Data Protection Act
About the Data Protection Act
The Data Protection Act and the General Data Protection Regulation (GDPR) (EU) 2016/679 create personal liabilities and responsibilities for every manager and member of staff with responsibility for personal data.
The Act regards data as including:
- paper records,
- other electronic files and folders,
- CCTV and other video footage,
- comments on exam scripts, etc.
Additionally, the GDPR confers certain rights on individuals which increase their access to and control over their own personal information.
Please see our Data Rights Guidance, which provides more details about these rights. A form is included with the guidance to assist you if you want to request any personal information about yourself that is held by the University.
University Policy and Procedure
- Data Protection Act policy and procedure
- Procedure for Protecting Confidential Information sent Electronically
- Information regarding data breach at Blackbaud
Handling Personal Information
Designed to protect the rights of the individual and to allow individuals access to their own personal data (with a few exemptions), the Act lays out six principles which must be complied with.
The principles state that personal data should be:
(a) Processed lawfully, fairly and in a transparent manner
(b) Collected for specified, explicit and legitimate purposes
(c) Adequate, relevant and limited to what is necessary
(d) Accurate and where necessary kept up to date
(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed, and
(f) Processed in a manner that ensures appropriate security of the personal data
In order to comply with the six principles at least one of the conditions below must be met for the processing of personal data to take place:
- The individual has consented to the processing
- Processing is necessary for the performance of a contract with the individual
- Processing is required under a legal obligation (other than one imposed by the contract)
- Processing is necessary to protect the vital interests of the individual
- Processing is necessary to carry out public functions
- Processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the individual)
Handling Special Category Data
Specific provision is made under the Legislation for the processing of sensitive personal information, called special category data.
Special Category data includes:
- racial or ethnic origin
- political opinions
- religious or other beliefs
- trade union membership
- physical or mental health conditions
- sex life
For sensitive personal information to be considered fairly processed, at least one of several extra conditions must be met. For example:
- Having the explicit consent of the individual
- Being required by law to process the data for employment purposes
- Needing to process the information in order to protect the vital interests of the individual or another person
- Dealing with the administration of justice or legal proceedings
If you require further information or help, please contact the Records Management Office.