Guide to best practice in Data Protection

Yüklə 27.25 Kb.
ölçüsü27.25 Kb.
The purpose of these guidance notes is to underpin the University Data Protection Policy and to provide a guide to best practice in Data Protection.
Data Protection Acts 1984 and 1998

  1. The Data Protection Act 1984, introduced basic principles of data protection, which set standards that all registered users were required to observe. It was designed to protect individuals from any disadvantage which might result from the misuse of their personal details, for example if the information became out of date, was lost, or was made available to people or used for purposes other than those it was collected for. The 1984 Act also set up the framework for compulsory registration of data users, and appointed the Information Commissioner (formerly the Data Protection Registrar) to organise this process and to oversee compliance.

  1. The Data Protection Act 1998 replaces the 1984 Act, and builds upon and expands the controls on personal data under the 1984 Act. Under the 1998 Act, the Data Protection Principles have been extended and 'personal data' includes information held in certain manual filing systems. Individuals are given enhanced rights to receive details of data held about them and why it is being held, and to prevent its misuse. The processing of personal data will only be fair if certain conditions have been met, and certain categories of information are classed as 'sensitive personal data' and there are particular restrictions on the use of them. There are also restrictions on the transfer of personal data to countries outside the European Economic Area. The 1998 Act replaces the Office of the Data Protection Registrar with that of the Information Commissioner’s Office, and the registration of data users is replaced by notification.

  1. Although the 1998 Act came into force on 1 March 2000, some of the provisions did not come into effect until October 2001, and others will not be fully effective until 23 October 2007. This is because of periods of transitional relief. The first transitional period (which lasted until 24 October 2001) provided exemptions for certain categories of personal data held both in paper form and electronically. The second transitional period (which lasts until 24 October 2007) makes additional transitional provisions available for paper files only, and not files held in electronic or other automated form. These further exemptions apply largely to the processing of information which was held prior to 24 October 1998.


  1. The University holds a notification as a data controller under the 1998 Act. Notification by a data controller includes details of the classes of person whose personal data may be held, the purposes for which it is held, the sources from which it may be obtained, and the classes of persons to whom it may be disclosed. Details of the University's current notification can be accessed on the web site of the Information Commissioner's Office at

The University's notification is reviewed and updated from time to time. If a new activity involving personal data is being set up, or personal data already held are to be made available to different categories of people or used for a different purpose than the original, the person responsible must inform the University's Data Protection Officer.
Any formal requests under the 1998 Act from data subjects regarding personal data held on them must be referred to the Registrar of the University, no matter which office or department is processing the data.
Staff Guidelines for Data Protection

  1. All staff will process data about students on a regular basis, when compiling registers or contact lists, marking coursework and examinations, writing reports or references, or as part of a pastoral or academic supervisory role. The University will ensure, through registration procedures, that all students are informed that the University undertakes this sort of processing, are notified of the categories of processing, and provide their consent to this processing, as required by the 1998 Act. The information that staff will deal with on a day to day basis will be 'ordinary' personal data and will cover categories such as:

  • General personal details e.g. name and address

  • Details about class attendance, course work marks and grades and associated comments

  • Notes of personal supervision, including matters of behaviour and discipline

  1. Information about an individual's physical or mental health, sexual life, political or religious views, trade union membership, commission or alleged commission of any offence, ethnicity or race is 'sensitive' personal data and, except in limited specific circumstances, can only be collected and processed with that individual's explicit consent, which would generally require the consent to be written. If staff need to record this information about a student they should use the standard form obtainable from Registry. This might be required, for example, for health reasons prior to taking students on a field trip, for pastoral duties when a student has health problems, or for personnel records.

  1. Staff may also collect and process data about other staff in the University. Heads of Departments may, for example, process personal data about the staff in their departments, or research group leaders may process personal data about the members of their groups. The University will ensure that all staff are notified of the types of personal data held on them and the purposes for which that personal data is processed. Most of the information collected will be ‘ordinary’ personal data, but if, for any reason, sensitive personal data, as set out in paragraph 6, is required to be collected and processed, then the express consent of the individuals concerned must be obtained.

