Data Protection Act



The Data Protection Act 1998 governs the University's use of personal information: information about identifiable, living individuals. It seeks to balance the needs of an organisation to collect and process personal details with the rights of the individual.

Most staff, and many students engaged on research projects, will have will have access to personal information in the course of their employment or studies. This might range from someone’s name and private address in a letter, to an interview transcript, file or computer record relating to an individual.

The Act covers all uses of personal information: from reading it (viewing it on a computer screen, having access to it in paper records), gathering it (e.g. from application or survey forms or through research), disclosing it (within or outside the University), or simply holding or storing personal information (where and for how long?). Personal information might be on paper or held electronically, it might be a written document, a file, or a picture (e.g. a photograph, CCTV images).

To make sure we use and manage personal information responsibly, the Act establishes 8 rules for using personal data. To ensure that organisations adhere to these rules, it also provides those whom the information is about with a right of access to their data.

The government office responsible for overseeing the enforcement and promotion of the Data Protection Act is that of the Information Commissioner.


What is the DPA for?

  • The Act aims to protect the privacy of the individual in relation to the personal information we as an organisation may hold about them. An individual may be an employee, a student, an alumnus, a contractor, a third-party or a customer.
  • It recognises that organisations like the University have many legitimate reasons for holding and processing personal data and so seeks to ensure that everyone who works with personal information does so responsibly and with regard to the rights of the individuals whom the data is about.
  • It places obligations on those who process information (data controllers) while giving rights to those who are the subject of that data (data subjects). Accordingly the Act is intended to "strike a helpful balance between the rights of individuals and the sometimes competing interests of those with legitimate reasons for using personal information."

Further information

Further information on the purposes for which the University uses personal data can be found in the:

Personal data

Personal data

What are personal data?

'Data' covers all information: whether held electronically, on paper, fiche or film.

Personal data means data which relate to a living individual who can be identified:

  • from those data, or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (e.g. the University).

Personal information covers both recorded facts and any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Information is most likely to be deemed personal data where the information

  • affects the privacy of the individual concerned
  • is biographical, or
  • where the individual is the focus of the information.


  • Personal file
  • Notes on, or discussion about someone – e.g. interview notes
  • Job reference
  • Name and home or personal address
  • National insurance number
  • Passport photograph
  • Medical or health data

When is something not personal data?

  • When it is completely anonymised (and an individual cannot be identified directly or indirectly)
  • When the individual is deceased

Further information

Sensitive personal data

Sensitive personal data

What are sensitive personal data?

Certain types of personal data are classed as being particularly sensitive by the Data Protection Act. These are personal data which consist of information as to an individual's

  • racial or ethnic origin,
  • political opinions,
  • religious beliefs or other beliefs of a similar nature,
  • membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
  • physical or mental health or condition,
  • sexual life,
  • commission or alleged commission any offence, or
  • any proceedings for any offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in such proceedings.

Sensitive personal data are subject to a higher standard of protection and stricter conditions under the Act. They can only be processed under certain circumstances and with appropriate grounds. These are outlined in Schedule 3 of the Data Protection Act (a Schedule 2 condition must also be met). In many cases the explicit consent of the Data Subject will be required to hold and process sensitive personal details. This means that opt-outs or gaining consent for very broad purposes will not be appropriate for such data.