Data Protection - Staff Handbook

13. Seventh Principle - Security and Disclosure of Data

13.1 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

13.2 This Principle covers both the disclosure of data to 3rd parties and the unauthorised or unlawful processing of data. It is probably the single most important principle and the easiest to get wrong.

Data Subject Consent

13.3 Data may always be disclosed with the consent of the data subject concerned. However, consent cannot be assumed; it must be active and silence cannot imply consent.

Staff who need to know

13.4 Data may always be disclosed to members of University staff who require the information in order to carry out their normal duties. However, only that data required must be disclosed. For example, a member of staff dealing with accommodation matters would not be automatically entitled to see data concerning a student's academic record.

Purposes specified

13.5 Data can only be disclosed for use within the purposes originally specified when it was collected. Any other use amounts to unlawful processing. For example, data collected by a school for the purposes of student administration cannot be passed to or used by another School or Service for any purpose(s) which were unspecified at the time of collection. (eg marketing) Unless, of course, the prior consent of the data subjects have been sought for that purpose or purposes.

Disclosure of data to third parties

13.6 The University's notification under the Act will specify those third parties to which data might be regularly disclosed, for example HESA.

Specific agreement of data subject

13.7 Data may be disclosed to any third party if the data subject gives specific consent. In such cases, consent must be obtained prior to the disclosure.

Embassies and High Commissions

13.8 It is unwise to assume that data may be disclosed to a student's Embassy or High Commission just because it is requested. Such bodies have no automatic right to know data and, in many cases, students would not wish their data to be disclosed.

Family and friends

13.9 It is unwise to assume that data may be disclosed to a student's family and friends just because it is requested. Such individuals have no automatic right to have data disclosed to them and in many cases students would not wish their data to be disclosed.

Telephone enquiries

13.10 Requests from third parties are often made by telephone, with the added problem of verifying the identity of the caller. Even when the call appears to be genuine, for example from a parent worried about their offspring, data must not be disclosed. Instead, an offer should be made to contact the data subject concerned on behalf of the caller or to pass on a message.

Police

13.11 The police have no more right to have data routinely disclosed to them than any other third party. There are set procedures for dealing with routine requests from the police.

For example, the police have special forms that they will fill in and supply before asking for personal data.

Any member of staff receiving a request for personal data from the police should ensure that the request is re-directed to the University Data Protection Officer to enable it to be logged, an assessment made and the relevant checks carried out.

Third party disclosures

13.12 There are a number of circumstances under which data can be disclosed to a third party without the consent of the data subject. These all require an element of judgement and the Data Protection Officer should be consulted in the event of a School or Service receiving such a request.

These circumstances are set out in the Act as follows:

  • data required by law - for example data supplied to statutory bodies, such as HEFCE, HESA;
  • data that is in the vital interests of the data subject - for example in a life or death situation;
  • data that would prevent harm to a third party;
  • data that would prevent crime;
  • data that would be in the interests of national security.

Even in the above circumstances, however, proof of identity and a request in writing should always be sought where it is practicable to do so.

Security of data

13.13 Data security is another way of looking at disclosure and is very important as far as the seventh principle is concerned.

  • Various measures should be taken to ensure that data is kept secure.
  • Technical measures: network security; the proper use of passwords
  • Organisational measures: the physical security of computers and files in cabinets; locked rooms; ensuring that PC screens cannot be overlooked in public spaces.

13.14 Accidental loss, destruction or damage to data has the same effect as an unauthorised disclosure. Good back-up procedures must be in place and used effectively. These should include procedures to recover lost data.

13.15 It is particularly important to be aware of data security when processing data off-site, especially when using a laptop in a public place such as a train. Don't let it out of your sight and ensure others don't have it in theirs.

Data Processors

13.16 This is the new technical term for anyone who processes data on behalf of a Data Controller; the term used to be 'Computer Bureau'. The University makes very little use, if any, of Data Processors, but if they are used, whether by central services or by schools, there are additional requirements to comply with the Act:

  • there must be a written contract which explicitly refers to the Data Protection Act 1998
  • the Processor must agree to adhere to the eight data protection principles
  • the processor must operate the same level of data security as does the University.

13.17 The Data Protection Officer can assist with advice on the wording for such contracts.

Handbook Contents