Freedom of Information and Data Protection

Freedom of Information and Data Protection – how does this impact on the data held on the UCard database?

Data Protection

Personal data will be processed in accordance with the Data Protection Act 2018
Access Control System (ACS) system managers and administrative staff will ensure that ACS data is only used for its intended purpose.
Personal usage information will not be extracted from the ACS or shared with other University systems without the explicit consent of the Director of Legal Services and Deputy Secretary, or the Information Governance Manager, or an appropriate nominee of either position. (See also Personal access reports)
Unless specifically requested, for legislative or academic reasons, personal usage data will be removed from the system after 90 days.
Access preferences, for disabled users, may only be made available to an authorised member of University staff.
Information relating to an individual's health will usually constitute Special Category Data under the Data Protection Act, and will therefore be subject to additional safeguards when processed.

Personal access reports

Personal access information will not routinely be divulged to any third parties. Typical reasons for requesting this information may include; a disciplinary investigation; after a crime has occurred or because of health and safety concerns. If approved, the Director of Legal Services and Deputy Secretary, or the Information Governance Manager, or an appropriate nominee of either position will inform the Head of Security to release the requested information to the enquirer.

UCard users can make a subject access request for their own usage information via the Secretary's Office.

In an emergency Security Services may also make use of personal access reports, as part of its crime prevention and safety role, without prior authorisation from the Director of Legal Services and Deputy Secretary or the Information Governance Manager.

Personal access information will not be divulged to third parties unless the cardholder is the subject of a Data Protection Act request by a relevant external agency (e.g. the police).