Data Protection Act
These pages outline the General Data Protection Regime that applies in the UK. The General Data Protection Regulation (GDPR) has been tailored and incorporated into UK legislation by the Data Protection Act 2018.
The Data Protection Act 2018 ("the Act") applies to 'personal data', which is information which relates to individuals. It gives individuals the right to access their own personal data through subject access requests and contains rules which must be followed when personal data is processed.
The Act works in two ways:
- it provides individuals with rights, including the right to know what information is held about them and the right to access that information.
- it states that anyone who processes personal information must comply with the principles in the Act.
You should assume that any personal data relating to an identifiable living individual, held by the University, in any form, are covered by the Data Protection Act.
If you have access to personal data you must familiarise yourself with, and comply with, the following University resources:
If you are going to be working remotely or using a mobile device please also see data security off-campus.
Data covered by the Act
The Data Protection Act covers the processing of all 'Personal Data'. This is data which constitutes information relating to a living individual, (a 'Data Subject') and from which (either on its own or together with other information held) the individual is identifiable, so data held purely in an anonymised form is not covered.
The Data Protection Act covers data held electronically and in hard copy, regardless of where data is held. It covers data held on and off campus, and on employees' or students' mobile devices, so long as it is held for University purposes, regardless of the ownership of the device on which it is stored.
'Processing' is widely defined and includes every possible form of action that can be taken in relation to data including:
- obtaining data
- recording data
- keeping data
- using data in any way
- sharing or disclosing data
- erasing and/or destroying data.
Lawful basis for processing personal data
The University must have a valid lawful basis in order to process personal data and, in most cases, will also need to be satisfied that it is ‘necessary’ to process personal data to achieve the relevant purpose.
There are only six potential lawful bases for processing personal data:
- Public task – this applies when the processing is necessary for the University to perform a task in the public interest or as part of its official functions.
- Legitimate interests - this applies when the processing is necessary for the legitimate interests of the University or a third party, (unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests).
- Contract – this applies when the processing is necessary for a contract the University has with the individual, (any processing of personal data under this category must be targeted and proportionate).
- Legal obligation – this applies when the processing is necessary for the University to comply with the law. This can relate to legal, regulatory and other compliance obligations, as well as matters such as the prevention or detection of crime.
- Vital interests – the processing is necessary to protect the vital interest of someone, normally this means to protect their life.
- Consent – the individual has freely given clear, informed consent for the University to process their personal data (this will always be for a specific purpose).
Additional conditions for special category data
Special Category Data (which used to be called 'Sensitive Personal Data') are personal data that is more sensitive and needs more protection. In order to lawfully process any such special category data, in addition to having a lawful basis for its processing, the University will need an additional condition for processing.
There are ten such potential additional conditions which permit Special Category Data to be processed. The most relevant in the context of the University are set out below:
- The individual has given explicit consent to processing for one or more specified purposes.
- Processing is necessary in relation to employment, social security and social protection law;
- Processing is necessary to - - protect the vital interests of a person, where they are physically or legally incapable of giving consent;
- Processing relates to personal data which is already in the public domain;
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- Processing is necessary for preventive or occupational medicine, for example, assessment the working capacity of an employee and providing health or social case.
Further information about the legal basis for processing personal data and the conditions for processing special categories of data can be found on the Information Commissioner’s Office’s website.
Six legal principles of Data Protection
The Data Protection Act sets out the six legal principles with which the University must comply whenever it processes personal data. These stipulate that the data must:
1 'Be processed fairly, lawfully and transparently' In order for us to process data 'fairly', we should:
- ensure that we have a lawful reason to obtain or process the data
- the Data Subject must never be deceived or misled - they must normally have a clear understanding of the reasons for which it is proposed that their data be used
- care needs to be taken to ensure that personal data is only ever obtained from a person who is legally authorised to supply it.
