Data Protection at York



	Data Protection

	Background The Data Protection Act 1998 came into force on 1 March 2000. It is concerned with the rights of individuals to gain access to personal information held about them by an organisation or individual within it, and the right to challenge the accuracy of data held. Note that the terms of the Act relate to data held in any form, including written notes and records as well as electronic data. The Act also requires that all staff and others who process or use any personal information must ensure that they adhere to the eight data protection principles. In summary, these require that personal data shall: be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met; be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose; be adequate, relevant and not excessive for those purposes; be accurate and kept up-to-date; not be kept for longer than is necessary (NB Retention of data for historical or statistical research is allowed under Section 33 of the Act); be processed in accordance with the data subject's rights; be kept safe from unauthorised access, accidental loss or destruction; not be transferred to a country outside the EEA (the EU member states, plus Norway, Iceland and Liechtenstein), unless that country has adequate levels of protection for personal data. University Policy and Guidelines The 1998 Data Protection Act : University Policy, Procedures and Guidelines University of York Information Access and Security Policy Guide to References (detailed) Short Guide to References Registration The University's registration and notification of its uses of personal data can be viewed as part of the Public Register of Data Controllers maintained by the Information Commissioner's Office. The University's registration number is Z4855807. Where you use personal data to assist you in carrying out your job or research, where you or your department are collecting, using or processing personal information in a new way or for a new purpose, information on the purpose, type of data involved and the recipients of those data must be notified to the Information Commissioner and our registration updated accordingly. Further information on registration and notifying your uses of personal data is provided separately. The University's Records Manager can also provide fuller details of the Data Protection Act, procedures for compliance, and will be pleased to help with registration. Web page authors should pay particular attention to the necessity to gain permission of staff/students before including photographs or biographical details on the web. The Information Commissioner has stated that: 'There should be nothing in the Data Protection Act which prevents the achievement of a legitimate business objective. What it does ensure is that the rights of the individual are respected.' Useful links / Further information The Information Commissioner's Office Lancaster University Data Protection Project Group Joint Information Services Committee (JISC) The University's Strategy for Records Management Economic and Social Data Service: Guidance for Researchers Data Protection - Information for Students Subject Access Requests HESA Collection Notices (students) HESA Collection Notice (staff) Privacy and Electronic Communications Regulations 2003 Freedom of Information