Appendix 1
PROTOCOL FOR SUBMISSION AND PROCESSING OF SENSITIVE DATA
This Protocol has been constructed to ensure that the Kent and Medway Progression Federation complies with the
requirements of the Data Protection Act 1998 (‘the Act’).
Background to Protocol
The Kent & Medway Progression Federation (from this point forward referred to by the acronym KMPF) is hosted by Canterbury
Christ Church University as the lead banker institution. As a result, all information hosted and processed by KMPF regarding
employees, students, and other data subjects for academic, administrative and commercial purposes must be in accordance
with the hosting institution’s Data Protection Policy, which in turn, needs to comply with the Data Protection Act 1998 (‘the
Act’).
The Act applies to data held in manual paper files as well as on electronic systems. To comply with the Act, information must be
collected and used fairly, stored safely and only disclosed lawfully to a third party.
When handling such information, KMPF, and all staff or others who process or use any personal information on its behalf, must
comply with the Data Protection Principles set out in the Act. In summary, these state that personal data shall be:
i.
ii.
iii.
iv.
v.
vi.
vii.
viii.
processed fairly and lawfully
obtained for specified and lawful purposes and not further processed in a manner incompatible with those purposes
adequate, relevant and not excessive
accurate and, where necessary, up to date
kept for no longer than necessary
processed in accordance with data subjects’ rights
protected by appropriate security
not transferred to a country outside the European Economic Area without adequate protection
KMPF, and all staff or others who process or use any personal information, must ensure that they follow these principles at all
times.
Protocol Objectives
This protocol has been established to meet the commitment to item v.i protected by appropriate security listed above. It is
concerned with the handling of sensitive information related to KMPF and the processes outlined below:
1.
2.
3.
4.
5.
The submission of sensitive information (including emails, forms, folders, invoices) to the KMPF Core Team1
electronically, in person or through postal delivery.
The storage of sensitive information held in manual paper files as well as on electronic systems
The distribution of this sensitive information to third parties either in person (e.g. through the distribution of reports at
meetings), by post or electronically (e.g. by e-mail or through a designated website)
The disposal of sensitive information.
KMPF policy towards employees with access to sensitive information related to the project.
The protocol also details the responsibilities of all parties; KMPF and partner Higher Education Institutions (HEIs), partner
Further Education Colleges (FECs) and partner schools who from this point forward shall be referred to under the collective
term; KMPF partners.
While all KMPF partners will sign their agreement to this protocol, this in no way overrides alternative agreements that might be
made between individual partners. The aim is always to ensure that information collected and distributed by KMPF is secure at
all times.
1
Referred to throughout this document as all KMPF Core Team offices and employees located at the Hall Place campus respectively.
The nature of sensitive information on the Kent & Medway Progression Federation
Sensitive information relating to KMPF includes student baseline forms, post activity questionnaires, activity attendance records
or any other form containing the following details:
1.
2.
3.
4.
5.
6.
7.
Full Name
Date of Birth
School Name
Parental Educational background
Ethnicity
Postcode
Disability
Sensitive information does not include KMPF Activity Record Forms.
The submission of sensitive information to the KMPF Core Team office.
This section concerns the submission of sensitive information either electronically, by post or in person to the KMPF Core Team.
KMPF partners should be aware that the security and safe storage of sensitive information specific to KMPF is the
responsibility of the submitting KMPF partner. This responsibility shall be maintained up to the point that written
acknowledgement of receipt (either in receipt or e-mail form) of the information submitted is issued by the KMPF Core Team.
Postal submission of KMPF sensitive information
1. A KMPF partner wishing to submit information of a sensitive nature (e.g. Student Name, Date of Birth, School, parental
background in HE) by post shall do so using a system that provides a written record of delivery (e.g. Royal Mail Special
Delivery or Recorded Signed For).
