Eight principles of Data Protection
The Data Protection Act sets out the eight principles with which the University must comply whenever it processes personal data. These stipulate that the data must:
1. ‘Be collected and processed fairly and lawfully’
In order for us to process data ‘fairly’, we should:
- ensure that we have a legitimate reason to obtain or process the data
- make the Data Subject aware that their data is being used and obtain their consent. They must never be deceived or misled: they must have a clear understanding of the reasons for which it is proposed that their data be used
- if any sensitive personal data is involved, ensure that Data Subjects have provided their express consent to the processing
- take care to ensure that personal data is only ever obtained from a person who is legally authorised to supply it.
2. ‘Be obtained only for the specific and lawful purposes described in the register entry, and shall not be further processed in any manner incompatible with that purpose or those purposes’
The main issues raised by this principle are:
- all personal data which is processed by the University must be covered by our Registration with the Information Commissioner. Most routine uses of personal data by staff will be covered by our Registration. However, if you are processing any data (for example, maintaining a database or running a research project involving the use of personal data) and think it may involve us handling new personal data for the first time or using personal data for a new purpose, please email the Data Protection team at firstname.lastname@example.org for advice.
- personal data held for one purpose should not be used for another
- personal data must not be disclosed to any third person (other than those described in the University’s Registration in certain circumstances), so take great care when you receive a request for data from a third party (see guidance on disclosing data).
3. ‘Be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are held’
To ensure compliance:
- you should not collect any personal data not strictly necessary for the purpose for which it is obtained. If you are obtaining or holding any sensitive personal data, take special care to properly consider its necessity
- records should also be unambiguous, accurate and professionally worded. Abbreviations should be widely agreed. Opinions should be clearly distinguishable from facts.
4. ‘Be accurate and, where necessary, be kept up to date’
Personal data must not be inaccurate or misleading as to any matter of fact. This applies to information from a third party. The source of information should always be included on records.
5. ‘Be held no longer than is necessary for the registered purpose’
Failure to remove data when its purpose has been served is a breach of the Data Protection Act. As the University needs to hold and process personal data for a variety of different legitimate reasons, it is not always possible to stipulate how long particular data should be retained.
The University has a set of policies on the retention and disposal of different types of records. For other types of data it is often necessary to decide on a case-by-case basis when they should be destroyed.
6. ‘Be processed in accordance with the rights of the Data Subjects under the Act’
The University must ensure that all personal data is processed in accordance with the rights of Data Subjects, who can:
- make Subject Access Requests to find out what information we hold about them, the purposes for which it will be used and to whom it has been disclosed
- prevent processing for the purposes of direct marketing or the processing of data which is likely to cause them substantial damage or distress
- ask, if appropriate, to have the data corrected or deleted
- be informed about automated decision-making processes that affect them and prevent significant decisions that affect them from being made solely by automated processes.
7. ‘Be held under secure conditions, together with appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’
Access to personal data will only be granted to staff insofar as is necessary for legitimate operational purposes. The personal or private use of personal data held by the University is strictly forbidden.
All staff with access to personal data must be mindful that they play a role in ensuring that it is always kept securely. They must familiarise themselves with the University’s Data Protection Policy and follow our guidance on data security.
8. ‘Not be transferred to a country or territory outside the European Economic Area, unless that country ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal data’
Personal data must not be transferred to a country outside the European Economic Area unless:
- explicit consent has been obtained from the Data Subject(s)
- the data has been completely anonymised
- that country ensures an adequate level of protection for Data Subjects
- a contract is in place with the recipient of the personal data, which puts the necessary safeguards in place.
Special care should be taken when travelling with a laptop or other mobile device which contains personal data (see data security off-campus).