ITS Policy Document
Policy DATA PROTECTION ACT Date Created 23 JANUARY 2013
1998 / Revised
Team Service Improvement & Owner J.Eaglesfield
Status REVIEW – v1.2
The University is committed to comply with the Data Protection Act 1998 and will operate procedures to
ensure that appropriate requirements are met.
The Act contains eight fundamental principles relating to the collection, use and disclosure of data and
the right of staff to have access to personal data concerning themselves.
This policy is effective from 23rd January 2013
The University and all staff who process or use any personal information must ensure that they follow
these principles at all times. Staff should familiarise themselves with the contents of the Data Protection
Code of Practice which can be viewed on the University Website.
The University is notified as a Data Controller with the Information Commissioners Office (ICO). This
means that the University will notify the ICO of certain details about the processing of personal data
which are then included on a public register.
The Director of IT Services has responsibility for ensuring the University’s compliance with the Act.
Personal data is concerned with data that the University might collect and keep on any individual who
might wish to work, work, or have worked at the University. It will include personal details provided in
the main from the individual on application forms and other fair and lawful sources.
The Principles are that Data will be:
Obtained and processed fairly and lawfully
Use will only be for one or more specified and lawful purposes and shall not be further
processed in any manner incompatible with that purpose or those purposes
Relevant, adequate and not excessive in relation to the purpose or purposes for which they are
Accurate and where necessary, kept up to date
Held no longer than is necessary for that purpose or those purposes
Processed in accordance with the rights of Data Subjects under the Act
Properly secured against unlawful or unauthorised access, loss, damage or destruction
Not be transferred outside the European Economic Area unless that country or that territory
ensures an adequate level of protection for the rights and freedoms of the data subject in
relation to the processing of personal data.
The University will process personal data for the purpose of its normal business activity and in
compliance with the law and other statutory obligations. This will include: - the payment of salary,
ITS Policy Document
pension provision, equality and diversity legislation and the University’s duty to monitor statistics,
statistical returns, training and development and the operation of policies and procedures. Certain
information may need to be disclosed to other legitimate parties as part of the University’s obligation to
comply with statutory or legal requirements including statistical returns to external bodies including:
HESA, Inland Revenue, Pension Bodies and other Government departments, e.g. Child Support Agency
and Benefits Agency. These are indicative examples of data processing purposes and are not exhaustive.
The Data Protection Act provides individuals with the right to access to information that is kept about
them. Staff wishing to exercise their right under the Act must apply in writing in the first instance to the
Data Controller (Director of IT Services).
The University and all staff who process or use any personal information.
Authorised by the Service Improvement & Governance Manager
This statement should be read in conjunction with these Regulations Policies and Statements of Best
1. Personal Information Promise
2. Information Security Policy
3. Data Code of Conduct
4. Data Policy
17/10/2011 JE Review document created v1.0
20/01/20112 JE Review document updated to include Data Policy
06/12/2012 SJCC approved policy pending Equality & Diversity verification
23/1/2013 E&D approval