Data Protection Act
Background
The Data Protection Act 1984 has been replaced by the Data Protection Act 1998. The new Act will come into force on 1st March 2000, when the 1984 Act will be repealed.
The University wishes to secure compliance with the new legislation as soon as is practicable. As the University moves towards compliance with the new Act information will be posted to the new Data Protection Web pages.
The 1998 Act is more complex and wider in scope than the 1984 Act. In particular it has a much broader definition of 'processing' of personal data. All uses, for the University's purposes, of what the Act defines as 'personal data' must be registered with the Data Protection Commissioner. Personal data is information which relates to identified or identifiable living individuals and which is automatically processed; after the transitional period, which ends in October 2001, personal data will also include many manual (paper, microfiche etc.) records. The registration covers personal data stored or processed for University purposes whether on University equipment or on privately owned machines.
Responsibilities of staff
The University will be a 'Data Controller' under the terms of the Act. The Act places responsibilities on a Data Controller's 'servants and agents' corresponding to those which apply to the Data Controller himself. In this context members of the University staff are its 'servants and agents'. All staff are responsible, with the guidance of the University's Data Protection Officer, for fulfilling the University's obligations under the terms of the Act when using personal data for University purposes. Members of staff must therefore ensure that the holding, use and disclosure of any personal data for which they are responsible is in accordance with the University's registration and that the requirements of the Act and the 8 Data Protection principles (listed below) are observed.
Students
Academic and academic-related staff are responsible for the conduct in these matters of the students whom they supervise. The University has adopted the following policy governing use of personal data by students:
a) A student should only use personal data for a University-related purpose with the knowledge and express consent of an appropriate member of staff (normally, for a postgraduate, this would be the supervisor, and for an undergraduate the person responsible for teaching the relevant class/course).
b) The use of University-registered personal data by students should be limited to the minimum consistent with the achievement of academic objectives. Wherever possible data should be de-personalised so that students are not able to identify the subject.
Use of personal data by students is subject to the regulations set out below. The University's policy stated above and the regulations are based on the principle that students must only use personal data under the guidance of a member of staff. A breach of these regulations is an offence against University discipline.
1. Students must not construct or maintain files of personal data for use in connection with their academic studies/research without the express authority of the appropriate member of staff.
2. When giving such authority, the member of staff shall make the student aware of the requirements of the Data Protection Act and of the appropriate level of security arrangements which attach to the particular set of personal data.
3. Students must abide by the Data Protection principles and follow the instructions of the University in relation to any uses of personal data registered by the University.
Further information
Advice and information about registration and all other aspects of data protection are available from the University's Data Protection Officer, telephone 6504930 or email Data-Protection@ed.ac.uk
The 8 Data Protection principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
- at least one of the conditions in Schedule 2 of the 1998 Act is met, and
- in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the 1998 Act is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.