The Data Protection Act 1998 governs the handling of data held about individuals and the rights of individuals to access that data. The University is obliged to comply with the 8 principles of the Data Protection Act for handling personal data as follows:
- Personal data shall be processed fairly and lawfully.
- Personal data shall be processed for one or more specified and lawful purpose.
- Personal data shall be adequate, relevant and not excessive to the purpose of processing.
- Personal data shall be accurate and up-to-date.
- Personal data shall not be kept longer than is necessary.
- Personal data shall be processed in accordance with the individual's rights under the Act.
- Appropriate measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.
- Personal data shall not be transferred to a country outside the EEA without adequate protection for the rights and freedoms of data subjects.
How does data protection apply to my work?
- Individuals have the right to see any personal information the University holds about them. They do this by making a subject access request and we have 40 calendar days to respond. Avoid complications by following the procedures.
- We must tell people what we are doing with information about them, including whom we are disclosing it to.
- We must use appropriate security measures to protect personal data and do not keep it for longer than necessary. We must not transfer personal information without safeguards; this includes publishing it on the internet.
The University’s Data Protection Policy sets out how the University aims to comply with the Data Protection Act 1998. Details are also available to all staff and students as to how personal information is handled – these can also be found in the Staff Handbook and Student Handbook of Regulations.
Further general guidance is available from the Information Commissioner's Office .
Good records management and information security will help the University comply with the Act. The way our staff go about their daily tasks is vital to this. The University Solictor is the University's Data Protection Officer and is responsible for providing help and guidance on applying the Data Protection Act, as well as for co-ordinating subject access requests from individuals.
Some individual areas of the University have specific and additional Data Protection and/or Confidentiality Policies, for example, Student Services or the Podiatry Clinic, because their work is of a very specialist nature or may involve people who are not staff or students of the University.
Making a request for information
Under the Data Protection Act 1998 individuals have the right to ask whether information is held about them and if so what it is. This is called a "subject access request". Please complete the Subject Access Request Form and return it to the University Solicitor (address on the form) with evidence of your identity and the £10 subject access request fee.
Further information about subject access requests can be obtained from the Information Commissioner's Office.
How does the University handle data? -"fair processing notices"
The University describes in general terms how personal data is handled. These descriptions are called "Privacy Notices".