The University of Northampton
Records Management Unit

Information for Staff on the Data Protection Act

» About the Data Protection Act

The Data Protection Act creates personal liabilities and responsibilities for every member of staff and every manager with responsibility for personal data. The Act regards data as including paper records, emails, other electronic files and folders, databases, CCTV and other video footage, photographs, comments on exam scripts, etc.

The Act is designed to protect the rights of the individual and to allow that individual access to their own personal data (with a few exemptions).

» University policy & procedure

» Principles of good practice under the Act

The Act puts in place eight principles of good information handling practice which need to be complied with.

The principles state that personal data must be:

  1. Fairly and lawfully processed
  2. Processed for limited purposes
  3. Adequate, relevant and not excessive
  4. Accurate and up to date
  5. Not kept for longer than is necessary
  6. Processed in accordance with an individual's rights
  7. Secure
  8. Not transferred to countries that do not have adequate data protection legislation

» Basic guidance for better Data Protection compliance

If staff wish and/or need to take photographs of individuals (data subjects) or small groups, then they must notify and seek the explicit consent of the people being photographed.

Do not express unsubstantiated opinions about individuals in emails, in other correspondence, verbally in public areas, or in notes made on documents such as exam scripts. They are all potentially accessible by the person concerned via a Subject Access Request made under the Act.

Unless you have the written consent of the data subject, never reveal personal data to unauthorised third parties; this includes family, landlords and friends.

Do not leave an individual's personal data lying around on your desk when you are not using it - if possible keep personal data in a locked cabinet to prevent unauthorised access.

Do not leave an individual's data displayed on a screen after you have finished processing it, and lock your workstation when you are leaving it unattended.

Limit the sharing of personal information to those colleagues who really need to use it. Putting sensitive personal data on the Internet or Intranet without the explicit consent of the individual is particularly bad practice and is, in the case of the Internet, in breach of the 8th Data Protection principle.

Bear in mind that an individual may be regarded as being identified without necessarily having the details of that person's name and address. For example, in the case of a table of statistics that shows a set of students numbering fewer than 5, it would be unwise from a Data Protection context to provide a breakdown of nationality, race, ethnicity, disability, etc. to staff who don't need that level of information, because such small numbers can potentially be used to identify individuals.

The Information Commissioner's Office has produced two short DVDs, The Lights are On and Beware! Blaggers Coming to a Phone Near You.

» Conditions of processing

To comply with the principles, at least one of six conditions must be met in order to process personal information:

  1. The individual has consented to the processing
  2. Processing is necessary for the performance of a contract with the individual
  3. Processing is required under a legal obligation (other than one imposed by the contract)
  4. Processing is necessary to protect the vital interests of the individual
  5. Processing is necessary to carry out public functions
  6. Processing is necessary in order to pursue the legitimate interests of the data controller or third parties (unless it could unjustifiably prejudice the interests of the individual)

» Data protection for casual/temporary staff

Basic guidance is available in the document Data protection for casual/temporary staff (Word), which includes:

  • Disclosures of personal data
  • Control of access to personal data
  • Disposal / transfer of personal data
  • Removal of personal data from University premises

It also includes a copy of the form 'Declaration of Confidentiality for Temporary and Casual Staff'.

» Sensitive data

Specific provision is made under the Act for processing sensitive personal information. This includes racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health condition, sex life, criminal proceedings or convictions. For personal information to be considered fairly processed, at least one of several extra conditions must be met. These include:

  • Having the explicit consent of the individual
  • Being required by law to process the information for employment purposes
  • Needing to process the information in order to protect the vital interests of the individual or another person
  • Dealing with the administration of justice or legal proceedings

If you require further information or help please contact the Records Management Unit on x2823 or email recordsmanager@northampton.ac.uk.

» Further information