University of Stirling

Data Protection - A Guide

Contents

INTRODUCTION

THIS GUIDE

1. PERSONAL DATA TO BE PROCESSED BY THE UNIVERSITY

2. RETURNS TO EXTERNAL BODIES

3. STAFF

4. STUDENTS

5. RESEARCH SUBJECTS

6. ALUMNI

7. ACTUAL AND POTENTIAL BENEFACTORS

APPENDIX 1

WELFARE SERVICES COMMITTEE: WORKING GROUP ON CONFIDENTIALITY
Policy Statement
General policy
External communications
Internal Communications
Counselling, Welfare and Medical services
Wardennial, Accommodation, Portering, Cleaning and Security services
Storage of information
Access to information

APPENDIX 2
THE LEGAL BACKGROUND

APPENDIX 3
PRINCIPLES OF PROCESSING PERSONAL DATA
1. FIRST PRINCIPLE
2. SECOND PRINCIPLE
3. THIRD PRINCIPLE
4. FOURTH PRINCIPLE
5. FIFTH PRINCIPLE
6. SIXTH PRINCIPLE
7. SEVENTH PRINCIPLE
8. EIGHTH PRINCIPLE

LIST OF USEFUL WEBSITES

 

UNIVERSITY OF STIRLING

GUIDANCE ON DATA PROTECTION
July 2001

 

INTRODUCTION

The Data Protection Act 1998 is one of a number of recent Acts of the UK and Scottish Parliaments which affect the rights of individuals. The University of Stirling as a 'data controller' for the purposes of the Act intends to be and remain fully compliant with its provisions.

It is the responsibility of every member of staff within the University to ensure that they handle personal 'data' (an expression which will be used interchangeably with 'information' in this Guide) about others in a lawful manner. However the Act, in particular in its interaction with other legislation, is extremely complicated. The purpose of this guidance is to explain what the practical effects are for individuals. All staff are expected to read it and to apply it. It will be a serious disciplinary offence to misuse personal data so it is worth spending some time familiarising yourself with this guidance.

One useful principle to bear in mind is that members of staff should treat information about other people as they would expect information about themselves to be treated. If, having consulted this Guide, you are not sure that the other person would be willing for, or would expect, you to obtain or otherwise process that information, you should refer the matter to your line manager and not take on the responsibility yourself.

The University is the owner of and data controller for all personal information processed for its official purposes. No section of the University or individual member of staff owns or controls any data in the legal sense. Individuals should not create any file, whether manual or computerised, which contains personal information unless this has been approved in advance by the University Data Protection Officer. Unauthorised collection or use of personal information will be considered a disciplinary offence and may have legal consequences for the individual concerned; it is also essential that the University has immediate access to all personal data so that it can respond quickly to a request by a person to see the data held on her or him. In preparation for the implementation of Freedom of Information and National Archive legislation over the first decade of the 21st century, the University is planning to implement over the period 2001-2003 a system of data collection, storage and archiving which has at its core the 'Master File' concept, i.e. all information whether personal or not should be held in one secure location and any copies which are essential for the efficient conduct of official business should be approved and disposed of when the reason for holding them is no longer valid.

THIS GUIDE

Following the Introduction, the Guide is in three parts:

  • A description of the types of information the University will process and some guidance on most of these (more comprehensive advice has been given on some particular issues to University departments which need it)
  • Appendices which set out some of the legal background and further guidance from the Information Commissioner
  • A list of websites from which further information may be obtained.

There has been relatively little litigation on data protection and other privacy legislation in the UK or in the European Court of Human Rights. Therefore interpretations of the law by the Information Commissioner, by JISC and by the author of this Guide cannot be considered to be definitive. They are the best guidance possible in mid-2001.

Dennis Farrington
Data Protection Officer
July 2001

1. PERSONAL DATA TO BE PROCESSED BY THE UNIVERSITY

1.1 The University will expect to process personal data relating to:

  • Staff
  • Applicants for employment
  • Honorary and visiting staff
  • Applicants for places
  • Registered students
  • Members of the Court and Conference
  • External examiners
  • Consultants
  • Customers and suppliers
  • Research subjects
  • Alumni
  • Honorary graduates
  • Actual and potential benefactors

1.2 As explained in the detailed Appendices, the 1998 Act introduced the concept of 'sensitive personal data' which is data of a particularly personal nature related to the following:

  • The racial or ethnic origin of the data subject;
  • Their political opinions;
  • Their religious beliefs or other beliefs of a similar nature;
  • Whether they are a member of a trade union;
  • Their physical or mental health or condition;
  • Their sexual life;
  • The commission or alleged commission by them of any offence; or
  • Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

1.3 'Sensitive personal data' can only be processed under limited conditions which apply in addition to the general conditions for processing personal data set out in the Act. Information on racial or ethnic origin, on religious belief and on physical or mental health may be processed for the purposes of monitoring with a view to promoting or maintaining equality of opportunity or treatment. This is consistent with the position at common law and with the requirements of Codes of Practice on discrimination. Also of relevance is the processing of sensitive personal data in the public interest either as necessary for the prevention or detection of any unlawful act or to protect members of the public against dishonesty, malpractice, mismanagement etc., c.f. the Public Interest Disclosure Act 1998.


2. RETURNS TO EXTERNAL BODIES

2.1 In relation to the processing of sensitive information for returns, the most important of these conditions is that the data subject has given his or her explicit consent. The Information Commissioner's guidance states that the use of the word 'explicit' suggests that the consent of the data subject should be absolutely clear. In 'appropriate cases' it should cover the specific detail of the processing, the particular type of data to be processed (or even the specific information), the purposes of the processing and any special aspects of the processing which may affect the individual, for example disclosures which may be made of the data. The level of consent needed will vary with the facts. In some cases implied consent may be sufficient, in others nothing less than clear written consent will suffice.

