Data Protection Policy

1) Introduction

The Paul Mellon Centre needs to keep certain personal data and sensitive personal data in order to fulfil its purpose. This includes, but is not limited to, personal data about staff, Grant and Fellowship applicants, Yale in London students, event contributors and attendees, researchers, scholars, authors, private owners and others. The provisions of the Data Protection Act (DPA), 1998 which came into force on 1 March 2000, gave the Centre a legal duty to ensure that this personal information was collected and used fairly, stored safely and not disclosed to any other person or organisation unlawfully. The purpose of the DPA was ‘to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy’ and in doing so it also provided data subjects (ie. individuals about whom personal information/sensitive personal information is processed) increased protection through express new rights. The General Data Protection Regulation (GDPR) replaced the DPA on 25 May 2018. The GDPR’s aim is to strengthen and unify data protection for all individuals within the European Union. It also addresses the export of personal data outside the EU. 

2) Scope

The aim of this policy is both to ensure that all staff are aware of their particular responsibilities in relation to the GDPR; and to inform all individuals engaging with the Centre of how it complies with the legislation. It is also to minimise the risk of the Centre breaching the Regulation; thereby potentially damaging valued relationships with staff; stakeholders and audiences, as well as its reputation.

This policy covers all personal data and sensitive personal data held in electronic format or in manual filing systems that is processed by the Paul Mellon Centre. (For definitions see below).

It applies to all individuals working for the Centre in whatever role. This includes permanent and contracted staff, as well as temporary employees; volunteers; interns etc.

This policy is complementary to the Centre’s Archives & Records Management and Information Technology policies. 

3) Definitions

Under the terms of the GDPR:

  • Personal datameans information about a living person who can be identified from that information.
  • Sensitive personal datais a subset of personal data, which the GDPR calls ‘special categories of personal data’. Sensitive personal data includes data revealing an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, and data relating to health. The processing of sensitive personal data is subject to tighter controls than other, less sensitive, personal data.
  • Data subjectmeans the individual about whom the personal data/sensitive personal data is held.
  • Processingmeans obtaining, holding, organising, retrieving, altering etc. In fact virtually any activity concerned with the data constitutes processing.
  • Electronic formatmeans data held as any type of electronic record. e.g. Microsoft Word documents, e-mails, in database, digital images and recordings etc.
  • Manual filing systemsmeans a filing system in which information about individuals is accessible according to specific criteria. For example, files ordered alphabetically by name (staff files) or by which there is another point of access (eg. grants and fellowship records etc.). It does not apply to incidental references to individuals in files structured by reference to topics not relating to those individuals. 

4) Relevant legislation

The Centre’s responsibilities in relation to data protection are determined by the General Data Protection Regulation (Regulation (EU) 2016/679), the UK Data Protection Act 2018, and any related data protection legislation made under those laws.

5) Statement of Principles

The Paul Mellon Centre is committed to the seven Data Protection Principles contained in the General Data Protection Regulation. These represent the minimum standards of practice for any organisation with respect to personal data/sensitive personal data and state that it must be: 

  1. processedlawfully, fairly and in a transparent manner
  2. collected for specified and legitimate purposes and not further processed in a manner incompatible with those purposes
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. accurate and, where necessary, kept up to date
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures. 
  7. The controller shall be responsible for, and be able to demonstrate, compliance with the GDPR (known as the “accountability” principle)

6) Rights of Data Subjects

The GDPR gives data subjects certain rights in relation to the processing of their personal data by the Centre, which are as follows:

  1. The right to be informed about processing
  2. The right of access
  3. The right to rectification (in certain circumstances, where data is incorrect)
  4. The right to erasure (in certain circumstances, depending on the legal bases for processing)
  5. The right to restrict processing (in certain circumstances)
  6. The right to data portability
  7. The right to object on grounds relating to the individual’s specific situation
  8. Rights in relation to automated decision making and profiling

None of these rights are absolute or unqualified and the Centre may be permitted (or required) to refuse requests from data subjects to exercise these rights where exceptions or limitations apply.

