ATOP Ltd is committed to fully complying with the General Data Protection Regulations May 2018
All personal information will be handled in accordance with the above to ensure that individuals are protected from misuse of personal details and that any information is handled appropriately and within the individual’s rights
Why do we collect information from you?
ATOP Ltd is a third party information processor in the Disabled Students’ Allowance process.
This means that we gather and processes relevant identifiable information on behalf of and to the specifications of DSA data controllers. The data controller will always be the funding body who administers your DSA, which is also likely to be in a joint data controlling agreement with the governmental department or responsible party who’s role it is to administer the allowance.
Examples of DSA data controllers:
- Welsh Government and Student Finance Wales (joint data agreement advised).
- Department for Education and Student Finance England (joint data agreement advised).
- NHS Wales and Universities (joint data agreement details implied by relationship).
- Student Awards Agency for Scotland.
We are passed, collect and process sufficient information from and about you to write a detailed report for DSA data controller. This informs them how DSA funds should be allocated for you.
We have advised relevant DSA data controllers that we are required to have a data sharing agreement with them. However, our data sharing status is largely implied by our relationship and function.
We only collect information from students who have been approved access to Disabled Students’ Allowance by the DSA data controller.
What information do we collect?
- The data controller will ask you to provide us with your DSA1 or equivalent DSA approval letter. We are also required to review a copy of the medical evidence that the data controller has used to approve your DSA.
- We are also required to collect address, contact, study and disability details in a pre-assessment form. This will be added to our database, whilst identifying information will be included in other administrative documents and logs, which are required for DSA processes. These are securely stored on the University’s server system.
- In order to gauge what DSA funds should be allocated to you, we will collect information regarding the historical and current impact of your disability, as well as your educational experience to date. We will only ask about impacts that are relevant to attending and completing relevant academic study.
- We may also contact your higher education provider (HEP) to gather information in advance of the assessment. In some circumstances, this can be completed without recourse to personally identifiable information. In other cases, we may advise that it would be of benefit for you to be personally identified. We would ask permission for this from you and explain why we feel it is necessary.
- The information we collect for you will be presented in a formal DSA report. The personal data fields in this report are defined by the DSA data controller.
Note: For some disabilities or medical conditions (or other reasons relating to personal safety and welfare), it may be necessary to enter into a bespoke information agreement with you. If you feel it is essential that certain information in our care is redacted or limited, please let us know. We will always advise you if the information you wish to limit will impact on your ability to progress through the DSA process, or access DSA funds.
How long do we keep your information?
The DSA data controller may ask us to complete follow on work at any point during your academic course, or follow on academic courses.
Consequently, we need to hold your data:
- as per the requirements of the data controller to facilitate the role above
- for six years from the date of your last assessment/review and in accordance with relevant
- After this time, any indefinable information relating to you will be deleted.
Who might we share your data with?
We will provide a copy of your completed DSA report to the funding body who is your DSA data controller. We will seek your permission for this
- Additionally you have the option of requesting that we send a copy of your completed DSA report to a relevant party in your university.
- We may identify that it is beneficial to seek advice from a knowledgeable third party in order to ensure that the best possible support is recommended for you. We will always share the minimum possible information, and discuss what we intend to do (and why), whilst seeking your explicit consent for this.
- On occasions we may need to brief a third party to carry out a review of ergonomic support requirements in your private accommodation. We may need to pass on narrative of disability related factors and impacts within this brief, as well as agreed contact details. Again, we will always share the minimum possible information, discuss what we intend to do (and why).
- Some DSA data controllers require that assessment centres are members of the accrediting body DSA-QAG. Where the DSA data controller requires membership of DSA-QAG, the DSA-QAG quality assurance framework applies. This means that many of our information gathering administrative processes and administrative forms are defined by the external DSA-QAG standards. At present, no personally identifiable information is passed directly to DSA-QAG. However, centres are audited each year on behalf of DSA-QAG by the forensic accounting company BDO. During audits, we may be asked to show the auditor any information we hold on you as part of our information processing duties. DSA-QAG provide us with forms to confirm whether you give the auditing company permission to see your personal data. This information is collected at the time of your assessment.
- Any sensitive data shared will be encrypted using PGP encryption, or passed to the third party using password protected PDFs. At other times, data is securely stored on our university based server. All staff are provisioned to handle data and written communications from within a secure zone, protected by a logon. Personal data is not allowed outside this secure zone without explanation and explicit agreement being sought from relevant parties.
What are your rights?
For further information on how your information is used, how ATOP Ltd maintains the security of your information and your rights to access information that ATOP Ltd holds on you, please contact firstname.lastname@example.org
You may invoke the right to erasure, or the right to be forgotten by contacting us at: email@example.com
Note: Invoking the right to erasure or the right to be forgotten with ATOP Ltd will only result in action in relation to information we hold on you. It will not extend to the DSA data controller, other DSA third party data processors or your university. We will ask the scope of your request upon receipt, and will advise you if further action is necessary. Similarly, if you invoke the right to erasure or the right to be forgotten with the DSA data controller, ATOP Ltd. data may not be included in the request.
INVOKING THE RIGHT TO ERASURE OR THE RIGHT TO BE FORGOTTEN MAY COMPLICATE SUBSEQUENT ACCESS TO DSA FUNDING, OR CHANGE THE SCOPE AND RANGE OF DSA SUPPORT THAT CAN BE AGREED. WE WILL ADVISE YOU FURTHER ON THIS AS NECESSARY.