All members of the University are responsible for ensuring compliance with the Data Protection Act.
The Information Commissioner can impose fines on organisations of up to 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher, for breaching the Act. Serious breaches may also see the individuals involved being prosecuted.
Managing data in compliance with the Act
There are three broad stages of processing data that you need to be aware of to ensure compliance with the Six Principles of the Act:
Keeping data secure is essential to complying with the Data Protection Act. Security is also essential when working off campus and on mobile devices.
Find out more about Data security on and off campus.
Responding to requests for information
The University must normally respond to Subject Access Requests within one month. Follow our guidance for dealing with requests to help us deal with them efficiently.
Academics who supervise students whose research uses personal data should be aware of exemptions to processing research data under the Act and the guidance they should give.
Find out more about complying with the Data Protection Act as an academic.
Photography and filming
Make sure you comply with the Act when taking photographs or making film recordings on behalf of the University or on campus.
Find out more about complying with the Data Protection Act when photographing or filming.
Read our guidance on the types of information that a student can request to help them gather evidence for an academic appeal.
Examiner comments and examination board minutes
Staff and external examiners should take care to understand what information for exam papers should be made available under a subject access request.
Find out more about data protection and University examinations.
Individuals may have the right to see references which the University has written about them or received in respect of them.
Although references may be marked in such a way as to imply confidentiality ('private & confidential' or 'for the attention of the addressee and the relevant interviewing panel only'), confidentiality can never be guaranteed.
If you are writing a reference you should assume that it may be disclosed to the Data Subject.