
Data Protection


Ten golden rules for Data Protection compliance

1. Consent

Wherever possible obtain consent before acquiring, holding or using personal data. Any University of Bath forms, whether paper or web-based, which are designed to gather personal data should contain a statement explaining what the information is to be used for and who it may be disclosed to. Elizabeth Richardson, David Jolly or Lisa Slater can advise on the wording required in specific cases.

See Data Protection Statement for Student Registration

2. Sensitive data

Be particularly careful with sensitive personal data (i.e. information relating to race, political opinion, physical or mental health, religious belief, trade union membership, sexuality, criminal offences etc). Such information should only be held and used where strictly necessary. Always obtain the consent of the individual concerned and notify them of the likely use(s) of such data.

See Human Resources Department Data Protection Statement

3. Individual rights

Wherever possible be open with individuals concerning the information being held about them. When preparing reports or appending notes to official documents, bear in mind that individuals have the right to see all personal data and could therefore read any 'informal' comments made about them. Also be aware that this includes e-mails containing personal data and so the same caution should be used when sending e-mails.

4. Review files

Only create and retain personal data where absolutely necessary. Securely dispose of or delete any personal data which is out of date, irrelevant or no longer required. Hold regular reviews of files and discard unnecessary or obsolete data systematically.

See University of Bath Records Management Service

5. Disposal of records

When discarding paper records that contain personal data treat them confidentially (i.e. shred such files if possible). If they have to be otherwise disposed of, you must ensure that they are placed in a confidential waste sack (see the procedures for confidential waste paper disposal below). Similarly any unnecessary or out-of-date electronic records should be deleted. University computers should not be given away or sold unless BUCS have ensured that all information stored on them has been removed or deleted. Computers containing hard drives should only normally be disposed of via RecommIT with whom the University has entered into a data processing agreement.

See BUCS and University procedure for the disposal of confidential waste paper.

6. Accuracy

Keep all personal data up to date and accurate. Note any changes of address and other amendments. If there is any doubt about the accuracy of personal data then it should not be used.

7. Security

Keep all personal data as securely as possible (e.g. in lockable filing cabinets or in rooms that can be locked when unoccupied). Do not leave records containing personal data unattended in offices or areas accessible to members of the public. Ensure that personal data is not displayed on computer screens visible to passers-by. Be aware that these security considerations also apply to records taken away from the University, e.g. for work at home or for an external meeting. Also bear in mind that e-mail is not necessarily confidential or secure, so it should not be used for potentially sensitive communications.

See BUCS IT Security Policy

8. Disclosing data

Never reveal personal data to third parties without the consent of the individual concerned or other reasonable justification. This includes parents, guardians, relatives and friends of the data subject, who have no right to access information without the data subject's consent. Personal data can only be legitimately disclosed to third parties for purposes connected with a student's studies and to meet statutory requirements (e.g. to HEFCE, LEAs, Council Tax Offices and Research Councils), but only where we are satisfied as to the enquirers' identity and the legitimacy of the request.

Requests for personal information are received from time to time from organisations such as the police and the Inland Revenue. The University endeavours to cooperate with these organisations, but steps should first be taken to ensure that requests are genuine and legitimate. Elizabeth Richardson can provide advice on this and should be contacted before any personal data is disclosed in response to such a request.

9. Worldwide transfer

Always obtain consent from the individuals concerned before placing information about them on the Internet (apart from basic office contact details) and before sending any personal data outside the European Union, Iceland, Liechtenstein or Norway.

See University of Bath website Data Protection Statement

10. Third party processors

Be aware that if you are using a third party data processor e.g. for bulk mailings or database management and are giving them access to personal data, then you must have a written contract in place with them to ensure that they treat such information confidentially, securely and in compliance with the Data Protection Act 1998.
