Info for Staff

Data Protection Act 1998 - Do's and Don'ts

Use our list of 'do's' and 'don'ts' as an aid to understanding what the Act means in practice:

Do:
  • seek to comply with the principles of the Data Protection Act
  • recognise that the Act applies to paper and electronic files
  • think of data held about other individuals in the same way as if it were your data
  • get permission to hold data or establish if consent has already been given, where needed
  • be particularly careful when dealing with sensitive personal data, e.g. data concerning racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life, or criminal offences
  • hold data about individuals only when it is necessary and for no longer than is necessary
  • endeavour to ensure that data is accurate and kept up to date, where necessary
  • respect confidentiality
  • discard personal files as confidential waste
  • bear in mind, when writing documents, that individuals have the right to see their files
  • realise that emails may be retrieved and revealed to those about whom they are written
  • pass all Subject Access Requests to the Information Security Officer (Compliance) as soon as possible
  • take time to read the University's Data Protection web pages

Don't:
  • worry about the complexities of the Act - concentrate on the principles
  • reveal data to third parties without the data subject's explicit permission
  • hold sensitive data about an individual without the data subject's explicit consent
  • put data about individuals on the Internet without permission
  • send personal data outside the EEA
  • leave personal data insecure
  • take personal data home without being acutely aware of the need for security
  • part with University computers without ensuring they are cleared of personal data
  • use email for confidential communications
  • use data held for one purpose for a different purpose without seeking permission to do so