarding concerns include, but are not limited to:
· A child or adult raises an allegation of abuse, harm or other inappropriate behaviour.
2.7 A student or staff member discloses information involving themselves or others which gives rise to possible concerns that a potential perpetrator may be harming or abusing vulnerable individuals or children involved in Institute activities.
2.8 There are suspicions or indicators that a child or adult is being abused or harmed or is at risk of exploitation, harm or abuse (including radicalisation). The indicators of abuse or harm or risk of abuse or harm or radicalisation can be very difficult to recognise and it is not a staff member’s responsibility to decide whether a child or adult has been abused or harmed or subjected to abuse or harm, but only to raise concerns that they may have.
2.9 There are observable changes in a child or adult’s appearance or behaviour that may be related to exploitation, harm or abuse (including radicalisation).
2.10 A concern is raised that an individual presents a risk of abuse or harm towards a child or adult in relation to, for example, his/her criminal convictions, or downloading, possession or distribution of inappropriate images or extremist material.
2.11 Concerns arise that a student or member of staff is vulnerable to radicalisation and there is an identifiable risk of being drawn into terrorism.
3. Reporting Safeguarding Concerns
Designated Safeguarding Officers
3.1 For any safeguarding concerns involving staff members, the appropriate person to report concerns to is the Designated Safeguarding Trustee. For any safeguarding concerns involving students, the appropriate person to report concerns to is the Director of Studies.
The Director of Studies and the Designated Safeguarding Trustee are the Institute’s Designated Safeguarding Officers. The Designated Safeguarding Officers may delegate responsibility under this Policy to an appropriate nominee.
In a placement or work based learning environment (such as a professional or clinical setting) a member of staff or student should normally report any safeguarding concern in the first instance to the relevant Agency or Council Safeguarding Team in accordance with the Professional Practice Handbook. Additionally, staff working in practice placements will be made aware of their own local safeguarding procedure.
If the Designated Safeguarding Officer is not available, or the safeguarding concern involves a concern against them, then the referral should be made to the Head of Institute.
Responsibilities of the Designated Safeguarding Officers
3.2 It is the responsibility of the Designated Safeguarding Officers to:
. Undertake relevant training in safeguarding procedures and ensure their knowledge is kept up to date;
. Act as a point of contact for those who have safeguarding concerns, receiving information and recording those concerns;
. Act upon concerns as appropriate in the circumstances, for example, by carrying out a risk assessment in accordance with this Policy and acting in accordance with the outcomes. This may range from taking no further action to making external referrals for example to Social Services or Police.
. Monitoring the implementation of this Policy and procedure.
. In addition to the explicit responsibilities set out above, the established management structures within each team and/or service area have a responsibility to ensure staff and students are aware of the Institute’s safeguarding principles and procedures (including this Policy) and are able to refer concerns appropriately. Furthermore, managers and staff in faculties and services will promote awareness of safeguarding to reduce the potential for abuse and to promote wellbeing.
Reporting Safeguarding Concerns
3.3 A safeguarding concern is reported by completing Section 1 of the Safeguarding Incident Referral Report Form (appended to this procedure). The form should be submitted by email to the appropriate Designated Safeguarding Officer as promptly as possible, but generally within 24 hours of the incident giving rise to the concern. In circumstances where a teaching centre or placement has a local Safeguarding Officer (such as in a placement agency) the localised procedure should be followed. It is better to refer any safeguarding concern and enable a risk assessment to take place, than not to make one due to uncertainty. Staff may wish to discuss safeguarding concerns with the Designated Safeguarding Officer should they be in any doubt as to whether to make a report.
4. Taking Action
When completing the form, the Designated Safeguarding Officer will decide:
a) That no further action is required. b) To refer the concerns to the Senior Management Team, in order for them to decide whether a precautionary suspension is required. c) To refer the matter to an alternative Institute policy or procedure, such as the Staff or Student Disciplinary Procedure or the Fitness to Study or Practise procedure. d) To report the matter to the local Safeguarding Team. e) To report the matter to the Police, Social Services or alternative appropriate external agency.
If a member of the Institute, staff or student, has any immediate safeguarding concerns (including outside normal Institute hours) they may refer directly to the Police or Social Services, but otherwise they should follow the internal referral process described in this Policy or their local policy. If a direct referral is made, the member of staff or student should inform the Designated Safeguarding Officer at the earliest opportunity.
