Data Protection Act 1998

Please contact Fiona Dumbelton for further information. Tel: 01782 733373.

The University is registered with the Information Commissioner under the terms of the Data Protection Act 1998. The Act allows individuals to obtain a copy of their own personal data, which includes electronic files, paper files, video, CCTV and any other medium. It seeks to strike a balance between the rights of individuals and the interests of those with legitimate reasons for using personal information.

Guidance to the Data Protection Act 1998

Introduction

The University is registered with the Information Commissioner under the terms of the Data Protection Act 1998. The Act allows individuals to obtain a copy of their own personal data, which includes electronic files, paper files, video, CCTV and any other medium. It seeks to strike a balance between the rights of individuals and the interests of those with legitimate reasons for using personal information.

Definition of Personal Data

The Data Protection Act 1998 applies to 'personal data', that is data about living individuals. ‘Personal data’ is defined under the Act as “data which relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or likely to come into the possession of the data controller” (the University).

It includes any expressions of opinion about the individual as well as statements of fact. Certain classes of data are classified as ‘sensitive personal data’ under the Act, for example, race or ethnic origin, religious beliefs, physical or mental health or condition, sexuality or criminal offences, whether proven or alleged.

 

The Data Protection Principles

When processing personal information, the University must do so in accordance with the eight Data Protection Principles, which states that information must be:

  • Fairly and lawfully processed;
  • Processed for limited purposes;
  • Adequate, relevant and not excessive;
  • Accurate;
  • Not kept for longer than is necessary;
  • Processed in line with your rights;
  • Secure;
  • Not transferred to countries without adequate protection.

 

Authorised Recipients

The University is registered to hold data under ten Purposes, which are: Staff, Agent and Contractor Administration; Advertising, Marketing, Public Relations, General Advice Services; Accounts and Records; Education; Student and Staff Support Services; Research; Other Commercial Services; Publication of the University Magazines and Handbooks; Crime Prevention and Prosecution of Offenders (e.g. use of CCTV) and Alumni Relations.

Each registered Purpose for which the University holds data on individuals contains a listing of authorised recipients of the data concerned. These are the individuals and bodies to which, if appropriate, the University may disclose this data within the terms of our registration. This does not mean that these authorised recipients have an automatic right to disclosure on request, eg. if the information requested contains sensitive or personal material relating to another individual whose own rights must be protected under the Act. If in doubt, please contact Governance.

Data Protection Act Policy

The University approved a revised Data Protection Act Policy in June 2011 to support the Universities compliance with the legislation. All members of University staff must abide by the policy and should follow the Guidance for Staff outlined below when doing so.

 

Guidance for Staff

In addition to the Data Protection Principles above, members of staff should be aware that whatever they put in writing about a student or member of staff, that person is entitled to request a copy of it under the DP Act. 

Members of staff have an obligation under the DP Act to store personal and sensitive information about students and staff securely.  It must be kept safe from unauthorised access, accidental loss or destruction. 

Compliance with the Data Protection Act is the responsibility of all members of the University. 

Information concerning individuals learnt in the course of your duties must not be communicated to other persons or bodies unless you are required to do so by law, for the purposes of University business or with the consent of the individual concerned.

It is the responsibility of all staff to ensure that appropriate measures are taken to prevent personal information (in whatever format) from being accidentally divulged to unauthorised persons and that appropriate case is taken in disposing of printed information containing personal information.

The University's registration covers the storage of data on the mainframe, for which individuals register as users with Information Services, and as an institution to hold similar information in hard copy form.

It also covers use by staff of their own personal computers at home, hand-held devices, personal computers owned by the University and hard copy files held in places other than on University premises. To be included in this registration staff must complete a Data Protection Registration Form.

 

Releasing Data To Parents and Third Parties

The University regularly receives enquiries from parents, relatives, landlords, friends and other third parties regarding students. However, the University’s ‘contract’ is with the student and we are not obliged to release information to parents or any other third parties. In most cases the law (Data Protection Act 1998) strictly prevents us from disclosing information, even if the third party is contributing significantly to tuition fees or is the sponsoring employer of a student on a professionally accredited course.

