Issued by the Information Access and Security Group of the Information Strategy Sub-Committee.
- Does the Act Affect You?
- Data Protection Principles
- Data User Responsibilities under the Act and the Notification Process
- The Data Subject Rights
- Further Information
- The 1998 Data Protection Act is concerned with personal data and the manner in which it is processed. The 1998 Data Protection Act became Law on 24 October 1998, replacing the earlier 1984 Act. It introduces a number of important changes and extends the provisions of the 1984 Act.
- Further information is available on the Web. The Office of the Information Commissioner has published introductory guidelines for the new Act and other background material on the Web at www.gov.uk/data-protection. The complete 1998 Data Protection Act is available on the HMSO Web site at www.legislation.gov.uk. If you require further information, please contact the University Secretary, the Director of IT Services or the Director of Learner Support Services.
- Data users are personally responsible for complying with the provisions of the 1998 Act. This summary describes the Act and some of its implications and outlines the steps data subjects will need to take before processing their data. It will help users to decide if the Act applies to data that they are storing or processing.
- You are affected by the Act if you process personal data.
- Under the 1998 Act, personal data is any information relating to living persons, termed data subjects, who can be identified from the information either directly or indirectly, when combined with other information which the data controller or data processor may have in their possession now or in the future.
- The 1998 Act extends the provisions of the 1984 Act to include not only machine-readable data (termed automated data) but also hard-copy or written information, voice recordings, photographs, video recordings and structured manual files (all termed non-automated data) where there is ready access to information about individuals. It is prudent to err on the side of caution, e.g. most manual files accessed on the basis of the names of individuals will be covered by the Act.
- The Act also applies to opinions or statements of intention about a subject, to bibliographies or lists of references and to files of electronic messages containing details of the sender or recipients. As an example, directories of telephone numbers and email addresses are allowed provided they include only work-related or public information. They are bound by the Act if they contain personal details, e.g. private home or mobile phone numbers, private email account details or home addresses.
- The new Act introduces additional provisions and restrictions when processing classes of personal data that it defines as sensitive data. These include data on political interests, ethnic origin, trade union membership, sex life, criminal records and medical records among other classes. The Act recognises that disclosure of such information may be distressing or problematic to the data subject.
The 1998 Act sets out eight principles that must be observed in all collection, storage and use of personal data. The following is only a brief description of the principles. Further detail is available from the "Introduction to the Data Protection Act 1998" on the Web (see 1.2 above).
First Principle: Personal Data must be processed fairly and lawfully and shall not be processed unless certain conditions are met.
Consent implies a specific and informed indication of agreement to collection and processing with reference to the data subject. In practice, this implies return of a form or other active communication including confirmation, e.g. a "tick box". Data controllers cannot infer consent from non-response to a communication, e.g. it is inadequate to send a letter specifying that processing will be carried out unless a data subject responds and explicitly opts out.
Data controllers must obtain consent from data subjects, unless processing falls into one of the exempt categories under the Act which include:
- processing necessary for performance of a contract with the data subject
- processing required under legal obligation
- processing necessary to protect the vital interests of the data subject
- processing necessary in order to pursue the legitimate interests of the data controller or third parties to whom data are disclosed provided that the processing is not prejudicial to the interests of the data subject.
In assessing fair processing, data controllers are advised to consider the extent to which uses of personal data are reasonably foreseeable by the data subject. If not, data controllers must ensure that they provide additional information as may be necessary to ensure that data subjects are fully informed.
If sensitive data are being processed, the data controller usually requires explicit consent from the data subject before processing. The use of the word explicit under the Act implies that the subject has been informed of the specific detail of the processing and, in particular, processing outcomes that may affect the individual and all possible disclosures. Further advice may be issued on this matter but, in general, it is better to err on the side of caution when dealing with sensitive data.
Second Principle: Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any way incompatible with that purpose or those purposes.
Processing purposes are specified to the Office of the Information Commissioner as part of the notification process (see below). Processing must be restricted to purposes that have been notified. Thus it is important that all anticipated uses and disclosures are fully described and included at the time of notification.
Third Principle: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
This principle is intended to restrict the amount of data held to the minimum necessary for a particular processing purpose. The definition of processing is extended under the new Act to encompass all data-related activities, normally with reference to data subjects. These include the whole spectrum of collection, input, storage (even if information is held without further processing), organisation, updating, accessing, retrieving, deletion and disclosure of data.
Fourth Principle: Personal data shall be accurate and, where necessary, kept up to date.
