The Data Protection Act 1998 (DPA) provides the rules for the collection, management and maintenance of personal and sensitive personal information.
Personal data is defined in the Act as data about a living individual who can be identified from the data or who can be identified from that data in combination with other information. For example, specific identifiers such as matriculation numbers will make something personal information. Similarly a combination of information (perhaps a postcode and a date of birth) that allows the identification of an individual makes information personal data and subject to the rules of the DPA.
It is important to remember that data in aggregation can identify people and that something does not have to include a name, full address or similar obvious signifier for information to be personal data.
The DPA defines eight types of personal data which are considered ‘sensitive’. The collection and use of sensitive personal data is subject to stricter rules than personal data. The eight types of sensitive personal data are data concerning a person’s:
- Racial or ethnic origin
- Political opinions
- Religious beliefs or beliefs of a similar nature
- Membership of a trade union
- Physical or mental health or condition
- Sexual life
- Commission or alleged commission of any offence
The final type of sensitive personal data concerns
- Any proceedings for any offence committed or alleged to have been committed by the person, the disposal of such proceedings or the sentence of any court in such proceedings
As with personal data it is important to remember that the identification of an individual can be based upon the aggregation of several different sources of information rather than direct attribution in the data itself.
The DPA refers throughout to the ‘processing’ of information, but it is important to note that merely having (or ‘holding’) personal information is considered processing for the purposes of the Act. To that end, whenever you are dealing with personal information in any way during the course of your duties or studies, you must remember that the rules in the DPA apply.
‘Data controller’ is a term used in the DPA to indicate the person or organisation that determines the purposes for, and manner in which, personal information is processed. In our case, the Data Controller is normally the University of Dundee unless the University is acting in concert with another partner. In those cases the University may be what is known as a ‘joint data controller’.
Where the University is in partnership with another organisation and jointly directing the collection, use and maintenance of personal information, the rules for joint data controllership will normally be outlined in applicable partnership agreements. The development of such agreements will normally involve the Director of Legal Services or colleagues in Research and Innovation Services.
Alongside the identification of the data controller, the DPA also uses the term ‘data processor’ to describe a particular role in the processing of personal information. A data processor is an organisation or a person, other than an employee of the data controller, who processes personal information on behalf of the data controller.
The middle part of that definition is important. As an employee of the University you are not a ‘data processor’ when dealing with personal information in the normal course of your duties. If, however, you commission a third party to do something that involves personal information on behalf of the University or in furtherance of your role as an employee of the University (for example, the use of a transcription service or external data management/analysis company), then that person or organisation will be acting as a data processor for the University (as data controller).
As with the arrangements for joint data controllership, where the University retains the services of a data processor this should always be done under a formal agreement outlining the expectations of the University in respect of the management, transmission and security of its information. The Director of Legal Services or colleagues in Research and Innovation Services will normally oversee such agreements.
The ‘data subject’ is the person to whom personal information is attributable (i.e. the person that the information is about).
The Data Protection Act is a complex piece of legislation, but is based, at heart, upon the implementation of eight key principles for the collection, management, storage, transmission and destruction of personal information. By looking at each of the principles in turn, the basic operation of the DPA and the broad rules for the collection and use of personal data become clearer.
This principle enshrines the requirement to tell people why and how their information will be processed and ensures that such processing is lawful.
Guidance from the Office of the Information Commissioner (the body which regulates Data Protection Act compliance) describes ‘fair processing’ as follows:
Fairness generally requires you to be transparent – clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with you. If individuals know at the outset what their information will be used for, they will be able to make an informed decision about whether to enter into a relationship, or perhaps to try to renegotiate the terms of that relationship. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.
Normally, fair processing information is provided to individuals at the point that they provide their information. It usually takes the form of a ‘fair processing statement’ or ‘privacy notice’ that explains who is collecting the data, for what purpose or purposes, what the information will be used for and for how long the information will be used. This allows people to make an appropriate judgment on the provision of their information. Situations where fair processing statements are used include the collection of student information and the provision of information to participants in research. A good way to remember the things that should be included in a fair processing statement is to ask yourself whether the information you are providing to the data subject explains:
- WHO you are
- WHAT you are doing
- WHY you are doing it
- HOW any personal information collected from data subjects will be used
- and for HOW LONG
Importantly, you may not deceive or mislead the data subject or plan to use their information in ways that are not specified on the fair processing statement.
Where information is acquired from a third party or has been collected previously for a different purpose from the one for which it is now being used, it may be appropriate to issue new fair processing statements. Should you be using data for a different purpose from the one for which it was originally collected please seek advice from the University’s Records Manager and Information Compliance Officer on whether it is appropriate to issue new fair processing statements.
It is also important to remember that people can withdraw their consent. If anyone should choose to do so, you must have the ability to note that and stop processing their information.
The provision of a fair processing statement to data subjects also represents an opportunity to make sure that the processing of their information is lawful. By issuing fair processing statements and asking data subjects to record their consent to the collection and use of their data for the purposes specified, you fulfil one of the ways that processing is deemed ‘lawful’ in the DPA and maintain a robust audit trail which explains and justifies your use of personal information. Obtaining informed consent also makes the processing of sensitive personal data lawful where data subjects understand what information is being collected from them and why and how it will be used.
There are other circumstances where the processing of personal and sensitive personal information is considered lawful, but informed consent is the most robust way to ensure that you meet the obligations in the DPA. If you do not intend to obtain consent from data subjects to process their information, please contact the University’s Records Manager and Information Compliance Officer before proceeding.
Information Commissioner’s Office, ‘What does fair processing mean’, https://ico.org.uk/for-organisations/guide-to-data-protection/principle-1-fair-and-lawful/ (accessed September 2017)
This principle further emphasises the point that you need to be clear regarding the reasons for which personal information is being processed. Processing should stop if what you are doing differs from the reasons personal data was collected originally. Where you are unsure whether processing is ‘incompatible’ please contact the University’s Records Manager and Information Compliance Officer.
A notable exemption to this principle is personal data used solely for research. Subject to certain conditions being met, research can be carried out using personal data that was collected for another purpose. Please see the section on research below for more information on the requirements and applicability of the research exemption.
This principle ensures that data collection and processing is audited against need. Where personal data is required for a task, only the minimum amount of information should be processed. For example, if name, address and date of birth are required for a particular purpose it is not permissible to also collect marital status because that ‘might be useful for something in future’.
Where the University processes personal information, it is required to ensure that information is accurate and current. Should an individual challenge the accuracy of the University’s information, please contact the Records Manager and Information Compliance Officer for advice.
When dealing with personal information it is important to establish the length of time for which it will be needed and to communicate this to the data subject in the fair processing statement. When personal information is no longer required for the specified purposes it should be destroyed (via a manual or digital shred). A destruction log should also be kept, documenting the information destroyed and the person authorising the destruction. For more information on the proper disposal of information please see Guidance on the proper disposal of information.
As with principle 2, personal data processed for research is exempt from this principle. The research exemption in the DPA allows for personal data processed for research to be held indefinitely. However, the retention of personal information for research must meet the conditions of the research exemption. Please see the section on research below for more information on the requirements and applicability of the research exemption.
The rights of data subjects in respect of their personal data are enshrined in the DPA. In summary these are:
- A right of access to a copy of the information comprised in their personal data
- A right to object to processing that is likely to cause or is causing damage or distress
- A right to prevent processing for direct marketing
- A right to object to decisions being taken by automated means
- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
- A right to claim compensation for damages caused by a breach of the Act
It is important that the University respects these rights and reacts appropriately should a data subject wish to exercise them. Please contact the University’s Records Manager and Information Compliance Officer for advice and assistance in the following circumstances:
- When someone asks you for their own personal information
- When someone claims that the University’s actions in respect of their data are causing them damage or distress
- When someone asks you to stop communicating with them
- When someone contests the information held by the University
Where a person makes a request for access to their own information it is known as a ‘Subject Access Request’. The University has 40 calendar days to respond to a request of this type from the point that it is received by the University (not from the point that the request is actioned). It is important that you seek assistance as soon as possible where someone is requesting access to their personal information.
Information Commissioner’s Office, ‘The rights of individuals (Principle 6)’, https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/ (accessed September 2017)
Alongside the requirements for the appropriate collection, management and disclosure of personal data, another fundamental aspect of data protection is the requirement to ensure that personal information is not lost or misused. Practical steps to compliance with this principle include:
- Never sharing or disclosing passwords
- Never leaving information on computer screens or desks when they are unattended and securing information in locked areas at night
- Always password-protecting and, where appropriate, encrypting information on portable devices and media such as laptops, memory sticks and external hard drives (please seek advice from the Information Security Officer in Information and Communications Services)
- Ensuring formal agreements cover and limit the sharing and processing of information when working with external bodies
- Rapidly removing access privileges to systems and physical spaces by staff leaving the University
- Scrutinising potential employees and ensuring that new members of teams understand the sensitivity of the information disclosed to them in their duties
- Reporting potential loss or unauthorised access to information (see the section on data loss below)
- Shredding or securely erasing information when no longer required (the Information Security Officer in Information and Communications Services can advise on the secure destruction of digital information)
- Not writing papers or documents which disclose personal information without explicit permission to do so (remembering that the combination of data points can identify people and removing obvious identifiers like names may not be enough)
- Requesting regular advice or training from the University’s Records Manager and Information Compliance Officer on information compliance issues
The University also has systemic measures in place in respect of its IT services and campus security to assist in the protection of personal and other University information, but it is the responsibility of all staff to exercise due care. If, for example, you are unsure whether it is appropriate to place information onto a memory stick pause and consider the implications of the data being lost or used against someone or the University and seek advice if you have any doubts.
The Data Protection Act 1998 is the UK implementation of the European Union’s Data Protection Directive. Other countries in the European Economic Area (EEA) also have national implementations of that Directive. As a result, the presumption is that there is parity in the rights, freedoms and protections for data subjects in all EEA member states. In practice, this means that institutions in Europe can collaborate in ways that require the transfer of personal data between nations (although, this is something that should be made clear to data subjects in fair processing statements/privacy notices).
When collaborating with partners outwith the EEA in projects involving the transfer of personal data, the University must ensure that its partners meet the European standards for data protection before transmitting or sharing any information. The Information Commissioner’s Office provides information on the countries that ‘have an adequate level of protection’, model contract clauses that can be used when working with partners in countries that do not appear on that list and information on the ‘safe harbour’ scheme that international partners can use to indicate their compliance with EU rules on data protection.
The European Economic Area comprises the members of the European Union with Norway, Liechtenstein and Iceland.
Information Commissioner’s Office, ‘Sending personal data outside the European Economic Area (Principle 8)’, https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/ (accessed September 2017)
There is an understandable fear held by many that the rules concerning the proper collection, management and disclosure of personal data contained in the Data Protection Act will hamper the use of personal information in research. This fear is, however, broadly unfounded. The rules provided by the Data Protection Act for the collection and processing of personal information accord with normal ethical practices for academic research and the provision of information to participants in order to obtain informed consent. It is normal for participant information sheets to include information on who is undertaking the research, what they are doing, why they are doing it, how their information will be used and the length of time for which it will be used and/or retained. This is the same information required by the Data Protection Act when providing fair processing or privacy notices to data subjects. Provided that good research practice has been followed so that participants understand how and where their data will be used and disclosed and have provided their consent on that basis, the ‘fair and lawful processing’ requirement of the Data Protection Act is likely to have been met.
The Act also provides specific provision for the use of personal data in research in S.33, exempting the University from certain requirements in respect of that data. Provided that
- The data are not processed to support measures or decisions with respect to particular individuals, and
- The data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject
then the following applies:
- In respect of the second data protection principle, the further processing of personal data only for research purposes is not regarded as incompatible with the purposes for which they were obtained. This means that personal information collected for a purpose other than research can be used in research projects.
- Notwithstanding the fifth data protection principle, personal data processed only for research may be kept indefinitely.
- Where personal data is held solely for research purposes, the data controller is not obliged to provide access to that information to any data subject provided that
- They are processed in compliance with the conditions above
- That the results of the research or any resulting statistics are not made available in a form which identifies living individuals
The research exemption should not be viewed as providing carte blanche to use personal information in research. It does not, for instance, provide an exemption from the requirement to ensure that processing of personal information is fair and lawful. The best way to ensure that requirement is met is to obtain informed consent from participants. What the exemption does do, however, is provide for the use of personal information in research and the retention of that information over time provided that no harm or distress could be caused to participants, that the information is not being used to make decisions about people and that the outputs of the research are properly anonymised.
There are provisions in the Data Protection Act that make the use of personal information for medical purposes lawful. These provisions extend to medical research. However, as with the general research exemption, there are specific requirements concerning the medical use of personal data contained in the Act. Similarly, the University’s relationship with its NHS partners means that their rules and requirements must be taken into consideration. As no two situations are the same, when conducting medical research it is advisable to contact the Tayside Medical Science Centre (www.tahsc.org/) and the Records Manager and Information Compliance Officer during the development stages of research projects.
If this is a normal part of the business of the University and you are confident that the person making the request is the data subject (i.e. you know them) then provide them with their information. If you have any misgivings, the request seems out of the ordinary or you cannot be sure of the identity of the person making the request, contact the Records Manager and Information Compliance Officer, who will manage the request as a ‘Subject Access Request’ and take any necessary steps to ensure that it is managed appropriately.
There are various circumstances in which requests will be made for personal data by third parties. These include requests by solicitors, government and law enforcement agencies and by relatives of the person concerned. In general, the first response to a request such as this should be to take the details of the person making the request and the information they are seeking, then inform them that the University will respond in due course. The request should then be passed to the Records Manager and Information Compliance Officer.
Often, with requests of this type, the University will be able to provide the information that is being requested, but it must ensure that all disclosures are made appropriately and in light of the correct sections of the Data Protection Act. This helps to ensure that the risk of inappropriate or unlawful disclosure is minimised.
The University receives requests for information in aggregate on a reasonably regular basis. There are situations where it is a requirement upon the University to provide certain information, for example to HESA. In other situations it may be that someone is asking for information on a particular cohort of students for research or other purposes. The key is that, even in aggregate, it may be possible to identify individuals. There are methods that can be used to protect individuals, for example replacing the numbers 0 through 4 with the phrase ‘less than five’, but these measures need to be considered in light of the request being made. Please seek further advice from the Records Manager if you have any misgivings about the release of information.
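As an added example (not from the University guidance), the Python below applies the ‘less than five’ rule to a constructed table of cohort counts and then checks the point the text raises about considering the measure in light of the request: if row or column totals are released alongside the table, a single suppressed cell in a line can be recovered by subtraction. Table contents, programme names and category labels are constructed.

```python
# Added example, not from the University guidance. Table values are constructed.
THRESHOLD = 5
SUPPRESSED = "less than five"

# Constructed sample: number of students per programme in each category.
# Any single cell, if attributable to one identifiable student, would be
# personal (and potentially sensitive) data.
SAMPLE_TABLE = {
    "Programme A": {"cat1": 120, "cat2": 3, "cat3": 40},
    "Programme B": {"cat1": 6, "cat2": 0, "cat3": 9},
    "Programme C": {"cat1": 2, "cat2": 4, "cat3": 60},
}


def suppress_small_cells(table):
    """Primary suppression: replace every count of 0..4 with the phrase."""
    return {
        row: {col: (SUPPRESSED if n < THRESHOLD else n) for col, n in cells.items()}
        for row, cells in table.items()
    }


def recoverable_cells(table, publish_row_totals=True, publish_col_totals=True):
    """Return the suppressed cells a reader could reconstruct exactly.

    If a row (or column) total is published and only one cell in that line
    is still hidden, subtracting the visible cells from the total reveals it.
    Recovered cells count as visible on the next pass, so the search runs to
    a fixed point (one recovered cell can unlock another).
    """
    masked = suppress_small_cells(table)
    rows = list(masked)
    cols = list(dict.fromkeys(c for cells in masked.values() for c in cells))
    lines = []
    if publish_row_totals:
        lines += [[(r, c) for c in cols if c in masked[r]] for r in rows]
    if publish_col_totals:
        lines += [[(r, c) for r in rows if c in masked[r]] for c in cols]

    known = set()
    changed = True
    while changed:
        changed = False
        for line in lines:
            hidden = [cell for cell in line
                      if masked[cell[0]][cell[1]] == SUPPRESSED and cell not in known]
            if len(hidden) == 1:
                known.add(hidden[0])
                changed = True
    return sorted(known)


def safe_to_release(table, publish_row_totals=True, publish_col_totals=True):
    """True when primary suppression alone leaves no cell recoverable."""
    return not recoverable_cells(table, publish_row_totals, publish_col_totals)


if __name__ == "__main__":
    for row, cells in suppress_small_cells(SAMPLE_TABLE).items():
        print(row, cells)
    print("recoverable with row and column totals:", recoverable_cells(SAMPLE_TABLE))
    print("recoverable with no totals:", recoverable_cells(SAMPLE_TABLE, False, False))
```

Where a cell is reported as recoverable, the release should either withhold the totals or suppress a second cell in the same line (secondary suppression) before the aggregate goes out.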
Normally, marks should be entered into SITS and students should access them individually via e-Vision using their own credentials. If, for example after major examinations, students are seeking their marks as quickly as possible, the marks can be held in School Offices and provided to students on request, rather than placed on notice boards in open areas of the University. Where information must be placed on notice boards, it should be posted by matriculation number only.
Although this may seem extreme, large areas of the University campus are open, semi-public spaces. Posting personal information in such spaces is inappropriate and could have significant ramifications if, for example, someone was searching the campus trying to locate an individual with intention of causing them harm.
It is crucial in situations such as this to react quickly. Tell your manager and notify the University’s Records Manager as quickly as possible. Try to establish the last place that the data was seen and how much information is missing. The goal is not to apportion blame; the aim is to establish what has gone, the level of risk associated with the loss and to mitigate that risk appropriately. The University has a Procedure for data loss and it is important that everyone familiarises themselves with that process.
Remember, however, that the best way to prevent data loss is to practise good information security and, at a minimum, to lock filing cabinets, desk drawers and office doors where personal or other sensitive information may be held and to password protect memory sticks, computers, laptops or other portable electronic media. Where systems are known to contain personal or other sensitive data, seek advice from ICS on encryption and other security measures and ensure that any advice is implemented fully.
If you are contacting anyone for marketing reasons you should always provide a fair processing statement explaining what you are doing and why. Over and above that statement you should include a clear and easy way for the individual to opt out of future marketing communications. You must have mechanisms in place to honour any request to opt out.
Information sharing is a complex area. Some sharing, for example with law enforcement agencies, is normal (provided that they have appropriate grounds to access that information), but such instances are dealt with case by case, rather than routinely. Where regular information sharing is required with another organisation, that should be done under a formal data sharing agreement. Where data sharing is required advice should be taken from the Director of Legal Services.
The University regularly introduces new systems and processes and develops new research projects involving the management and/or use of personal information. At the planning and design stage, due consideration should be given to the privacy impact of the new proposal; the potential risk to the individuals whose data is being processed should be evaluated and any necessary mitigation put in place. The Information Compliance Officer or Director of Legal Services can assist with that process.
The Information Commissioner’s Office have developed a process known as ‘privacy impact assessments’ to help evaluate the impact of any new development on privacy. Whilst it may not be appropriate for all circumstances, consideration should be given as to the applicability of conducting a privacy impact assessment - https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/.
It is important to remember that the inappropriate use or disclosure of a single person’s information could have significant negative implications for them and that where personal information is being held or used every appropriate safeguard should be applied. The University's Information Security classification and Data Protection policy should help you make judgements about the sensitivity of information. If you have any questions, please contact the Records Manager & Information Compliance Officer.
The University processes personal data for a variety of reasons. One of the requirements of the DPA is that the University maintains a public notification of those reasons with the Information Commissioner's Office. View the University of Dundee on the public Register of Data Controllers.
It’s often reasonable to assume that if someone has included people in an email to you, they wish those persons to be included in the correspondence. However, if you are emailing someone about a personal matter, your email includes personal or business-sensitive data or if you have concerns about the group that has been included, it is prudent to pause before pressing 'send’. Ask yourself whether everyone included needs to see the information or whether any harm could come from someone seeing it inappropriately? Remember also that the tone of a correspondence may change as it develops and that may mean different people should be removed/included as appropriate. If you have concerns you could:
- Write directly to the person with whom you are corresponding and ask whether they are happy for the others to be included, before 'replying all'.
- Remove anyone about whom you are unsure from the email - if you don’t know who someone is, it’s better to check.
- Review the information included in the email to see if there might be a more appropriate method of sharing it.
Please also remember that the use of email can mean the transfer of personal information outwith the EU, so it’s best to check if the appropriate safeguards are in place before proceeding (see the section on the 8th Data Protection Principle above).
Ultimately, as with anything to do with the protection of personal information, it’s better to be cautious initially and expand from that point. That’s a much better position to be in than trying to gather everything back in once it’s been shared inappropriately. A good test is to ask yourself whether the people included would normally have access to this information or whether it seems appropriate for them to do so.