TITLE
DATA PROTECTION POLICY
Introduction
1.1 Trinity College London (together with its wholly owned subsidiaries and its wholly owned subsidiaries' own wholly owned subsidiaries, ‘ Trinity ’, ‘ us ’, ‘ we ’) takes its data protection obligations seriously, and in doing so, complies with all applicable laws and regulations in force from time to time governing the use or processing of personal data, including, where applicable, the GDPR [ 1 ] .
1.2 The purpose of the GDPR is to protect the ‘rights and freedoms’ of living individuals and, in particular, to ensure that they retain control over their personal data.
1.3 The GDPR applies to the Processing of Personal Data wholly or partly by automated means (eg. by a computer) and also other than by automated means (eg. paper records that form part of, or are intended to form part of, a Filing System). It applies to all Data Controllers and Data Processors that are established in the UK/EU who process the Personal Data of Data Subjects in the context of that establishment. It also applies to Data Controllers and Data Processors outside of the UK/EU that process Personal Data in order to offer goods and services, or monitor the behaviour of Data Subjects who are resident in the UK/EU.
1.4 Capitalised terms used in this policy and not otherwise defined within this policy shall have the meanings given to them in Appendix 1.
Policy Statement
2.1 Policy Statement
Trinity is committed to:
Trinity’s compliance with the GDPR is covered by this policy and other policies such as Trinity's:
The GDPR and this policy apply to all of Trinity’s Personal Data Processing functions including those performed on customers’, clients’, employees’, suppliers’ and partners’ Personal Data, and any other Personal Data from any source that Trinity processes.
The Data Protection Officer is responsible for commissioning a review by Trinity annually of the record of processing activities for any changes to Trinity’s activities and for any additional requirements which have been identified by means of the data protection impact assessments. This register is available on the Supervisory Authority’s request.
This policy applies to all staff of Trinity and therefore must be read and understood by every employee and contractor as part of their induction to Trinity.
Partners and any other Third Parties working with or for Trinity, and who may be reasonably expected to have access to Personal Data, will be expected to read, understand and comply with this policy. No Third Party may access Personal Data held by Trinity without having first entered into a data confidentiality agreement with Trinity which:
2.2 How does this policy affect Trinity?
The use of Personal Data is critical to Trinity in order to:
To carry out these activities, Trinity collects and processes Personal Data. Set out in this policy is an explanation of how Trinity collects, processes and safeguards Personal Data in accordance with the GDPR. Where national or other local laws have specific requirements in relation to the collection, processing, safeguarding and transfer of Personal Data, Trinity complies with such local specific requirements.
2.3 This policy applies to:
Responsibilities
3.1 Responsibilities and roles under the GDPR
Trinity has a legal responsibility to comply with the GDPR. We take this responsibility seriously and have developed this policy to ensure that we collect, use and safeguard Personal Data in accordance with the GDPR.
The Executive team and all those in managerial or supervisory roles within Trinity are responsible for developing and encouraging good data handling practices.
The Data Protection Officer is accountable for the management of Personal Data and is the first point of contact for staff or Third Parties seeking clarification on any aspect of data protection compliance. The Data Protection Officer also has specific responsibilities for procedures such as handling Data Subject access requests.
All staff are responsible for compliance with the GDPR and for ensuring that any Personal Data about them and supplied by them to Trinity is accurate and up-to-date.
Data protection principles
All Processing of Personal Data must be conducted in accordance with the data protection principles as set out in Article 5 of the GDPR. Trinity’s policies and procedures are designed to ensure compliance with these principles.
4.1 Personal Data must be processed lawfully, fairly and transparently (Lawfulness, Fairness and Transparency)
The GDPR has increased requirements about what information should be available to Data Subjects. The specific information that must be provided to the Data Subject must, as a minimum, include:
The GDPR provides specific basis for Processing, some of which are set out below:
Further information on some of these are set out in the sections of this policy on ‘Consent’, ‘Legal Obligation’, ‘Contractual Relationship’ and ‘Legitimate Interest’.
4.2 Personal Data can only be collected for specific, explicit and legitimate purposes (Purpose Limitation)
Data obtained for a specific purpose must not be used for a purpose that differs from the specified purpose. Details of how Personal Data is processed is set out in Trinity’s Privacy Statement .