2 'Be processed only for specific, explicit and legitimate purposes and shall not be further processed in any manner incompatible with that purpose or those purposes'
The main issues raised by the principle are:
- all personal data which is processed by the University must be covered by our registration with the Information Commissioner. Most routine uses of personal data by staff will be covered by our registration. However, if you are processing any data (for example, maintaining a database or running a research project involving the use of personal data) and think it may involve us handling new personal data for the first time or using personal data for a new purpose, please email the Data Protection team at firstname.lastname@example.org for advice.
- personal data held for one purpose should not be used for another
- personal data must not be disclosed to any third person (other than those described in the University's registration in certain circumstances), so take great care when you receive a request for data from a third party (see guidance on disclosing data).
3 ' Be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are held'
To ensure compliance:
- you should not collect any personal data not strictly necessary for the specified purpose. If you are obtaining or holding any special category data take special care to properly consider its necessity
- records should also be unambiguous, accurate and professionally worded. Abbreviations should be widely agreed. Opinions should be clearly distinguishable from facts.
4 'Be accurate and, where necessary, be kept up to date'
Personal data must not be inaccurate or misleading to any matter of fact. This applies to information from a third party. The source of information should always be included on records.
5 'Be kept for no longer than is necessary for the specified purpose'
As the University needs to hold and process personal data for a variety of different legitimate reasons, it is not always possible to stipulate how long particular data should be retained.
The university has a set of policies on the retention and disposal of different types of records. For other types of data, it is often necessary to decide on a case-by-case basis when they should be destroyed.
6 'Be processed in a secure manner, taking appropriate security measures with regard to rights of accidental or unauthorised access to personal data, or accidental or unauthorised destruction, lose, use modification or disclosure of personal data'
Access to personal data will only be granted to staff insofar as is necessary for legitimate operational purposes. The personal or private use of personal data held by the university is strictly forbidden.
All staff with access to personal data must be mindful that they play a role in ensuring that it is always kept securely. They must familiarize themselves with the University's Data Protection Policy and follow our guidance on data security.
Data Protection Policy
The University is committed to protecting the rights and freedoms of all individuals in relation to the processing of their personal data and provides the Data Protection Policy for everyone to follow.
- The Scope of this policy
- Personal data
- Special category data
- Confidential data
- Legal Framework
- Responsibilities of staff and students
- Personal Data in the public domain
- Lawful basis for processing personal data
- Addition conditions for Special Category Data
- Data Protection Act Principles
- Data Security
- Keeping personal data secure
- Prohibited activities
- Right to access information
- Research - special considerations
- Implications of breaching this policy
The Scope of this Policy
We need to comply with the Data Protection Act (as amended from time to time) in relation to all personal data that is processed by the University. To ensure this happens, it has developed this policy which sets out the obligations of staff in this respect.
This policy and the Data Protection Act apply to all personal data handled by the University, both that held in paper files and data held electronically. So long as the processing of the data is carried out for University purposes, it also applies regardless of where data is held, (for example, it covers data held on campus and on mobile devices such as electronic notebooks or laptops) and regardless of who owns the PC/device on which it is stored.
'Processing' data is widely defined and includes every plausible form of action that could be taken in relation to the data such as obtaining, recording and keeping, or using it in any way; sharing or disclosing it; erasing and destroying it.
Data which relates to a living individual who can be identified from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller. The University is the data controller.
Examples of personal data are the name and address of an individual or a student ID number which when put with other information held by the university could identify a student, staff member or participant in a researcher's survey. The majority of staff (including all line managers) will, therefore, handle personal data at least occasionally.
Special Category Data (previously called Sensitive Personal Data)
Some personal data are more sensitive in nature and therefore requires a higher level of protection. The legislation refers to the processing of certain data as ‘special categories of personal data’. This means personal data about an individual’s:
- race or ethnic origin of the data subject
- their political opinions
- their religious beliefs or philosophical beliefs
- whether they are a member of a trade union
- their physical or mental health or condition
- their sexual life
- sexual orientation
- biometric data (where this is used for identification purposes)
- any commission or alleged commission by them of any offence
- any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
Staff working in certain research areas (e.g. Psychology/Health), or in certain roles (e.g. Student Disability Advice Service, HR, SREO) will have regular access to special category data, others are likely to do so only rarely if at all.