2.2 An alternative to explicit consent set out in Schedule 3 of the Act is that the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. The requirement to provide 'anonymised' information to SHEFC (and, as its agent, to HESA) is derived from section 50 Further and Higher Education (Scotland) Act 1992.

2.3 In order to avoid the identification of individuals from 'anonymised' data, it is important to ensure adherence to the Second Data Protection Principle, i.e. that data only be obtained for one or more lawful purposes and not processed in a manner incompatible with that or those purposes.



3. STAFF

3.1 The University processes data in respect of its own employees. It may also process data on behalf of employees of other organisations or other institutions involved in research or other collaborative projects but not on the payroll. It must ensure that it processes all personal data in accordance with the Act, giving particular attention to the processing of sensitive information. Processing of payroll information is fully compliant. However, any new type of processing started since 24 October 1998, on any new form of database, e.g. on a PC, palm computer or a mobile phone database, is not covered. In respect of 'structured' manual records - essentially paper personal files wherever held in the University - held prior to 24 October 1998 there is no right of subject access until 24 October 2007. Manual data added after 24 October 1998 does not qualify for this extended transitional period and is accessible from October 2001.

3.2 Personal information about staff is interpreted to include any data by means of which a living individual can be identified. There is no authoritative guidance on whether such data includes photographs, which are now taken by Information Services on digital cameras and held on compact discs. To be safe, however, it has been recommended that the University adopts a policy of treating photographs as personal data and processes them within the requirements of the Act. Subject to the fair processing code set out in Schedule 1 to the Act, the same guidance can generally be given in respect of names, e-mail addresses and other data by which staff working for the University can be identified. To be certain that the Act is not being infringed, staff should give their explicit consent for such information to be made available when it is not reasonably foreseeable that it will be used. For example, it is obvious that it is appropriate to give the name of an employee for official purposes. It is not obvious that the employee has consented to e-mail addresses being placed on web pages or photographs being used in publications of any kind. On the other hand, unless there is explicit objection, it is reasonable to assume that members of staff taking part in official events at which photographs are routinely taken (e.g. graduation ceremonies) are content to appear.

3.3 Particular attention must be paid to the Eighth Data Protection Principle in relation to transfer of personal data outside the European Economic Area (the EU plus Iceland, Liechtenstein and Norway). One of the purposes of the EU Directive was to facilitate data transfer within the EEA although it is unclear whether the laws of every EEA state permit transfer across borders even within the EEA. The eighth principle recognises that not all other states have adequate data protection laws in place. Clearly placing personal data on the Web is risky unless there is explicit consent from employees.

3.4 The Personnel Office will inform staff of precisely what information is held about them and the uses to which it is put. Where it is not clear that a member of staff has given consent to a particular use of information, either expressly or by implication, she or he will be asked to give express consent.

3.5 It is legitimate for Deans of Faculty, Heads of Departments and administrative and service heads to retain some basic information about staff in the Faculty, etc. concerned. The Personnel Office will provide guidance on what may, and what may not, be retained. When staff leave, all such information should be disposed of in confidential waste. It is not legitimate for members of staff in any other capacity to hold personal information on other members of staff without the latter's express consent.

3.6 The Personnel Office will also routinely advise all applicants for employment of the use made, and disposal of, material submitted with an application. Under no circumstances may individual members of staff retain any personal data on applicants, whether successful or not, after the conclusion of the appointment process. All such material should be disposed of in confidential (not ordinary) waste or returned to the Personnel Office for disposal. The Personnel Office will give further advice as required.



4. STUDENTS

4.1 Students admitted through UCAS complete a standard form which contains a considerable amount of personal data. UCAS protocols and procedures are expected to comply with the Data Protection Act and UCAS has issued a statement to that effect. So far as the University is concerned, it must ensure that every member of staff processing UCAS applications is aware of those protocols. Although it is assumed that everyone will appreciate the need to keep details of individual applicants confidential, particular stress should be placed on processing sensitive personal data such as information about criminal convictions. In this case it is suggested that any application disclosing a criminal conviction should be considered by a senior officer before being processed further. A protocol for this has been developed within the University: details are available from the Director of Registry Services.

4.2 Prospective applicants seeking prospectuses obviously have to give some information about themselves for that purpose. Apart from statistical purposes, there does not appear to be any legitimate need to retain that information: Faculty and Departmental Offices must not therefore keep any records of this kind.

4.3 In respect of non-UCAS admissions, for example to post-graduate courses or research, the University needs to collect sensitive data similar to that collected by UCAS so that, for example, it can ensure that an application by a disabled student is given proper consideration in the light of what facilities can reasonably be offered, and for ethnic and other monitoring purposes. A similar procedure to that in paragraph 6.1 is to be used for the consideration of applications from those with criminal convictions.

4.4 As in the case of applications for employment, a procedure also has to be set in place for destroying records of unsuccessful applicants after the period allowed for bringing claims of discrimination.

4.5 Personal data including sensitive personal data gathered from successful applicants who subsequently register will be transferred to the Student Record System which has been certified to be compliant with the Act. Processing of sensitive personal data (e.g. disability status) is restricted to those who need to know.

4.6 Students should be able to access personal data about themselves with minimum fuss and bureaucracy. This has now been achieved in part through Internet access to the academic record.

