Further Guidance on the Data Protection Act 1998
1. What is Data Protection?
The Data Protection Act 1998 is a law designed to protect the privacy of individuals, in particular with regard to the processing of their personal information. It should be seen as an extension of human rights legislation. Both manual records (paper files, card index systems, microfilm, microfiche, audio/video tape, notebooks and diaries, etc.) and computer records are covered by the Act.
The Act sets out eight principles with which all processing of personal information must comply. When carrying out any work involving personal information it is important that these eight principles and their conditions are borne in mind. Broadly, the principles state that data should be:
- processed fairly and lawfully;
- obtained and processed for specified purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- held for no longer than necessary;
- processed in accordance with the rights of individuals;
- kept secure;
- transferred outside the European Economic Area only if adequate safeguards exist.
The Data Protection Act complements the Freedom of Information Act 2000, which gives individuals and companies from anywhere in the world access to non-personal information held by the University.
2. How does it affect me?
Individuals can be prosecuted under the legislation. Fines of up to £5000 could result if you use or disclose information about other people without their consent or proper authorisation. You should take particular care when using the Internet, e-mail and the internal network. Special care must also be taken with sensitive data such as ethnic origins, religious/political beliefs, health data, details of offences or alleged offences, sexual life or trade union membership.
There are strict limits on what data (whether on computer, in filing cabinets or elsewhere) can be stored, used and disclosed. If you are unsure about any work you are asked to do, or any disclosure you are asked to make, contact the Head of Compliance on extension 2413, or e-mail: email@example.com.
Disclosures to outside organisations, including the police and other agencies, should be treated with great care. Contact the Head of Compliance if you receive such a request. Disclosures to colleagues, managers and others within the University will depend upon a number of factors. If the information requested seems excessive, or if you are not sure if you are allowed to supply the data, always ask your line manager and/or Head of Compliance.
In general:
- do not leave people's information on your desk when it is not in use;
- lock all filing cabinets;
- do not leave data displayed on screen;
- do not leave your computer logged on and unattended;
- do not give your password to anyone under any circumstances;
- do not choose a password that is easy to guess;
- never send anything by fax or e-mail that you would not put on the back of a postcard.
3. How should I respond?
Individuals have the right to check the validity of the data held about them by the University. By submitting a request in writing and paying the fee required the individual may obtain a copy of data held about him/her. Individuals may ask any member of staff for information on how to make a request, or a completed request may come into any school or department within the University and therefore it is essential that staff are aware of the procedures to follow.
The appropriate form for making a data subject access request can be found by clicking on "Guide to Requesting Information from the University" on the University's data protection web pages; alternatively, a hard copy can be requested from the Head of Compliance. There will be a charge of £10 for this service, and the University will usually have 40 days to respond to the request, so it is essential that any requests received are forwarded to the Head of Compliance as soon as possible.
Bangor University also accepts initial contact with regard to subject access requests via e-mail: firstname.lastname@example.org. However, if a request is submitted by e-mail it will be necessary for the individual to supply a contact address so that the University can contact them for verification purposes and if further information is required. It is important to be aware that a fee is payable whether the request is submitted by electronic means or by post, and also that at present BU does not send out the information requested by electronic means.
Some kinds of personal data are exempt from the provisions of the Act, and there are some exceptions to the data subject's right of access.
It is important that you ask for further guidance if you are unsure how to advise an individual regarding this procedure. Further information can be obtained from:
Head of Compliance
Planning and Governance Office
Prifysgol Bangor University
Tel (01248) 382413
References Given by the University
The University has recently received guidance from the Information Commissioner that internal references should be released if a member of staff makes a subject access request under the Data Protection Act.
However, references given by the University that are intended for external use can only be released with the express permission of the author.
References Received by the University
Confidential references received by the University are not exempt from the provisions of a subject access request. However, consideration should be given to the rights of the referee, and consent should be sought.
5. What about complaints?
An individual may complain to the University if they feel that their personal data has been processed without their consent, that their request for information was not dealt with appropriately, that the University failed to respond within the 40-day deadline, or that the University failed in its duty to provide them with advice and assistance. The complaint will be dealt with via the University's complaints procedures in the first instance.
The individual may also take the matter up with the Information Commissioner who is the regulatory authority for the Act and has powers of enforcement.
The Information Commissioner
6. Records management good practice
Make your records easy to understand by a third party!
The Data Protection Act and the recent implementation of the Freedom of Information Act now mean that most of the University's recorded information is readily accessible, either via data protection or freedom of information legislation. Staff must be aware of this when creating records. Good records are accurate, factual, clear and up to date, and staff must refrain from including personal opinions that they would be unable to back up with fact.
The Head of Compliance is available to provide advice to all members of staff on good records management practice. The aim is to ensure that all recorded information is created, maintained, controlled and disposed of in a way that facilitates its most efficient and effective use. Advice can be given on, for example:
- All aspects of records-keeping.
- Confidential destruction of records when they come to the end of their life cycle.
- Identification of materials for eventual transfer to the Records Centre.
- Identification and transfer of archival material to the archive for permanent preservation.
Guidance is given below on specific aspects of good record keeping:
Committee Agendas and Papers
Best practice suggests that agendas for committees should be divided into two sections – unreserved business and reserved business (which would include sensitive information such as personal information).
Minutes and reports
Staff should assume when writing committee minutes and reports that they may be made available to an individual making a subject access request, unless it is clear that some or all of the content falls within exemptions. However, this aspect will require careful consideration: whilst a tabled paper for a committee may be covered by an exemption, a reference to that paper in the minutes of the committee may not be.
Staff should take particular care when composing e-mails: although a less formal style of writing is usually adopted, e-mails are included in the definition of information under the Act and could therefore be disclosed to an individual making a subject access request.