4.3 The Designated Safeguarding Officer (or their nominee) will liaise with other partner agencies, such as the Denominational Safeguarding Officer (or equivalent) as appropriate in order to address the safeguarding concerns identified.
4.4 The Institute reserves the right to take action under its disciplinary procedures and/or its fitness to practise procedures and/or fitness to study procedures should it later receive information that suggests that its conduct standards may have been breached and/or that reported safeguarding concerns give rise to an allegation that a student is not fit to practise/study. Staff or students who are dismissed from the Institute and/or found unfit to practise/study as a result of safeguarding concerns will be reported to the Disclosure and Barring Service and any relevant professional body.
4.5 Support from internal or external services, such as the local safeguarding authority, will be provided as appropriate for any individuals, staff or students, impacted by safeguarding issues
5. Retention of Information
5.1 The Institute complies with the principles of data protection law in the way that it retains and disposes of personal information.
5.2 Written records of any safeguarding concerns will be retained for as long as is necessary for the purpose for which it was obtained or as legally required or lawfully permitted.
5.3 Such written records will be held centrally and separately from a member of staff or student’s personal records.
6.1 All staff and students whose roles and responsibilities include regular contact with children and potentially vulnerable individuals will receive training and guidance appropriate to their role. All staff will be made aware of this Policy and procedure and related guidance.
7. Review of Policy and Procedure
7.1 The Trustee Board will review this procedure on an annual basis and is responsible for overseeing and updating this policy and procedure particularly with respect to the legal obligations and other external requirements.
Equality issues have been taken into account during the development of this policy and all protected characteristics have been considered as part of the Equality Analysis undertaken.
For concerns related to students:
Robin Smith, Director of Studies Mobile: 07912 160323. Email Address: [email protected]
For concerns related to staff:
Alistair Langton, Designated Safeguarding Trustee Email Address: [email protected]
For concerns that require immediate Local Authority attention when based in Leicester City:
Local Authority Designated Officer (LADO) Tel: 0116 454 2440 Email: [email protected]
The Institute for Children, Youth and Mission: Prevent Duty
The new Prevent Duty, which came into force for educational settings in September 2015 as part of the Counter-Terrorism and Security Act 2015, places legal requirements on the Institute to minimise the risk of individuals being drawn into terrorism and to ensure vulnerable individuals receive timely and appropriate support. These pages are intended to provide our community with an understanding of what the Prevent Duty is, how it relates to the Institute and our approach in meeting our obligations and keeping those within our community safe and protected.
The Prevent Duty has three main objectives:
1. Respond to the ideological challenge of terrorism and the threat faced from those who promote it
2. Prevent people from being drawn into terrorism and give them advice and support
3. Work with sectors and institutions where there are risks of radicalisation
The statutory guidance for higher education institutions highlights key areas of attention. These are:
· external speakers
· partnerships with other local organisations engaged with Prevent
· risk assessment and action plan
· staff training
· welfare and pastoral care/chaplaincy support
· IT policies
· Students’ Union and societies.
The Office for Students is the monitoring body for Prevent for HE providers. The full guidance is available here
· The Institute takes a proactive, safeguarding-focused approach to implementing our Prevent duty.
· We are committed to encouraging events which stimulate open debate and broaden the learning experience for all members of the Institute community. To ensure we provide an environment conducive to this commitment, our Code of Practice for Freedom of Speech and Lawful Assembly and Event Booking processes clearly set out the expectations placed upon all speakers at the Institute. We have systems for assessing and mitigating risks around external speakers and events on campus, while maintaining the existing duty to promote freedom of speech
· The Institute’s Board of Studies is responsible for overseeing the Institute’s response to its obligations under the 2015 Counter Terrorism and Security Act. It is chaired by the Director of Studies and consists of senior staff from all key areas including members of the Student body.
· We have a risk assessment and action plan in place which is updated annually
· We provide in house training sessions to increase staff awareness of Prevent
Our Risk Assessment and Action Plan
In accordance with the statutory guidance for higher education providers we have a risk assessment and action plan which will be reviewed regularly and is subject to monitoring and enforcement.
All Institute staff are required to undertake Prevent training as part of their induction programme, and then regular refresher training at set intervals.
In addition, we provide targeted safeguarding training for those staff working closely with students, particularly in areas such as Student Support and Wellbeing, Security and Placements, making sure students are supported throughout their studies.