4.7 There are particular issues relating to examination results where it is no longer possible to restrict access to such data (excluding the student examination scripts themselves but including any marks and other comments made by examiners) for more than a specified period once the requisite subject access fee has been paid. The fee is set at a maximum of £10 by law. This is of concern where a student is in debt to the University and examination marks may not then be withheld. The Act does not require that certification be given in such circumstances but that may not prove to be a disincentive. The only routes open to the University to avoid this situation appear to be

(i) to deny students access to the examination; or
(ii) not mark the examination paper; or
(iii) to issue a data subject access response in a form which makes it clear that the student has not completed non-academic obligations.

No policy on this has yet been developed, but the third option appears to be the most practicable.

4.8 The question of publicising individual examination marks or degree classifications is also significant. No such information should be published without explicit consent.


5. RESEARCH SUBJECTS

5.1 The protection of personal data about research subjects is one of the most important aspects of the Act for higher education institutions. It is also a key element of ethical codes developed by professional bodies and by the institutions themselves. It is anticipated that the Research and Postgraduate Education Committee and/or Ethics Committee will ensure that the Act's provisions are fully taken into account when approving any particular research involving human subjects. Section 33 of the Act which provides for various exemptions in respect of the processing or further processing of personal data for research purposes does not thereby excuse the institution from complying with that part of the Second Data Protection Principle requiring that personal data shall be obtained only for one or more specified and lawful purpose. One exemption allows for data to be retained indefinitely. Another excludes subject access provided that the results of the research or any resulting statistics are not made available in a form which identifies data subjects.



6. ALUMNI

6.1 It should not be assumed that students have given their consent to personal data being held on them once they have graduated (with the exception of Nursing and Midwifery students where law requires retention of records) although it might be reasonable to retain such data for a period to enable references and transcripts to be provided and, as regards names, for historical purposes. If graduates and other alumni are to be retained on any form of register, in principle their explicit consent has to be obtained and this should be done at registration.

6.2 An organisation called CASE (Council for Advancement and Support of Education) has taken the lead in providing advice on data protection issues relating to alumni and fund-raising on behalf of universities. This focuses on a number of important issues relating to alumni databases and the sharing of data with internal and external groups and individuals. Alumni might 'reasonably expect' alumni offices to process their data for the following purposes which do not then require explicit positive consent - except of course where the data is 'sensitive':

  • sending University mailings (e.g. Stirling Minds);
  • offering direct benefits and services to alumni from the University (e.g. discounts on Macrobert, Gannochy, selling memorabilia);
  • University-related fund-raising other than telephone fund-raising;
  • seeking non-financial alumni support (e.g. careers advice for students, help with student recruitment);
  • contacting alumni with details of reunions, etc;
  • use of mailing houses for large-scale mailings - with confidentiality agreements in place;
  • forwarding of messages from other graduates (without disclosing data);
  • including information on products and services which may be of interest to alumni within other mailings (e.g. information on the MNBA affinity card).

6.3 Although explicit positive consent may not be required for these purposes, the University has an obligation to let alumni know that they have statutory rights relating to the personal data held on them. In particular they must be informed that they have the right to object to use of their data for direct marketing purposes. An arrangement will be made whereby alumni give their consent, or not, to all types of communication from the beginning of their time at Stirling. This also applies to arrangements for sharing data with external agencies, with positive consent for transfer outside the EEA.

6.4 It will be essential that where an alumnus has asked that data held on him or her be not used for certain purposes, the alumni office records that information and acts on it. Departments should not keep separate data on alumni, unless alumni understand that the administrative complexity and expense of checking every time a particular alumnus is either the subject or object of an enquiry may mean that the University does not know about that database.

6.5 'Host mailing' where the University acts on behalf of an outside company is fraught with difficulty and in particular the requirement for prior express consent. Likewise giving out information to banks etc for affinity cards and other products is not to be considered as falling within the 'reasonable expectation' of alumni although enclosing material with University magazines etc is probably in order. Finally, telephone calls for the purpose of fundraising to alumni registered with the Telephone Preference Service are almost certainly unacceptable and such activities require further discussion before implementation.


7. ACTUAL AND POTENTIAL BENEFACTORS

7.1 The University may, either itself or through development trusts and other bodies, gather data on actual or potential benefactors. Much of this will be in the public domain but individuals are still entitled to know what data is being held, why it is being held, to ensure its accuracy and to ask for it to be removed. Unless they have given their explicit consent to the relevant data being processed, the University would probably have to rely on paragraph 6 (1) of Schedule 2 to the Act 'The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.' Probably the most important element is that where information has not (for obvious reasons) been obtained directly from the individual, the processing is compliant with the Data Protection Principles in that it is kept up to date, only used for the specific purpose, and not retained longer than is necessary.


APPENDIX 1

WELFARE SERVICES COMMITTEE: WORKING GROUP ON CONFIDENTIALITY

Policy Statement

General policy

1. The University respects the right of its students to confidentiality. In its management of records and data held in paper files and computer databases the University, at every level, operates in accordance with Data Protection legislation.

2. In its general policies and proceedings the University seeks to encourage respect for the privacy of individuals and observation of the highest standards of professional conduct in the discussion and dissemination of personal information.

External communications

3. Except with the student's agreement, and/or when there is a legal obligation to do so, the University does not disclose data held in its records to persons or agencies outwith the University. University staff do not pass information concerning students to parents, legal guardians, next of kin, or other relatives, nor to such outside bodies as banks or commercial organisations, nor to Social Security offices or sheriff officers. University staff do not disclose to external enquirers whether a person is a student of the University.

