Data Protection Act
The Data Protection Act 1998 ("the Act") applies to ‘personal data’, which is information about individuals. It gives individuals the right to access their own personal data through Subject Access Requests, and contains rules which must be followed when personal data is processed.
The Act works in two ways:
- it provides individuals with rights, including the right to know what information is held about them and the right to access that information
- it states that anyone who processes personal information must comply with the eight principles it contains.
You should assume that any personal data relating to an identifiable living individual, held by the University, in any form, are covered by the Data Protection Act.
If you have access to personal data you must familiarise yourself with, and comply with, the following University resources:
If you are going to be working remotely or using a mobile device, please also see data security off-campus.
Data covered by the Act
The Data Protection Act 1998 covers the processing of all ‘Personal Data’. This is data which constitutes information relating to a living individual (a ‘Data Subject’) and from which (either on its own or together with other information held) the individual is identifiable. Data held purely in an anonymised form is therefore not covered.
The definition of data specifically includes both expressions of opinion about the individual and any indication of intentions towards them. Comments in emails such as ‘X did very well in securing this contract …’ and ‘I plan to ask X to take over responsibility for this matter next semester’ could both constitute X’s personal data.
The Data Protection Act covers data held electronically and in hard copy, regardless of where the data is held. It covers data held on and off campus, and on employees’ or students’ mobile devices, so long as it is held for University purposes, regardless of the ownership of the device on which it is stored.
‘Processing’ is widely defined and includes every possible form of action that can be taken in relation to data including:
- obtaining data
- recording data
- keeping data
- using data in any way
- sharing or disclosing data
- erasing and/or destroying data.