Information Compliance

Legislation

Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers'). The law applies to organisations in all sectors, both public and private. It doesn't apply to anonymous information or to information about the deceased. The current legislation in the UK is the Data Protection Act 1998 (DPA). From 25 May 2018, this will be replaced by the EU General Data Protection Regulation (GDPR), coupled with a new Data Protection Act that supplements the GDPR in specific ways and which is currently being debated by the UK Parliament. All of the legislation is based around the notions of principles, rights and responsibilities. The legislation is regulated in the UK by the Information Commissioner's Office (ICO) as well as the courts.

Principles

The DPA applies to some paper records as well as all those held in electronic form. It imposes obligations on those who record and use personal information to be open about how that information is used and requires them to follow the eight data protection principles.

Personal data must be processed following these principles so that data are:

  1. processed fairly and lawfully and only if certain conditions are met;
  2. obtained for specified and lawful purposes;
  3. adequate, relevant and not excessive;
  4. accurate and where necessary kept up-to-date;
  5. not kept for longer than necessary;
  6. processed in accordance with an individual's rights;
  7. kept in a secure manner;
  8. not transferred outside of the EEA without adequate protection.

These principles broadly are carried through into the GDPR, though they are strengthened and expressed somewhat differently.

Privacy Notices

An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used by the organisation. The supply of this information (through documents variously known as 'privacy notices', 'data protection statements', 'data collection notices', 'privacy policies' and numerous other interchangeable terms) takes place in a number of targeted ways depending on the context of the interaction with the individual. The University's core privacy notices, each titled 'How we use your personal information (for ...)', are available from the menu on this page.

Rights

Under data protection legislation an individual has the right, subject to certain exemptions, to access the personal information that an organisation holds about them. Accessing personal data in this way is known as making a 'subject access request'.

Individuals have certain additional rights under the DPA, such as the right to prevent data processing which is likely to cause substantial and unwarranted damage or distress, the right to prevent processing for the purpose of direct marketing, and the right to correct inaccurate personal data. These existing rights are enhanced and supplemented in the GDPR.

Responsibilities

Data protection legislation imposes certain responsibilities on all those who process personal data at the University, whether members of staff holding, using, sharing or destroying personal data in their teaching, research or administration, or students accessing and recording personal data in their studies or other activities. The responsibilities apply to the handling of all personal data, but are strengthened when using more sensitive types of information about individuals.

These obligations include holding and using data in a secure manner, making sure that data is handled in line with what individuals have been told in the privacy notices, having appropriate arrangements in place for the access to (and sharing of) data, and making sure that data is accurate and retained for a suitable period.

Most importantly, if a data breach occurs (e.g. personal data held by the University is lost, stolen, inadvertently disclosed to an external party, or accidentally published), this should be reported immediately to the Information Compliance Office and/or (if the breach is technical) University Information Services so that the breach can be contained. On occasion, we need to report breaches to relevant external authorities.

Under the GDPR, greater emphasis is placed on an organisation's accountability for its data protection compliance. Certain record-keeping and policy/procedural requirements become mandatory in some circumstances.

The Information Commissioner

Under the DPA, the University maintains a data protection registration (also known as a notification) with the Information Commissioner. This outlines, in very general terms, the personal data being processed by the University. The University's register entry number is Z6641083 and may be found by searching the Information Commissioner's public register. (The registration system will cease when the GDPR applies.) Each of the 31 Colleges of the University is a separate legal entity and data controller for the purposes of data protection legislation.