2. Under no circumstances should sensitive information be submitted by regular post by a KMPF partner.
3. A KMPF partner, when submitting sensitive information by post, shall make sure that it is clearly labelled to show which
College, Academy or School has sent it and will include the name of the sender.
Submission in person of KMPF sensitive information
1. Whilst recorded delivery is KMPF’s preferred method of submission, KMPF partners shall continue to submit sensitive
information in person to the KMPF Core team where appropriate.
2. However, KMPF partners must be aware that the responsibility for this sensitive information shall remain with the
submitting institution up to the point that written acknowledgement of receipt (either in receipt or e-mail form) of the
information submitted is issued by the KMPF offices. This responsibility includes maintaining the secure storage of this
sensitive information in compliance with the Data Protection Act at all times (including in transit).
The receipt and storage of sensitive information by KMPF offices and KMPF partners
1. As soon as sensitive information is received by the KMPF offices, a written acknowledgement of receipt shall be issued
to the submitting KMPF partner. Depending on the method of submission this shall either take the form of a written
receipt (if the information is handed in person) or a confirmation by e-mail.
2. Both the submitting and receiving party shall keep a copy of this receipt for future reference.
3. The KMPF partner shall be responsible for the secure storage of any sensitive information related to the KMPF project
prior to its submission to KMPF offices.
4. Once received, it shall be the responsibility of KMPF offices to ensure that sensitive information is logged by an
appropriate member of staff to ensure that accurate records are maintained and available on request (e.g. audit
purposes).
5. Similarly, once in receipt of sensitive information from a KMPF partner, it shall be the responsibility of the KMPF Core
Team to ensure that any sensitive information that is either awaiting processing or has been processed is stored in a
secure location.
6. Sensitive information relating to the former Aimhigher project is stored on the electronic HEAT database and will be
shared with HEAT administrators for the sole purpose of research.
7. The database is password protected and different permission levels are set up to ensure only a small number of named
database users have access to sensitive information at Area Administration level. KMPF has a list of all the users located
in the Kent and Medway area who have access to sensitive information through the HEAT database and their
permission level.
8. All new and existing KMPF staff that have access to sensitive information relating to the project shall be made aware of
the conditions of this protocol and sign a confidentially agreement with KMPF which shall be kept on file.
9. KMPF Partners shall add to participant information and activities on the HEAT database but must not change or delete
student records or activities without discussion with the KMPF Core Team.
The distribution of this sensitive information to third parties
1. KMPF participant details may be shared with colleagues and educational partners involved in KMPF, including the
Higher Education Access Tracker (HEAT), HEFCE, UCAS, Higher Education Statistics Agency, the DfE and the Data Service
but personal information will not be disclosed unless absolutely necessary and only for the purposes of monitoring and
evaluating the programme or where there is a clear legal requirement to provide information.
2. We shall ask school partners to communicate the recording of sensitive data and data protection regarding student
participants with parents. Parents and students can opt out of student data recording and data sharing if they wish to
do so.
The disposal of sensitive information
1.
Sensitive information kept in paper form shall be destroyed one year after the information has been electronically
recorded. The paperwork must either be shredded or arrangements made for a special collection by Canterbury
Christ Church University by those responsible for the safe destruction of confidential waste. Records of destruction
are kept by Canterbury Christ Church University.
2.
Sensitive data stored electronically shall only be deleted once approval has been sought from the KMPF
Supervisory Directorate.
3.
The KMPF Core Team shall retain a written summary of the sensitive data destroyed either physically or
electronically. The summary shall contain details of data type e.g. questionnaire, baseline student data, the
sensitive data held within it e.g. Date of Birth, home address, the time period the data refers to and the quantity.
The summary shall be produced on request by appropriate bodies (e.g. funding councils).
Appendix 2
University of Kent
Disclosure and Barring
DBS Policy and procedures: Students in outreach settings (updated 2016)
Policy
The University of Kent employs current undergraduate and postgraduate student ambassadors to support outreach activities
within schools, colleges and community settings. These ambassadors undertake a combination of supervised and regular
unsupervised activity.
