Data Protection Policy Statement

1 The University's policy is to comply with the requirements of the Data Protection Act 1998. The University will operate procedures in accordance with the Data Protection Act 1998, i.e. personal data held by the University shall:

(i) Be obtained and processed fairly and lawfully.

(ii) Be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.

(iii) Be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.

(iv) Be accurate and, where necessary, kept up to date.

(v) Be held no longer than is necessary for the purpose(s).

(vi) Be processed in accordance with the rights of the data subjects under the Act.

(vii) Be surrounded by proper security.

(viii) Shall not be transferred outside the European Economic Area unless the country or territory ensures an adequate level of protection for the rights and freedoms of the data subject.

The University and all staff and others who process or use any personal information must ensure that they follow these principles at all times.

2 The University will register as a Data Controller and will notify the Information Commissioner of:

(i) The personal data being or to be processed

(ii) The category or categories of data subject to which they relate.

(iii) The purposes for which the data are being or are to be processed.

(iv) The people to whom the University may wish to disclose the information.

(v) The names, or a description of any countries or territories outside the European Economic Area to which the University may wish to transfer the personal data.

(vi) A general description of security measures taken to protect the data.

3 Responsibilities for ensuring the University's full compliance with the Act are with:

(i) The Secretary and Registrar has direct responsibility for data protection within the University.

(ii) A member of Secretariat staff to assist in implementing the requirements of the Act as follows:

• advise and support Faculties/Departments on all matters relating to compliance with the Act and notification
• disseminate information relating to the Act
• respond to requests, queries and complaints from data subjects
• publish a statement concerning the use of student personal data on the student portal
• publish guidance to staff concerning the use of personal data
• provide appropriate training to staff on data protection
• take part in University staff induction events

(iii)  Individual Faculties/Departments that will nominate a representative to:

• liaise with Secretariat as appropriate for guidance on notification
• ensure that personal data processed by their Faculty/Department is registered and kept up to date
• act as a communication link between Secretariat and the Faculty/ Department in terms of disseminating information about data protection issues
• coordinate searches for personal data in the Faculty/Department in the event of a formal subject access request (SAR) being submitted to the University

(iv)  All staff and students have a responsibility to comply fully with the requirements of the Data Protection Act.

Enquiries to Helen Williamson, ext 3361.

Issuing Authority: University Secretary and Registrar

Issue 5, May 2007