There are eight principles which govern the legal processing of personal data and staff and students must comply with them:
1. Personal data shall be processed fairly and lawfully.
No personal data should be created or held unless the individual (data subject) has given his/her consent. They should be informed that the data is being collected, who the data controller is, what the data will be used for, an indication of how long it will be kept and information on disclosure to any third parties. Where sensitive data is concerned specific consent must be obtained – the individual must be informed that this type of personal data is being held, told the reason for it and they must then agree. Photographs are classed as sensitive data because they reveal information about the subject’s race and ethnicity. Permission should always be obtained to keep or use a photograph of an individual.
2. Personal data shall be held only for one or more specified and lawful purpose(s) and shall not be further processed in any manner incompatible with that purpose(s).
Data obtained for one purpose cannot be used for another.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
Do not collect information about individuals which is not absolutely necessary. If excessive or superfluous personal data is acquired it should be deleted or destroyed immediately.
4. Personal data shall be accurate and where necessary kept up to date.
Data which is retained must be reviewed and if necessary amended or updated. No data should be kept unless it is reasonable to assume it is accurate, holding data which is not accurate may not serve any purpose.
5. Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
Regular and systematic reviews of files containing personal data (manual and electronic) should take place to ensure information is not retained for longer than necessary.
6. Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
The rights of individuals in respect of the data held on them should always be considered. Consent should be obtained if personal data is being generated or retained for any purpose. Individuals are legally entitled to know what information is being held about them. It is also important no personal data is disclosed to anyone, either inside or outside the UC unless strictly necessary or unless the consent of the data subject has been obtained.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.
Staff must ensure that personal data is kept in a secure place – in lockable filing cabinets or in rooms that can be locked when unoccupied. They must also seek to prevent unauthorised access to any computers in which personal data is stored. Data stored on an e-learning system such as student details, electronic submission of work and results must be securely maintained.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area (without the individual's express consent) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
No personal data should be transferred, even for a legitimate purpose, outside of the European Economic Area except with the specific consent of the data subject. This is particularly important when considering the global publication of personal information via the World Wide Web.