CCAF Regulator Knowledge Exchange Platform Data Protection Policy
The Chancellor Masters and Scholars of the University of Cambridge acting through Cambridge Centre for Alternative Finance - Centres - Faculty & research - (referred to as CCAF in this document), is committed to protecting and respecting individuals’ privacy in compliance with data protection legislation.
Purpose and scope
1. The purpose of this policy is to ensure compliance with the UK GDPR (‘data protection law’) in relation to the Regulator Knowledge Exchange Platform. Data protection law applies to the storing or handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’).
2. This policy applies to CCAF (‘data controller’).
3. This policy applies to all staff except when acting in a private or non-CCAF capacity. In this policy, the term ‘staff’ means anyone working in any context within CCAF at whatever level or whether permanent, fixed term of temporary, including but not limited to employees, workers, trainees, interns, seconded staff, agency staff, agents and volunteers.
4. This policy is not, and should not be confused with, a privacy notice (a statement informing data subjects how their personal data is used by CCAF). The privacy note is set out separately, further below.
5. This policy should be read in conjunction with the obligations in the following documents, which supplement this policy where applicable:
i. Information security policies, procedures and terms and conditions, which concern the confidentiality, integrity and availability of CCAF information, and which include rules about acceptable use, breach reporting, IT monitoring, and the use of personal mobile devices;
ii. Records management policies and guidance, which govern the appropriate retention and destruction of CCAF information;
iii. Any other contractual obligations on CCAF or individual staff which impose confidentiality or data management obligations in respect of information held by CCAF, which may at times exceed the obligations of this and/or other policies in specific ways.
1. CCAF is committed to complying with data protection law as part of everyday working practices and specifically in relation to the CCAF Regulator Knowledge Exchange Community Platform.
2. Complying with data protection law may be summarised as but is not limited to:
i. Understanding, and applying as necessary, the data protection principles when processing personal data (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality)
ii. Understanding, and fulfilling as necessary, the rights given to data subjects under data protection law (to be informed; access; rectification; erasure; restriction; data portability; and objection (including in relation to automated decision-making); and
iii. Understanding, and implementing as necessary, CCAF’s accountability obligations under data protection law (these include: implementing appropriate data protection policies; implementing data protection by design and default in projects, procurement and systems; using appropriate contracts with third party data controllers and data processors; holding relevant records about personal data processing; implementing appropriate technical and organisational security measures to protect personal data; reporting certain personal data breaches to the Information Commissioner’s Office; conducting Data Protection Impact Assessments where required; and ensuring adequate levels of protection when transferring personal data).
Roles and responsibilities
1. CCAF has a corporate responsibility as a data controller (or when acting as a joint data controller or a data processor) for:
i. Complying with data protection law and holding records demonstrating this;
ii. Cooperating with the Information Commissioner’s Office (ICO) as the UK regulator of data protection law; and
iii. Responding to regulatory/court action and paying administrative levies and fines issued by the ICO.
2. CCAF has a Data Protection Officer who is responsible for:
i. Advising CCAF on all aspects of its compliance with data protection law;
ii. Acting as CCAF’s standard point of contact with the ICO with regard to data protection law, including in the case of personal data breaches; and
iii. Acting as an available point of contact for complaints from data subjects.
3. Individual staff, as appropriate for their role and in order to enable CCAF to comply with data protection law, are responsible for:
i. Completing relevant data protection training;
ii. Following relevant advice, guidance and tools/methods provided by the Data Protection Officer depending on their role, regardless of whether access to and processing of personal data is through CCAF or University-owned and managed systems, or through their own or a third party’s systems and devices;
iii. When processing personal data on behalf of CCAF, only using it as necessary for their contractual duties and/or other CCAF roles and not disclosing it unnecessarily or inappropriately;
iv. Recognising, reporting internally, and cooperating with any remedial work arising from personal data breaches;
v. Recognising, reporting internally, and cooperating with the fulfilment of data subject rights requests;
vi. Only deleting, copying or removing personal data when leaving CCAF as agreed with their line manager and as appropriate.
4. Non-observance of the responsibilities in paragraph (3) may result in disciplinary action.
5. The roles and responsibilities in paragraphs (1) to (4) do not waive any personal liability for individual criminal offences for the wilful misuse of personal data under data protection law (these criminal offences include: unlawfully obtaining, disclosing or retaining personal data; recklessly re-identifying de-identified personal data without the data controller’s consent; deliberately altering or deleting personal data to prevent disclosure in accordance with data subject access rights; forcing a data subject to exercise their access rights; and knowingly giving false statements to the ICO).
Contact and date of last revision
This policy was last revised in March 2021.
Who to contact
For data protection and records management: firstname.lastname@example.org
For Freedom of Information requests and enquiries: email@example.com
How we use the Personal information of the CCAF Regulator Knowledge Exchange Platform Users
What information do we collect about you and how do we use it?
We use the information you have supplied to us to enable your registration on the Regulator Knowledge Exchange Community Platform (RKE), administration and user participation, granting you access to our programmes, research data, digital tools, alumni administration and communication, internal record keeping including, marketing and promoting CCAF and its activities and collaboration network programmes worldwide (where you have specifically consented to receiving this information), research participation, improving CCAF’s products and services or statutory and public interest purposes.
Who will your information be shared with?
We do not share your information with any third parties outside CCAF other than those who have a legitimate interest in it to enable your participation on the RKE, delivery and administration of all or part of our programmes, courses, research, initiatives or events or for alumni administration except with your explicit permission.
To make your interactions with us as efficient as possible we may share your information with a call-handling company which manages phone calls for us. We may also share your information with third parties if we are under a duty to disclose it in order to comply with any legal obligation. We do not sell any information to third parties.
How long is your information kept for?
Your information is stored for as long as may be necessary to fulfil the purpose(s) set out above. This will usually be at least one year following the last recorded transaction or interaction (unless consent is given for future marketing). For alumni and past attendees to our programmes we will keep a limited amount of information indefinitely as record of your completion of a programme or involvement with our work, unless you request us otherwise.
Where do we keep your information?
When you visit any of the webpages within the www.jbs.cam.ac.uk domain we hold certain information about you for service and security reasons.
How can your information be accessed?
You have the right to request a copy of the information that we hold about you. Please email firstname.lastname@example.org. We will respond within 30 days.
You may also ask us to restrict the processing of your information or delete or correct any information you think is inaccurate. This right can be exercised by ticking certain boxes on the forms that we use to collect information, through clicking on the “unsubscribe” link in our emails or by emailing us directly at email@example.com
How to make a complaint?
If you are not happy with the way your information is being handled, or with the response received from us, you have the right to lodge a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow SK9 5AF
Last updated March 2021
This document is reviewed when necessary and at least annually.