Guidance for better Data Protection compliance

General Guidelines

• If staff wish and/or need to take photographs of individuals (data subjects) or small groups then they must notify and seek the explicit consent of the people being photographed
• Do not express unsubstantiated opinions about individuals in emails or other correspondence, verbally in public areas, or in notes made on, for example, examination scripts. They are all potentially accessible to the person concerned via a Subject Access Request made under the Act.
• Unless you have the written consent of the data subject never reveal personal data to unauthorised third parties, including family members, friends and landlords.
• Do not leave an individual’s personal data lying around on your desk when you are not using it – if possible keep personal data in a locked cabinet to prevent any unauthorised access.
• Do not leave an individual’s data displayed on a screen after you have finished processing it, and always lock your workstation when you are leaving it unattended
• Limit the sharing of personal information to those colleagues who really need to use it. Putting sensitive personal data on the Internet or Intranet without the explicit consent of the individual is particularly bad practice and is, in the case of the internet, in breach of the 8th Data Protection principle
• Be aware that individuals may be identifiable without having the details of their names and addresses. For example, in the case of a table of statistics showing a set of students numbering less than 4, it would be unwise from a Data Protection perspective to provide a breakdown of nationality, race, ethnicity, disability, etc. to staff who don’t need that level of information. Where such small numbers exist they can potentially be used to identify an individual.

Guidance produced by the Records Management Unit

Advice and guidance on keeping personal and sensitive information secure has been produced by the Records Management Office:

• Add security to confidential information to be sent via email
• Data rights – guidance and form
• Examples of potential Data Protection problems and suggested solutions
• Guidance on the storage, transmission and use of personal and confidential information outside of computing systems provided by the University
• Instructions on how to delay the sending of emails
• What is classified by the University as confidential
• Data Protection for casual/temporary staff
• Guidance on sending a fax

Further information

More guidance and information is available online from the Information Commissioner’s website.

Additionally The Lights Are On, a short Data Protection training DVD produced by the Information Commissioner’s Office, is available to view online.

• View The Lights Are On online

Contact us

If you require further information or help please contact the Records Management Office.