General Compliance with Data Protection
Where staff, in the normal course of their work, collect, access or process personal data about other staff or students, the following guidelines should be followed:
- They must comply with the data protection principles set out in the University Data Protection Policy. In particular, staff must ensure that the records are:
- Fair - which requires that they are not used for purposes other than those for which the information was obtained and the subject of the information is not deceived in any way as to these purposes
- Kept and disposed of safely, and in accordance with the University Data Protection Policy.
- Personal Information
Staff should be aware that, for the purposes of the Act, and the University’s policy, Personal Information or Data includes information kept as part of “a relevant filing system”, i.e. information which is stored in manual records, such that information is structured with references to individuals, or criteria relating to them, so that specific information relating to them is readily accessible. This may include human resources records, or student registers or files which are stored alphabetically as well as information collected with the intention that it will be filed in such a system. In other words, it is not just computerised information that is included. Paper records are also covered and the duty of care exercised by staff when collecting, accessing or processing data extends to paper records stored in “a relevant filing system”.
- Data Security
All staff are responsible for ensuring that:
- Any personal data which they hold is kept securely;
- Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised party.
Unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.
Personal information should be kept securely, for instance;
- in a locked filing cabinet; or
- a locked drawer; or
- a locked office
- if computerised, be password protected; or
- kept only on a disk, which is itself kept securely.
- Staff Checklist for Recording Data
Before processing any personal data, all staff should consider the following checklist.
a) Do you really need to record the information?
b) Is the information ‘standard’ or is it ‘sensitive’?
c) If it is sensitive, has the data subject’s express consent been obtained?
d) Has the student/member of staff been told that this type of data will be processed?
e) Are you authorised by your Head of Department to collect, store or process the data?
f) If yes, have you checked with the data subject (i.e. the student or member of staff concerned) that the data is accurate?
g) Are you sure that the data is secure?