- Email: email@example.com
The Data Protection Act 1998 (DPA) was passed in order to implement the European Directive on data protection and applies to all personal data which are held either electronically or in a manual filing system. The Act commenced on 1st March 2000 with most of its provisions becoming effective on 24th October 2001.
The University of Edinburgh is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.
The University holds personal information about individuals such as employees, students, graduates and others, defined as data subjects in the Act. Such data must only be processed in accordance with this policy and with the terms of the University's Notification to the Information Commissioner, which sets out the purposes for which the University holds and processes personal data. Any breach of the policy may result in the University, as the registered Data Controller, being liable in law for the consequences of the breach. This liability may extend to the individual processing the data and his/her Head of Department under certain circumstances.
This policy applies regardless of where the data is held and, in respect of automatically processed data, the ownership of the equipment used, if the processing is for University of Edinburgh purposes.
All data users must comply with the eight Data Protection Principles. The Principles define how data can be legally processed. 'Processing' includes obtaining, recording, holding or storing information and carrying out any operations on the data, including adaptation, alteration, use, disclosure, transfer, erasure, and destruction.
The DPA defines both personal data and sensitive personal data. Data users must ensure that the necessary conditions are satisfied for the processing of personal data and in addition that the extra, more stringent, conditions are satisfied for the processing of sensitive personal data.
Personal data has a broad ranging definition and can include not only items such as home and work address, age, telephone number and schools attended but also photographs and other images. Sensitive personal data consists of racial/ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life and criminal record.
The policy has been approved by the University Court on 9 July 2001 and any breach will be taken seriously and may result in action being taken under the appropriate disciplinary code.
Heads of School and managers of administrative and support services have a responsibility to ensure compliance with the Act and this Code, and to develop and encourage good information handling practices, within their areas of responsibility. All users of personal data within the University have a responsibility to ensure that they process the data in accordance with the eight Principles and the other conditions set down in the DPA.
The University has issued detailed guidance to assist Heads of School and managers fulfil these obligations.
Heads of School may choose to delegate the management of, but not the responsibility for, Data Protection matters to a departmental Data Protection adviser.
The University will perform periodic audits to ensure compliance with this Code and the Act and to ensure that the notification is kept up-to-date.
Responsibility for ensuring the University's compliance with the Act with respect to alumni has been delegated to the Director of Development & Alumni Services (DAS). Heads of Schools holding and using information on alumni must keep DAS informed about all activities involving former students.
Academic and academic-related staff are responsible for the conduct in these matters of the students whom they supervise. The use of personal data by students is governed by the following
Use of personal data by students is subject to the regulations set out below. The University's policy stated above and the regulations are based on the principle that students must only use personal data under the guidance of a member of staff. A breach of these regulations is an offence against University discipline.
The Act gives data subjects a right to access to personal data held about them by the University, and allows the University to charge a fee for such access (up to a prescribed maximum). The University will seek to take an approach which facilitates access to their personal data by individuals without them having to make formal subject access requests under the Act, whilst acting within the Data Protection Principles. A record must be kept of all requests for access to personal data.
All formal subject access requests must be responded to within the terms laid down by the Act, and must be notified to the Data Protection Officer as soon as they are received. Any cases of doubt as to whether a request for access to personal data is a subject access request under the Act must be referred to the Data Protection Officer without delay.
The University will normally charge the prescribed maximum fee (currently £10) for subject access requests.
Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. This applies to both electronic and non-electronic personal data. The University will publish a policy on retention that will allow users to apply a common standard University-wide in relation to disposal of personal data.
When personal data is transferred internally the recipient must only process the data in a manner consistent with the University's Notification and the original purpose for which the data was collected.
Personal data can only be transferred out of the European Economic Area under certain circumstances. The Act lists the factors to be considered to ensure an adequate level of protection for the data and some exemptions under which the data can be exported. Information published on the Web must be considered to be an export of data outside the EEA.
All University users of personal data must ensure that all personal data they hold is kept securely. They must ensure that it is not disclosed to any unauthorised third party in any form either accidentally or otherwise.
The University has adopted a policy that the outcome of examinations or assessments should not be determined solely by automatic processing without any human intervention. This condition can be met, for example, by a member of staff reviewing the outcome of automatic processing, or by an Examination Board reaching the final decision on the result.
(Explanatory Note: 'Reviewing' the outcome of automatic processing does not mean checking it in detail, but rather implies inspecting the results in order to so as to identify possible errors or anomalies so that these may be investigated further, and as such is consistent with good academic practice.)
The University has notified the Office of the Information Commissioner that it to processes personal data. Questions related to the terms of the notification and other day to day matters on the operation of the policy and the Act can be dealt with by the Data Protection Officer for the University. The Data Protection Officer can be contacted using the email address below.