FAQ - What do I need to know about data protection and the Data Protection Act 1998?

Answer

Personal data, including sensitive personal data, needs to be registered, accurate, secured, and disposed of when no longer required.  Legislation can be found on-line, and further information found at the Information Commissioner's Office website.  The Data Protection Act 1998 (DPA) completely superseded the Data Protection Act 1984.

Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate;
  • not kept longer than necessary;
  • processed in accordance with the data subject's rights;
  • secure;
  • not transferred to countries without adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. The definition of 'processing' is far wider than under the 1984 Act: for example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'. A data subject (student, employee, potential employee, parent, etc.) is entitled to:

  • make a request to see exactly what personal data is 'processed' about them and to whom it is disclosed (on payment of a small fee, usually no more than £10, for a request that can cover all personal data held about them by, for example, the institution)
  • request to see a reasonable selection of the actual documents held about them

The DPA covers the 'processing' and 'retrieval' of data held in any form of medium, e.g. electronic (stored or processed electronically) or paper (such as a filing cabinet). Data which is stored haphazardly (with no way to systematically retrieve an individual's record) may be exempt from the Act.

What sort of 'data' is considered to be 'personal' data?

  • all data stored in management information systems (e.g. name and home address, date of birth, payment of fees)
  • library (e.g. library number), computer (e.g. email address), health and safety, student union data (affinities)
  • faculty or departmental data, including examination marks and markers' written comments on scripts
  • CVs, emails, documents and any archived versions of emails and documents written about a person
  • references

What kind of data would be considered to be 'sensitive' personal data (requiring a higher level of security and protection)?

  • student photograph
  • ethnic information, sexual orientation, health record

There are some instances when 'personal data' might be considered to be 'sensitive personal data' and vice versa. The exact definition has not yet been tested in the courts. You are required to register your processing of personal data, and declare to whom it is disclosed (this is called notification), with your data controller. Each institution usually has a data controller who is registered with the national Information Commissioner. You can search for your institution's entry on the register of data controllers website. If your institution is registered, then you should 'notify' your processing of data to your data controller. You can contact the named individual or department and ask for details of registering data or notifying.

What are some of the things that you must not do?

  • disclose your data to someone who is not included in the 'notification' statement (e.g. sell a list of names and home addresses without the consent of the data subjects, or dispose of a computer hard disc without professional and complete removal of all information stored on it)
  • allow data to become inaccurate, or keep data for longer than it is required (e.g. the original reference for an employee who has been in your service for 20 years)
  • see the Act for further details

You are required to obtain CONSENT to the processing of personal data prior to processing.  This can take the form of 'implicit consent' (e.g. handing over a credit card in order to make a purchase) or 'explicit consent' (e.g. signed statement giving permission for data to be processed for the purposes outlined in the statement).  A data subject can refuse to give consent and you must cease processing their personal data.


Disclaimer: This FAQ was originally written by Megan Quentin-Baxter, and amended by Christopher Smith, and does not reflect an official endorsement by the HEA or any other organisation. Any questions or queries should be sent to: megan@medev.ac.uk or enquiries@medev.ac.uk

Last updated: 04 July 2011

MEDEV is part of the Higher Education Academy Subject Centre for Medicine, Dentistry and Veterinary Medicine, School of Medical Sciences Education Development, Faculty of Medical Sciences, Newcastle University, NE2 4HH