Scope of The UWI Data Protection Policy

  • governs personal data provided to and /or maintained by The UWI pertaining to previously registered, registered or prospective students, UWI personnel, staff and third parties.
  • applies to Data held in both manual and electronic formats
  • covers all Personal Data about staff, students, alumni, suppliers or any person who interacts with The UWI and with which a staff member comes into contact; applies to all authorized staff who handle the Personal Data of staff, students, suppliers and alumni on behalf of The UWI
  • covers all Personal Data received by authorized staff, about staff, students, suppliers or  other third parties who process data on behalf of The UWI

 

Kinds of Personal Data The UWI Processes

  • Student Registration information
  • Examination results
  • Health Records – of both students, staff, and patients external to the UWI community
  • Employment Records
  • Financial Information

 

Policy Statements

The UWI endeavours to:

  • comply with both the Data Protection legislation and policies in the countries in which The UWI operates, and global Data Protection best practices
  • protect the privacy rights of all students, staff, alumni 
  • ensure that the Personal Data in The UWI’s possession are kept safe and secure
  • support staff of The UWI in meeting their legal responsibilities (particularly as summarized in the Eight Data Protection Principles)
  • mandate that third parties processing data on behalf of the University observe this Policy
  • respect the Data Protection rights of individuals; 
  • provide awareness training and support for staff who process Personal Data
     

 

Enforcement 

Violation of The UWI Data Protection Policy will be handled consistent with University Disciplinary Procedures.

 

Complementary Resources

Information Security Policy

The Information Security Policy informs members of The University community, including visitors, of The UWI’s stance on information security, as well as the rights and obligations of members of the University community in matters related to information security.  The Information Security Policy adapts best practices, from the wider information security space, to The UWI context.  Among other things, The Information Security Policy informs users how to manage passwords, e.g., by making them complex and changing them regularly. 

The Information Security Policy Guidelines

The Information Security Policy Guidelines complement The UWI’s Information Security Policy and provide guidance to students and staff on actions concerning the general security of the IT resources used by them, selecting secure passwords, the proper use of email, and how to securely use the internet.

Guidelines for Marking and Handling University Information

The Guidelines for Marking and Handling University Information, which also complement The UWI’s Information Security Policy inform staff how to classify information.  The handling, distribution, and disposal of information would be guided by its classification.  Staff are given access to information based on their role in relation to the classification of the Data. 

Ordinance 8 of The UWI Statutes and Ordinances

Ordinance 8, outlines The UWI’s powers of appointment, promotion and dismissal, including provisions relating to discipline, for Academic, Senior Administrative, and Professional (collectively referred to as ASAP) staff. 

Statement of Ethical Principles and Code of Conduct

The Code of Conduct sets out the ethical and general principles of behaviour, including personal and professional responsibility in respect of confidentiality of information. 

 

Key Definitions

Access Request: a request, made by a person, to any authorized UWI staff member or authorized third party for the disclosure of their Personal Data. 

Data: information in a form that can be processed. This includes automated or electronic Data (on computer or recorded with the intention of putting it on computer) and manual Data (recorded as part of a Relevant Filing System, or with the intention that it should form part of a Relevant Filing System).

Data Controller: is a person who (either alone or with others) controls the contents and use of Personal Data.  The UWI as a ‘legal person’ is a Data Controller.

Data Processing: the performance of any operation or set of operations on Data, including:

  • i. obtaining, recording or keeping Data;
  • ii. collecting, organizing, storing, altering or adapting Data;
  • iii. retrieving, consulting or using Data;
  • iv. disclosing Data by transmitting, disseminating or otherwise making it available;
  • v. aligning, combining, blocking, erasing or destroying Data.

Data Processor: a person who processes personal information (Data) on behalf of a Data Controller, but does not include an employee of a Data Controller who processes such Data in the course of his/her employment; for example, this might mean an employee of an organization to which the Data Controller out-sources work. 

The Data Protection legislation places responsibilities on such Data Processors and Data Controllers in relation to their processing of the Data.

Data Subject: an individual who is the subject of Personal Data.

Personal Data: Data relating to a living individual who is or can be identified, either from the Data or from the Data in conjunction with other information, which is in, or is likely to come into the possession of the Data Controller. It includes information in the form of photographs, audio and video recordings, and text messages.

Relevant Filing System: any set of information organized by name, date of birth, payroll number, employee number, or any other unique identifier.

Sensitive Personal Data: specific categories of Data which are defined as Data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions, or the alleged commission of an offence; trade union membership.
 

General Data Protection Statement

See UWI's General Data Protection Statement

 

Data Breach Management

There are three steps to managing a Data breach:

  1. Collection of Incident Details
  2. Notification of Data Breach and Risk Assessment
  3. Evaluation and Response

 

Data Protection Awareness Training

Data Protection Awareness Training will take place during the orientation of new staff, and at various intervals throughout an employee’s professional career at The UWI.  See Training Session Schedule 

 

Data Protection Support

Data Protection Awareness Training will take place during the orientation of new staff, and at various intervals throughout an employee’s professional career at The UWI.  See Training Session Schedule 

 

Compliance Audits (Risk Management)

Internal Compliance Audit
An Internal Compliance Audit determines whether The UWI is operating in accordance with the relevant Data Protection legislation and policies and to identify possible contraventions of the legislation and policies.  Compliance audits are the purview of the University Auditor and form part of the University’s Compliance Framework.

 

Other rights under the Data Protection Policy

 

  • The Right to have any inaccurate Data rectified (corrected) or erased
  • The Right to have Personal Data taken off a mailing list
  • Right to complain to the Data Protection authority in the particular jurisdiction

 

Photographs/Video/Audio Recordings

 

  • Photographs, videos or audio recordings of a person constitute their Personal
  • Data and are therefore, subject to the provisions of this Data Protection Policy. Where no legislation exists in the particular jurisdiction, the University will use international best practices to govern the management of these Personal Data.
  • Except under specified circumstances for example for graduation exercises, where a photograph is taken, a video or audio recording is made, the explicit consent of the person and/or their parent/guardian/advocate should be sought for its use or publication in any medium, for example in the local newspaper, annual report or a website.
  • Members of the University community (staff, students, visiting scholars), their parents/guardians/advocates, where appropriate, are permitted to take photographs or make video/audio recordings, for example at concerts or award events etc., for their own personal use.