In accordance with these rights, the Centre is committed to providing clear and transparent privacy notices at the point of data collection.

Any individual data subject, including a member of staff, has the right to ask what information the Centre holds about them and why this is being held. 

If an access request is received by any other members of staff it should be forwarded to the Data Protection Manager as soon as possible.

The Centre will comply with requests for access to personal information as quickly as possible. In compliance with the law, this will always be at the latest within 40 calendar days of receipt of a request, even if this is just to send a ‘holding’ response, to clarify the scope of the request, or send a first batch of personal information to which the data subject is entitled.

7) Accountability and Governance

The Paul Mellon Centre is committed to the accountability principle contained in the GDPR.

This requires the Centre to demonstrate compliance by ensuring it has in place, for example, a Data Protection Policy (i.e. this document), staff training, internal audits, transparent privacy notices and regular reviews of HR policies. 

8) Responsibilities

The Board of Governors of the Centre is the Data Controller. The Data Controller is the legal entity who must comply with the GDPR and ensure that its provisions are upheld in all processing across the Centre. For example, the Board of Governors is responsible for implementing appropriate technical and organisational measures that ensure the integrity and confidentiality of personal data. The Board of Governors has primary and ultimate responsibility for compliance with the GDPR at the Centre.

The Director of Studies is responsible for promoting accountability and compliance with GDPR within the Centre.

The Data Protection Manager is responsible for developing and implementing a strategy for Data Protection legislation adherence across the institution. Working with the Director and relevant staff they are also responsible for implementing data protection policies, internal audits, privacy notices, staff training, and other relevant procedure. They will act as the first point of contact for all internal and external queries and are responsible for seeking legal advice where necessary and reporting any breach to the Information Commissioner’s Office. 

Line Managers are responsible for ensuring that all processing in their area complies with the provisions of the GDPR. In particular they are responsible for liaising with the Data Protection Manager to ensure that in their area transparent privacy notices are included at all points of personal data/sensitive data and that any contracts or agreements with external contractors processing personal data/sensitive personal data on the Centre’s behalf are compliant with the GDPR. They are also responsible for notifying the Data Protection Manager of any significant changes to data processing that may require a change to Centre policy, training etc.

The HR Manager is responsible for ensuring that appropriate guidance and training on compliance with the GDPR is made available to all staff engaged in the processing of personal data/sensitive personal data. They have delegated responsibility from the Data Controller to ensure that staff personal data is processed in accordance with the GDPR.

Archive and Records Management staff are responsible for determining retention periods for records.

Staff who process personal data/sensitive personal data in the course of their work are responsible for ensuring compliance with the GDPR and this Data Protection Policy in their area of work. It is their responsibility to be aware of the GDPR’s data processing principles (see section 5 above) and to raise any concerns about how personal data/sensitive personal data is collected and managed in their line manager. The Centre will ensure they are given appropriate training to fulfil this responsibility.

All external data processors processing personal data/sensitive personal data on behalf of the Centre (i.e. third parties) are contractually required to comply with the GDPR and associated codes of practice. Line Managers, in conjunction with the Data Protection Manager, are responsible for ensuring that this is upheld (see above).

9) Procedures

The Centre will organise training for all new staff and annual training for staff regularly processing personal data/sensitive data. Additional best practice procedures are available on the shared drive. 

10) Breach

Breach of the General Data Protection Regulation can have serious consequences for the Centre and the Centre will regard wilful or reckless breach of this policy as a disciplinary offence and such breaches will be subject to the Centre’s disciplinary procedures.

It is the duty of all members of staff to flag immediately to their line manager and the Head of Finance and Administration any matter arising which involves, or is thought to involve, a breach of the GDPR. Any serious breach will be reported to the Trustees of the Paul Mellon Centre. 

11) Review

This policy will be reviewed every two years.

Next review: May 2020.

12) Date of Approval

Approved by the Director of Studies on 25 June 2018.

13) Updates

Published 26 June 2018.