  1. All staff have a duty to make sure that they comply with the Data Protection Principles contained in the 1998 Act, which are set out in the University Data Protection Policy. In particular, staff must ensure that records are:

  • Accurate

  • Up-to-date

  • Kept and disposed of safely and in accordance with the University's Data Retention Schedule.

  • Staff must not disclose personal data unless for institutional purposes in line with the University ‘Data Disclosure Policy’. The only exception to this is where the disclosure is necessary to protect the vital interests of the data subject or another person. The Information Commissioner has, however, advised that this exception will only apply where the life of the data subject or another individual is at risk.

Where disclosure is requested by the police, without exception, the matter should be referred to the University Registrar.
Data Security

  1. The need to ensure that personal data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff should ensure that:

  • Any personal data which they hold is kept securely

  • Personal data is not disclosed either orally or in writing, intentionally or otherwise to any unauthorised third party.

  1. Staff must ensure that, where personal data is processed by a third party on behalf of the University (a data processor, e.g. payroll system or mailing agency), there is a written contract between the parties which specifies that the data processor agrees to act on the University’s instructions only and to abide by the provisions of the 1998 Act in connection with data security.

  1. All personal information in the form of manual records should be:

  • Kept in a locked filing cabinet: or

  • Kept in a locked drawer

If information is computerised, it should be:

  • Password protected, with passwords being regularly changed, so that only authorised people can view or alter the data; or

  • Kept only on a disk which is itself kept securely in a desk or cabinet to avoid physical loss or damage.

  1. To avoid unauthorised disclosure, care must be taken to site PCs and terminals so that they are not visible except to authorised people. Screens should not be left unattended when personal data is being processed. Similarly, care must be taken to ensure that manual records, e.g. staff or student files, or printouts containing personal data, are not left where they can be accessed by unauthorised staff.

  1. When manual records, or printouts containing personal data, are no longer required, they should be shredded or bagged and disposed of securely.

  1. Particular care must be taken of any data taken away from the University, for example manual records to be used at home, or computerised data to use on portable computers or home machines. Where personal data is processed outwith the University's premises all terms of the Data Protection Policy and the Data Protection Policy – Guidance Notes will nevertheless apply. Ensure that all work is kept confidential and, in the case of computerised information, that files are not exposed to risk from virus infection. You should also ensure that all equipment which may contain personal data, e.g. laptops, is kept secure at all times and is not exposed to the risk of theft.

Use of Personal Data for Research Purposes

  1. There are some exemptions from the 1998 Act for personal data processed for academic, scientific, historical or statistical research. Provided that personal data has been obtained fairly and lawfully, then the subsequent use of that data for research purposes will not breach the second data protection principle. Data collected for the purposes of one piece of research can, in some instances, be used for other research, and may be kept indefinitely. However, there must be no direct consequences for the individuals in respect of whom the research is carried out and the personal data must not be processed in a way which is likely to cause damage or distress to any data subject. Those conducting research involving the processing of personal data in accordance with ethical guidelines or codes of practice particular to their field of study should confirm the compatibility of such codes with the 1998 Act. Any questions regarding the use of personal data for research purposes should be referred to the Dean of Research.

  1. In order to avoid subject access provisions, the results of research or statistics should be ‘anonymised’ as far as possible, i.e. should not be recorded in a form which identifies the individuals concerned. Wherever possible, researchers should follow a principle of 'anonymity' in handling personal data.


  1. Care should be taken when writing confidential references. Under the 1998 Act, a confidential reference given by the University to a third party, for the purposes of education, employment, training, appointment to a public office or any service being provided by the individual who is the subject of the reference, should remain confidential and is exempt from the subject access provisions, in that the subject cannot gain access from the person writing the reference. However, the data subject can ask the third party to see any references which have been provided. For practical purposes, staff must assume that we can neither guarantee confidentiality in respect of references received by the University nor expect that those we provide will remain confidential.