All of the training we provide is aimed at identifying vulnerable individuals and providing the support they need academically, personally and pastorally.
The guidance for booking External Speakers has been developed to assist staff and students when organising talks, seminars and lectures on campus, and to form a checklist that will help with ensuring that the talks are successfully planned and delivered.
At the Institute we support the open expression of views and the right to hold, challenge and rigorously debate a wide range of beliefs and positions. However, we also take our responsibility to our communities and audiences very seriously, and we prohibit any public expression of views on our premises that are in breach of the law or incite intimidation or violence. This must be taken into account when inviting an external speaker to the Institute.
Some events are open to the public (and/or publicised externally) and the speaker may not be a current student or member of staff at the Institute. In these cases we will ensure our protocols and procedures require engagement with the Institute’s senior management team. This is to ensure that appropriate consideration has been given to Freedom of Speech (1986 Education Act) and to statutory duties included in Prevent guidance and any other relevant legislation.
For any member of the Institute’s community, staff or students, organising an event as outlined above, written permission to host the event should be gained from the senior management team. Ordinarily this is a quick and straightforward process that can be carried out at a local level. In these cases, following the steps outlined in the “Local assessment of proposed external speaker(s)” below will suffice.
There will, however, be a few more complex requests which will require further consideration and approval. There will be fewer of these but will be necessary where either an event or a speaker is deemed to be a higher risk.
Prior to the confirmation of any external speaker, the event organiser will be responsible for assessing the speaker against the following set of questions:
1. Has the speaker previously been prevented from speaking at the Institute or any other Institute or similar establishment or previously been known to express views that may be in breach of the Code of Practice for Freedom of Speech and Lawful Assembly and/or the Prevent Duty?
2. Does the proposed title or theme of the event present a potential risk that views/opinions expressed by speakers may be in breach of the Code of Practice for Freedom of Speech and Lawful Assembly and/or the Prevent Duty?
3. Is the proposed speaker/theme likely to attract attendance from individuals/groups that have previously been known to express views that may be in breach of the Code of Practice for Freedom of Speech and Lawful Assembly and/or the Prevent Duty?
If the answer to all three questions is NO then the event organiser can confirm the external speaker and ‘book’ them to speak at their event or activity in the normal way. A record of the speaker and event should be recorded and acknowledged by the Senior Management Team for information.
If the answer to any of the questions is unclear: The event organiser must seek guidance from their line manager, whose responsibility it will be to further review the speaker(s) against the questions above.
If the answer to any of the questions is YES: It is the responsibility of the event organiser to defer the decisions until the senior management team have considered the request in full. The request will then be reviewed by the Head of Centre. They will respond within 48 hours to either approve the speaker, request further details/assurances or decline the speaker.
If you have concerns about a member of our Institute community, you are advised to speak with one of our designated safeguarding officers. If you are unsure who to approach, you can send your concerns via email to: [email protected] or call: 0115 968 322
The Institute for Children, Youth and Mission: Student Protection Plan
These processes articulate the Institute’s procedures for applicants and students.
1.1. This policy sets out the Institute’s procedures for closing, suspending or changing any programme of study. It is designed to reflect the Statement of Good Practice adopted by HEFCE, UUK, Guild HE, NUS in October 2015. It is also designed to meet the requirements for the CMA Student Protection Plan.
2. Closure and Suspension
2.1. The Institute or partner University may wish to close and remove a programme of study from its portfolio. Closure of a programme, whether at undergraduate or postgraduate level, means that the Institute will cease to recognise the programme as one for which a student may be registered.
2.2. Suspension of a programme of study is defined by a fixed timeframe in which the programme will not be delivered.
2.3. The Institute will not close or suspend a programme without the University’s approval because of the implications for the contractual relationship between current and prospective students and the University.
2.4. A request to close or suspend a programme will be made by the Head of Institute following agreement with the Institutes Board of Trustees. The Board should approve the proposal in line with their strategic plans. The Head of Institute is required to make a business case to the Institutes Board of Trustees who will make the final decision.