4.3 Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (Data Minimisation)
The Data Protection Officer is responsible for ensuring Trinity does not collect information which is not strictly necessary for the purpose for which it is obtained. Please refer to the Data Protection by Design and by Default Policy and the Data Protection Impact Assessment (DPIA) Procedure .
All data collection forms (electronic or paper-based), including data collection requirements in new information systems, must include a Fair Processing Statement or a link to Trinity’s Privacy Statement and be approved by the Data Protection Officer.
The Data Protection Officer will ensure that all data collection methods are regularly reviewed to ensure that collected data continues to be adequate, relevant and not excessive. Please refer to the Data Protection by Design and by Default Policy and the Data Protection Impact Assessment (DPIA) Procedure.
4.4 Personal Data must be accurate and kept up to date with every effort to erase or rectify without delay (Accuracy)
Data stored by the Data Controller must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate.
The Data Protection Officer is responsible for ensuring that all staff are trained in the importance of collecting accurate data and maintaining it.
It is also the responsibility of the Data Subject to ensure that data held by Trinity is accurate and up to date. Completion of a registration or application form by a Data Subject will include a statement that the data contained on the application form is accurate at the date of submission.
Employees, contractors, consultants, examiners, Trinity representatives, centres plus any other Third Parties are required to notify Trinity of any changes in circumstances to enable personal records to be updated accordingly. It is the responsibility of Trinity to ensure that any notification regarding change of circumstances is recorded and acted upon.
The Data Protection Officer is responsible for ensuring that appropriate procedures and policies are in place to keep Personal Data accurate and up to date, taking into account the volume of data collected, the speed with which data might change and any other relevant factors.
On at least an annual basis, the Data Protection Officer will review the retention dates of all the Personal Data processed by Trinity by referring to the record of processing activities. Any data that is no longer required in the context of the registered purpose will be identified in order for it to be securely deleted/destroyed in line with Trinity’s Data Destruction Policy .
The Data Protection Officer is responsible for responding to any rectification requests from Data Subjects within one month. This is set out in the Data Subject Access Request Policy. This can be extended to a further two months for complex requests. If Trinity decides not to comply with the request, the Data Protection Officer must respond to the Data Subject to explain its reasoning and inform them of their right to complain to the Supervisory Authority and seek a judicial remedy.
Where Third Party organisations may have been passed inaccurate or out-of-date Personal Data, the Data Protection Officer is responsible for:
4.5 Personal Data must be kept in a form such that the Data Subject can be identified only as long as is necessary for Processing (Storage Limitation).
Personal Data will be retained in line with the Data Retention Policy and the Data Retention Schedule , and once its retention date is passed, it must be securely destroyed as set out in the Data Destruction Policy and the Data Destruction Procedure .
The Data Protection Officer must specifically approve any data retention that exceeds the retention periods defined in the Data Retention Policy and the Data Retention Schedule , and must ensure that the justification is clearly identified and in line with the requirements of the GDPR. This approval must be in writing.
4.6 Personal Data must be processed in a manner that ensures appropriate security (Security, Integrity and Confidentiality)
Personal Data must be processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage.
In determining appropriateness of the technical and organisational measures required to protect Personal Data, the Data Protection Officer should consider the extent of possible damage or loss that might be caused to individuals (e.g. staff or customers) if a security breach occurs, the effect of any security breach on Trinity, and any likely reputational damage.
When assessing appropriate technical measures, the following will also be considered:
When assessing appropriate organisational measures, the following will be considered:
These controls have been selected on the basis of identified risks to Personal Data, the nature of Personal Data to be protected, and the potential for damage or distress to individuals whose data is being processed.
4.7 Personal Data must not be transferred to another country without appropriate safeguards being in place (Transfer Limitation)
This principle is more fully covered under the section on ‘Data Transfers’ later in this policy.
4.8 Personal Data should be made available to Data Subjects and Data Subjects should be allowed to exercise certain rights in relation to their Personal Data (Data Subjects’ Rights and Requests).
This principle is more fully covered under the next section on ‘Data Subjects’ rights’.
4.9 The Data Controller is responsible for and must be able to demonstrate compliance with the principles listed in this section (Accountability)
The GDPR includes provisions that promote accountability and governance. Trinity will demonstrate compliance with the data protection principles by appointing a suitably qualified Data Protection Officer, implementing data protection policies, adhering to codes of conduct, providing regular training on data protection to staff and other relevant personnel, regularly testing privacy measures implemented and conducting periodic reviews and audits to assess compliance, implementing technical and organisational measures, as well as adopting techniques such as data protection impact assessments, data protection by design and by default, breach notification procedures and incident response plans.
