Canterbury Christ Church University

Data Protection

Frequently Asked Questions

How does the Data Protection Act 1998 affect me?

The Data Protection Act 1998 (‘the Act’) covers both manual and electronic records. This means files and other paper-based record systems containing information about identifiable living people are subject to the Act.

Does the University need to register under the Act?

The University is registered with the Information Commissioner covering all its main routine administrative and educational functions. There are separate sections concerning specific areas of work.

I have been asked by a student to supply a copy of their records. What should I do?

Usually a student wants a few specific documents which they are able to identify. The University seeks to be open and transparent. Therefore, it is appropriate to give the student a copy of the documents, or access to the documents.

Very occasionally, a student wants a large number of documents from several departments. The student has to make what is called a subject access request. In this case, you should refer the request to the Data Protection Officer. The student needs to complete and return a form setting out the information they wish to see, and provide evidence of identity. They may also have to pay a fee, which is currently £10. The University has to provide the information within 40 days of receiving the request.

Are examination marks and results disclosable?

Potentially examination marks and minutes from a meeting of a Board of Examiners relating to a particular student are subject to disclosure.

Examination scripts are exempt, but students could request any comments or notes recorded on the script. Examiners need to be aware of this, and not to record any comments on the script they would be unhappy for the student to see.

There are special rules stating examination results are not disclosable any earlier than the publication date.

Can we publish module and/or programme results on departmental notice boards and in degree ceremony booklets?

The Information Commissioner considered this issue and concluded the publishing of degree results does not breach the terms of the Act provided there is nothing that would enable individual students to be contacted (e.g. by including e-mail or postal addresses or telephone numbers).

However, individual students might not wish their names to be included on the published list, and so consent is required. A student could withdraw such consent.

The University no longer publishes examination results, but informs candidates separately. The Graduation Office publishes results in the ceremony programme.

I want to create a photo board showing photographs of all staff and students within my department. Can I do this?

Photographs constitute personal data, so it is necessary to gain consent from the individuals concerned before displaying their photographs. Since photographs may reveal details of the subject's race and ethnic origin, they are best considered as sensitive personal data.

Consent may be obtained by asking students and staff to supply photographs, and informing them at the point of collection how the photographs are to be used. If a person objects to the display of the photograph, then it needs removing. You should only use and retain photographs when strictly necessary.

I would like to publish a list of students' e-mail addresses/home addresses on the department notice board. Can I do this?

Consent needs obtaining from the individuals concerned before making public any personal data. If an individual does not give their consent, you must not publish the person’s data. If an individual initially agrees, but subsequently has a change of mind, the data needs removing immediately.

I have obtained consent to display certain items of personal data on the department notice board/in a department handbook. Can I also publish the information on the department website?

Only if you have obtained specific consent to this from the individuals concerned. You cannot assume that consent for a particular use of data extends to any other use. If you have consent to use personal data for a particular purpose and wish to use this data for another or different purpose, additional consent needs obtaining from all relevant individuals. This is especially important in relation to the publication of personal data on websites because the internet makes information globally accessible.

I am already holding personal information on a database of contacts that I have compiled over a number of years. Can I hold and use this information?

Yes, but think about what personal data you are collecting and holding and why. The information should be relevant, accurate and held for no longer than necessary. If you are storing or using old or unreliable personal information, you should either update or delete it. One way would be to write to the individuals concerned, notifying them of the data you hold and asking them to check that it is correct. You can also inform them of the purposes for which the data is being held and seek their consent.

I sent literature about forthcoming events and reunions to former students. A few objected, saying they do not wish to receive any further communications. What should I do?

You need to ensure you do not send these persons further communications. If you generate mail electronically, you need a system to ensure the removal from your mailing list of the details of the people objecting to receiving communications.

Some of our student files contain comments of a personal or derogatory nature. Could the individual concerned view these under the terms of the Act?

Yes. All personal information is potentially subject to disclosure. The general rule is you should not record, however informally, comments you would not be happy for the data subject to see.

What about references? Do these have to be disclosed?

Potentially, yes. There are special rules relating to references, but although the subject of the reference cannot demand a copy from the person giving the reference, they could possibly obtain it from the person, or institution, who received the reference.

A third party contacted me requesting information about a student/member of staff. What should I do?

The general rule is to be very careful about who information is disclosed to. You need to find out exactly who requires the personal data and why. Ideally you should obtain the consent of the relevant student/member of staff before any data is disclosed to a third party, although this may not always be possible (e.g. in a medical emergency). If you are in any doubt as to whether to disclose the information, contact the Data Protection Officer.

I have a form/questionnaire for students/members of staff/third parties to complete and return. Do I need to modify this form to comply with the Act?

Yes. Contact the Data Protection Officer for advice on amending forms to include a statement informing recipients of the purposes for which their personal data will be used, where it will be held and to whom it may be disclosed.

I use an outside company for sending bulk mailings/administering a database. Are there any special rules for this?

Yes. Under the terms of the Act, there must be a written contract containing certain specified terms to ensure that the company complies with the Act.

How long should I retain my records?

The Act states you should not hold personal data for longer than is necessary. It is good practice not to collect and retain more personal information than is strictly necessary. All irrelevant, out of date or obsolete personal information needs destroying by secure means.

All this seems quite complicated. Are there some basic rules I should remember?

Be careful about the personal information you hold, and to whom you pass it. Think about what you use personal data for, and whether the individual concerned expects you to be using it for this purpose. Wherever possible, obtain specific consent.


August 2016