Data given in confidence or data agreed to be kept confidential (in other words, a secret between two parties) and that is not in the public domain.
Some confidential data will also be personal data and/or sensitive personal data and therefore come within the terms of this policy. Staff working in certain functions and in senior management roles will handle confidential data regularly.
The University also handles research data which comprises materials collected or created for the purposes of analysis to generate original research results. Some research data will contain personal data and/or sensitive personal data and in all such cases, the provisions of this policy apply. For information on how to deal with other aspects of research data see Research Data Management.
The University needs to collect and keep certain types of information about the people with whom it deals. This includes information relating to its staff, students and other individuals. It needs to process 'personal data' for a variety of reasons, such as to recruit and pay its staff, to record the academic progress of its students and to comply with statutory obligations (for example, health and safety requirements).
The Data Protection Act applies to all 'personal data' processed by the University and to comply with the law all personal data must be collected and used fairly, stored safely and not disclosed to anyone else unlawfully.
Responsibilities of staff and students
All staff and students must:
- Be mindful of the fact that individuals have the right to see their 'personal data' (and this may include for example information received from prospective students or staff written in connection with an application to the University or any comments written about them in emails). They should not, therefore, record comments or other data about individuals which they would not be comfortable with the individual seeing, either in emails or elsewhere.
- Immediately report the matter to their line manager and bring it to the Data Protection team's attention, if they find any lost or discarded data which they believe contains personal data, (for example, may include a memory stick).
- Immediately report the matter to their line manager and bring it to the Data Protection team's attention, if they become aware that personal data has been accidentally lost or stolen or inadvertently disclosed (for example, if their laptop is stolen or their phone is lost and it has personal data stored on it),
- Hold the contents of any personal data which comes into their possession securely.
- Ensure that any personal data they provide to the University (for example, their contact details) is accurate.
- Notify the University promptly of any changes to their personal data (for example, change of address or emergency contact details).
- Only ever obtain or use personal data relating to third parties for approved work or study-related purposes.
Staff and students who process 'personal data' must:
- Ensure that they only ever process personal data in accordance with requirements of the Data Protection Act and in particular:
- ensure that they have a valid lawful basis in order to process the data before commencing the processing; and
- only process ‘special category data’, if the processing meets one of the additional conditions for special category data; and
- follow the 6 Data Protection principles. The best way to ensure compliance is through familiarisation with this policy and the guidance we provide. Key points insofar as compliance is concerned include:
- Fair processing - for example, ensure that the individual consents to their data being used and knows what it will be used for, and ensure that it is not subsequently used for something else
- Data Security - ensure any personal data which is held is always kept and disposed of securely, (taking into account any cybersecurity considerations).
- Non-disclosure - ensure personal data is not disclosed to any unauthorised third party.
- Familiarise themselves with the guidance and other information published on our Data Protection site and follow it at all times.
- If they are going to be working remotely or using a mobile device to store data (for example, a laptop, tablet or mobile phone), it is vital that they are familiar with our Remote Working & Use of Mobile Device Guidance, and comply with it and the University's IT Security Policy as special considerations apply.
- Be mindful of the scope of Data Protection regulations. This includes that fact that 'personal data' is widely defined, (and so will cover for example comments made about an individual in an email to someone else), and the fact that it covers data held on remote devices (such as tablets and on mobile phones) regardless of who owns the actual device and where the device is stored.
- Seek advice whenever a new or novel form of processing personal data is contemplated or if any data protection related concerns ever arise.
Personal data in the public domain
We hold certain information about staff and students in the public domain. Personal data classified as being in the 'public domain' refers to information which will be publicly available worldwide and may be disclosed to third parties without recourse to the data subject.
Our practice is to make the following items of data freely available unless individuals have objected:
- names of members of Council and Senate
- staff workplace email addresses and telephone numbers
- student university email addresses
- academic staff biographies and curricula vitae where supplied
- names and academic qualifications of academic and support staff where appropriate
- any additional information relating to data subjects which they have agreed to be placed in the public domain and which may be in automated and/or manual form.
