The University is committed to complying with the eight Data Protection Principles (“the Principles”) in the Act. To that end:
- Personal data shall be processed fairly and
- Personal data shall be obtained for specific and lawful purposes and not processed in a manner incompatible with those
Personal data should only be obtained if there is a clear purpose or purposes for which it will be used, and must not then be used for a different purpose. Further, personal data may only be processed for purposes identified in the University's notification with the Information Commissioner's Office.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is
Only the information needed for a specific purpose should be collected. If data are given or obtained which are excessive for the purpose, they should be immediately deleted or destroyed.
- Personal data shall be accurate and, where necessary, kept up to
Data that are kept for a long time must be periodically reviewed and updated as necessary. Data should not be kept unless it is reasonable to assume that they are accurate.
Members of the University are responsible for ensuring that any personal data they supply to the University are accurate and up-to-date.
- Personal data shall be kept only for as long as
Personal data should not be kept for longer than the data are required for the purpose for which the data were originally obtained. Personal data must, however, be disposed of in a way that protects the rights and privacy of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion).
- Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act.
Personal data should not be disclosed to third parties except in circumstances permitted or required by the Act or with the consent of the individual concerned. In most cases, this consent should be provided in writing. Further guidance on how to respond to requests from third parties for the disclosure of personal data is set out below as well as in the Guidelines and FAQs accompanying this Policy.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data.
All staff are responsible for ensuring that any personal data that they hold are kept securely.
- Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal
Data must not be transferred outside of the European Economic Area (EEA) - the EU Member States together with Iceland, Liechtenstein and Norway - without the explicit consent of the individual.
Disclosure of Data
The University will ensure that personal data are not disclosed to unauthorised third parties, which include family members, friends, government bodies, and in certain circumstances, the police. The University's Data Protection Officer must be advised of any request for personal data relating to a student or member of staff and information should not be provided. When asked by the Data Protection Officer to provide data, particularly data related to a police enquiry or other authority, members of staff shall do so within the time frame specified.
Personal data may be disclosed only where at least one of the following conditions applies:
- the individual has given their written consent;
- where the disclosure is in the legitimate interests of the institution (e.g. disclosure to staff - personal information can be disclosed to other University employees if it is clear that those members of staff require the information to enable them to perform their jobs);
- where the institution is legally obliged to disclose the data (e.g. HESA and HESES returns, ethnic minority and disability monitoring);
- where disclosure of data is required for the performance of a contract (e.g. informing a student's LA or sponsor of course changes/withdrawal etc).
Explicit consent must be obtained when processing sensitive personal data.
Disclosure is permitted without consent if the information is requested for one or more of the following purposes and the purpose is supported by clear evidence:
- to safeguard national security;
- to prevent or detect crime including the apprehension or prosecution of offenders;
- to assess or collect tax duty;
- to discharge regulatory functions (includes health, safety and welfare of persons at work);
- to prevent serious harm to a third party;
- to protect the vital interests of the individual (this refers to life and death situations).
DEFINITIONS (adapted from Data Protection Act 1998)
Any living individual who is the subject of personal data held by an organisation.
Data relating to a living individual who can be identified from that information or from that data and other information in possession of the data controller. Includes name, address, telephone number, ID number. Also includes expression of opinion about the individual, and of the intentions of the data controller in respect of that individual.
Any operation related to the organisation, retrieval, disclosure and deletion of data and includes:
- Obtaining and recording data
- Accessing, altering, adding to, merging, deleting data
- Retrieval, consultation or use of data
- Disclosure or otherwise making available of data.
Relevant Filing System
Any paper filing system or other manual filing system which is structured so that information about an individual is readily accessible. Please note that this is the definition of "Relevant Filing System" in the Act. Personal data as defined, and covered, by the Act can be held in any format, electronic (including websites and emails), paper-based, photographic etc. from which the individual's information can be readily extracted.
Different from ordinary personal data (such as name, address, telephone) and relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, criminal convictions. Sensitive data are subject to much stricter conditions of processing.