Data Protection Act 1998

  1. The Data Protection Act 1998 governs the collection, storage, use and disclosure of personal data, whether held electronically (e.g. in emails, on computer) or in paper/microfiche records. It applies to all staff who create, store, handle or view personal information that relates to any living individual who can be identified from that data or other information held by the University.
  2. An employer's first priority is to comply with the law and to inform staff that they can in some cases be held responsible if any personal data are improperly disclosed or collected. The University must:
    • be open about the reasons for which personal data are collected;
    • ensure that any personal data collected are relevant, adequate and not excessive, accurate and held for no longer than necessary;
    • ensure that personal data are only used for the purposes registered under the Act;
    • ensure the security of the personal data held;
    • have subject access procedures in place so that individuals can check for themselves that their personal data are held accurately and confidentially.
  3. The University’s Data Protection Policy and Guidelines can be viewed at http://www.york.ac.uk/recordsmanagement/dpa/. Any breach or violation of this policy or the regulations governing the use of computing facilities will be regarded as a disciplinary offence and be dealt with under the University’s disciplinary procedures.
  4. Registered data users must comply with the Data Protection Principles in relation to the personal data they hold. Personal data shall be:
    • obtained and processed fairly and lawfully;
    • held for specified lawful purpose(s) and not be used or disclosed in a way incompatible with the purpose(s);
    • adequate, relevant and not excessive for the purpose(s);
    • accurate and, where necessary, kept up to date;
    • not kept longer than necessary;
    • available to the data subject and processed in accordance with their rights;
    • kept secure (safe from unauthorised access, accidental damage or loss);
    • not transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights of data subjects, or one of the specific conditions permitting such a transfer (for example, the data subject's consent) is met.
  5. The Data Protection Principles also provide for individuals to have access to data held about themselves and, where appropriate, to have the data corrected or deleted.
  6. Written requests from individuals to have access to the data held about them should be directed to the Records Manager who co-ordinates such requests. A standard ‘subject access request form’ is available from the Data Protection website and the Records Manager.
  7. As a data controller, the University is legally obliged to notify the Information Commissioner of the purposes for which it uses personal data; these notifications form part of the public register of data controllers.
  8. The University’s Records Manager is also the University’s Data Protection Officer. Besides overseeing subject access requests, he undertakes the registration (notification) of personal data processing on behalf of the University. It is therefore essential that departments supply as much information as possible about their use of personal data. Individuals are not expected to register independently, but it is vitally important that all qualifying activity is recorded. Registration is an ongoing process: penalties can be imposed for processing that has not been registered, and it is easier to withdraw an entry that is no longer needed than to add a missing item after the fact. Staff are therefore asked to survey all their records annually and identify those that fall within the scope of the Act. For further information and guidelines, please contact the Records Manager.

Document Control

Title: Data Protection Act 1998
Applicable to: All Staff
Date Last Reviewed: October 2006
Procedure Owner: Human Resources