2.5 On receipt of a request to close or suspend a programme, the Institutes Board of Trustees may agree one of the following:
· Decline the request
· Approve the request without condition(s)
· Approve the request with condition(s)
2.6 A request to suspend or remove a programme that has been approved by the Institutes Board of Trustees should then be submitted to the partner University, by the Head of Institute, on any required proforma and be accompanied by the following information:
· Market rationale
· Strategic and financial implications
· Impact, if any, on arrangements with partner institutions and/or PSRBs
· Impact on current and prospective students and sponsored students
· Impact on existing or proposed programmes
· Impact on relationships with sponsors and employers
· The expected impact on staff and resources
2.7. The proforma shall also confirm that consultation will take place with academic staff affected by the request.
2.8. Where there are any expected changes to staff/staffing structure consultation with HR must be sought
3. Programme Changes Prior to Registration
3.1. The Institute may be required to make changes to programmes at the following times:
· between publication of the prospectus and registration
· after registration
3.2. Where material changes (such as a number of changes to the structure of the programme, or the removal or addition of a number of modules) are made between the publication of the prospectus and registration, the Institute will draw these changes to the attention of applicants as soon as possible and advise them of their right to seek entry to another Institute programme for which they may be qualified or to withdraw their application and seek entry to another institution.
3.3. Where the applicant has already accepted an offer, they shall be furnished with all necessary information, advice and guidance by the Institute to help them make an informed decision on their future course of action.
3.4. In normal circumstances, material changes to programmes should not be made after registration, but where this is unavoidable, students and their representatives shall be consulted at the earliest opportunity on the changes and, where practicable, their views shall be taken into account.
3.5. If a student reasonably believes that a material change to their programme adversely affects them, they may cancel their contract with the Institute and/or partner University. In such circumstances the Institute, in consultation with any partner University, will offer suitable information, advice and guidance to a student and, where possible, facilitate their transfer to another institution which offers an appropriate programme for which they are qualified.
3.6. Further to commencement of the programme and during the course of a student’s studies, the Institute may make minor amendments to programmes in order to improve the quality; to meet the latest requirements of an accrediting body; or in response to student feedback. Where such minor amendments to the delivery of a programme are necessary, the Institute will consult with or inform students and their representatives of these changes, as appropriate, and in line with Institute quality assurance processes.
4. Student Protection
4.1. Current students
4.1.1. Current students should normally be allowed to complete the programme of study for which they are registered unless each gives their explicit written consent to the contrary. Such consent must not be sought until a closure or suspension recommendation has been agreed.
4.1.2. Where a programme is being closed to new entrants only, the Institute’s proposed arrangements for students currently registered on the programme (including those whose registration is suspended but have not yet completed the programme) must comply with the following:
4.1.3. Current students should be informed of their option. The Institute will provide all necessary information, advice, guidance and support to facilitate students in deciding which option to follow.
4.1.4. The standard of academic provision and the student experience must, as far as is reasonably practicable, be maintained throughout their period of registration. In particular, the conditions must be maintained to enable the stated learning outcomes in the relevant Programme Specification to be achievable by students who are being ‘taught out’.
4.1.5 To ensure the student experience and to support the students, the Director of Studies together with the Director of Operations will monitor their experience.
4.2.1. In the event of a programme closure, suspension or material changes to programme content, all communications with applicants must be undertaken by the Admissions team of the partner University.
4.2.2. Applicants who have accepted offers should not be contacted until the closure or suspension process has been fully completed.
4.2.3. Applicants thus affected should then be informed of their options to transfer their applications to another programme within the Institute or to another institution.
4.2.4. Applicants who have been made offers, but have not yet accepted them, may however be advised that a closure or suspension request has been made. Such applicants should be advised that the offer of a place is suspended until a final decision has been made and will be withdrawn if the request is accepted. They should also be advised that they may choose another programme or institution.
4.2.5. UCAS should be notified when the closure or suspension request has been finalised by the University
5.1. Wherever possible, requests to delete, suspend or make material changes to the content of programmes should be made in a timely manner.
5.2. Since preparation for the production of the printed prospectus takes place sometime ahead of publication, the process of strategic planning should identify those programmes which are likely to be closed prior to the commencement of the prospectus production process.
5.3. As a result of unforeseen and unforeseeable circumstances (e.g. loss of specialist staff) it may be necessary to close or suspend a programme within a foreshortened timescale. In such circumstances, the student interest is paramount and full consultation should be undertaken with all affected students and their nominated representatives.
5.4. In order to ensure full compliance with the Consumer Rights Act 2015 and related regulations, students should be given the fullest information, advice and guidance to enable them to make well-informed decisions in the event of programme closure or suspension.