  1. Explicit consent must always be sought from the data subject where references are provided for organisations located outside the European Economic Area. (see para 20 below for further details).

Examination Marks

  1. Students may, in some cases, be entitled to information about examination marks. However, this may take longer than other information to provide. The University may withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all books and equipment returned to the University, but may not withhold marks for these reasons.

Internal and external examiner comments, whether made on the script or in another format, e.g. an examiner’s report, are covered by the 1998 Act. A data subject has the right to request that a copy or summary of such data is provided within the stipulated timescale (generally within 40 days of receipt of the request) ‘in an intelligible form’. This implies that examiner’s comments on scripts and assessed work should be capable of being produced for a data subject in a meaningful form and they should be both intelligible and appropriate.

Cross-Border Data Transfers

  1. Staff must take special care in connection with requests for the transfer of personal data outwith the European Economic Area (EEA). In particular, staff should not:

  • disclose personal data requested by non-EEA governments, agencies and organisations, or any other party outwith the EEA, for the purposes of assessing the names, numbers and whereabouts of foreign nationals studying overseas without the specific and informed consent of the data subjects concerned

  • disclose personal data requested by non-EEA governments, or any other party outwith the EEA, for the purpose of determining liability to attend National Service, without the specific and informed consent of the data subjects concerned

  • put personal data on web pages without the explicit consent of the data subjects (unless access is restricted in some way to the EEA only, in which case normal procedures for obtaining consent should be followed).

Subject Access Requests

  1. The 1998 Act gives individuals the right to access data held about them by the University. However, this is not an entitlement to immediate access – in most cases the University will have 40 days in which to comply. All subject access requests should be submitted in writing on the Request Form, available from the University Data Protection Officer or the Data Protection folders on Outlook. Forms should be sent to the University Data Protection Officer.

  1. The 1998 Act also means that expressions of opinion about or intentions regarding a person are also personal data to which a data subject may gain access. This should be borne in mind when written or other records are made (including emails, audio-recordings, computer and manual files) and when files are weeded for unnecessary or duplicative material. The following is a useful test to apply to 'doubtful' comments:

  • Is this comment fair, accurate and justifiable?

  • If I were to show this to the data subject, would I still be confident that the comment is fair, accurate and justifiable?

If the answer to the questions is 'No', then the comment should go unrecorded.

  1. Access rights also mean that confidentiality of references provided internally or for external bodies can no longer be assumed. Again this should be borne in mind when references are drawn up. In general terms, the information provided in references should:

  • confirm the accuracy of or provide factual information

  • differentiate between statements of fact and opinion

  • express only justifiable opinions, based on first-hand experience

  • be fair and accurate

  • avoid ambiguous or coded language

  1. Inappropriate data should not be recorded, and once a data subject has requested access, data relating to him or her must not be ‘weeded’.

Staff Checklist for Recording Data

  1. Before processing any personal data, all staff should consider the following checklist:

  • Do you really need to record the information?

  • Is the information 'ordinary' personal data or is it 'sensitive' personal data?

  • If it is sensitive personal data, do you have the data subject's express consent?

  • Has the subject been told that this type of personal data will be processed?

  • Are you authorised to collect/store/process the personal data?

  • Have you checked with the data subject that the personal data is accurate?

  • Are you sure that the personal data will be secure during the process?

  • If you do not have the data subject's consent to process, are you satisfied that the collection/retention of the personal data is permitted in terms of the 1998 Act?

Further Information

  1. Further information and advice can be obtained from the University's Data Protection Officer and from the University’s Data Protection folders on Outlook.

Data Protection Working Group

January 2003

Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur © 2016
rəhbərliyinə müraciət

    Ana səhifə