Data Protection Policy
Updated 13 August 2025
Update Schedule
The Data Protection Policy (the “Policy”) is reviewed on an as-needs basis, but no less than once in any rolling 24-month period, and may be amended at any time. The Data Protection Office (“DP Office”) will continue to review the effectiveness of this Policy to ensure it is achieving its stated objectives. Recommendations for any amendments should be emailed to the DP Office (please refer to section 8 below for contact details).
Applicability
The requirements in this Policy apply to all permanent, temporary and contract workers employed or engaged by Student Loans Company Limited (“SLC”) (collectively hereinafter referred to as an “employee”) and to any 3rd party organisations while working or engaged on SLC business.
Compliance
Any employee found to have violated this Policy could be subject to disciplinary action, up to and including termination of their employment. At its sole discretion, SLC may require the removal from the service provision account of any employee of a 3rd party organisation contractually engaged on SLC business, who has been evidenced to have violated this Policy.
1. Overview
1.1 Introduction
1.1.1 Student Loans Company Limited (“SLC”, “we”, “us” and “our”) is a non-profit-making, Government-owned organisation set up to provide loans and grants to students in universities and colleges in the United Kingdom (“UK”).
1.1.2 The UK General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (together referred to as “Data Protection Legislation”) regulate the processing of personal data and protect the rights of the data subject.
1.1.3 As SLC processes personal data, we are registered as a data controller (Registration Number Z7261665) with the Information Commissioner’s Office (“ICO”). This means we are responsible for deciding how we hold and use personal data. In certain circumstances, we may act as a joint data controller (please refer to section 2.5 Purposes of Processing, which refers to SLC’s Privacy Notices for more detail).
1.1.4 Data Protection Legislation imposes restrictions on how we obtain, handle, store, destroy and process personal data.
1.2 Scope
1.2.1 This Policy applies to all data subjects in relation to whom SLC holds or has received personal data in order to carry out SLC functions.
1.3 Risk Appetite Alignment
1.3.1 The requirements of this Policy support the mitigation of risks within the Security risk category outlined in the SLC risk language.
1.3.2 Compliance with Policy requirements ensures that SLC continues to operate within its risk appetite, which is:
- Cautious appetite towards Security risks arising from a failure to prevent unauthorised and/or inappropriate access to the estate and information, including cyber security and non-compliance with Data Protection Act 2018 requirements.
1.3.3 A number of scenarios where a more granular risk tolerance applies are defined in the Security and Information Risk Appetite Statement, representing a greater or lesser appetite for risks posed by a specific system, process or asset.
1.4 Status of Policy
1.4.1 This Policy sets out SLC’s rules on data protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, and destruction of personal data.
1.4.2 SLC’s designated Data Protection Officer (DPO) is responsible for monitoring compliance with Data Protection Legislation and this Policy. Any questions or concerns about the operation of this Policy should be referred in the first instance to the DP Office (please refer to section 9 below for contact details).
1.4.3 If you consider this Policy has not been complied with, then you should raise the matter with SLC’s DP Office at DPO@slc.co.uk.
2. Data Protection Legislation
2.1 Background
2.1.1 Data Protection Legislation regulates the processing of personal data in order to protect the interests of the data subject.
2.1.2 This covers many data protection issues in detail, and therefore you may find that guidance covering some aspects of data protection is set out in more detail in separate SLC policies and guidelines referred to within this Policy.
2.2 Definitions
2.2.1 There are a number of key definitions used within Data Protection Legislation that are essential to understanding this Policy and SLC’s obligations under Data Protection Legislation.
- “data” – means information held electronically (eg. computers, personal organisers, laptops), manually or in paper form as part of a filing system.
- A “filing system” means any structured set of personal data accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
- “personal data” – means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Examples of personal data include name, telephone number, age, qualifications and employment history.
- “data controller” – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- “data processor” – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- “data protection officer” – the individual whose primary role is to ensure that their organisation processes the personal data of its employees, customers, providers or any other data subjects in compliance with the applicable Data Protection Legislation.
- “data subject” – means an identified or identifiable natural person. Data subjects may include employees, contractors, customers, job applicants, candidates and suppliers; and the data processed may relate to present, past and prospective data subjects.
- “processing” – means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Process” and “processed” will be construed accordingly.
- “special category data” – means racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
2.3 Data Protection Principles
2.3.1 SLC has a duty to ensure that all personal data (however collected) is processed in accordance with the below data protection principles, as detailed in Data Protection Legislation.
2.3.2 Personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, be kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’); and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2.4 Special Category, Criminal Convictions Data and SLC Sensitive Information
2.4.1 SLC employees may in certain circumstances become privy to special category and criminal convictions data.
2.4.2 Data Protection Legislation states that special category data should only be collected, processed, or disclosed in very specific circumstances eg. explicit consent, as it is recognised that the processing of this data may create significant risks to the data subject’s rights and freedoms.