6. Partnership Provision
6.1 Where a partner University is the owning party (i.e. registers the students as the University’s students), but the delivery is undertaken by the Institute the processes as detailed above in section 4 will apply:
· Current students should be informed of their option to complete their programme of study or transfer to another programme within the University or to another University. The Institute will provide all necessary information, advice, guidance and support to facilitate students in deciding which option to follow.
· The standard of academic provision and the student experience must, as far as is reasonably practicable, be maintained throughout their period of registration. In particular, the conditions must be maintained to enable the stated learning outcomes in the relevant Programme Specification to be achievable by students who are being ‘taught out’.
6.2 To ensure the student experience and to support the students, the designated Academic Link Tutor, together with the Collaborative Provision Unit at the partner University will monitor their experience.
6.3 Where the Institute through staff changes/resources is unable to deliver the programme at their premises, at least one full academic year’s notice is expected and the Institute is expected to bear any expenses related to supporting the students in completing their studies. The Institute will provide all necessary information, advice, guidance and support to facilitate students in completing their studies.
The Institute for Children, Youth and Mission: Data Protection Policy
1.1 Personal data is information which relates to a living individual and from which they can be identified, either directly or indirectly.
1.2 Personal data is held at the Institute in a variety of ways and for many different purposes. These purposes include, but are not limited to, the maintenance of staff and student records and other matters such as research data and the relationships with alumni, supporters, marketing contacts and other persons.
1.3 Personal data will be handled with care and in compliance with the law governing data protection, the General Data Protection Regulation (GDPR)
1.4 This policy sets out the commitment of the Institute to the maintenance of high standards of protection for the personal data it holds, whether in digital or manual records.
2.1 The Institute confirms its commitment to compliance with the GDPR.
2.2 This policy covers all Institute activity in which personal data is used. It applies to all members of the Institute including staff, students, trustees and others acting for or on behalf of the Institute or who are otherwise given access to the Institute’s information infrastructure.
2.3 This policy should be read and interpreted in conjunction with the other related Institute policies and partner University procedures which are relevant to this policy.
3. Registration at the Information Commissioner’s Office
3.1 The Institute maintains and complies with its registration at the Information Commissioner’s Office in accordance with the requirements of the GDPR and is committed to co-operating with the Office in the fulfilment of its obligations and support of the principles underpinning data protection law.
4. Principles governing the processing of personal data
In compliance with Article 5 of the GDPR, personal data will be: 4.1 processed lawfully, fairly and in a transparent manner
4.2 collected for specific, explicit and legitimate purposes
4.3 adequate, relevant and limited to what is necessary for the purpose
4.4 accurate and kept up to date
4.5 only kept for as long as it is needed
4.6 kept safe using appropriate technical and organisational measures
5. The legal basis for processing
5.1 The Institute makes Privacy Statements readily available to students, staff and others. Privacy Statements set out the type of data generally held by the Institute, the reasons for the collection of the personal data, an explanation about circumstances in which data may be shared with others and a statement of the rights of individuals under the GDPR.
5.2 Individuals will be informed of the lawful basis for the intended processing of their personal data. In the case of students and staff the lawful basis will generally be the need to fulfil the contract between the individual and the Institute.
5.3 If there is an intention to use the data for marketing purposes or other purposes where the Institute is relying on consent as the lawful basis for processing, the individual will be notified of this intention and will be asked for clear and specific consent before any such use will be made of the data. The Institute will maintain records of consents given and withdrawn.
6. Use and disposal of Data
The Institute has processes in place to ensure that the personal data it holds remains accurate and up to date and is disposed of in accordance with its Data Classification and Handling Policy. In particular:
6.1 The Institute will seek to maintain high standards of data integrity and aim to avoid duplication, inaccuracy and inconsistencies across personal data retention locations.
6.2 The Institute will maintain a comprehensive Retention of Records Policy to help avoid excessive retention or premature destruction of personal data.
6.3 Personal data which is no longer required, or which should no longer be held under GDPR will be disposed of in a manner appropriate to its nature and the need for security in accordance with its Data Classification, Handling and Disposal Policy.
6.4 The Institute will maintain an Information Asset Register detailing all processing activity including the data held, its source, details of sharing of the data and the lawful basis for the processing.