4. The University does disclose to relevant fee paying authorities and to the Student Loans Company the name, date of birth, course of study, dates of attendance and academic record of students. It also routinely discloses information to local councils for Council Tax purposes. Students outwith University accommodation are given the opportunity on their registration forms to prevent the University from doing this on their behalf if they so wish. In addition, the University supplies to The Scottish Higher Education Funding Council as required by law anonymous statistical data concerning the profile of the student body (these include attendance records, race, gender, place of residence, nationality, fee status).

5. Once a student has graduated, their degree result becomes public knowledge. The University continues to treat all other data as confidential. However, both during and after students' undergraduate or postgraduate careers at the University, it is assumed that when a student requests a member of staff to provide a reference on their behalf permission is given for the disclosure of information relevant to the reference. In order to maintain confidentiality and to prevent the unauthorised disclosure of information, staff do not provide references without a prior request from the student concerned. All references which are provided carry a standard form of disclaimer to ensure legal protection for the referee and the University.

6. When information beyond that covered by §§ 4-5 is requested by an external person or agency, they are asked first to obtain permission from the student for the release of information, and to have the student advise the University that permission is granted.

7. When, in exceptional circumstances, information is to be released without the student's knowledge or permission, the agreement of the relevant Deputy Principal must first be obtained. In the event of that permission being given, the student is informed of the disclosure as soon as possible. Such permission will not be given if disclosure is restricted by law.

Internal Communications

8. The University makes a distinction between the academic and the personal in its policy on the internal dissemination of student information. It assumes that within an academic community information concerning students' contact addresses and phone numbers, and details of their unit registrations, degree programmes, unit grades, class attendance and other matters to do with undergraduate and postgraduate study may pass between members of academic staff, examiners, advisers of studies, faculty officers, the central administration and university committees as required to enable them to carry out their various duties.

9. However, within and between academic and administrative departments, written and verbal information concerning personal information on students is passed on a strict 'have to know' basis. Staff consider carefully what information they share and with whom, with due respect for the individual concerned. Except in urgent welfare or medical cases, or when legally obliged to do so, they do not pass on personal information without the student's agreement.

10. Personal information concerning particular named students presented to a meeting of any committee is treated, and recorded in its minutes, as reserved business and is not disclosed to any but full members of the committee. Particularly sensitive information may in some instances be known only to the Chair of the committee.

11. Save for academic information, Advisers of Studies do not disclose what is discussed at advisory interviews or at other meetings with their advisees without the agreement of the advisee, nor do they take action without their advisee's agreement except in urgent welfare or medical cases, or when legally obliged to do so.

Counselling, Welfare and Medical services

12. The University respects the confidentiality of counselling services. None of its departments seek to identify students who consult the Student Information and Support Service, nor do they seek information on their business. Students may request SISS staff to disclose information on their behalf. SISS adhere to the Code of Ethics and Practice of the British Association for Counselling. SUSA Welfare Officers, Careers Advisory Service and the Chaplaincy similarly adhere to a strict code of confidentiality.

13. The University respects the confidentiality of medical services and does not seek from them information beyond what is ordinarily disclosed by GPs (for example, on medical certificates).

Wardennial, Accommodation, Portering, Cleaning and Security services

14. Wardennial, accommodation, portering, cleaning and security services respect students' right to confidentiality but will, when necessary, disclose to relevant university authorities matters which fall under the disciplinary code. These authorities will, in their turn, communicate action taken to relevant university officers and departments. Students always receive formal notification of any such action and are advised of the University's complaints and appeals procedures.

15. University staff engaged in these services will also report to University officers information which they have good reason to believe it is in the student's interest to disclose. Students will be advised of such disclosure as soon as possible.

Storage of information

16. The University recognises a duty to store information held on students and staff in a secure way. This applies at all levels, departmental, faculty and central administration.

Access to information

17. There is generally no bar to students obtaining details of information held about them. However, they may apply formally under the provision of the Data Protection legislation* for a copy of any information held about them by the University, any department or member of staff. The standard fee for the "subject access request" is £10.00 payable in advance.

* In general terms the legislation provides for structured manual information created since October 1998 to be available from October 2001 and other manual information from October 2007. A printout of computerised information whenever created is available without restriction.


APPENDIX 2

THE LEGAL BACKGROUND

1 The main provisions of the Data Protection Act 1998 came into effect on 1 March 2000. The Act replaced the Data Protection Act 1984, passed to comply with a Council of Europe Convention of 1981. Processors of personal data were required to register periodically under the 1984 Act with the Data Protection Registrar. The 1998 Act implemented the EU Data Protection Directive (95/46/EC) passed on 24 October 1995 and which the UK was required to implement within three years. The date of 24 October 1998 is thus of considerable legal significance, as are the two 'transitional periods' allowed by the Directive, until 24 October 2001 and 24 October 2007. By the time this guidance is published, the first transitional period will effectively be over.

2 Under the 1998 Act, the requirement for registration has been replaced by a requirement for annual notification and the Data Protection Registrar was re-titled Data Protection Commissioner with enhanced powers. Higher and further education institutions must comply with notification procedures by October 2001 or whenever their registration expires, whichever is earlier. The new Act is part of the 'rights agenda' which includes the Human Rights Act 1998, the Regulation of Investigatory Powers Act 2000 (and its Scottish equivalent), the Public Interest Disclosure Act 1998, some aspects of employment and trade union legislation and the Freedom of Information legislation. The Freedom of Information Act 2000 which is only partially relevant in Scotland has amended the Data Protection Act, notably to re-title the Data Protection Commissioner as Information Commissioner.

