General Data Protection guidelines for staff and students
Introduction
The Data Protection Act 1998 concerns personal privacy and regulates
how information about living individuals may be collected, used, retained
and disclosed. All processing of personal data must be notified to the
Information Commissioner.
The new Act applies to all personal data whether it is in manual or electronic
format. Individuals are entitled to see all information kept about themselves.
Members of staff should be open with individuals about any information
held about them. Staff should also be careful about passing any personal
information on to third parties.
These guidelines give a brief and simple outline of the responsibilities
of staff and students under the Data Protection Act 1998.
Data Protection principles
Staff and students must comply with the eight principles governing the
legal processing of personal data.
- Personal data shall be processed fairly and lawfully.
- Personal data shall be held only for one or more specified and lawful
purpose(s) and shall not be further processed in any manner incompatible
with that purpose(s).
- Personal data shall be adequate, relevant and not excessive in relation
to the purpose for which it is processed.
- Personal data shall be accurate and where necessary kept up to date.
- Personal data processed for any purpose shall not be kept for longer
than is necessary for that purpose.
- Personal data shall be processed in accordance with the rights of
data subjects under the Data Protection Act 1998.
- Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against accidental
loss or destruction of or damage to personal data.
- Personal data shall not be transferred to a country or territory outside
the European Economic Area (without the individual's express consent)
unless that country or territory ensures an adequate level of protection
for the rights and freedoms of data subjects in relation to the processing
of personal data.
Achieving compliance with the Data Protection principles
Principle 1
No personal data should be created or held unless the individual has
given his/her consent. Where sensitive data is concerned specific consent
must be obtained - the individual must be informed that this type of personal
data is being held, told the reason for it and must then agree.
Photographs are classified as sensitive data because they may reveal information
about the subject's race and ethnicity. Permission should always be obtained
to keep or use a photograph of an individual.
Principle 2
Do not use data obtained for one purpose for a different purpose. For
example, a departmental list of members of staff or students should not
be used for commercial mail shots.
Principle 3
Do not collect information about individuals which is not absolutely necessary.
Do not ask questions seeking data without ensuring that the questions
are strictly relevant. If excessive or superfluous personal data is acquired
it should be deleted or destroyed immediately.
Principle 4
If data is retained it must be reviewed and if necessary amended or
updated. No data should be kept unless it is reasonable to assume that
it is accurate.
Principle 5
Regular and systematic reviews of files (both manual and electronic)
containing personal data should take place to ensure that information
is not retained for longer than is necessary.
Principle 6
The rights of individuals in respect of their data should always be
considered. Consent should be obtained if personal data is to be generated
or retained for any purpose. Data subjects are legally entitled to know
what information is being held about them. It is also important that no
personal data is disclosed to anyone, either inside or outside the University,
unless strictly necessary or unless the consent of the data subject has
been obtained.
Principle 7
Staff must ensure that any personal data is kept in a secure place
- in lockable filing cabinets or in rooms which can be locked when unoccupied.
They must also seek to prevent unauthorised access to any computers in
which personal data is stored.
Principle 8
No personal data should be transferred, even for a legitimate purpose,
outside of the European Economic Area (EEA) except with the specific consent
of the data subject. This is particularly important when considering the
global publication of personal information via the World Wide Web.
Rights of the individual
Under the Data Protection Act 1998 individuals have the right to inspect
all personal information held about themselves. This includes the contents
of student files, staff files, unit enrolment forms, and lists of members
of staff who, for example, are on leave. Data subjects might include staff,
students, alumni, job applicants, consultants, former employees, staff
of other institutions, members of University Council and members of the
public.