The Data Protection Act requires that all reasonable steps be taken to prevent inaccuracy. Where appropriate, data must be kept up to date to ensure that they are adequate for the processing purpose or purposes. See also section 5 on data subject rights.
Fifth Principle: Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or purposes.
Data users need to review their holdings of personal data regularly, deleting information that is no longer required for their notified purpose or purposes. The definition of "necessary" duration will differ for different data or purposes, e.g. how long is it necessary to keep personal references, application forms or admissions information? More advice will be issued on this aspect of the Act when it becomes available.
Sixth Principle: Personal Data shall be processed in accordance with the rights of data subjects under the Act.
The new Act extends rights of the data subject to correct inaccuracies or access data held on them, to prevent inappropriate processing or to demand deletion of data held inappropriately. See 5.6 for more information.
Seventh Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This principle is not only important to data users for data they hold but also to computer administrators in respect of personal data they hold or process on behalf of data users. In the case of bureau services, it applies to personal data processed by users on equipment for which the bureau administrator is responsible. In particular, it implies the need for adequate password protection or other access controls, regular backups of data, security protection of backup media and an appropriate choice of staff who may see information during processing. The level of security that is appropriate will depend on the type of data being processed; in particular, sensitive data may require extensive security measures.
Similar care must be taken when disposing of equipment or media that contain personal data.
From a security standpoint, it is also useful to distinguish between the various classes of personal data.
- Public personal data (e.g. bibliographies or directories) consists of publicly available material which may nevertheless not be exempt from the Act; it must be registered but has a low security rating since the information is readily available elsewhere.
- Depersonalised personal data is a term used for personal data that has personal identifiers such as names and addresses replaced by a code which only the data controller can translate. The 1998 Act applies to such data in the same way that it applies to personal data containing identifiers.
- Sensitive data, particularly that containing personal identifiers (or containing data of a sufficiently distinctive nature to identify an individual from the contents alone) will require extensive security precautions. There is a spectrum of more or less sensitive personal data between these two extremes that needs to be considered case by case.
Please contact IT Services for further advice on security precautions or read the University Code of Practice for Information Access and Security. In addition, the Information Commissioner's advisory notes on the Web (see section 1.4) refer data controllers to BS7799 to help in assessing the adequacy of their security regime.
Eighth Principle: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
There are no restrictions on the free flow of personal data between countries in the European Economic Area, for disclosures that are permitted within the UK. However, personal data may only be transferred to third countries (i.e. outside the EEA) if such countries have an adequate level of protection for the rights and freedoms of data subjects. When determining adequacy, data controllers need to consider the nature of the data and the protection afforded by the regulatory framework of the recipient country (or by contractual provisions deliberately included to afford adequate protection).
However, if the data subject has consented to the transfer or the transfer is necessary for performance of a contract between data subject and data controller, the transfer of personal data is exempt from this restriction.
See the advisory information on the Web pages of the Information Commissioner's Office for further details (including transitional arrangements).
- The Data Protection Act seeks to control the use of personal data, to ensure that it is processed fairly and lawfully and to register its use. It requires that data controllers notify the Office of the Information Commissioner annually of all personal data and associated processing activities. Notification replaces registration under the 1984 Act. Existing registrations under the 1984 Act remain in force until their natural expiry date. Thus a data controller is required to notify the Information Commissioner's Office before
- embarking on any new processing activities, or the earlier of
- the expiry of an existing registration under the 1984 Act and
- the deadline for notification for new data controllers (24 October 2001).
- Under the 1984 Act, the University collected details of processing purposes across the campus. It registered all purposes under a single registration that met the collective needs of most administrative and academic uses. This registration was the basis of the University's notification to the Information Commissioner's Office under the 1998 Act.
- It is important that all potential data controllers check to ensure that their processing of personal data is a continuation of (or is covered by) an existing notified purpose. If not, they must ensure that the current notification is updated to include the new purpose.
- The University is planning a central register of personal data and processing purposes for all teaching, research and administrative activities making use of personal data, in order to simplify handling of data subject access requests.
- As required under Regulation 21, it is the responsibility of all members of the University that process personal data (in the general sense of the Act) to inform the University Secretary and, through the Deputy Vice-Chancellor, to update the current notification. Where staff process personal data independently of the University, e.g. for themselves or on behalf of another organisation, they must notify the Information Commissioner's Office direct.
- Since processing unregistered data is a criminal offence and processing registered personal data will, in most cases, involve taking more care than usual, individuals who input or process data on behalf of others will need to know whether the material they are dealing with contains personal data and, if so, seek assurance that the Information Commissioner's Office has been notified appropriately.