3 The University was registered under the former Data Protection Act 1984: Central Administration to 16 December 2001, Nursing and Midwifery to 4 December 2000, SUSA to 20 February 2002. Nursing and Midwifery registration was transferred into the main University registration in early 2001. Notification formalities for the University will be completed by the time this guidance is published, on the basis of a template provided by the Information Commissioner.

4 The 1998 Act confers much stronger protection for citizens on the use to which personal information may be put, and in particular protects certain categories of 'sensitive' information, broadly echoing the privacy, anti-discrimination and other rights included in the European Convention for the Protection of Human Rights and Fundamental Freedoms 1950. It significantly extends the protection given to individuals in respect of any personal data which is processed by organisations including the University. In general terms all personal information held in any form, manual or computerised, is covered by the new Act. Computerised personal information has been disclosable since 1984. From October 2001 all computerised personal information (including e-mails) whenever created, and all personal information held in manual structured files (e.g. personnel records) and created since 24 October 1998 will be disclosable to the data subject. The data controller is not under a legal obligation to disclose personal information held in manual structured files and created prior to 24 October 1998, until 24 October 2007.

5 The Information Commissioner has produced detailed codes of practice on two areas relevant to the University: Employment and use of CCTV. These are fully taken into account in this guidance. JISC has also produced guidance for higher education institutions: the second edition (December 2000) is also taken into account here.


APPENDIX 3

PRINCIPLES OF PROCESSING PERSONAL DATA

As with the 1984 Act there are eight Data Protection Principles ("the Principles") in the Act. However, the new Principles are not exactly the same as those in the 1984 Act. Except to the extent that any data controller is able to claim an exemption from any one or all of them (whether on a transitional or outright basis) the Principles apply to all personal data processed by data controllers. Controllers must comply with them, irrespective of whether they are required to notify and whether or not they are actually notified.

The Principles are set out in Part I of Schedule 1 of the Act. Part II of Schedule 1 consists of interpretation provisions applicable to the first, second, fourth, sixth, seventh and eighth Principles.

Schedule 2 of the Act provides conditions for the processing of any personal data in compliance with the first Principle, whilst Schedule 3 provides conditions for the processing of sensitive personal data in compliance with the first Principle over and above those set out in Schedule 2.

Schedule 4 of the Act consists of cases where the eighth Principle (prohibiting the transfer of personal data outside the European Economic Area) does not apply.

1. FIRST PRINCIPLE

"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -

  • at least one of the conditions in Schedule 2 is met, and
  • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."

1.1 This is different from the first Principle in the 1984 Act in several respects. In particular it introduces the requirement that, as a requisite of fair and lawful processing, personal data shall not be processed unless at least one of the conditions in Schedule 2 of the Act ("the conditions for processing") is met and, in the case of the processing of sensitive personal data (see paragraph 1.3 below) at least one of the conditions in Schedule 3 of the Act ("the conditions for processing sensitive data") is also met.

1.2 Conditions for Processing (Schedule 2 of the Act): at least one of the following conditions must be met in the case of all processing of personal data (except where a relevant exemption applies)-

  • The data subject has given their consent to the processing (see paragraph 1.6 below)
  • The processing is necessary-
    a) for the performance of a contract to which the data subject is a party, or
    b) for the taking of steps at the request of the data subject with a view to entering into a contract. [The most obvious examples of this in the University are employment contracts and student contracts]
  • The processing is necessary to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
  • The processing is necessary in order to protect the vital interests of the data subject. [The Information Commissioner considers that reliance on this condition may only be claimed where the processing is necessary for matters of life and death, for example, the disclosure of a data subject's medical history to a hospital Casualty Department treating the data subject after a serious road accident.]
  • The processing is necessary-
    a) for the administration of justice,
    b) for the exercise of any functions conferred by or under any enactment,
    c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
    d) for the exercise of any other functions of a public nature exercised in the public interest.
  • The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject. [The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.]

1.3 Sensitive Personal Data. The Act introduces categories of sensitive personal data, namely, personal data consisting of information as to-

a) the racial or ethnic origin of the data subject,
b) their political opinions,
c) their religious beliefs or other beliefs of a similar nature,
d) whether they are a member of a trade union,
e) their physical or mental health or condition,
f) their sexual life,
g) the commission or alleged commission by them of any offence, or
h) any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

1.4 Conditions for Processing Sensitive Data (Schedule 3 of the Act): at least one of these must be satisfied, in addition to at least one of the conditions for processing (which apply to the processing of all personal data), before processing of sensitive personal data can claim to have been lawful in accordance with the first Principle.

  • The data subject has given their explicit consent to the processing of the personal data (see paragraph 1.6 below).
  • The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment. The Secretary of State may by order specify cases where this condition is either excluded altogether or only satisfied upon the satisfaction of further conditions.
  • The processing is necessary-
    a) in order to protect the vital interests of the data subject or another person, in a case where-
    · consent cannot be given by or on behalf of the data subject, or
    · the data controller cannot reasonably be expected to obtain the consent of the data subject, or
    b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
  • The processing -
    a) is carried out in the course of its legitimate activities by any body or association which exists for political, philosophical, religious or trade-union purposes and which is not established or conducted for profit,
    b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,
    c) relates only to individuals who are either members of the body or association or who have regular contact with it in connection with its purposes, and
    d) does not involve disclosure of the personal data to a third party without the consent of the data subject.
  • The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
  • The processing:-
    a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
    b) is necessary for the purpose of obtaining legal advice, or
    c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
  • The processing is necessary -
    a) for the administration of justice,
    b) for the exercise of any functions conferred by or under any enactment, or
    c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department. [The Secretary of State may by order specify cases where this condition is either excluded altogether or only satisfied upon the satisfaction of further conditions.]
  • The processing is necessary for medical purposes (including the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services) and is undertaken by-
    a) a health professional (as defined in the Act), or
    b) a person who owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
  • The processing -
    a) is of sensitive personal data consisting of information as to racial or ethnic origin,
    b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and
    c) is carried out with appropriate safeguards for the rights and freedoms of data subjects. [The Secretary of State may by order specify circumstances in which such processing is, or is not, to be taken to be carried out with appropriate safeguards for the rights and freedoms of data subjects.]
  • The personal data are processed in circumstances specified in an order made by the Secretary of State.

