The protection of data relating to individuals is a requirement of the law: it cannot be ignored.
The Data Protection Act 1998 re-inforces legal rights, established under the Data Protection Act 1984, for individuals concerning the use of data held about them. The Data Protection Act of 1998 also extends the limits of coverage to include data included in manual, relevant filing systems.
The Act also requires that data users (data controllers) register their activities, and also requires that data users honour eight principles of good practice. These Data Protection Principles are: That
- data shall be obtained and processed fairly and lawfully
- data shall only be held for specified, lawful, registered purposes
- data held shall be adequate, relevant and not excessive in relation to the purposes for which it is processed
- data shall be accurate and, where necessary, up-to-date
- data shall not be kept for longer than is necessary
- data shall be processed in accordance with the rights of data subjects i.e. an individual (data subject) is entitled to be informed by the Data Controller as to whether data is held about them, and to have access to such data with the right to have the data corrected or erased
- data should be secure against unauthorised access, alteration, disclosure and destruction (including accidental loss or destruction)
- personal data shall not be transferred to a country or territory outside the European Economic Area unless certain data protection rights exist in that country or territory
The Act and its implications
As required by law, the University is registered as a Data Controller and as a Data Processor (i.e. an organisation which processes data on behalf of others). Individuals about whom we hold data (data subjects) have the right to access those data (as in 6 above) and the right to seek compensation from the University should they suffer damage or distress because of inaccurate data.
Furthermore, individual employees (or agents) of the University may be criminally liable under the Act where there is a breach of the Data Protection Principles. For this reason, it is ESSENTIAL that the University's Data Protection Officer BE KEPT INFORMED of:
- any registered processing you STOP doing
- any processing you START (or plan) to do
You are obliged to comply with this request - it is not optional. We are legally required to keep our Data Protection registration correct. If you are unsure what is registered or should be registered, ASK.
Disclosure of personal information
The University has a policy on the disclosure of personal information which must be adhered to.