The Data Protection Act 1998 governs the University's use of personal information: information about identifiable, living individuals. It seeks to balance the needs of an organisation to collect and process personal details with the rights of the individual.
Most staff, and many students engaged on research projects, will have will have access to personal information in the course of their employment or studies. This might range from someone’s name and private address in a letter, to an interview transcript, file or computer record relating to an individual.
The Act covers all uses of personal information: from reading it (viewing it on a computer screen, having access to it in paper records), gathering it (e.g. from application or survey forms or through research), disclosing it (within or outside the University), or simply holding or storing personal information (where and for how long?). Personal information might be on paper or held electronically, it might be a written document, a file, or a picture (e.g. a photograph, CCTV images).
To make sure we use and manage personal information responsibly, the Act establishes 8 rules for using personal data. To ensure that organisations adhere to these rules, it also provides those whom the information is about with a right of access to their data.
The government office responsible for overseeing the enforcement and promotion of the Data Protection Act is that of the Information Commissioner.
Further information on the purposes for which the University uses personal data can be found in the:
'Data' covers all information: whether held electronically, on paper, fiche or film.
Personal data means data which relate to a living individual who can be identified:
Personal information covers both recorded facts and any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Information is most likely to be deemed personal data where the information
- ICO Guide: Determining what is personal data
Certain types of personal data are classed as being particularly sensitive by the Data Protection Act. These are personal data which consist of information as to an individual's
Sensitive personal data are subject to a higher standard of protection and stricter conditions under the Act. They can only be processed under certain circumstances and with appropriate grounds. These are outlined in Schedule 3 of the Data Protection Act (a Schedule 2 condition must also be met). In many cases the explicit consent of the Data Subject will be required to hold and process sensitive personal details. This means that opt-outs or gaining consent for very broad purposes will not be appropriate for such data.