1.5 Data controllers should address their minds to the requirement to have a legitimate basis for processing and ask themselves, in the case of all processing operations presently being carried on by them -

"Do I have legitimate grounds for my processing operations?"

Subject to any transitional relief, data controllers will need to consider the legitimate basis(es) for current and future processing. Failure to meet at least one of the conditions will mean the processing is in breach of the first Principle and therefore subject to possible enforcement action.

1.6 Consent: one of the conditions for processing is that the processing is carried on with the consent of the data subject. The existence or validity of consent will need to be assessed in the light of the facts. Consent is not defined in the Act. To assist in understanding what may or may not amount to consent in any particular case it is helpful to refer back to the Directive. This defines "the data subject's consent" as:-
"... any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed."

The fact that the data subject must "signify" their agreement means that there must be some active communication between the parties. Data controllers cannot infer consent from non-response to a communication, for example from a customer's failure to return or respond to a leaflet.

The adequacy of any consent or purported consent must be evaluated. For example, a consent which was later found to have been obtained under duress or on the basis of misleading information would not be a valid basis for processing.

Even when consent has been given it will not necessarily endure forever. While in most cases consent will endure for as long as the processing to which it relates continues, data controllers should recognise that the individual may be able to withdraw their consent.

Consent must be appropriate to the particular circumstances. For example, if the processing to which it relates is intended to continue indefinitely or after the end of a trading relationship then the consent should cover those circumstances.

There is a distinction in the Act between the nature of the consent required to satisfy the condition for processing and that which is required in the case of the condition for processing sensitive data. The consent must be "explicit" in the case of sensitive personal data. The use of the word "explicit" suggests that the consent of the data subject should be absolutely clear. In appropriate cases it should cover the specific detail of the processing, the particular type of data to be processed (or even the specific information), the purposes of the processing and any special aspects of the processing which may affect the individual, for example disclosures which may be made of the data.

As can be seen from the above, the level of detail appropriate to a consent will vary. In some cases implied consent may be sufficient. In others nothing less than clear written consent will suffice. A blanket consent to the processing of personal data is unlikely to be sufficient as a basis on which to process personal data, particularly sensitive personal data. The more ambiguous the consent being relied upon by data controllers in any particular case the more likely there are to be questions about its existence or validity.

Compliance with "the fair processing code" (see paragraph 1.10) should in most cases ensure that consent is both "specific" and "informed". This is provided that, in appropriate cases, data controllers supply data subjects with "any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair" (see paragraph 1.11.1 below).

As guidance in this respect the Commissioner advises that data controllers consider the extent to which the use of personal data by them is or is not reasonably foreseeable by data subjects. To the extent to which their use of personal data is not reasonably foreseeable, data controllers should ensure that they provide such further information as may be necessary.

Compliance with "the fair processing code" (see paragraph 1.10.2 below) should also ensure that the data subject is informed of the purpose or purposes for which the data are intended to be processed.

1.7 Controllers should recognise that compliance with the relevant conditions in Schedules 2 and 3 of the Act in any case may not, in itself, ensure that processing is fair and lawful. There may be circumstances where, notwithstanding compliance with one or more of the relevant conditions, the processing is unfair or unlawful for other reasons. Factors which will need to be considered over and above satisfying at least one of the relevant conditions will include the question of compliance with "the fair processing code" (see paragraph 1.10 below). There are circumstances in which processing may be in breach of the first Principle notwithstanding the fact that the data controller complies with at least one of the conditions for processing, for example, processing in breach of an obligation of confidence.

1.8 In what circumstances is processing necessary...? Data controllers should consider in each case whether the processing is necessary to achieve the purpose.

1.9 Fairness of processing: as well as requiring data controllers to ensure that they have at least one legitimate basis for processing personal data, the first Principle also requires data controllers to ensure that such processing is fair. The Act gives specific guidance on interpreting this requirement in paragraphs 1 to 4 of Part II of Schedule 1 of the Act. Such guidance is referred to in this guide as "the fair processing code". Compliance with the fair processing code will not in itself ensure fair processing. However, in such circumstances, processing will be treated as having been done fairly unless there is evidence to the contrary.

1.10 The fair processing code (Schedule 1, Part II, paragraphs 1 to 4).

1.10.1 Paragraph 1 - The fair obtaining requirements
Paragraph 1 of the fair processing code provides that in deciding whether or not processing (which term now specifically includes obtaining) is fair, the way in which personal data are obtained will be considered. This will include particular reference to whether any person from whom the personal data are obtained is deceived or misled as to the purpose or purposes for which the personal data are to be processed. As has been explained previously, this may also have a bearing on the validity of any consent given by the data subject to the processing, which in turn may remove the basis for processing which was being relied upon by the data controller.
There are two specified cases where data will always be treated as having been fairly obtained. These are when data consist of information obtained from a person who is either,
a) authorised, or
b) required,
to supply it by or under any enactment.