Similarly, as part of its regular business activities, the University may process personal information about third parties which is already in the public domain where such processing is carried out in accordance with the Data Protection Act principles set out below and is unlikely to cause any damage or distress to the data subject.
Data Protection Act principles
Anyone using personal data must comply with the 6 Data Protection Principles contained in the Data Protection Act 2018 as they define how personal data can be legally processed: In summary these state that personal data shall:
- Be obtained and processed fairly, lawfully and transparently.
- Be processed for specified explicit and lawful purposes and shall not be processed in any manner incompatible with these purposes.
- Be adequate, relevant and not excessive for those purposes.
- Be accurate and kept up to date.
- Not be kept for any longer than is necessary.
- Be processed in a secure manner.
Keeping personal data properly secure is key in complying with the Data Protection Act. All staff are therefore responsible for ensuring that if they keep personal data, it is kept securely and is not disclosed (either orally or in writing or accidentally) to any unauthorised party.
Please see the guidance on Disclosing Data for further information on this point.
Keeping personal data secure
This includes, as a minimum:
- Ensuring that any personal data recorded in paper form or hard copy documents are kept in locked filing cabinets or locked drawers or in locked offices.
- Ensuring that the same measures are taken in regards to any discs or memory sticks or similar devices on which personal data is held, for example, they must also be kept in a secure and locked location.
- Ensure that if any personal data is held on a Mobile Device that it is properly password protected and where appropriate encrypted.
- Ensuring special care is taken whenever data is transferred from one place to another to ensure the security of the data is paramount, (for example, to avoid losing memory sticks in transit or to avoid sensitive personal data being transferred to a PC which is not password protected and encrypted).
The following activities are strictly prohibited:
- using data obtained for one purpose for another supplemental purpose (for example, using contact details provided for HR-related purposes for marketing purposes)
- disclosing personal data to a third person outside the University without the consent of the data subject.
Right to access information
Individuals have the right to access any personal data that relates to them which the University holds. Any person who wishes to exercise this right should see the Subject Access Rights Page for details on how to do so.
Research - special consideration
Before commencing any research which will involve obtaining or using personal data, the researcher (whether a student or member of staff) and their academic supervisor or Head of Group must give proper consideration to this policy and the guidance contained on our Data Protection webpages and our Research Data Policy and how these will be properly complied with.
In particular, they will need to consider the type of personal data which may be collected, the applicable lawful basis for the processing, whether any special category data is to be processed and if so what additional condition for special category data will be relied on and what additional safeguards required, how ethical consent is to be recorded, the extent to which such data may legitimately be required for the academic objective, how the data will be securely stored, and the duration for which it will be retained.
Personal data obtained or used for research should be limited to the minimum amount of data which is reasonably required to achieve the desired academic objectives and wherever possible any such personal data should be made anonymous so that the data subjects cannot be identified.
For more information refer to the Research Data Policy.
Implications of breaching this policy
It is a condition of employment in the case of staff and enrolment in the case of students that staff and students will abide by the policies and rules of the University. Any breach of this policy will be considered to be a disciplinary offence and may lead to disciplinary action. A serious breach of the Data Protection Act may also result in the University and/or the individual being held liable in law.
Compliance with the Data Protection Act is the responsibility of all members of the University. Any questions about this policy or any queries concerning data protection matters should be raised with the Data Protection team
Data protection notification
The Information Commissioner maintains a public register of organisations that use personal data. The University has an entry on this register which specifies the main types of data we hold (for example, personal details, education and training info), the main purposes for which we use the data (for example, HR administration, student and staff support services, education and research, and so on) and those to whom it may be disclosed (for example, funding councils, central government).
The University's Registration Number is Z6290890. Our registration is renewable annually, although we can make additions or changes to it at any time, (for example, if we start to process a new type of data).
In practice, most routine uses of personal data by staff will be covered by our Registration. However, if you are processing any data (for example, maintaining a database or running a research project involving the use of personal data) and think it may involve us handling new personal data for the first time or using personal data for a new purpose, please email the Data Protection team for advice, and so that our Registration can be amended if necessary.
The University's current Registration can be viewed via the search facility on the Information Commissioner's website.