- Any unregistered use of personal data anywhere in the University may be sufficient cause for the Office of the Information Commissioner to suspend all processing throughout the University under the appropriate heading and may have serious legal implications for the University. If personal data held by a user on behalf of the University should become the subject of criminal or civil legal proceedings, the data user may become involved and may be held liable personally and jointly with the University.
- Similar conditions apply to individuals holding or processing personal data on behalf of external bodies.
- As under the earlier Act, data subjects are entitled to apply for a copy of specified information held about them. They now have extended rights of access and are entitled to ask for a description of processing purposes, a description of the data being processed, a description of potential recipients of data, any available information as to the source of the data and, if appropriate, the logic involved in any automated decision making with reference to the data subject.
- In addition, under the new Act, data subjects do not need to specify the location thought to be holding relevant data. A data subject is entitled to ALL relevant information the institution holds on them on payment of a single fee (as opposed to a fee per register entry as before). Any coded information must be translated into intelligible form and it should be stressed that the Act covers both electronic and non-automated or manual data.
- The data controller must respond to the request as long as (and only if) the following conditions have all been satisfied:
- the request is made in writing,
- the controller is satisfied as to the identity of the enquirer,
- the requisite fee has been paid (although details of the maximum fee have not been released by the Information Commissioner's Office at this stage) and
- a reasonable interval has elapsed since a similar request was made by the same data subject.
- Data controllers must comply with access requests within a reasonable time that must not exceed forty days from the data subject complying with the conditions under 5.3 above.
- Access requests under any of the University registered or notified purposes will normally be handled centrally by the Deputy Vice-Chancellor or nominee. Thus it is essential that all uses of personal data are registered centrally with the Deputy Vice-Chancellor (see section 4). If appropriate, access requests will be passed to the relevant department or departments for action.
- In addition to the right of access, data subjects have a number of additional rights under the new Act. Rights are exercised by serving written notice to the data controller or, where there is contravention of the Act, applying for a court order.
- Data subjects have the right to prevent processing causing or likely to cause damage or distress.
- They have a right to compensation if they do suffer damage or distress as a result of any contravention of the Act.
- They may prevent processing for the purposes of direct marketing and may apply for a court order if the data controller fails to comply with a request.
- Data subjects have the right to challenge a decision that affects them significantly when it is based solely on automatic processing. The data controller must notify the subject as soon as reasonably practical following a decision based on automatic means and the data subject has 21 days to require the data controller to reconsider the decision or to take the decision on another basis.
- Data subjects may apply for a court order requiring the data controller to rectify or destroy data that is inaccurate or that expresses opinion based on inaccurate data (defined as incorrect or misleading as to any matter of fact).
- Data subjects have the right to withdraw their consent to process their personal information for a specified purpose.
- A number of exemptions under the Act have direct relevance to the University.
- Section 30 of the Act (subject to an order from the Secretary of State) provides exemption from subject information provision for Health, Education or Social Work data.
- Exemptions under Section 33 of the Act apply to data held exclusively for research purposes (including statistical or historical purposes). The exemptions cover additional processing of data already held, the ability to hold data indefinitely and exemption from subject access provisions. However, they only apply if adequate care is taken to avoid identifying individuals with distinctive characteristics in the published results and provided that data are not processed to support decisions relating to individuals or in a way that could cause substantial damage or distress to a data subject.
- Schedule 7 of the Act provides exemption for subject access to confidential references given by the data controller in respect of a data subject's education, employment, appointment to another office or provision of a service. However, please note that a data subject has a right of access to a reference from its recipient, e.g. the potential or actual employer. It is thus prudent to assume that the subject of a reference will have the right to see it.
- Schedule 7 of the Act also extends the time period for complying with subject access to examination marks or results. The time period is extended to five months from the date of a valid request, i.e. subject to the enquirer satisfying the conditions outlined in section 5.3 above, or forty days from announcement of the examination results, whichever is the shorter. If a longer period elapses before responding, the information provided in the response must include both the data in question at the time when the request was received and (if different) any data held or processed up to the date of compliance with the request. Further detail will be available in due course from the Registrar's Department.
- In this context, examination scripts are exempt from subject access under Schedule 7, since they comprise information recorded by the data subject.
If you require further information, please contact the Deputy Vice-Chancellor, the Director of Learner Support Services (telephone extension 3401), or the Director of IT Services (telephone extension 3115).
Content last updated: October 2008.