Data Subjects’ rights
5.1 Data Subjects have rights regarding Data Processing, and the Personal Data that is recorded about them. These include rights to:
5.2 Trinity ensures that Data Subjects may exercise these rights through the following:
Consent
6.1 Trinity understands ‘consent’ of the Data Subject to mean any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which the Data Subject, by statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her. The Data Subject can withdraw their consent at any time and must be able to do so easily.
6.2 Trinity understands ‘consent’ to mean that the Data Subject has been fully informed of the intended Processing and has signified their agreement while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for Processing.
6.3 To demonstrate consent, there must be some active communication between the parties concerned. To demonstrate active consent, consent cannot be inferred from non-response to a communication. The Controller must be able to demonstrate that consent was obtained for the Processing operation.
6.4 For Special Categories of Personal Data, explicit written consent must be obtained unless an alternative basis for Processing exists. Where Processing of Special Categories of Personal Data is on the basis of explicit written consent, then Trinity must issue a privacy notice to the Data Subject.
6.5 The Data Protection Officer is responsible for ensuring that appropriate procedures and policies are in place to capture and keep records of all consents received and withdrawn so that Trinity can demonstrate compliance with the GDPR.
Legal Obligation
7.1 Trinity can use this basis of Processing to comply with a common law or statutory obligation that Trinity is subject to where the Processing of Personal Data is necessary in order to comply. For example, Trinity processes Personal Data of candidates to comply with Trinity’s obligation to provide reasonable adjustments to candidates with disability.
7.2 Trinity should document any decision to rely on this lawful basis and should be able to identify the specific legal provision or an appropriate source of advice or guidance that sets out the legal obligation concerned.
Contractual Relationship
8.1 Trinity can use this basis of Processing a person’s Personal Data to deliver a contracted service to them or because they have asked Trinity to do something before entering into a contract. The Processing must be necessary and Trinity should document when this lawful basis of Processing is relied upon.
Legitimate Interest
9.1 The GDPR allows Trinity to collect and use personal information where Trinity uses people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the Processing.
9.2 Where Trinity relies on legitimate interests to process data, Trinity must:
9.3 For example, it is in Trinity’s legitimate interest to process Personal Data of any person who contacts Trinity with an enquiry in order to respond to such enquiry, or when Trinity makes recordings of its examinations in order to monitor quality of its assessments and/or for research and training.
9.4 Trinity must keep a record of the legitimate interests’ assessments carried out to help demonstrate compliance if required. Details of the legitimate interests should also be included in the privacy statement.
Security of data
10.1 All staff must comply with all applicable sections of Trinity’s Information Security Policy . In addition to complying with the measures described in paragraph 4.6 of this policy, all staff are responsible for protecting any Personal Data that Trinity holds and are to follow all security measures adopted by Trinity:
10.2 Staff are responsible for exercising particular care in protecting Special Categories of Personal Data from loss and unauthorised access, use or disclosure. Staff must ensure that Personal Data is not disclosed to any Third Party unless that Third Party has been specifically authorised by Trinity to receive such Personal Data and has entered into a confidentiality agreement with Trinity.
10.3 All Personal Data should be accessible only to those who need to use it, and access may only be granted in line with Trinity’s Access Control Policy . All Personal Data should be treated with the highest security and kept securely, for example in a locked drawer or filing cabinet or, if computerised, password protected. Any data that needs to be destroyed, needs to be done so in line with Trinity’s Data Destruction Policy and Data Destruction Schedule .
Disclosure of data
11.1 Trinity must ensure that Personal Data is not disclosed to unauthorised third parties, which includes family members, friends, government bodies, and in certain circumstances, the police. All staff should exercise caution when asked to disclose Personal Data held on another individual to a third party. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of Trinity’s business.
11.2 All requests to provide data to a third party must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer. For guidelines please refer to the Data Subject Access Request Policy .
Retention and disposal of data
12.1 Trinity shall not keep Personal Data in a form that permits identification of Data Subjects for longer a period than is necessary, in relation to the purpose(s) for which the data was originally collected.
12.2 Trinity may store Personal Data for longer periods if the Personal Data will be processed solely for archiving purposes in the public interest or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the Data Subject.
