Barony Campus - Adverse Weather Warning

Closed to non residential students on Wednesday, 19th September. Barony Campus will be open on Thursday, 20th September.

Terms and disclaimer

Data Handling and Privacy Policy

SRUC is committed to protecting the privacy of its customers, students, alumni, faculty and staff, as well as protecting the confidentiality, integrity, and availability of information is important to our operations and mission. SRUC is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data.

Personal data means any information that can link back to a living individual such as name, address or e-mail address. Personal Information can be both in electronic format and paper based.

SRUC uses personal data for management, administration, commercial activities and research.

Where you are asked for your personal data, SRUC will provide you with a privacy notice. Privacy notices will clearly lay out the purposes for which your data will be used, who it will be shared with and how long it will be kept.

Scope

This policy has been established to ensure that SRUC complies with the Data Protection Act (“DPA”), General Data Protection Regulation (“GDPR”), and associated legislation such as the Privacy & Electronic Communications Regulations (“PECR”), the Regulation of the Investigatory Powers Act (“RIPA”), and the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulation.

The policy applies regardless of where the personal data is held and irrespective of IT systems that process personal data. It applies to all personal data held by SRUC, which includes personal data held by all departments and staff, irrespective of its format. Personal data "held" by us includes personal data created or received as well as personal data held by third parties on our behalf.

Responsibilities

SRUC is a Data Controller under the terms of DPA and GDPR. We determine the purpose for which, and the manner in which, personal data is to be processed. SRUC takes all appropriate measures to protect its systems and data against unauthorised or unlawful access or processing of personal data and against accidental loss, destruction, or damage to, personal data.

SRUC maintains a general "right of access" by an individual to their own personal data held by us and maintains its records in accordance with the regulatory environment.

Your rights as an individual

The DPA and GDPR provides the following rights for individuals:

The right to be informed

Individuals have the right to be informed about the collection and use of their personal data. We must provide you with information including: Why we process your data; how long we keep the data; who we will share it with, at the time we collect it from you.

The right of access

Individuals have the right to access their personal data and supplementary information. We will, on request, provide you with confirmation that your data is being processed, access to that data and any other supplementary information.

The right to rectification

Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. Requests for rectification can be made verbally or in writing. We will respond to such requests within one calendar month.

The right to erasure

Individuals have the right under certain circumstances to have personal data erased. Requests for erasure can be made verbally or in writing. We will respond to such requests within one calendar month.

The right to restrict processing

Individuals have the right under certain circumstances to request the restriction or suppression of their personal data. Requests for restriction of processing can be made verbally or in writing. We will respond to such requests within one calendar month.

The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services, and it allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability

The right to object

Individuals have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

Individuals must have an objection on “grounds relating to his or her particular situation”.

Rights in relation to automated decision making and profiling.

Individuals have the right to protection if we carry out solely automated decision-making that has legal or similarly significant effects on them. In these cases, you will be informed if your data is used in this way.

How to make a subject access request (SAR)

An individual has the right to access their personal information. Please note that if your enquiry is concerned with general information (and not information personal to you), then a Request for Information under the Freedom of Information (Scotland) Act is appropriate.

Individuals can request their information by emailing the Data Protection Office (contact below).

SRUC will respond to a SAR within 30 days and will inform you if, for any reason, it is anticipated that the response to the SAR will take longer to fulfil.

All SARs will be treated in the strictest confidence and will only be processed by authorised staff in relevant departments.

Only information which is considered to be personal data will be released under a SAR. The anonymity of other individuals or other information which is not considered to be personal data may be protected, as appropriate, by redaction or omission in accordance with the DPA

Retention and Disposal of Personal Data

DPA and GDPR state that personal data must not be kept for longer than is necessary based on the purpose for which it was initially collected, we will let you know how long this retention period is in our privacy notice for the service at the time of signing up.

The disposal of any documents containing personal data is undertaken securely and confidentially.

Complaints

Any complaints regarding the processing of personal data by SRUC should in the first instance be sent to the Data Protection Officer.

If a satisfactory resolution is not reached by the DPO, you have the right to appeal to the UK Information Commissioner, as the regulator of the Data Protection Act and GDPR.

Contacts

Data Protection Officer:
Email: dpo@sruc.ac.uk
Address: Scotland’s Rural College (SRUC), Peter Wilson Building, Kings Buildings, West Mains Road, Edinburgh EH9 3JG
Tel: 0131 535 4432

Freedom of Information Office:
Email: foi@sruc.ac.uk
Address: Scotland’s Rural College (SRUC), Peter Wilson Building, Kings Buildings, West Mains Road, Edinburgh EH9 3JG
Tel: 0131 535 4129

Information Commissioner's Office:
45 Melville Street Edinburgh EH3 7HL
Tel: 0303 123 1115
Email: scotland@ico.org.uk