2.4.3 Criminal record data is not special category data; it does, however, have protections under Data Protection Legislation.
2.4.4 SLC Sensitive Information - SLC may also store and process information that does not meet the definition of special category data but is deemed sensitive and therefore requires additional handling arrangements, for example bank and financial details and interview transcripts.
2.5 Purposes of Processing
2.5.1 Please see the applicable Privacy Notice for information in relation to the purpose for which personal data is processed.
2.6 Data Retention
2.6.1 Please see the Records Management Policy for more detail in relation to the period for which personal data is retained.
2.7 Rights of the Data Subject
2.7.1 Data Protection Legislation establishes rights for data subjects with regard to the processing of their personal data i.e., their right to:
- be informed about the collection and use of their personal data;
- obtain access to their personal data (please refer to section 5 for more detail);
- request to have certain personal data corrected, or completed if it is incomplete;
- have personal data erased;
- request certain personal data is restricted from processing. This enables the data subject to ask us to suspend the processing of personal data about the data subject, where for example the data subject wants us to establish its accuracy or the reason for processing;
- data portability, allowing individuals to obtain and reuse their personal data for their own purposes across different services;
- object to the processing of their personal data;
- be informed about any automated decision-making activity (including profiling);
- complain to the appropriate supervisory body eg. the Information Commissioner’s Office; and
- withdraw consent to personal data being processed (where consent is being relied upon by SLC).
2.7.2 Further information on these rights (including how to exercise these rights), is available to view via .
3. Changes to Personal Data
3.1 Accuracy of Personal Data
3.1.1 SLC is required to maintain accurate records of the personal data it processes. The accuracy of personal data is checked at regular intervals, and it is in your interest to keep your personal data up to date e.g., by updating your address when you have moved.
3.2 Changes to Personal Data
3.2.1 To assist SLC with its obligation to maintain accurate records, if a data subject’s personal data changes, then this can be updated through one of the following channels:
- a customer can confirm/update their personal data using the self-serve online portal. If they are unable to access this portal, then they can contact the appropriate support team using Contact SLC via SLC Home Page/Gov.UK;
- an employee can update their personal data using the internal employee system;
- a contractor can’t update their details through the employee self-serve function, so they should contact the People department or their agency;
- a supplier should contact their relevant business contact within SLC; and
- data subjects who do not fall within one of the aforementioned categories should visit the SLC Internet web pages and choose their most appropriate contact channel.
4. Data Sharing
4.1 Sharing and Transferring of Personal Data
4.1.1 We may need to share personal data with some third parties, including our service providers. When this occurs, SLC requires third parties to respect the security of that data and to treat it in accordance with Data Protection Legislation.
4.1.2 SLC will only transfer personal data outside of the European Economic Area (“EEA”) in limited circumstances. When this occurs, SLC will ensure that adequate technical and organisational safeguards are in place, so that any personal data transferred remains secure and is protected.
5. Data Subject Access Requests (“DSARs”)
5.1 Contact Points for DSARs
5.1.1 Individuals that SLC holds personal data about have the right to request a copy of their data, by phone, online eg. social media or in writing.
5.1.2 Customers or individuals who are not SLC employees can submit a request using the Customer or Sponsor DSAR form, and send to the address or email below:
Data Subject Access Requests
Verification Operations
Student Loans Company
10 Clyde Place
G2 7JD
Email: dsr_slc@slc.co.uk
5.1.3 Employees/Former Employees can submit a request using the available on the SLC intranet (accessible to SLC employees only) or contact People_DSAR_Team@SLC.co.uk
6. Security Breaches
6.1 Notification of Security Breaches
6.1.1 A security breach (which may also be referred to as a personal data breach) is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
6.1.2 If you become aware of a security breach or believe an event may constitute a security breach, you should raise this matter immediately by following the standard SLC complaints procedure.
7. Enforcement
7.1 ICO enforcement and Escalation
7.1.1 The ICO has certain enforcement powers provided under Data Protection Legislation, and may serve information, reprimands, enforcement or monetary penalty notices on an organisation, where it considers Data Protection Legislation has been breached.
7.1.2 Data Subjects have the right to make a complaint to the ICO in relation to SLC’s processing of personal data, by writing to:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Emailing: icocasework@ico.org.uk; or
Calling: 0303 1231113 7.1.3
Live Chat:
Raising a Data Breach:
8. Contact Details
For further guidance on this Policy please contact SLC’s DP Office at:
Data Protection Office
Student Loans Company
10 Clyde Place
Glasgow
G2 7JD
or email: DPO@slc.co.uk
9. Related Documents
This document forms an essential part of SLC’s overall policy framework and should be read in accordance with all relevant related documents, including: