
DATA PROTECTION ACT 1998 Became law on 1 March 2000 Only applies to the use of personal data, that is data which relates to an identifiable living individual,


DATA PROTECTION ACT 1998

• Became law on 1 March 2000

• Only applies to the use of personal data, that is data which relates to an identifiable living individual, the data subject, and which

• Is being processed by computer or other automatic equipment; or is recorded with the intention that it should be so processed;

• Forms part of a relevant filing system or accessible record.

• Based upon 8 Principles for processing personal data


DATA PROTECTION PRINCIPLES

Conditions for processing – Schedule 2

• Consent.

• Contractual.

• Legal obligations.

• Person’s vital interests.

• Administration of justice.

• Functions of Crown or Government Dept.

• In the public interest.

• Legitimate interests of the University.

1. PERSONAL DATA SHALL BE PROCESSED FAIRLY AND LAWFULLY.

Fair Processing Code

• Identity of the data controller

• Identity of any nominated representative

• Purposes for which the data are to be processed

• Any further information necessary to enable the processing to be fair, e.g. likely recipients, retention period.


Sensitive Personal Data

• racial or ethnic origin

• political opinions,

• religious or other beliefs,

• trade union membership,

• physical or mental health,

• sexual life,

• offences, or alleged offences

• Criminal offences / previous convictions

Conditions for processing – Schedule 3

• Explicit consent

• Employment law obligations

• Vital interests of the data subject

• Some not for profit organisations

• Information made public by the data subject

• Legal Rights of the data subject

• Public functions (admin of justice)

• Medical purposes

• Racial equality monitoring


2. Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes.


3. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed.


4. Personal data shall be accurate, and where necessary, kept up to date.


5. Personal data shall not be kept for longer than is necessary, for the purposes for which it is being processed.


6. Personal data shall be processed in accordance with the rights of data subjects under this Act.


7. Appropriate security measures shall be taken against the unauthorised or unlawful processing, accidental loss, destruction, or damage of personal data.


8. Personal data shall not be transferred outside the EEA unless that country / territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

INDIVIDUALS' RIGHTS

1. Right of subject access

2. Right to prevent processing likely to cause damage or distress

3. Right to prevent processing for the purposes of direct marketing

4. Rights in relation to automated decision-taking

5. Right to take action for compensation if the individual suffers damage by any contravention of the Act by the university

6. Right to take action to rectify, block, erase or destroy inaccurate data

7. Right to make a request to the Commissioner for an assessment to be made as to whether any provision of the Act has been contravened


EXEMPTIONS

• Confidential references given by the University

• Management forecasts/management planning

• Negotiations

• Examination scripts

• Examination marks

• Research, History and Statistics

• Special purposes exemption

– the purposes of journalism,

– artistic purposes,

– literary purposes


OFFENCES UNDER THE ACT

• Processing without notification

• Failure to notify Commissioner of changes to a register entry

• Failure to comply with written request for particulars

• Failure to comply with Commissioner Notices

• Making a false statement in compliance with a notice

• Intentional obstruction / failure to give reasonable assistance in the execution of a warrant

• Unlawful obtaining of personal data

• Unlawful selling of personal data

• Enforced subject access


DISCLOSURE

Data may be legitimately disclosed only

i) where the individual has given their consent,

ii) where the disclosure is in the legitimate interests of the institution,  

iii) where the institution is legally obliged to disclose the data,  

iv) where the disclosure of data is required for the performance of a contract,  

v) where specific exemptions for disclosure without consent apply


DISCLOSURE WITHOUT CONSENT

Certain disclosures are permitted under the Data Protection Act 1998 provided one or more of the following criteria are met:

• For the purpose of safeguarding national security,

• For the purpose of preventing or detecting crime,

• For the assessment or collection of tax or duty,

• To discharge regulatory functions,

• For the purpose of preventing serious harm to a third party,

• For the purpose of protecting the vital interests of the individual

Requests relating to disclosure without consent (including enquiries from the police) should be supported by the appropriate paperwork and referred to the Data Protection Co-ordinator.


