The purpose of these guidance notes is to underpin the University Data Protection Policy and to provide a guide to best practice in Data Protection.
Data Protection Acts 1984 and 1998
1. The Data Protection Act, 1984, introduced basic principles of data protection, which set standards that all registered users were required to observe. It was designed to protect individuals from any disadvantage which might result from their personal details being held on computer, for example if the information became out of date, was lost, or was made available to people or used for purposes other than those it was collected for. The Act also set up the framework for compulsory registration of data users, and established the Data Protection Registrar to organise this process and to ensure compliance.
2. The Data Protection Act, 1998, replaces the 1984 Act, and builds upon and expands the controls on personal data under the 1984 Act. Under the 1998 Act, the data protection principles have been extended and 'personal data' now includes information held in certain manual filing systems. In particular, this includes paper or manual records which are kept in an organised filing system. Individuals are given enhanced rights to receive details of data held about them and why it is being held, and to prevent its use. The processing of data will only be fair if certain conditions have been met, and some information is classed as 'sensitive data', on the use of which there are particular restrictions. There are also restrictions on the transfer of data to countries outside the European Economic Area. The 1998 Act replaces the office of the Data Protection Registrar with that of the Information Commissioner, and the registration of data users is replaced by notification.
3. The University has an entry in the Data Protection Register under registration number Z6390975. This includes details of the classes of person whose data may be held, the purposes for which it is held, the sources from which it may be obtained, and the classes of persons to whom it may be disclosed. Details of the University's current notification can be accessed on the Information Commissioner's web site at http://www.informationcommissioner.gov.uk/.
The University's registration is reviewed and updated annually. If a new project involving personal data is being set up, or data already held are to be made available to different categories of people or used for a different purpose than the original, the person responsible must inform the University's Data Controller.
Any formal requests under the Act from data subjects regarding information held on them must be referred to the Director of Legal & Compliance who is the University's Data Protection Officer, no matter which office or department is processing the information.
Staff Guidelines for Data Protection
4. All staff will process data about students on a regular basis, when marking registers, marking coursework and examinations, writing reports or references, or as part of a pastoral or academic supervisory role. The University will ensure, through registration procedures, that all students are informed that the University undertakes this sort of processing, and are notified of the categories of processing, as required by the 1998 Act. The information that staff will deal with on a day-to-day basis will be 'standard' and will cover categories such as:
General personal details e.g. name and address
Details about class attendance, course work marks and grades and associated comments
Notes of personal supervision, including matters of behaviour and discipline
5. Information about a student's physical or mental health, sexual life, political or religious views, trade union membership, ethnicity or race is 'sensitive' data and can only be collected and processed with the student's explicit consent. If staff need to record this information they should contact Student Administrative Services. This might be required, for example, for health reasons prior to taking students on a field trip, or for pastoral duties when a student has health problems.
6. Staff may also collect and process data about other staff in the University. Heads of Departments may, for example, process data about the staff in their departments, or research group leaders may process data about the members of their groups. The University will ensure that all staff are notified of the types of data held on them and the categories of processing. Most of the information collected will be standard data, but if, for any reason, sensitive data, as set out in paragraph 5, is required to be collected and processed, then the express consent of the individuals concerned must be obtained.
7. All staff have a duty to make sure that they comply with the data protection principles, which are set out in the University Data Protection Policy. In particular, staff must ensure that records are:
Kept and disposed of safely and in accordance with the University's Records Retention and Disposal Policy.
8. Staff must not disclose personal data unless for institutional purposes in line with University policy. The only exception to this will be if a member of staff is satisfied that the disclosure of the personal data is necessary:
In the best interests of the student or staff member, or a third person, or the University; AND
He or she has either informed the Data Subject of this, or has been unable to do so and disclosure is urgent and necessary.
This should happen only in exceptional circumstances, e.g. medical emergency.
9. The need to ensure that data is kept securely means that precautions must be taken against physical loss or damage, and that both access and disclosure must be restricted. All staff should ensure that:
Any personal data which they hold is kept securely
Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.
10. All personal information in the form of manual records should be:
Kept in a locked filing cabinet; or
Kept in a locked drawer
If information is computerised, it should be:
Password protected, with passwords being regularly changed, so that only authorised people can view or alter confidential data; or
Kept only on a disk which is itself kept securely in a desk or cabinet to avoid physical loss or damage.
11. To avoid unauthorised disclosure, care must be taken to site PCs and terminals so that they are not visible except to authorised people. Screens should not be left unattended when personal data is being processed. Similarly, care must be taken to ensure that manual records, e.g. staff or student files, or printouts containing personal data, are not left where they can be accessed by unauthorised staff.
12. When manual records, or printout containing personal data, are no longer required, they should be shredded or bagged and disposed of securely.
13. Particular care must be taken of any data taken away from the University, for example manual records to be used at home, or computerised data for use on portable computers or home machines. Ensure that all work is kept confidential and, in the case of computerised information, that files are not exposed to risk from virus infection.
Use of Personal Data for Research Purposes
14. There are some exemptions from the 1998 Act for personal data processed for academic, scientific, historical or statistical research. Provided that personal data has been obtained fairly and lawfully, then the subsequent use of that data for research purposes will not breach the second data protection principle. Data collected for the purposes of one piece of research can be used for other research, and may be kept indefinitely. However, there must be no direct consequences for the individuals in respect of whom the research is carried out and the personal data must not be processed in a way which is likely to cause damage or distress to any data subject.
15. In order to avoid subject access provisions, the results of research or statistics should not be made available in a form which identifies the individuals concerned. Wherever possible, researchers should follow a principle of 'pseudonymity' in handling personal data and, for example, avoid the storage of names and addresses directly on computer by relying on reference codes instead.
16. Care should be taken when writing confidential references. Under Data Protection legislation, a confidential reference given by the University to a third party, for the purposes of education, employment, training, appointment to a public office or any service being provided by the individual who is the subject of the reference, should remain confidential and is exempt from the subject access provisions, in that the subject cannot gain access to it from the person writing the reference. However, there are occasions when references will have to be disclosed, for example references which the University has received and keeps on file.
Staff Checklist for Recording Data
17. Before processing any personal data, all staff should consider the following checklist:
Do you really need to record the information?
Is the information 'standard' or is it 'sensitive'?
If it is sensitive, do you have the data subject's express consent?
Has the subject been told that this type of data will be processed?
Are you authorised to collect/store/process the data?
Have you checked with the data subject that the data is accurate?
Are you sure that the data will be secure?
If you do not have the data subject's consent to process, are you satisfied that it is in the best interests of the student or staff member to collect and retain the data?
Do you know how long to keep the data for, and when and how to dispose of it?
18. Further information and advice can be obtained from the University's Data Controller, Kevan Ryan, Legal & Compliance, Ext. 42110, and from the University web pages on Data Protection at http://www.liv.ac.uk/legal/data_protection/index.htm. Advice on how long to keep information may be obtained from the University's Records Manager, Michelle Alexander, Computing Services Department, Ext. 45675.