Privacy Governance

Privacy Governance


1. Contact details of the Data Protection Officer (DPO)

The data protection officer for the Practice Assessment Record and Evaluation project is:

Rob Dawson BA (Hons), MA, MAUA
Data Protection Officer

University of Chester
Parkgate Road
Chester
CH1 4BJ

2. The legal basis for processing the data are:

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
And
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

3. The categories of personal data to be processed are:

1. Students:

Student ID Number; Forename; Surname; email address*; Programme of study; Cohort Year; Username**; placement provider, location and placement dates


*A PARE system generated email will be sent to the user’s email address inviting them to authentication their account and set an encrypted password.


**Student’s education provider email address will be used as their P@RE Username.

2. Clinical Educators

Forename; Surname; email address*; Username, date of last educator update, and date of last relevant profession specific update (where applicable), place of work, educator level/qualifications ( as appropriate)


*A PARE system generated email will be sent to the user’s email address inviting them to authentication their account and set an encrypted password.

3. University administrators / educators:

Forename; Surname; email address*; Username

4. The recipients of the data:

The data will be shared between the data controllers (Universities, Practice placement providers and Health Education England) for the sole purpose of administering, monitoring, and evaluating student practice placements.

  • Data will not be transferred outside the EEA, should this become necessary, parties will need to get approval from the data controllers and to review this protocol.

5. Period of storage

Students: Data shall be stored within the PARE system for the duration of a student’s programme of study and until final award ratification. All data will then be transferred by encrypted and password protected electronic medium to the University for further storage in line with their own legal requirements and policies. At this point all student data will be deleted from the PARE system.


Clinical Educator details will remain within the PARE system whilst users are actively engaged in placement supervision, and / or until told the data is to be removed by the user by contacting the PARE team via info@onlinepare.net. Accounts inactive for three years will be deleted.


University Educator and administrator details will remain within the PARE system whilst users are actively engaged in placement supervision, and / or until told the data is to be removed by the user by contacting the PARE team via info@onlinepare.net. Accounts inactive for three years will be deleted.

6. The rights of the data subject

The rights of all data subjects will be in accordance with the 2018 GDPR regulations.

  • There is no automated decision making within the PARE system that affects the data subjects beyond assessment calculations in accordance with normal university summative marking processes.

PARE Information Security Arrangements

1.1    Any Information shared under the PARE programme will be transferred securely between the Parties (with the exception of HEE, who do not require this provision) through encrypted and password protected directly up-loaded CSV file


1.2    The Parties will have regard to each other’s’ information security and governance needs and take appropriate measures (including any which are requested by the Party disclosing the Information) to keep the Information secure and prevent unauthorised access to or other processing of the Information. In particular, this means that each Party will ensure that:


1.2.1    its staff will be appropriately trained in matters relating to data protection and confidentiality;


1.2.2   its offices and equipment (including in particular portable IT equipment) on which the Information is used or stored will be kept secure;


1.2.3   any Information which is not needed temporarily is stored securely;


1.2.4   any Information which is no longer needed permanently is securely destroyed;

The Parties will comply with the requirements of all relevant laws, good practice, and Codes of Practice issued by the Information Commissioner’s Office. In particular, the Parties will abide by the terms of their data protection policy which they confirm complies with the GDPR and the Data Protection Act 2018.