12.3 The retention period for Personal Data will be set out in the Data Retention Policy and Data Retention Schedule including any statutory obligations Trinity has to retain the data.
12.4 Personal Data must be disposed of securely in accordance with the GDPR. Trinity’s Data Retention Policy and Data Destruction Policy will apply in all cases.
Data erasure
13.1 Data Subjects have the right to have their inaccurate Personal Data erased. This is also known as ‘the right to be forgotten’. It is not, however, an absolute right and applies in the circumstances listed below. Data Subjects also have the right for inaccurate Personal Data to be rectified or completed (if it is incomplete).
13.2 Trinity is not required to rectify or erase Personal Data of a Data Subject where to do so would prevent the Data Subject from meeting their contractual obligations to Trinity or where Trinity is required to process (including retaining) such Personal Data for a lawful purpose in accordance with the GDPR.
13.3 Individuals have the right to have their Personal Data erased if:
13.4 Where Personal Data is erased, Trinity will search databases and other systems and applications where the Personal Data may be held and erase it within 1 month from the date of the request.
13.5 In the case of rectifying inaccurate Personal Data, Trinity must rectify the information without delay and notify the Data Subject that this has been completed within one month using the same procedures as for a data subject access request as set out in the Data Subject Access Request Policy .
Data Subject access requests
14.1 Subject to certain statutory exceptions, Data Subjects have the right to request confirmation that we process their Personal Data, obtain certain information about the processing of their Personal Data by Trinity and obtain a copy of the Personal Data processed. Data Subjects can make data access requests following the procedure set out in the Data Subject Access Request Policy . The Data Subject Access Request Policy describes how Trinity will ensure that its response to data access requests complies with the requirements of the GDPR.
14.2 As noted, exemptions may apply. For example, under the GDPR, Trinity is not required to provide Personal Data comprising information recorded by candidates during examinations and/or in circumstances where its release would adversely affect our rights in the intellectual property and confidentiality of our examinations or reveal the Personal Data of another Data Subject. Accordingly, where necessary for these reasons, Trinity may withhold or obscure parts of recordings or examination scripts when responding to a subject access request.
Data transfers
15.1 The GDPR imposes restrictions on the transfer of Personal Data outside the UK, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
15.2 Transfers of Personal Data outside the UK can only take place where a condition set out in Appendix 2 to this policy applies. See Appendix 2 for details of specified safeguards or exceptions.
15.3 The UK and the EU have each recognised the adequacy of the other from a personal data safeguarding perspective. Transfers of Personal Data from the UK to the EEA and from the EEA to the UK are not restricted in most cases (there are only restrictions in relation to personal data connected with immigration and immigration control).
Reporting a Personal Data Breach
16.1 Trinity’s Data Breach/Loss Notification Procedure should be followed where a Personal Data Breach or loss of Personal Data occurs. All staff should be aware that any breach of Data Protection legislation may result in Trinity’s disciplinary procedures or termination proceedings being instigated, as appropriate.
16.2 The GDPR requires Trinity to notify any Personal Data Breach that meets the threshold for notification to the Supervisory Authority and, in certain instances, the Data Subject.
16.3 Trinity has put in place procedures to deal with any suspected Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.
16.4 If a Personal Data Breach has occurred or is suspected to have occurred, staff must not attempt to investigate the matter themselves but should immediately contact the Data Protection Officer. Staff should preserve all evidence relating to the potential Personal Data Breach.
Children’s Personal Data
17.1 Trinity is committed to ensuring that children are safe online and follows the applicable laws and recommendations in relation to the protection of children’s Personal Data, including the Age Appropriate Design Code.
17.2 When we refer to a ‘child’ or ‘children’, we refer to anyone under the age of 18 years in accordance with the Age Appropriate Design Code, though in accordance with the GDPR, certain additional measures apply in relation to anyone under the age of 13 years.
17.3 Trinity’s online services are not aimed or targeted at children, but we believe that children are likely to access our online services and so have taken measures to ensure that all users of our online services benefit from the protections afforded to children in accordance with the Age Appropriate Design Code.
17.4 We keep in mind the best interests of children when we design and develop our online services and have undertaken DPIA’s where relevant to assess and mitigate the risks our data processing might pose to the rights and freedoms of such children.
17.5 We would never use children’s Personal Data in ways that might be detrimental to their wellbeing or go against industry practice, regulatory provisions or Government advice. The Personal Data that we collect from children, the ways in which we use that Personal Data, and whether and with whom we may share that information is set out in our Privacy Statement . Our Privacy Statement includes language which is prominent, concise and clear and suited to the ages of children that we believe are likely to access our online services.
