- What is the DPA for?
- Conditions for processing any personal data
- Conditions for processing sensitive personal data
- Information which must be supplied to the data subject
- When should the data subject's consent for processing be obtained?
- Rules concerning data quality
- Manual files
- Confidential references
- Direct marketing and alumni activities
- Access and other rights of data subjects - the role of Faculties and Departments
- Transmission of data to other countries
- Security provisions
The Act applies to personal data, held not only in electronic records but also in structured 'manual' (e.g. paper) records in a 'relevant filing system'. Personal data means data about a living individual who can be identified from the data, or from the data in conjunction with other information (e.g. via code numbers); 'data' includes expressions of opinion about the person. The living individual is referred to as the data subject.
The Act governs the 'processing' of all personal data, a term which covers almost everything that can be done with data: obtaining it, retaining it, using it, disclosing it, altering it and destroying it.
The Act contains eight data protection principles which apply to all personal data and the processing of it.
Principle 1 states that personal data may only be processed if at least one of the conditions listed in Schedule 2 of the Act applies. The following are the two conditions most likely to be relevant:
- the processing is necessary for the purposes of legitimate interests pursued by the University (except where processing would prejudice the rights, freedoms and legitimate interests of the data subject); or
- the data subject has given their consent to the processing.
Section 5 explains the desirability of using the first of these conditions where possible.
The Act defines 'sensitive personal data' as data relating to a subject's racial or ethnic origin, political opinions, religious or other similar beliefs, state of health, 'sexual life', membership of a trade union, or (alleged) commission of any offence. The processing of sensitive personal data requires not only one of the Schedule 2 conditions to apply, but also one of the further conditions listed in Schedule 3 of the Act. The following are the four conditions most likely to be relevant:
- the data subject has given their 'explicit consent'; or
- for medical research - under specified safeguards; or
- for monitoring equality of opportunity - again under specified safeguards;
- for research purposes (which includes archival research) in the substantial public interest, subject to the safeguards:
  - that the data are not processed to support measures or decisions with respect to particular individuals; and
  - that the data are not processed in such a way that substantial damage or distress is, or is likely to be, caused to any individual.
When data are collected, the data subject must be told the purpose(s) that their data will be processed for. The data subject should also be told the identity of the data controller (the University) and any third parties to which the data will or might be disclosed. This information has to be given at the time of collecting the data or as soon as possible thereafter. Data collected for given purpose(s) can only legitimately be processed for those purpose(s) - not for others of which the data subject has not been informed.
If consent is the condition for the processing of personal data, then provision must be made for ceasing the data processing (which includes holding the data) if the consent is withdrawn. Note that the data subject does not have to give a reason for withdrawing consent.
Where processing is necessary for the purposes of 'legitimate interests' pursued by the University, the University is entitled to process non-sensitive data without consent. Given this, it is undesirable to seek consent where the processing is necessary for the purposes of legitimate interests pursued by the University: having sought consent in such a case, the University could not then continue with the data processing if consent is not given or is withdrawn.
However, consent as the condition of processing has the advantage of extending the processing from what is necessary for the purposes of the University to what is simply pursuant or helpful to its purposes.
The 3rd, 4th and 5th data protection principles govern data quality: personal data must be adequate, relevant and not excessive; accurate and, where necessary, kept up to date; and not kept for longer than necessary.
The requirement to not hold data for longer than necessary does not mean that all data need be destroyed. Suitably weeded staff and student records (or other historically valuable records) can be transferred to the University Archives, where they can be managed in a way which conforms to the requirements of the Act.
To support the University's work its records must be:
- created, maintained and administered in such a way that they fully and accurately document the University's principal activities;
- available for administrative and research purposes;
- held in compliance with the law and University guidelines.
The Act covers structured 'manual' (e.g. paper or microfiche) records in a 'relevant filing system' that is structured by reference to individuals.
