Wherever possible obtain consent before acquiring, holding or using personal data. Any University of Bath forms, whether paper or web-based, which are designed to gather personal data should contain a statement explaining what the information is to be used for and who it may be disclosed to. Elizabeth Richardson, David Jolly or Lisa Slater can advise on the wording required in specific cases.
2. Sensitive data
Be particularly careful with sensitive personal data (i.e. information relating to race, polictical opinion, physical or mental health, religious belief, trade union membership, sexuality, criminal offences etc). Such information should only be held and used where strictly necessary. Always obtain the consent of the individual concerned and notify them of ther likely use(s) of such data.
3. Individual rights
Wherever possible be open with individuals concerning the information being held about them. When preparing reports or appending notes to official documents, bear in mind that individuals have the right to see all personal data and could therefore read any 'informal' comments made about them. Also be aware that this includes e-mails containing personal data and so the same caution should be used when sending e-mails.
4. Review files
Only create and retain personal data where absolutely necessary. Securely dispose of or delete any personal data which is out of date, irrelevant or no longer required. Hold regular reviews of files and discard unnecessary or obsolete data systematically.
5. Disposal of records
When discarding paper records that contain personal data treat them confidentially (i.e. shred such files if possible). If they have to be otherwise disposed of, you must ensure that they are placed in a confidential waste sack (see the procedures for confidential waste paper disposal below). Similarly any unnecessary or out-of-date electronic records should be deleted. University computers should not be given away or sold unless BUCS have ensured that all information stored on them has been removed or deleted. Computers containing hard drives should only normally be disposed of via RecommIT with whom the University has entered into a data processing agreement.
Keep all personal data up to date and accurate. Note any changes of address and other amendments. If there is any doubt about the accuracy of personal data then it should not be used.
Keep all personal data as securely as possible (e.g. in lockable filing cabinets or in rooms that can be locked when unoccupied). Do not leave records containing personal data unattended in offices or areas accessible to the members of the public. Ensure that personal data is not displayed on computers screens visible to passers-by. Be aware that these security considerations also apply to records taken away from the University e.g. for work at home or for an external meeting. Also bear in mind that e-mail is not necessarily confidential or secure so should not be used for potentially sensitive communications.
8. Disclosing data
Never reveal personal data to third parties without the consent of the individual concerned or other reasonable justification. This includes parents, guardians, relatives and friends of the data subject who have no right to access information without the data subject's cosent. Personal data can only be legitimately disclosed to third parties for purposes connected with a student's studies and to meet statutory requirements (e.g. to HEFCE, LEAs, Council Tax Offices and Research Councils) but only where we are satisfied to the enquirers' identity and the legitimacy of the request.
Requests for personal information are received from time to time from organisations such as the police and the inland revenue. The University endeavours to coooperate with these organisations but steps should first be taken to ensure that requests are genuine and legitimate. Elizabeth Richardson can provide advice on this and they should be contacted before any personal data is disclosed in response to such a request.
9. Worldwide transfer
Always obtain consent from the individuals concerned before placing information about them on the Internet (apart from basic office contact details) and before sending any personal data outside the European Union, Iceland, Lichtenstein or Norway.
10. Third party processors
Be aware that if you are using a third party data processor e.g. for bulk mailings or database management and are giving them access to personal data, then you must have a written contract in place with them to ensure that they treat such information confidentially, securely and in compliance with the Data Protection Act 1998.