Data Protection - Staff Handbook
13. Seventh Principle - Security and Disclosure of Data
13.1 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
13.2 This Principle covers both the disclosure of data to 3rd parties and the unauthorised or unlawful processing of data. It is probably the single most important principle and the easiest to get wrong.
- Data Subject Consent
- Staff who need to know
- Purposes specified
- Disclosure of data to third parties
- Specific agreement of data subject
- Embassies and High Commissions
- Family and friends
- Telephone enquiries
- Third party disclosures
- Security of data
- Data Processors
13.3 Data may always be disclosed with the consent of the data subject concerned. However, consent cannot be assumed; it must be active and silence cannot imply consent.
13.4 Data may always be disclosed to members of University staff who require the information in order to carry out their normal duties. However, only that data required must be disclosed. For example, a member of staff dealing with accommodation matters would not be automatically entitled to see data concerning a student's academic record.
13.5 Data can only be disclosed for use within the purposes originally specified when it was collected. Any other use amounts to unlawful processing. For example, data collected by a school for the purposes of student administration cannot be passed to or used by another School or Service for any purpose(s) which were unspecified at the time of collection. (eg marketing) Unless, of course, the prior consent of the data subjects have been sought for that purpose or purposes.
13.6 The University's notification under the Act will specify those third parties to which data might be regularly disclosed, for example HESA.
13.7 Data may be disclosed to any third party if the data subject gives specific consent. In such cases, consent must be obtained prior to the disclosure.
13.8 It is unwise to assume that data may be disclosed to a student's Embassy or High Commission just because it is requested. Such bodies have no automatic right to know data and, in many cases, students would not wish their data to be disclosed.
13.9 It is unwise to assume that data may be disclosed to a student's family and friends just because it is requested. Such individuals have no automatic right to have data disclosed to them and in many cases students would not wish their data to be disclosed.
13.10 Requests from third parties are often made by telephone, with the added problem of verifying the identity of the caller. Even when the call appears to be genuine, for example from a parent worried about their offspring, data must not be disclosed. Instead, an offer should be made to contact the data subject concerned on behalf of the caller or to pass on a message.
13.11 The police have no more right to have data routinely disclosed to them than any other third party. There are set procedures for dealing with routine requests from the police.
For example, the police have special forms that they will fill in and supply before asking for personal data.
Any member of staff receiving a request for personal data from the police should ensure that the request is re-directed to the University Data Protection Officer to enable it to be logged, an assessment made and the relevant checks carried out.
13.12 There are a number of circumstances under which data can be disclosed to a third party without the consent of the data subject. These all require an element of judgement and the Data Protection Officer should be consulted in the event of a School or Service receiving such a request.
These circumstances are set out in the Act as follows:
- data required by law - for example data supplied to statutory bodies, such as HEFCE, HESA;
- data that is in the vital interests of the data subject - for example in a life or death situation;
- data that would prevent harm to a third party;
- data that would prevent crime;
- data that would be in the interests of national security.
Even in the above circumstances, however, proof of identity and a request in writing should always be sought where it is practicable to do so.
13.13 Data security is another way of looking at disclosure and is very important as far as the seventh principle is concerned.
- Various measures should be taken to ensure that data is kept secure.
- Technical measures: network security; the proper use of passwords
- Organisational measures: the physical security of computers and files in cabinets; locked rooms; ensuring that PC screens cannot be overlooked in public spaces.
13.14 Accidental loss, destruction or damage to data has the same effect as an unauthorised disclosure. Good back-up procedures must be in place and used effectively. These should include procedures to recover lost data.
13.15 It is particularly important to be aware of data security when processing data off-site, especially when using a laptop in a public place such as a train. Don't let it out of your sight and ensure others don't have it in theirs.
13.16 This is the new technical term for anyone who processes data on behalf of a Data Controller; the term used to be 'Computer Bureau'. The University makes very little use, if any, of Data Processors, but if they are used, whether by central services or by schools, there are additional requirements to comply with the Act:
- there must be a written contract which explicitly refers to the Data Protection Act 1998
- the Processor must agree to adhere to the eight data protection principles
- the processor must operate the same level of data security as does the University.
13.17 The Data Protection Officer can assist with advice on the wording for such contracts.