17.6 Where processing of Personal Data is based on the consent of the Data Subject, Trinity will only process the Personal Data of a child under the age of 13 years where consent is given by the holder of parental responsibility over the child, i.e., the parent or guardian of the child. We will take reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child.
17.7 We limit the Personal Data we collect from children to only that which is reasonably required for the purposes for which it is processed. We also provide additional specific summaries about how we use Personal Data at the point that such use is activated online. Our settings are ‘high privacy’ by default (unless there is a compelling reason for them not to be, in which case, the Data Protection Officer will record such reason in an associated risk assessment). Any profiling options on our websites are ‘off’ by default (unless there is a compelling reason for profiling to be ‘on’ by default, taking account of the best interests of the child, in which case the Data Protection Officer will record such reason in an associated risk assessment). Where profiling is used, we ensure that all users, including children, are protected from being exposed to content that might have a harmful effect on them. We do not use nudge techniques or methods to encourage children to provide unnecessary Personal Data.
17.8 We give parents and guardians the ability to request access to the Personal Data that we have collected from their children and the ability to request that such Personal Data of their children is deleted. We will notify children of any such requests from their parents or guardians.
17.9 The Data Protection Officer’s contact details are listed prominently online so that all users, including children, can have direct access to the Data Protection Officer to help them exercise their data protection rights and report concerns.
Effective date
April 2018, last amended 21 May 2024
Document Owner and Approval
The Data Protection Officer is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the review requirements.
This policy was approved by Trinity’s Executive on 11 May 2018 and is issued on a version controlled basis.
Data Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Data Processor – means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
Data Subject – any living identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Filing System – any structured set of Personal Data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Personal Data – any information relating to a Data Subject.
Personal Data Breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed. There is an obligation on the Data Controller to report Personal Data Breaches to the Supervisory Authority where the breach is likely to adversely affect the Personal Data or privacy of the Data Subject.
Processing – any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – is any form of automated Processing of Personal Data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. This definition is linked to the right of the Data Subject to object to Profiling and a right to be informed about the existence of Profiling, of measures based on Profiling and the envisaged effects of Profiling on the individual.
Special Categories of Personal Data – Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Supervisory Authority – means an independent public authority which is established pursuant to the GDPR. In the UK the Supervisory Authority is the Information Commissioner’s Office (ICO).
Third Party – a natural or legal person, public authority, agency or body other than the Data Subject, Data Controller, Data Processor and persons who, under the direct authority of the Data Controller or Data Processor, are authorised to process Personal Data.
An adequacy decision
The UK can and does assess third countries, a territory and/or specific sectors within third countries to assess whether there is an appropriate level of protection for the rights and freedoms of natural persons. Where the UK makes a finding of appropriateness or adequacy, no authorisation is required for the transfer of Personal Data.
Countries that are members of the European Economic Area (EEA) but not of the EU are accepted as having met the conditions for an adequacy decision.
A list of the other countries that currently satisfy the adequacy requirements of the Commission can be found here https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
At present, the UK has adopted the adequacy decisions of the European Commission in force at the end of the Brexit transition period on 31 December 2020.
Binding corporate rules
Trinity may adopt approved binding corporate rules for the transfer of Personal Data outside the EU or the UK. This requires submission to the relevant Supervisory Authority for approval of the rules that Trinity is seeking to rely upon.
Model contract clauses or Standard Contractual Clauses (SCCs)
Trinity may adopt approved SCCs for the transfer of Personal Data outside of the EEA. The most recent SCCs can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
Similarly, Trinity may adopt the UK’s International Data Transfer Agreement or alternately the UK’s International Data Transfer Addendum to the European Commission’s SCCs, each of which can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/
Trinity is responsible for carrying out a transfer assessmne to assess whether Personal Data transferred to the third country receives protection ‘essentially equivalent’ to that provided under UK law in order to determine if the guarantees provided by the SCCs can be complied with in practice.
In making this assessment, Trinity should take account of the following factors:
Exceptions
In the absence of an adequacy decision, binding corporate rules and/or model contract clauses, a transfer of Personal Data to a third country or international organisation shall only take place on one of the following conditions:
Make sure you don’t miss the latest news from Trinity College London. Sign up for email updates about your subject area.