The Data Protection Act protects individuals’ rights with regards to their personal data, regulating the information that can be held, how it is processed and to whom it can be disclosed. All members of staff and students are obliged to abide by the Data Protection Act and agree to do so upon registering with the University as a student or signing a contract of employment. Breaching the Act is a disciplinary offence for both staff and students under the provisions of Regulation 21.4.

The University’s registration under the Act outlines the main ways in which the University will process a student’s personal data. Normally, personal data will only be disclosed to third parties if the disclosure is the purpose for which the data was collected and provided the data subject is aware or would reasonably expect the release.

What can the University tell a parent or a third party?

Confirming/denying that an individual is a student here would infringe the DPA and may in extreme circumstances result in placing an individual in danger. However, we do understand that parents may be concerned about their son/daughter and will happily discuss University procedures, for example, explaining examination procedures, the graduation ceremony timetable, discussing the implications of failing a module, accommodation costs etc. The specific circumstances of an individual student cannot be discussed without the explicit written consent of that student.

In some circumstances you may have major concerns (e.g. have not heard from your son/daughter for months), in these cases if you leave contact details/correspondence with us, should the individual be a student here, we will endeavour to pass them on and encourage the student to make contact. If the individual is not a student the details will be securely destroyed.

There may be occasional, exceptional circumstances (e.g. when a student’s life or health is threatened) in which the usual need to get consent before disclosing to parents/guardians may be waived. The University holds details of students' "next of kin" for such purposes.

If an enquirer claims to have a legal right to the information we would assume that they represent an official organisation which is fully aware of the Data Protection Act and which has its own code or procedures. We would, therefore, not expect any objection to a small delay in providing the information while we check credentials and the claimed right of access.

In the case of the Police, information may be disclosed on completion of the relevant form. Court orders should always be issued by the Court concerned. An assertion by a litigant's solicitor that data will be required is not sufficient to authorise disclosure.

Staff should not be bullied or persuaded into releasing information to an unauthorised recipient but instead explain that:

“Keele University respects the confidentiality of all personal information it holds under the Data Protection Act 1998 and as a result of this, the information you request cannot be disclosed. If you require further clarification, please contact the University’s Data Protection Manager.”

Requests from third parties should always be referred to Governance.

If a student has given us consent to discuss a certain matter with a third party then we will, of course, happily do so. Students should put the details in writing to the University's Data Protection Manager. Please note that an email or phone call will not suffice under the terms of the Act.

The University’s Data Protection Manager is Fiona Dumbelton who can be contacted on the details provided below:

Planning and Academic Administration
Keele University
Staffordshire
ST5 5BG

 

HESA Fair Processing Notices

The University sends some of the information it holds on staff and students to the Higher Education Statistics Agency (HESA) each year. Further details are available at:

 

Requests for Information

Students or staff who wish to request information that the University holds on them must do so by submitting a formal Data Subject Access Request, in writing, to the Governance Manager who administers such matters on behalf of the University at:

Governance Manager
Keele University
Staffordshire
ST5 5BG

It is important that all requests are logged centrally, as there is a strict timescale under the Act to respond, which is 40 calendar days from receipt of the request (opposed to 20 working days for requests under the Freedom of Information Act). It is also important that the material to be disclosed is vetted centrally before dispatch to ensure that it contains no personal material specific to another person whose own rights must be protected under the terms of the Act.

Individuals have rights of access to information held about them if it is kept in a structured way so as to enable easy retrieval. This includes personnel files, students files, emails including the individual’s name in the subject line or if the Data Subject can specify a document stored by another reference elsewhere which relates to her/him. There is no requirement to search at random in case such a file is found.

It is the responsibility of the individual (staff and students) to inform the University of any changes in their personal details to ensure that the information it retains is accurate.

It is permissible for the University to levy a charge of £10 in respect of each separate access request.

Requests for personal data held in the form of a CCTV image should be made by completing the CCTV Subject Access Request Form

 

 

Further Information

Further information and guidance on the Data Protection Act 1998 can be obtained from Governance.

Contact details for the Information Commissioner are: http://www.ico.gov.uk

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow 
Cheshire 
SK9 5AF 
Telephone: 01625 545745