In order to comply with government policy the University of Kent performs Disclosure and Barring Service checks on all
ambassadors.
All schools, colleges and community venues that are in formal partnerships with the University are required to sign a
Memorandum of Association which includes the University of Kent DBS policy. Where less formal arrangements exist, the
University requests that institutions observe our DBS policy which complies with statutory guidance on the safeguarding of
children in education.
By working with the University of Kent the school, college or outreach venue accepts that all visiting ambassadors have
undertaken the appropriate safeguarding checks. All student ambassadors are fully screened by the University. Where an
offence is disclosed a decision regarding the individual’s suitability to work is made on a case-by-case basis following established
University procedure.
To avoid contravening legislation and the Data Protection Act 1998 which protects sensitive information including ‘the
commission or alleged commission of any offence1’, the University does not permit schools or colleges to request to view,
photocopy or scan the DBS certificate. The University is unable to distribute sensitive information including the disclosure
number.
Procedure
The following outlines our procedure with regard to carrying out DBS checks and the appropriate disclosure of this information
to third parties.
1.
2.
3.
The students that we employ to work in outreach settings on a regular and unsupervised capacity are all DBS checked.
If there is no communication from the University about an individual student the hosting outreach institution can be
assured that the individual has been approved for employment.
Where a disclosure indicates that a student has a record that does not directly involve the safeguarding of children we
will take the following steps:
3.1 We will discuss the disclosure with the applicant.
3.2 If they wish to proceed with their application to work in schools we will then gain their consent to share the
relevant details of their Disclosure with the Headteacher / Head of programme/provision on a confidential basis.
3.3 The Headteacher/appropriate Head will be asked to use their discretion as to whether they will allow the
student to work in their school/other setting. We ask that the decision is put in writing so that the University can
maintain an accurate and confidential record.
4. Any student with any recorded offence deemed to relate to the safeguarding of children will NOT be allowed to work in
schools, colleges or with vulnerable adults.
1
http://www.legislation.gov.uk/ukpga/1998/29/contents
Keeping children safe in education: statutory guidance for schools and colleges: September 2016
The University’s policy regarding DBS checks on its student ambassadors complies with statutory advice regarding the use by
schools of agency and third-party staff. The guidance states (part 3, point 116) that:
Schools and colleges must obtain written notification from any agency, or third-party organisation they use that the
organisation has carried out the checks (in respect of the enhanced DBS certificate, written notification that confirms
the certificate has been obtained by either the employment business or another such business), on an individual who
will be working at the school or college that the school or college would otherwise perform. Where the position
requires a barred list check, this must be obtained by the agency or third-party prior to appointing that individual. The
school must also check that the person presenting themselves for work is the same person on whom the checks have
been made.2
2https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/550511/Keeping_children_safe_in_education.pdf
Canterbury Christ Church University
Disclosure and Barring Service
Policy statement on the use of DBS Disclosures and job applicants with convictions.
Introduction
This document outlines the policy of Canterbury Christ Church University on the employment of ex-offenders and is made
available, prior to interview, to all applicants for whom a Disclosure and Barring Service (DBS) Disclosure (formerly known as a
Criminal Records Bureau (CRB) Disclosure) will be required, as well as to any existing member of staff for whom a Disclosure
Check is requested.
A DBS Disclosure Check is a document containing information held by the police and government departments, which gives
details of a person's criminal record including convictions, cautions, reprimands, final warnings or other non-conviction
information. Disclosures are provided by the DBS, an executive non-departmental public body of the Home Office. The
University makes use of the DBS Disclosure service as part of the recruitment process to assess a candidate's suitability for
certain posts such as those involving contact with children or other vulnerable groups. This Disclosure service may also be used
to check existing members of staff, where this is considered to be relevant and appropriate by the University.
