About the Data Protection Act

The Data Protection Act creates personal liabilities and responsibilities for every manager and member of staff with responsibility for personal data.

The Act regards data as including:

  • paper records
  • emails
  • other electronic files and folders
  • databases
  • CCTV and other video footage
  • photographs
  • comments on exam scripts, etc.

University Policy and Procedure

Handling Personal Information

The Act is designed to protect the rights of the individual and to allow individuals access to their own personal data (with a few exemptions). The Act lays out eight principles which must be complied with. These state that personal data must be:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate and up to date
  • not kept for longer than is necessary
  • processed in accordance with an individual’s rights
  • secure
  • not transferred to countries that do not have adequate data protection legislation

In order to comply with the eight principles, at least one of six conditions must be met for the processing of personal information to take place:

  • the individual has consented to the processing
  • processing is necessary for the performance of a contract with the individual
  • processing is required under a legal obligation (other than one imposed by the contract)
  • processing is necessary to protect the vital interests of the individual
  • processing is necessary to carry out public functions
  • processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the individual)

Handling Sensitive Personal Information

Specific provision is made under the Act for the processing of sensitive personal information.

Sensitive personal data includes:

  • racial or ethnic origin
  • political opinions
  • religious or other beliefs
  • trade union membership
  • physical or mental health conditions
  • sex life
  • criminal proceedings or convictions

For sensitive personal information to be considered fairly processed, at least one of several extra conditions must be met. These include:

  • having the explicit consent of the individual
  • being required by law to process the data for employment purposes
  • needing to process the information in order to protect the vital interests of the individual or another person
  • dealing with the administration of justice or legal proceedings