A file of assorted information that is not structured to support access to information about particular individuals is exempt from most of the Act's provisions.
Confidential references received by the University and kept electronically or in a relevant filing system are personal data.
Although the identity of the referee will be clear from the entire reference, the University is still obliged (a) to determine whether the referee consents to have a copy given to the data subject, and (b) to seek to provide a copy of as much of the reference as can be given without disclosing the identity of the referee.
Under the Act, the University is not required to disclose the references it provides. However, these references may be disclosed by organisations receiving them. References should therefore always be written on the assumption that they may be seen by the subject, and when providing references University staff should include a statement as to whether or not they agree to disclosure.
Written references for job applicants will be sought by the University in confidence and applicants and referees will be advised of this practice.
The Act has many implications for alumni activities, direct marketing and fundraising.
Direct marketing is defined in the Act as 'the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals'. This is a broad definition that is not restricted to commercial products or offering goods for sale. The term direct marketing applies to the promotion of an organisation's aims and ideals, including appeals for funds or support. Therefore, both alumni/development activities and the inclusion of advertising inserts in newsletters are direct marketing. The Act gives data subjects the right to prevent the processing of their data for the purposes of direct marketing.
Staff are strongly encouraged to obtain advice from CUDAR before undertaking any fundraising, direct marketing operations or alumni activities.
The Act gives the data subject certain rights, including these relevant ones:
- the right of access to the data;
- the right to prevent processing likely to cause damage or distress; and
- the right to take action to rectify, block, erase or destroy inaccurate data.
To exercise the right of access the data subject must make a request to the University and pay a fee of £10. Usually the request will be sent to the Information Compliance Office, but it does not have to be; any request received locally should be forwarded to the Information Compliance Office to handle. The data subject is entitled:
- to be told (within 40 days) about all the personal data held about them, the purposes for which it is being processed, and to whom it may be disclosed;
- to be supplied with the requested information held on them, in an intelligible form, and in permanent form unless this is impossible;
- to be given information about the source of the data (unless this is impossible without identifying another individual).
In order to comply with the Act, the University must be able to supply this data, which means that each Institution must have in place a system for locating and collating it. The Institution need not decide what data should be excluded (for example, to preserve the confidentiality of a third party); the University Data Protection Officer will make this decision.
As well as containing provisions about how to deal with data that identifies third parties, the Act specifies certain types of personal data that the data subject will not be entitled to have access to. These include:
- confidential references given on behalf of the University;
- data used in management forecasting or management planning;
- actual examination scripts (but not comments made upon/about them);
- health data, where a health professional considers that the release of the information would be likely to cause serious harm to the individual or any other person.
The Act prohibits the transfer of personal data to any country outside the European Economic Area (EEA) unless that country has an adequate level of data protection. However, transfers are allowed where the data subject has consented to the transfer, or where standard contractual clauses or other EU-sanctioned conditions are imposed.
The 7th data protection principle states that all reasonable steps should be taken to ensure that personal data is secure, and the following steps are suggested:
- Access to electronic files and systems should be restricted using privilege levels and passwords.
- Regular password changes should be enforced and the number of attempted logins limited.
- Equipment should be sited in a secure location where access can be restricted to authorised personnel.
- Computers and other devices should be locked when unattended and logged off at the end of a session.
- Redundant data should be wiped or overwritten.
- Appropriate back-up and storage should be observed.
- Portable storage media should be stored carefully.
- Network systems are insecure, and the Cambridge University Data Network is under constant attack from people looking for vulnerabilities. Data must be kept as secure as possible, using encryption, de-personalisation and password protection where possible. Recognised firewalls should be installed.
- Hard copy papers containing personal information should be shredded before disposal; they should not be used as scrap paper.
- Hard copy files should be stored securely; sensitive personal data should be kept in locked rooms and/or filing cabinets.
- All requests for access to data, including those from the police, should be directed to the Information Compliance Office.