Records Management

University of Edinburgh data protection policy

The Data Protection Act 1998 (DPA) was passed in order to implement the European Directive on data protection and applies to all personal data which are held either electronically or in a manual filing system. The Act commenced on 1st March 2000 with most of its provisions becoming effective on 24th October 2001.

The University of Edinburgh is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data.

The University holds personal information about individuals such as employees, students, graduates and others, defined as data subjects in the Act. Such data must only be processed in accordance with this policy and with the terms of the University's Notification to the Information Commissioner, which sets out the purposes for which the University holds and processes personal data. Any breach of the policy may result in the University, as the registered Data Controller, being liable in law for the consequences of the breach. This liability may extend to the individual processing the data and his/her Head of Department under certain circumstances.

This policy applies regardless of where the data is held and, in respect of automatically processed data, the ownership of the equipment used, if the processing is for University of Edinburgh purposes.


All data users must comply with the eight Data Protection Principles. The Principles define how data can be legally processed. 'Processing' includes obtaining, recording, holding or storing information and carrying out any operations on the data, including adaptation, alteration, use, disclosure, transfer, erasure, and destruction.

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be held only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
  4. Personal data shall be accurate and where necessary kept up to date.
  5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
  6. Personal data shall be processed in accordance with the rights of data subject under the DPA.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of the data.
  8. Personal data shall not be transferred to a country or a territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The DPA defines both personal data and sensitive personal data. Data users must ensure that the necessary conditions are satisfied for the processing of personal data and in addition that the extra, more stringent, conditions are satisfied for the processing of sensitive personal data.

Personal data has a broad ranging definition and can include not only items such as home and work address, age, telephone number and schools attended but also photographs and other images. Sensitive personal data consists of racial/ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life and criminal record.

Status of the Policy

The policy has been approved by the University Court on 9 July 2001 and any breach will be taken seriously and may result in action being taken under the appropriate disciplinary code.

Responsibilities of Heads of Departments and Data Users

Heads of School and managers of administrative and support services have a responsibility to ensure compliance with the Act and this Code, and to develop and encourage good information handling practices, within their areas of responsibility. All users of personal data within the University have a responsibility to ensure that they process the data in accordance with the eight Principles and the other conditions set down in the DPA.

The University has issued detailed guidance to assist Heads of School and managers fulfil these obligations.

Heads of School may choose to delegate the management of, but not the responsibility for, Data Protection matters to a departmental Data Protection adviser.

The University will perform periodic audits to ensure compliance with this Code and the Act and to ensure that the notification is kept up-to-date.

Responsibility for ensuring the University's compliance with the Act with respect to alumni has been delegated to the Director of Development & Alumni Services (DAS). Heads of Schools holding and using information on alumni must keep DAS informed about all activities involving former students.

Handling of Personal Data by Students

Academic and academic-related staff are responsible for the conduct in these matters of the students whom they supervise. The use of personal data by students is governed by the following

  • A student should only use personal data for a University-related purpose with the knowledge and express consent of an appropriate member of staff (normally, for a postgraduate, this would be the supervisor, and for an undergraduate the person responsible for teaching the relevant class/course).
  • The use of University-notified personal data by students should be limited to the minimum consistent with the achievement of academic objectives. Wherever possible data should be de-personalised so that students are not able to identify the subject.

Use of personal data by students is subject to the regulations set out below. The University's policy stated above and the regulations are based on the principle that students must only use personal data under the guidance of a member of staff. A breach of these regulations is an offence against University discipline.

  1. Students must not construct or maintain files of personal data for use in connection with their academic studies/research without the express authority of the appropriate member of staff.
  2. When giving such authority, the member of staff shall make the student aware of the requirements of the Data Protection Act and of the appropriate level of security arrangements which attach to the particular set of personal data.
  3. Students must abide by the Data Protection Principles and follow the instructions of the University in relation to any uses of personal data notified by the University.

Access to data

The Act gives data subjects a right to access to personal data held about them by the University, and allows the University to charge a fee for such access (up to a prescribed maximum). The University will seek to take an approach which facilitates access to their personal data by individuals without them having to make formal subject access requests under the Act, whilst acting within the Data Protection Principles. A record must be kept of all requests for access to personal data.

All formal subject access requests must be responded to within the terms laid down by the Act, and must be notified to the Data Protection Officer as soon as they are received. Any cases of doubt as to whether a request for access to personal data is a subject access request under the Act must be referred to the Data Protection Officer without delay.

The University will normally charge the prescribed maximum fee (currently £10) for subject access requests.

Retention of Data

Personal data must only be kept for the length of time necessary to perform the processing for which it was collected. This applies to both electronic and non-electronic personal data. The University will publish a policy on retention that will allow users to apply a common standard University-wide in relation to disposal of personal data.

Data Transfer

When personal data is transferred internally the recipient must only process the data in a manner consistent with the University's Notification and the original purpose for which the data was collected.

Personal data can only be transferred out of the European Economic Area under certain circumstances. The Act lists the factors to be considered to ensure an adequate level of protection for the data and some exemptions under which the data can be exported. Information published on the Web must be considered to be an export of data outside the EEA.

Data Security

All University users of personal data must ensure that all personal data they hold is kept securely. They must ensure that it is not disclosed to any unauthorised third party in any form either accidentally or otherwise.

Automatic Processing of Examinations

The University has adopted a policy that the outcome of examinations or assessments should not be determined solely by automatic processing without any human intervention. This condition can be met, for example, by a member of staff reviewing the outcome of automatic processing, or by an Examination Board reaching the final decision on the result.

(Explanatory Note: 'Reviewing' the outcome of automatic processing does not mean checking it in detail, but rather implies inspecting the results in order to so as to identify possible errors or anomalies so that these may be investigated further, and as such is consistent with good academic practice.)

Data Protection Officer

The University has notified the Office of the Information Commissioner that it to processes personal data. Questions related to the terms of the notification and other day to day matters on the operation of the policy and the Act can be dealt with by the Data Protection Officer for the University. The Data Protection Officer can be contacted using the email address below.

Records Management Section

Contact details