As an organisation using the DBS Disclosure service to assess applicants' suitability for positions of trust, the University complies
fully with the DBS Code of Practice and undertakes not to discriminate unfairly against any subject of a Disclosure on the basis of
conviction or other information revealed.
The University's Disclosure Policy
Unless the nature of the position applied for allows the University to ask questions about an entire criminal record, we will only
ask about 'unspent' convictions as defined in the Rehabilitation of Offenders Act 1974 in the recruitment process.
It is University policy to require applicants to disclose all "spent" and "unspent" criminal convictions as part of their application
for any job or profession which is excluded under the Act (see 'Excluded Jobs and Professions' below).
Canterbury Christ Church University reserves the right to request a Disclosure for any current or prospective employee where it
considers it to be a reasonable measure for the protection of the interests of the University (e.g. security, financial, protection of
the student body). Normally, however, a Disclosure will only be requested where it is relevant to the position concerned, such as
posts where appointees are involved in caring for, training, supervising or being in sole charge of young people under the age of
18, or of vulnerable adults.
For such appointments all further particulars will contain a statement explaining that a Disclosure will be requested in the event
of an individual being offered the position. Any subsequent offer of employment would be made subject to receipt of a DBS
disclosure which is satisfactory to the University.
Where a prospective or existing member of staff has an offence revealed by a DBS disclosure, the University would consider the
relevance of the offence to the position applied for or held at the University and the provisions of the Rehabilitation of
Offenders Act 1974.
The Rehabilitation of Offenders Act 1974
Spent and Unspent Conviction
The Rehabilitation of Offenders Act 1974 was introduced to prevent people being discriminated against in their employment
because of an offence committed in their past. For employers, this means that people whose convictions are "spent" should be
treated as rehabilitated and as if their conviction had never taken place.
However, there are certain sentences excluded from rehabilitation under the Act which are never considered 'spent'. These are:


A sentence of life imprisonment
A sentence of preventive detention

A sentence of imprisonment, youth custody or corrective training for a term exceeding 30 months
Excluded Jobs and Professions
There is also a list of excluded jobs and professions under the Rehabilitation of Offenders Act 1974 which means that for certain
types of employment it is lawful to reject a person for employment on the grounds of a spent conviction. When making an
application for one of the excluded job categories, job applicants are obliged to disclose all convictions, whether or not they are
spent.
The relevant excluded job categories within the University include:





Medical practitioner, nurse, midwife
Medical laboratory technician
Radiographer, occupational therapist, physiotherapist
Health services personnel
Posts involving schooling or other dealings with young people
Declaring Previous Unspent (and Spent) Convictions at the Point of Application for a Post at the University
Applicants for all posts at the University are required to disclose previous unspent convictions, and for all 'excluded posts' (see
definitions above) to previous spent and unspent convictions, at the point of application.
In such cases, the applicant (or employee, if the person is already in post) should provide this information using the form
enclosed with the application pack under separate cover to the Director of Human Resources & Organisational Development at
Canterbury Christ Church University, Rochester House, St George's Place, Canterbury, Kent CT1 1UT. The information will only be
made available to those persons who need to see it as part of the recruitment process. It is the University's policy to seek a
Disclosure Certificate via the DBS even where an applicant has made details of their criminal record known to the University at
an earlier stage.
Where an individual has disclosed a conviction in his or her application for a post at the University or a conviction is revealed
through a Disclosure, a discussion will take place with the applicant regarding the offence and its relevance to the position.
Failure to reveal information relating to unspent convictions (and also spent convictions in the case of 'excluded' occupations)
could lead to withdrawal of an offer of employment/termination of employment.
The University will not discriminate unfairly against applicants with a criminal record. Having a criminal record will not
necessarily bar an applicant from working for the University: the nature of a disclosed conviction and its relevance to the post in
question, will be considered.
Validity / Expiry of Disclosure Information
A DBS disclosure obtained for a position with another organisation cannot be re-used for any position being applied for at CCCU.