The Institute will maintain appropriate technical and organisational measures to ensure the security of personal data. In particular:
7.1 Data security is created, reviewed, tested and improved on an on-going basis
7.2 Procedures are in place to analyse and respond to any identified threats to data security
7.3 Policies specifically relating to digital security measures are listed at the end of this policy
8. Risk Management
8.1 The Institute assesses and identifies areas that could cause data protection compliance or security problems and records these through the Institute’s risk registers which is actively managed. Controls are applied to mitigate the identified risks and these are regularly verified for effectiveness as part of this process.
8.2 The Institute acknowledges its duty under GDPR to conduct a Data Protection Impact Assessment when introducing new technologies or procedures which may involve a high risk to the rights and freedoms of individuals.
9. The rights of data subjects
The rights of data subjects under GDPR will be respected. In particular:
9.1 the Institute recognises that data subjects have the right to have access to the personal data held about them; to have errors corrected; to have data erased in some circumstances; to object to or to restrict processing in some circumstances; to have data securely transferred to another organisation; and to assert the right to human intervention, to express their opinion and to obtain and challenge explanations where automated decision-making is used and has an impact on them;
9.2 the Institute will respond to requests for access to data or the assertion of other GDPR rights within the statutory time limits in accordance with its Access Request Procedure.
10. Sharing data with other organisations
10.1 Data may be shared with other organisations in accordance with the Institute Privacy Statements and as permitted by law.
10.2 The Institute enters into written agreements with all processors of personal data controlled by the Institute which comply with the stipulations of GDPR
10.3 Data is only transferred outside the EEA in compliance with the conditions for transfer set out in GDPR. In particular, personal data will only be transferred to territories outside the EEA where there are adequate standards of privacy protection, by virtue of national laws or via contractual arrangements, and in other circumstances where transfers are permitted by GDPR. The Institute takes steps to ensure that there are adequate safeguards and data security in place and has measures to audit security arrangements on a periodic basis.
10.4 Mechanisms are in place to notify third parties, where required, of any change in the status of consent given by a data subject where consent is the lawful basis for the processing of data.
11. Staff training and personal responsibility
11.1 The Institute provides data protection training for all staff. This is done as part of the on-boarding procedure for new staff and when updates are required. Completion of data protection training is an essential element of a successful probation. The training reinforces personal responsibility and good security behaviours, including how to recognise and report breaches and the safe movement of data through appropriate channels.
11.2 Specialist training is provided to staff with specific roles, such as marketing, information security, and Human Resources.
11.3 Breaches of this or a related policy will be dealt with in accordance with the Institute’s Disciplinary Procedure.
12. Roles and Responsibilities
12.1 The Institute has a designated Data Protection Officer, the Director of Operations, with overall responsibility for data protection compliance in accordance with the duties set out in GDPR.
12.2 The Data Protection Officer is responsible for:
12.2.1 Maintaining this policy and all records relating to data protection;
12.2.2 Providing guidance, support, training and advice on compliance with GDPR;
12.2.3 Liaison with the Information Commissioner’s Office;
12.2.4 Taking legal advice on matters relating to the GDPR where necessary;
12.2.5 Supervising the management of access and other requests from data subjects;
12.2.6 Managing the procedure for the reporting and resolving of personal data breaches;
12.2.7 Reviewing and auditing the way personal information is managed, and ensuring that methods of handling personal information are regularly assessed and evaluated;
12.2.8 Monitoring and reporting on compliance with data protection training.
12.3 The Director of Operations is responsible for ensuring awareness of and compliance with this policy in their areas
12.4 Principal investigators are responsible for personal data management in their own research studies and for ensuring that secure information systems and operating procedures are in place with regards to data handling. Where personal data is processed, research staff and students must adhere to the personal data processing requirements set out in this policy, as well as the Institute’s Code of Practice for Research.
12.5 Staff training reinforces personal responsibility and good security behaviours, including how to recognise and report breaches
13. Identifying and resolving personal data breaches
The Institute has a procedure for the reporting of breaches to the appropriate individuals as soon as they are discovered, and to investigate and implement recovery plans. This procedure is part of the Institute’s Incident Management process and includes assessment of the likely risk to individuals and, if required, notification of affected individuals and reporting to the Information Commissioner’s Office in line with GDPR requirements.
14. Reporting and Governance
The Institute has a process to monitor compliance with this policy and related policies. The Institute Senior Leadership Team receives an annual report from the Data Protection Officer, as does the Audit and Risk Committee of the Board of Trustees. Data protection at the Institute is monitored as part of the annual internal audit plan.