DISCLOSURE

• Telephone Requests.

• Requests for information from within the University.

• Requests for information from outside the University.

• Action when disclosure is refused.

• Siting of Computer Terminals

• Clear Desk Policy


DISCLOSURE - SUMMARY

• Treat all personal data with care

• Ensure consent has been provided, unless consent is not required

• If in doubt do not disclose, always ask for advice

• Do not provide information over the telephone

• Ask that requests for information are submitted in writing/by fax

• Keep notes of what has been disclosed and to whom

• Wilful disclosure of personal information will be treated as a disciplinary offence


IMPLEMENTING THE DPA

Departmental Responsibilities


• All personal data being processed within the department complies with the Data Protection Act 1998, the University’s Data Protection Policy and is included in the University’s official Data Protection Notification.

• An annual audit of the personal data within the department is carried out and recorded.

• All contractors, agents and other non-permanent university staff used by the department are aware of, and comply with, the Data Protection Act 1998 and the University’s Data Protection Policy.


• That all forms and correspondence used by the department to request personal data, clearly state

– the purposes for which the information is to be used,

– the period of time it is to be retained, and

– to whom it is likely to be disclosed.

• All personal data held within the department is kept securely and is disposed of in a safe and secure manner when no longer needed.


IMPLEMENTING THE DPA

Staff Responsibilities


• Personal data which they provide in connection with their employment is accurate and up-to-date, and that they inform the University of any errors, corrections or changes, for example, change of address, marital status, etc.

• That personal data relating to living individuals is processed in accordance with the Data Protection Act 1998 & the University’s data protection policy.

• Personal data relating to living individuals is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party. Unauthorised disclosure may be considered a disciplinary matter.

• When supervising students who are processing personal data, that those students are aware of the Data Protection Principles, and the University’s Data Protection Policy.


UNIVERSITY’S RESPONSE

• Create post of Data Protection Co-ordinator

• Establish Taskforce

– Produce a personal information strategy

– Conduct an Audit of Personal Information Systems

– Create policies and procedures to ensure compliance with the 1998 Act

– Create a Data Protection Web Site


Queen’s University Draft Data Protection Policy

• Introduction

– Compliance Commitment / Policy Statement

– Data Protection Principles

– Definitions

• Notification

– Notification Process

– Subject access to the University’s official notification

– Updating of official notification


• Security

– General Principles

– Responsibilities

• School / Departmental Responsibilities

• Staff Responsibilities

• Student Responsibilities

– Disposal Policy For Personal Data

– Retention Policy For Personal Data

– Processing & Disclosure of Personal Data & Sensitive Data

– Incoming and Internal Mail

– Contractors, Short-Term And Voluntary Staff

– Transfer Of Data Overseas


• Data Subject Rights & Access To Personal Data

– How to make a subject access request, Subject Access Fee

• Transitional Provisions

– Implications of Transitional Provisions on access to personal data

• Good Practice

– Guidelines

• On Going Revision

– On going evaluation

– Staff training

– Web Site


• Appendices

1. Official University Data Protection Notification

2. University Key Post Holders

3. University Information Security Policy and Related Procedures

4. Disposal Policy – Required Procedures

5. Retention Policy – Retention Periods

6. Good Practice Guidelines

– Research

– References

– Exam Marks / Scripts

– Alumni

– E-mails

– World Wide Web


FURTHER INFORMATION

www.qub.ac.uk/dataprot

University data protection web pages

www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm

On line version of Data Protection Act 1998

www.dataprotection.gov.uk

Data Protection Commissioner’s web site

www.jisc.ac.uk/pub00/dp_code.html

Code of Practice for Higher Education

www.jisc.ac.uk/pub99/sm09_data_prot.htm

General Briefing Paper for Higher Education on 1998 Act


QUESTIONS