1.10.2 Paragraphs 2 and 3 - Information to be provided to Data Subjects
Paragraphs 2 and 3 of the fair processing code provide that personal data are not to be treated as processed fairly unless the requirements set out in paragraphs 1.11 and 1.12 below are observed, subject to certain exceptions (as set out in paragraph 1.12.1 below). Again it should be noted that observance of these requirements will not ensure fair processing where there are other factors present which would render the processing unfair. There is a general duty of fairness which consists in part of the fair processing code.

1.10.3 Paragraph 4 - General Identifiers
Paragraph 4 of the fair processing code provides for the use of personal data which contain a "general identifier" such as a number or code used for identification purposes as defined in the Act. The Secretary of State will prescribe by order conditions which must be complied with to ensure the fair and lawful processing of personal data containing a general identifier of a description to be prescribed by order. Details of any proposed order in this respect are not known at present.

1.11 Information to be provided to Data Subjects - data obtained from data subject. When data are obtained from the data subject the data controller must ensure, so far as practicable, that the data subject has, is provided with, or has made readily available to them the following information (referred to as the "fair processing information")-

  • the identity of the data controller,
  • if it has nominated a representative for the purposes of the Act, the identity of that representative,
  • the purpose or purposes for which the data are intended to be processed, and
  • any further information which is necessary, taking into account the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

    1.11.1 In deciding whether and, if so, what further information is "necessary" to satisfy the fourth requirement above, data controllers should consider what processing of personal data they shall be carrying out once the data are obtained and consider whether or not data subjects are likely to understand the following -
    a) the purposes for which their personal data are going to be processed;
    b) the likely consequences of such processing; and
    c) more particularly, whether particular disclosures can reasonably be envisaged.

    It would be expected that the more unforeseen the consequences of processing the more likely it is that the data controller will be expected to provide further information. This aspect also has a bearing on the question of what amounts to consent (see specific consideration of this issue at paragraph 1.6 above); in the same way that consent must be "informed", so data subjects themselves must be fully aware of the ways in which their personal data may be processed in order for that processing to be considered as fair.

1.12 Information to be provided to Data Subjects - data obtained other than from data subject. The fair processing information (see paragraph 1.11 above) should also be provided to data subjects (within the timescale set out in paragraph 1.12.3 below) in cases where the data have been obtained from someone other than the data subject, unless one of the exceptions in paragraph 1.12.1 below applies.

1.12.1 Exceptions available to Data Controllers
The following exceptions from the fair processing code can only be claimed by data controllers where they have obtained personal data from someone other than the data subject. It should be stressed that the ability to rely on any exception does not absolve the data controller from the overriding duty to process personal data fairly. The exceptions referred to are -

a) where providing the fair processing information would involve a disproportionate effort (see paragraph 1.12.2 below), or
b) where it is necessary for the data controller to record the information to be contained in the data or to disclose the data to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
c) In addition, the Secretary of State may prescribe further conditions, by way of "appropriate safeguards", which must also be met for the exception to be available. These are not known at present.

1.12.2 What is disproportionate effort?
The term "disproportionate effort" is not defined in the Act. In assessing what does or does not amount to disproportionate effort the starting point must be that data controllers are not generally exempt from complying with the fair processing code because they have not obtained data directly from the data subject.

What does or does not amount to disproportionate effort is a question of fact to be determined in each and every case.

In deciding this the Commissioner will take into account a number of factors, including:
(i) the cost to the data controller in providing the fair processing information, for example, postage and/or manpower/employee time expended weighed against the benefit to the data controller of processing the data;
(ii) the length of time it will take the data controller to provide the information, again weighed against the benefit to the data controller;
(iii) how easy or how difficult it is for the data controller to provide the information, also weighed against the benefit to the data controller.

These factors will always be balanced against the effect on the data subject, i.e. the extent to which the withholding of the information may be prejudicial to the data subject. In this respect a relevant consideration would be the likelihood that/extent to which the data subject already knows about the processing of their personal data by the data controller.

1.12.3 Timescale
As the Act makes no specific provision relating to timescale in the case of data obtained from data subjects, it should be presumed that the fair processing information must be provided to the data subject at the time that the data are obtained.

In circumstances where the data controller has obtained data from someone other than the data subject, the fair processing information must be given (or made readily available) to the data subject before

a) the time when the data controller first processes the data, or
b) in a case where at that time disclosure to a third party (which does not include employees or agents of the data controller) within a reasonable period is envisaged -
· the time when the data are first disclosed to a third party, if the data are in fact disclosed within a reasonable period of time;
· the time when the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to a third party within a reasonable period of time, if within a reasonable period of time the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed, or
· in any other case, after a reasonable period of time.

Accordingly, data controllers cannot simply obtain personal data from sources other than the data subject and then do nothing else with the data except hold it indefinitely. Before a reasonable period of time has elapsed the data controller must go through the process of informing the data subject in accordance with the fair processing code, subject to the exceptions referred to in paragraph 1.12.1 above.



2. SECOND PRINCIPLE

"Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."

2.1 Compliance with the second Principle cannot be established simply by registering the purpose(s) for which personal data are processed, as was possible under the 1984 Act. This was because the interpretation provision relating to the third Data Protection Principle in the 1984 Act stated that data were only to be treated as used for an incompatible purpose or disclosed in contravention of the principle if the use or disclosure was not registered with the Registrar. This link between compatibility and registration has now been removed by the Act. An additional test of compatibility will have to be satisfied to comply with this Principle.

