What are the data protection principles?

The University is committed to complying with the eight Data Protection Principles (“the Principles”) in the Act. To that end:

1. Personal data shall be processed fairly and

2. Personal data shall be obtained for specific and lawful purposes and not processed in a manner incompatible with those

Personal data should only be obtained if there is a clear purpose or purposes for which it will be used, and must not then be used for a different purpose. Further, personal data may only be processed for purposes identified in the University‟s notification with the Information Commissioner‟s Office.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is

Only the information needed for a specific purpose should be collected. If data are given or obtained which are excessive for the purpose, they should be immediately deleted or destroyed.

4. Personal data shall be accurate and, where necessary, kept up to

Data that are kept for a long time must be periodically reviewed and updated as necessary. Data should not be kept unless it is reasonable to assume that they are accurate.

Members of the University are responsible for ensuring that any personal data they supply to the University are accurate and up-to-date.

5. Personal data shall be kept only for as long as

Personal data should not be kept for longer than the data are required for the purpose for which the data was originally obtained. Personal data must, however, be disposed of in a way that protects the rights and privacy of data subjects (e.g.. shredding, disposal as confidential waste, secure electronic deletion).

6   Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act.

Personal data should not be disclosed to third parties except in circumstances permitted or required by the Act or with the consent of the individual concerned. In most cases, this consent should be provided in writing. Further guidance on how to respond to requests from third parties for the disclosure of personal data is set out below as well as in the Guidelines and FAQs accompanying this Policy.

 7.     Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.

All staff are responsible for ensuring that any personal data that they hold are kept securely.

8. Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal

Data must not be transferred outside of the European Economic Area (EEA)

- the EU Member States together with Iceland, Liechtenstein and Norway - without the explicit consent of the individual.

Disclosure of Data

The University will ensure that personal data are not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the police. The University‟s Data Protection Officer must be advised of any request for personal data relating to a student or member of staff and information should not be provided. When asked by the Data Protection Officer to provide data, particularly data related to a police enquiry or other authority, members of staff shall do so within the time frame specified.

Personal data may be disclosed only where at least one of the following conditions apply:

• the individual has given their written consent;
• where the disclosure is in the legitimate interests of the institution (e.g. disclosure to staff - personal information can be disclosed to other University employees if it is clear that those members of staff require the information to enable them to perform their jobs);
• where the institution is legally obliged to disclose the data (e.g. HESA and HESES returns, ethnic minority and disability monitoring);
• where disclosure of data is required for the performance of a contract (e.g. informing a student's LA or sponsor of course changes/withdrawal etc).

Explicit consent must be obtained when processing sensitive personal data.

Disclosure is permitted without consent if the information is requested for one or more of the following purposes and the purpose is supported by clear evidence:

• to safeguard national security;
• to prevent or detect crime including the apprehension or prosecution of offenders;
• to assess or collect tax duty;
• to discharge regulatory functions (includes health, safety and welfare of persons at work);
• to prevent serious harm to a third party;
• to protect the vital interests of the individual, this refers to life and death situations.

DEFINITIONS (adapted from Data Protection Act 1998)