All members of the University are responsible for ensuring compliance with the Data Protection Act 1998.
The Information Commissioner can impose fines of up to £500,000 on organisations for breaching the Act, and serious breaches may also see the individuals involved prosecuted.
Managing data in compliance with the Act
There are three broad stages of processing data that you need to be aware of to ensure compliance with the Eight Principles of the Act:
Responding to requests for information
The University has to respond to Subject Access Requests within 40 days. Follow our guidance for dealing with requests to help us deal with them efficiently.
Academics who supervise students whose research uses personal data should be aware of exemptions to processing research data under the Act and the guidance they should give.
Photography and filming
Ensure you comply with the Act when taking photographs or making film recordings on behalf of the University or on campus.
Guidance on the types of information that a student can request to help them gather evidence for an Academic Appeal.
Examiner comments and Examination board minutes
Staff and external examiners should take care to understand what information from exam papers is available under a Subject Access Request.
Individuals may have the right to see references which the University has written about them or received in respect of them.
Although references may be marked in such a way as to imply confidentiality (‘private & confidential’ or ‘for the attention of the addressee and the relevant interviewing panel only’), confidentiality can never be guaranteed.
If you are writing a reference you should assume that it may be disclosed to the Data Subject.