For definitions of terms used in the guidance, please see the Data Protection Definitions section of the University website: http://www.northumbria.ac.uk/vc/leservteam/ndp/dpdef/

The Data Protection Act 1998 requires that all staff and others who process or use any personal information must ensure that they adhere to the eight data protection principles. The principles are based on three key concepts:

- Purpose: personal data must only be held for a clear purpose or purposes
- Fairness: personal data must only be processed for legitimate purposes
- Transparency: data subjects must be given certain basic information about the personal data held about them

The Eight Principles:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ... (page 2)
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. (page 4)
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. (page 4)
4. Personal data shall be accurate and, where necessary, kept up to date. (page 4)
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. (page 5)
6. Personal data shall be processed in accordance with the rights of data subjects under this Act. (page 5)
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. (page 6)
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. (page 6)

Page 1 of 7 Updated on: 05/06/2013
The Eight Principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - Conditions relevant for purposes of the first principle: processing of any personal data

1. The data subject has given his consent to the processing.
2. The processing is necessary for the performance of a contract to which the data subject is a party.
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary for the administration of justice.
6. The processing is necessary for the purposes of the legitimate interests of the Data Controller (the University).

Schedule 3 - Conditions relevant for purposes of the first principle: processing of sensitive personal data

1. The data subject has given his explicit consent to the processing of the personal data.
2. The processing is necessary for the purposes of any obligations conferred or imposed by law on the data controller in connection with employment.
3. The processing is necessary in order to protect the vital interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject; or in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
4. The processing is carried out in the course of its legitimate activities by any body or association, for example trade unions, religious or philosophical organisations or political parties.
5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
6. The processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings).
7. The processing is necessary for the administration of justice.

This means that the purpose for which personal data is being collected and processed needs to be made clear to the data subject in a fair processing notice. Personal data should only be obtained from a person who is legally authorised to supply it, which in most cases will be the data subjects themselves. Data subjects should never be deceived as to the purpose for which their personal data is held or used.

University systems containing personal data should have defined:

- what data will be held
- the purposes for which the data will be held
- whether any of the data will be disclosed to any third party, and if so, to whom
- any non-obvious consequences of the processing
- personal data for which the data subject may withdraw consent for the University to hold/use
- a contact name, email address or telephone number through which the data subject can check or amend the data held, or request the deletion of that data
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Personal data that has been collected and held for one purpose should not be used for another purpose. For example, data collected by a researcher for the purpose of conducting their research should not be used by a Faculty for direct marketing. Each purpose should be listed in the fair processing notice, including any intention to share the data with any third parties for legitimate purposes only, as defined in the notice. Staff should always notify the University's Records and Information Manager if they wish to collect and/or process personal data.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

The level of personal data held should only be to the extent where those details are relevant and required to fulfil the stated purpose(s). Holding personal data because it might be useful later on is not acceptable. Sensitive personal data must only be held if absolutely necessary. For example, if a researcher does not need to know a person's ethnic origins, collecting such information would be excessive. However, if the ethnic origin was key information as part of the research, collecting it would be relevant. Staff should always notify the University's Records and Information Manager if they wish to collect and/or process personal data so that adequacy levels can be checked. Staff responsible for systems collecting or processing personal data should keep a record of the reasons why that data is required. Amendments to forms used for collecting personal data should be reviewed as appropriate.

4. Personal data shall be accurate and, where necessary, kept up to date.
Personal data must be kept up to date where the records are current; this includes ensuring that the data is accurate. The University has procedures in place for keeping personal data up to date (for example, students update information at (re)enrolment, and Human Resources have procedures to enable staff to update their details), but it is wrong to assume that every data subject will comply with the request to update their details. Details could change at any time, making the last update out of date, and an individual may request that their details are changed at any time. Staff processing personal data should be vigilant and raise any concerns they have about data accuracy with the systems manager or the Records and Information Manager. Staff should comply with requests from individuals to make amendments to their data by passing the request on to the systems manager or the Records and Information Manager.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

In basic terms this means that when data is no longer needed for its purposes, it must be disposed of securely in accordance with the University Retention Schedule. Personal data must not be retained for longer than the defined time periods. Where no statutory time limit is recorded or known, staff should consult the Records and Information Manager.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

1. The right to subject access allows data subjects to access copies of personal information the University holds about them, either on computer or in a structured manual filing system. This is done via a Subject Access request (see http://www.northumbria.ac.uk/vc/leservteam/ndp/subjar).
2. Data subjects have the right to ask in writing that the University not process information where it is likely to cause them damage or distress.
3. Data subjects have the right to ask the University in writing to cease processing their personal data for direct marketing purposes.
4. Data subjects have the right to object to the University in writing to decisions affecting them where they are made by automated processes, and can request that decisions are made with human involvement.
5. The right to compensation through the courts for any damage and distress suffered as a result of any breaches of the Data Protection Act committed by the University.
6. The right to rectification of data which is inaccurate or contains expressions of opinion based on inaccurate information.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Appropriate measures should be taken by the University, irrespective of format (paper or electronic), to keep the information secure, to prevent unlawful and/or unauthorised processing, and to ensure that the data is protected against accidental loss, destruction or damage. This obligation extends to staff working from home, travelling between meetings or using mobile devices capable of accessing University systems. Staff are required to process data securely and only in line with authorised University procedures.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Personal data must not be transferred to a country outside the European Economic Area unless:

- explicit consent has been obtained from the data subject(s);
- the data has been completely anonymised;
- that country ensures an adequate level of protection for data subjects;
- a contract is in place with the recipient of the personal data, which puts the necessary safeguards in place.

The Data Protection Act is derived from a European Directive which EEA member states have signed up to. This ensures that they all have data protection laws in place, which allows the sharing of information between them in the knowledge that the data will be protected.

The following are EEA members: Austria, Belgium, Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK.

Remember that publication on the Internet puts information beyond the EEA.

Safe Harbor

The USA does not have a general data protection law, and so the European Commission requires a 'Safe Harbor' scheme to provide an adequate level of protection for personal information. Under Safe Harbor, US companies sign up to abide by seven principles in relation to information handling. Explicit consent of the individual to share their personal data with US-based (or other non-EEA) organisations should always be in place. Staff who require personal data to be shared with organisations or individuals within the USA should consult the University Records and Information Manager first.