Data Protection Act - General Guidance
For data protection areas that this document does not address, further guidance and advice can be sought from the University's Data Protection Officer (ext. 6071). Comprehensive guidance to the main provisions of the 1998 Data Protection Act is also available from the Data Protection Handbook.
Links to the 1998 Act and to the OIC:
Advice and Checklist for Schools
Raising Awareness
- Inform your staff that they are expected to read the University Data Protection Guidelines
- Consider publicising the Do's and Don'ts section on departmental notice boards.
Ensure that all staff within your department are informed of the following:
- staff may not hold personal data without consent or good reason
- staff should be advised to exercise particular care when dealing with sensitive personal data
- staff should always seek permission before sending personal data to countries outside the EEA
- staff should always seek permission before putting personal data on the Web
- staff should always be factual, discreet and prudent in what they write about other people, whether on paper or in e-mails
- When writing personal references, staff should refer to the Data Protection Handbook
Security
- staff should keep secure all personal files whether on paper or on computer
- staff should be conscious of the need for extra care if taking data home
- staff should ensure that confidential waste is always disposed of using established confidential waste routines.
Examiners: Internal and External
Ensure that all examiners are informed that their reports are no longer confidential to the University and that any student about whom they are written may gain access to them simply by submitting a Subject Access Request.
Data Protection Act 1998 - Do's and Don'ts
This section of the document seeks to contrast definite 'do's' against definite 'don'ts' and is provided as an aid to understanding what the Act implies in practice.
Always
- Seek to comply with the principles of the Data Protection Act
- Recognise that the new Act applies to paper files as well as to electronic files
- Think of data that is held about other individuals in the same way as if it were your data
- Get permission to hold data or establish if consent has already been given
- Be particularly careful when dealing with sensitive personal data, e.g. data concerning race or ethnic origin, political opinion, religious belief, sexual life, criminal offences, trade union membership, health
- Hold data about individuals only when it is necessary and for no longer than is necessary
- Endeavour to ensure that data is accurate
- Be open with individuals about information held about them; if asked, tell them if you hold data about them and tell them why the data is held
- Provided the rights of other data subjects are not infringed, let individuals inspect data held about them
- Respect confidentiality
- Discard personal files as confidential waste
- Consider writing open references
- Bear in mind, when writing documents, that individuals have the right to see their files
- Realise that e-mails may be retrieved and revealed to those about whom they are written
- Pass all Subject Access Requests to the University Data Protection Officer ASAP
- Hold data in such a way that it can be retrieved for inspection at short notice
- Take time to read the University's Data Protection web pages
Never
- Worry about the complexities of the Act - concentrate on the principles
- Reveal data to third parties without the data subject's explicit permission
- Hold sensitive data about an individual without the data subject's explicit consent
- Put data about individuals on the Internet without permission
- Send personal data outside the EEA
- Leave personal data insecure
- Take personal data home without being acutely aware of the need for security
- Part with University computers without ensuring they are cleared of personal data
- Use e-mail for confidential communications
- Use data held for one purpose for a different purpose without seeking permission to do so
- In any circumstances, erase or alter data following the receipt of a Subject Access Request.