Data protection policy
- The University needs to process certain information about its employees, students and other individuals. In so doing, the University is obliged to comply with the provisions of the Data Protection Act 1998. The eight Principles of the Act are described in Appendix A.
- The Act imposes restrictions on how the University may 'process' personal data. This term covers the collection, recording, retrieval, consultation, use and disclosure of data. Definitions of other terms used in the Act may be found in Appendix B.
- The University has appointed a Data Protection Co-ordinator to deal with day-to-day Data Protection matters and to encourage good information handling practice within the University.
- The Act gives staff and students the right of access (with very limited exemptions) to any personal data the University may hold about them. It also places an obligation on the University to respond to such requests within a set time. For this reason, all formal access requests by staff and students - i.e. Subject Access Requests - must be directed through the University's Data Protection Co-ordinator. (See Appendix B for Definition of Data Protection Terms.)
- The University, all staff and any others who process personal information on behalf of the University must ensure that they comply with the principles of the Act and with the provisions laid out in 'The Data Protection Act: Staff Guidelines'.
II. Status of the policy
- This policy has been approved by the University Court. Any breach will be taken seriously, and may result in disciplinary action.
- This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the University. Any failure to follow the policy can therefore result in disciplinary proceedings.
- Those with honorary contracts or 'visitor' status will also be expected to comply with this policy insofar as they come into contact with personal data through the University.
- Staff or students who consider that the policy has not been followed in respect of personal data should raise the matter with the University's Data Protection Co-ordinator.
III. The University's responsibilities
- The University is committed to protecting the right of individuals to privacy with respect to the processing of their personal data.
- Under the terms of the Data Protection Act, the University is the Data Controller (see Appendix B for Definition of Data Protection Terms), and ultimate responsibility for compliance with the Act lies with the University Court.
- Deans, Heads of School / Units and all in managerial or supervisory roles have a responsibility to ensure good information handling practice amongst all members of the University.
IV. Staff responsibilities
- When processing personal data about students or colleagues, staff must comply with the Staff Guidelines as described above.
- Staff are responsible for the security of the data they process, and for ensuring that it is not disclosed to anyone who is not entitled to it.
- Staff are also Data Subjects (see Appendix B for Definition of Data Protection Terms). They should ensure, therefore, that any information they supply to the University in connection with their employment is accurate and up to date. The University cannot be held accountable for errors arising from changes about which it has not been informed.
V. Right of access
- Staff, students and other users of the University have the right to access personal data held about them by the University, whether in manual or electronic format.
- Any individual wishing to exercise this right should apply using the Subject Access Request form available from the Data Protection Co-ordinator.
- The University will charge £10 per request.
VI. Information and guidance
Further information on the application of the policy and practice may be obtained from the University's Data Protection Co-ordinator.