Purpose & Scope

• This policy covers all Institute activities and processes in which personal data is used, whether in
electronic or hard copy form.
• This policy applies to all members of the Institute including staff, students and others acting for,
or on behalf of, the Institute or who are otherwise given access to the Institute’s information
infrastructure.
• This policy takes precedence over any other Institute policy on matters relating to data
protection.

Definitions

The following terms are defined in data protection legislation:
• Personal data – any information relating to an identifiable person who can be directly or indirectly
identified, in particular by reference to an identifier (e.g. name, identification number, location data or
online identifier).
• Special category personal data – the following types of personal data (specified in data protection
legislation) which are particularly sensitive and private in nature, and therefore more likely to cause
distress and damage if compromised:
o Racial or ethnic origin
o Political opinions
o Religious or philosophical beliefs
o Trade union membership
o Health related conditions (physical or mental health)
o sexual orientation
o Commission or alleged commission of any criminal offence
o Genetic data
o Biometric data, where processed to uniquely identify an individual
• Data subject – the individual to whom the personal data relates
• Data controller – determines the purposes and means of processing personal data
• Data processor – responsible for processing personal data on behalf of a controller
• Data breach – a security incident that affects the confidentiality, integrity or availability of personal
data.
A data breach occurs whenever any personal data is:
o lost;
o corrupted;
o unintentionally destroyed or disclosed;
o accessed or passed on without proper authorisation; or made unavailable and this unavailability has a
significant negative effect on the data subjects

Policy

Overseas Industrial Technical Institute is committed to complying with any legislation enacted in respect
of the protection of personal data (together “data protection legislation”).
To do this, the Institute will:
a) Only use personal data where strictly necessary, and will rely on an appropriate lawful basis for
processing personal data
b) Inform data subjects of the lawful basis and explain the purpose and manner of the processing in the
form of privacy notices and other similar methods
c) Keep personal data secure and manage incidents effectively when things go wrong
d) Observe the rights of individuals under data protection legislation
e) Ensure staff are trained appropriately in managing personal data
f) Ensure that records containing personal data are managed effectively
g) Only share personal data with third parties where adequate standards of data protection can be
guaranteed and, where necessary, contractual arrangements are put in place
h) Implement comprehensive and proportionate governance measures to demonstrate compliance with
data protection legislation principles

Roles and responsibilities

Individuals must ensure any personal data they handle is processed in accordance with this policy and
the data protection legislation principles.
The Senior Management Team/Director is responsible for approving this policy.
The Director is responsible for:
• Informing and advising the Institute of its data protection obligations
• Monitoring compliance
• Awareness-raising and training of staff involved with processing operations
• Undertaking internal audits of data protection
• Providing advice on data protection impact assessments
Heads of Services are responsible for ensuring awareness of, and compliance with, this policy in their
respective areas.
The Information Compliance team is responsible for:
• Maintaining this policy
• Providing guidance, support, training and advice on data protection compliance
• Processing all subject access requests for the Institute
• Supporting the responsibilities of the Data Protection Officer
The Security Review Group is responsible for managing information security across the Institute. The
purpose of the group is to review the information security landscape (both digital and physical), assess
the Institute’s performance and readiness, and ensure risk reduction, remediation and response.