Data Protection Policy Statement

1 The University's policy is to comply with the requirements of the Data Protection Act 1998. The University will operate procedures in accordance with the Data Protection Act 1998, i.e. personal data held by the University shall:

(i) Be obtained and processed fairly and lawfully.

(ii) Be obtained only for one or more specified and lawful purposes and shall not be processed in any manner incompatible with that purpose or those purposes.

(iii) Be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.

(iv) Be accurate and, where necessary, kept up to date.

(v) Be held no longer than is necessary for the purpose(s).

(vi) Be processed in accordance with the rights of the data subjects under the Act.

(vii) Be surrounded by proper security.

(viii) Not be transferred outside the European Economic Area unless the country or territory ensures an adequate level of protection for the rights and freedoms of the data subject.

The University and all staff and others who process or use any personal information must ensure that they follow these principles at all times.

2 The University will register as a Data Controller and will notify the Information Commissioner of:

(i) The personal data being or to be processed.

(ii) The category or categories of data subject to which they relate.

(iii) The purposes for which the data are being or are to be processed.

(iv) The people to whom the University may wish to disclose the information.

(v) The names, or a description, of any countries or territories outside the European Economic Area to which the University may wish to transfer the personal data.

(vi) A general description of security measures taken to protect the data.

3 Responsibility for ensuring the University's full compliance with the Act rests with:

(i) The Secretary and Registrar has direct responsibility for data protection within the University.

(ii) A member of Secretariat staff to assist in implementing the requirements of the Act as follows:

(iii) Individual Faculties/Departments that will nominate a representative to:

(iv) All staff and students have a responsibility to comply fully with the requirements of the Data Protection Act.

Enquiries to Helen Williamson, ext 3361.

Issuing Authority: University Secretary and Registrar

Issue 5, May 2007

Feedback to: shuspace@shu.ac.uk