2.2 The Act provides further guidance in interpreting the second Principle. In particular, there are two means by which a data controller may specify the purpose or purposes for which the personal data are obtained, namely:-

  • in a notice given by the data controller to the data subject in accordance with the fair processing code (see paragraph 1.10.2 above) or,
  • in a notification given to the Commissioner under the notification provisions of the Act (provisions are not yet in place).

2.3 In deciding whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, consideration will be given to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.

3. THIRD PRINCIPLE

"Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed."

3.1 This is similar to the fourth Principle in the 1984 Act. The wider definition of processing should be borne in mind however.

4. FOURTH PRINCIPLE

"Personal data shall be accurate and, where necessary, kept up to date".

4.1 This is in identical form to the fifth Principle in the 1984 Act.

4.2 Data are inaccurate if they are incorrect or misleading as to any matter of fact.

4.3 The Act provides guidance in interpreting this Principle. The Principle is not to be taken as being contravened because of any inaccuracy in personal data which accurately record information obtained by the data controller from the data subject or a third party in a case where -

  • taking account of the purpose or purposes for which the data were obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data, and
  • if the data subject has notified the data controller of the data subject's view that the data are inaccurate, the data indicate that fact.

4.4 It is important to note that by virtue of the first condition in paragraph 4.3 above it is no longer necessarily enough for a data controller to say that, because the information was obtained from either the data subject or a third party, they had done all that they could reasonably do to ensure the accuracy of the data at the time. Now data controllers may have to go further and take reasonable steps to ensure the accuracy of the data themselves. Whether or not a data controller would be expected to take such steps will be a matter of fact in each individual case.

5. FIFTH PRINCIPLE

"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes".

5.1 This is in similar terms to the sixth Principle in the 1984 Act.

6. SIXTH PRINCIPLE

"Personal data shall be processed in accordance with the rights of data subjects under this Act."

6.1 The Act provides guidance in interpreting this Principle. A person will contravene this Principle if, but only if, they -

  • fail to supply information pursuant to a subject access request under Section 7 of the Act, or
  • fail to comply with notices given under the following provisions of the Act:-
    · Section 10 (right to prevent processing likely to cause damage or distress);
    · Section 11 (right to prevent processing for the purposes of direct marketing); or
    · Section 12 (rights in relation to automatic decision-taking);
  • in respect of exempt manual data only during the transitional periods up to and including 23 October 2007, fail to comply with a notice given under Section 12A of the Act (right to require data controller to rectify, block, erase or destroy inaccurate data or cease holding such data in a way incompatible with the data controller's legitimate purpose).

7. SEVENTH PRINCIPLE

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

7.1 The Act gives some further guidance on matters which should be taken into account in deciding whether security measures are "appropriate". These are-

  • taking into account the state of technological development at any time and the cost of implementing any measures, the measures must ensure a level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.
  • the reliability of staff having access to the personal data.

7.2 The Act introduces express obligations upon data controllers when the processing of personal data is carried out by a data processor on behalf of the data controller. In order to comply with the seventh Principle the data controller must -

  • choose a data processor providing sufficient guarantees in respect of the security measures they take,
  • take reasonable steps to ensure compliance with those measures, and
  • ensure that the processing by the data processor is carried out under a contract which is made or evidenced in writing, under which the data processor is to act only on instructions from the data controller. The contract must require the data processor to comply with obligations equivalent to those imposed on the data controller by the seventh Principle.

8. EIGHTH PRINCIPLE

"Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

8.1 The European Economic Area ("The EEA") consists of the fifteen EU Member States together with Iceland, Liechtenstein and Norway.

8.2 In determining what amounts to an adequate level of protection consideration will be given in particular to the following -

  • the nature of the personal data,
  • the country or territory of origin of the information contained in the data,
  • the country or territory of final destination of that information,
  • the purposes for which and period during which the data are intended to be processed,
  • the law in force in the country or territory in question,
  • the international obligations of that country or territory,
  • any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and
  • any security measures taken in respect of the data in that country or territory.

8.3 The Act provides that, where the European Commission makes a finding that a country or territory outside the EEA does, or does not, ensure an adequate level of protection within the meaning of Article 25(2) of the Directive, any question which may arise as to whether an adequate level of protection is met in relation to the transfer of any personal data to a country or a territory outside the EEA shall be determined in accordance with that finding. At present there are no such findings in force.

8.4 Schedule 4 of the Act provides for circumstances in which the eighth Principle does not apply to a transfer. These are where -

  • The data subject has given their consent to the transfer (see paragraph 1.6 above).
  • The transfer is necessary -
    a) for the performance of a contract between the data subject and the data controller, or
    b) for the taking of steps at the request of the data subject with a view to their entering into a contract with the data controller.
  • The transfer is necessary -
    a) for the conclusion of a contract between the data controller and a person other than the data subject which -
    · is entered into at the request of the data subject, or
    · is in the interests of the data subject, or
    b) for the performance of such a contract.
  • The transfer is necessary for reasons of substantial public interest. The Secretary of State may by order specify the circumstances in which a transfer is to be taken to be necessary for reasons of substantial public interest (no such orders are in place as yet).
  • The transfer -
    a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
    b) is necessary for the purpose of obtaining legal advice, or
    c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
  • The transfer is necessary in order to protect the vital interests of the data subject.
  • The transfer is part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer.
  • The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.
  • The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.



LIST OF USEFUL WEBSITES:

The Information Commissioner
www.dataprotection.gov.uk


JISC Data Protection Code of Practice
www.jisc.ac.uk/pub00/dp_code.html


HEFCE Project, Lancaster University
www.lancaster.ac.uk/dataprotection