by Pat Whatley
Data protection is one of those subjects about which little is known and that’s how most people would like it to remain. But how would you feel if your personal details were disclosed or used without your consent or knowledge? Are you responsible for filing, managing staff, updating a database which contains students’ exam marks or addresses, marking exam scripts, writing references, having references provided for you or conducting research which requires individuals’ details? If the answer to these or many similar questions is yes then you are affected by, or have a responsibility to comply with the terms of the data protection act 1998.
As the implementation of the act is closely tied to records management, responsibility for managing and co-ordinating data protection compliance has been moved to archive, records management and museum services, which is building on the work previously undertaken by Charles Christacopolous, the former data protection officer. Nevertheless, regardless of where the formal responsibility is located, the obligation of the University to comply with the law resides in all staff and students, regardless of grade, position or status.
What is data? Data is information about a living person which identifies that person, and which may be of a sensitive nature, for instance, their health, ethnicity or marital status. This includes opinions about that person and the intentions of other people towards them. The information can be held in many forms: manual, or paper files; electronic files and databases; microfiche; microfilm; photographs; digital images; web pages; voice recordings or X-rays.
The data protection act is designed to protect people from the misuse of their personal information by others and to give legal rights to them with regard to the personal information held about them by others. The University can no longer assume it has the right to process and retain all personal data. The Act gives individuals the right to see what personal information is held about them, and to insist on the information being corrected if it is inaccurate. No individual can demand instant access to the information held about them. There is a proper procedure for this and formal requests for access to personal data should be passed to the data protection officer to ensure correct compliance with the act.
To ensure compliance with the act, all personal information must be: processed fairly and lawfully, with the consent of the individual; obtained for specified and lawful purposes; adequate, relevant and not excessive; accurate and kept up to date; not kept longer than necessary; processed in accordance with the rights of data subjects; and protected by adequate security.
Finally, data should not be transferred outside the European economic area. Sensitive personal data is subject to special rules and requires explicit consent. There are specific exemptions to the act which cover situations where there is a public interest involved, such as national security, crime and taxation or academic research. The legislation requires the annual notification of personal data being processed to the Office of the Information Commissioner.
Compliance is managed by the data protection officer, Patricia Whatley, who is also the university archivist. The responsibilities of the data protection officer include the formulation and establishment of policies and procedures, keeping the official notification up to date, staff training and awareness and responding to requests for information. All data protection policies, procedures and guidelines will be available on the archive, records management and museum services web site. To co-ordinate the compliance process, each department/section will shortly be required to nominate a named contact. If they have not already done so, each head of department should consider who they will appoint as their data protection co-ordinator.
The data protection act is complex and has significant implications and consequences for all higher educational institutions. Compliance is the responsibility of all members of the university. The information provided above is not comprehensive. Enquiries should be directed to Patricia Whatley, ext 4095, email p.e.whatley@dundee.ac.uk.