Data Protection Act
About the Data Protection Act
The Data Protection Act creates personal liabilities and responsibilities for every member of staff and every manager with responsibility for personal data. The act regards data as including paper records, emails, other electronic files and folders, databases, CCTV and other video footage, photographs, comments on exam scripts, etc.
The Act is designed to protect the rights of the individual and to allow that individual access to their own personal data (with a few exemptions).
University policy and procedure
Principles of good practice under the Act
The Act puts in place eight principles of good information handling practice which need to be complied with.
The principles state that personal data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in accordance with an individual's rights
- Secure
- Not transferred to countries that do not have adequate data protection legislation
Conditions of processing
To comply with the principles at least one of six conditions must be met in order to process personal information:
- The individual has consented to the processing
- Processing is necessary for the performance of a contract with the individual
- Processing is required under a legal obligation (other than one imposed by the contract)
- Processing is necessary to protect the vital interests of the individual
- Processing is necessary to carry out public functions
- Processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the individual)
Guidance and advice
The Records Management Unit produces guidance on staying compliant with the Act and is always happy to answer any further queries you may have.
Contact us
If you require further information or help please contact the Records Management Unit.
Follow us