Data Protection Training Policy
This policy was approved by University Executive Committee in March 2013.
Durham University is committed to providing adequate data protection training to its employees in order to help protect the rights and freedoms of individuals in accordance with the provisions of the Data Protection Act 1998.
All employees of the University (grades 3 and above) whose work involves accessing personal data shall:
- Be provided by HR with a copy of the University’s Data Protection Policy alongside their contract of employment and be required to confirm to HR that they have read and understood it;
- Be required to undertake the University’s online Data Protection, Freedom of Information, Records Management and Information Security training module and successfully pass the integral test within 4 weeks of receiving IT access. If an employee declines to undertake the module or repeatedly fails the test, HR will investigate and where the reason for this is deemed unacceptable by the Director of HR, the employee’s access to the University’s IT systems will be removed.
All employees whose work does not ordinarily involve accessing personal data and all employees who do not have a work email account shall receive a copy of the University’s Data Protection Act Awareness leaflet. This includes employees and casual workers on grades 1 and 2, drivers, cleaners, caretakers, catering assistants, maintenance supervisors and other maintenance workers, plant operatives, security officers and porters.
All casual workers (including students) and agency temps whose work involves accessing personal data shall be required to undertake the University’s online Data Protection, Freedom of Information, Records Management and Information Security training module as soon as possible after receiving IT access. If they are not to receive IT access then they should receive a paper version of the Data Protection, Freedom of Information, Records Management and Information Security training module. The onus is on supervisors to ensure that such casual staff and agency temps are aware of their responsibilities.
A general data protection training course shall be made available to all employees through HR’s Staff Training Programme.
Tailored group data protection training courses shall be made available to groups of employees, such as departments, colleges and professional support services.
This policy shall be reviewed and updated annually to ensure that it remains appropriate in the light of any changes to data protection law, organisational policies or contractual obligations.
 The Data Protection Act 1998 defines personal data as “data which relate to a living individual who can be identified:
- from those data, or
- from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”