The Disclosure Certificate is valid for the date of issue only, as it represents information available to the DBS on that date only.
Storage, Use, Retention and Disposal of Disclosures and Disclosure Information
General principles
As an organisation using the DBS Disclosure service to help assess the suitability of applicants for positions of trust, Canterbury
Christ Church University complies fully with the DBS Code of Practice regarding the correct handling, use, storage, retention and
disposal of Disclosures and Disclosure information. It also complies fully with its obligations under the Data Protection Act 1998
and other relevant legislation pertaining to the safe handling, use, storage, retention and disposal of Disclosure information and
has a written policy on these matters, which is available to those who wish to see it on request.
Storage & Access
Disclosure information is never kept on an applicant's personnel file and is always kept separately and securely, in lockable, nonportable, storage containers with access strictly controlled and limited to those who are entitled to see it as part of their duties.
Handling
In accordance with section 124 of the Police Act 1997, Disclosure information is only passed to those who are authorised to
receive it in the course of their duties. We maintain a record of all those to whom Disclosures or Disclosure information has
been revealed and we recognise that it is a criminal offence to pass this information to anyone who is not entitled to receive it.
Usage
Disclosure information is only used for the specific purpose for which it was requested and for which the applicant's full consent
has been given.
Retention
Once a recruitment (or other relevant) decision has been made, we do not keep Disclosure information for any longer than is
absolutely necessary. This is generally for a period of up to six months, to allow for the consideration and resolution of any
disputes or complaints. If, in very exceptional circumstances, it is considered necessary to keep Disclosure information for longer
than six months, we will consult the DBS about this and will give full consideration to the Data Protection and Human Rights Act
before doing so. Throughout this time, the usual conditions regarding safe storage and strictly controlled access will prevail.
Disposal
Once the retention period has elapsed, we will ensure that any Disclosure information is immediately suitably destroyed by
secure means, i.e. by shredding, pulping or burning. While awaiting destruction, Disclosure information will not be kept in any
insecure receptacle (e.g. waste bin or confidential waste sack). We will not keep any photocopy or other image of the Disclosure
or any copy or representation of the contents of a Disclosure. However, notwithstanding the above, we may keep a record of
the date of issue of a Disclosure, the name of the subject, the type of Disclosure requested, the position for which the Disclosure
was requested, the unique reference number of the Disclosure and the details of the recruitment decision taken.
Responsibility for ensuring these processes are adhered to rests with the HR&OD Operations Manager.
Other Information
We ensure that all those at the University who are involved in handling Disclosure information as part of the recruitment
process have been suitably briefed to identify and assess the relevance and circumstances of offences. We also ensure that they
have received appropriate briefing in the relevant legislation relating to the employment of ex-offenders, e.g. the Rehabilitation
of Offenders Act 1974.
We make every subject of a DBS Disclosure aware of the existence of the DBS Code of Practice and will make a copy available on
request.
The University will cover the full cost of a Disclosure Application.
Equality of Opportunity
The University is committed to promoting equality, diversity and an inclusive and supportive environment for students, staff and
others closely associated with the University. The University seeks to ensure that people are treated equitably regardless of their
gender, race, colour, ethnic or national origins, age, disability, socio-economic background, religious or political beliefs and
affiliations, marital status, family responsibilities, sexual orientation or other inappropriate distinction. The University's policies
on Equal Opportunities and Race Equality provide further information.
We actively promote equality of opportunity for all with an appropriate mix of talent, skills and potential and welcome
applications from a wide range of candidates, including those with criminal records. We select all candidates for interview based
on their experience, qualifications, skills and knowledge as indicated on their application form or curriculum vitae.
Useful Links
DBS Code of Practice (also available from HR&OD on request)
DBS Website
Human Resources & Organisational Development, April 2009 (Revised May 2013)
University for the Creative Arts
Disclosure and Barring
The document is undergoing a review and will be made available on the Kent and Medway Progression Federation
website:.http://kmpf.org/ in due course.