University Secretary
The Data Protection Act 1998
For the full text of the Data Protection Act go to the website of the Office of Public Sector Information.
- The Legislation
- Requirements
- Data Protection Principles
- Data Subject Rights
- Sensitive Personal Data
- Subject Access Request
The Legislation
The Data Protection Act 1998 (the DPA) came into effect on 1st March 2000. The EC Directive on which this legislation is based was designed to protect the rights and freedoms of individuals, in particular their right to privacy with respect to the processing of personal data. The main effect of the 1998 Act was to ensure manual records are given the same protection as computer records.
Personal data is any information that can identify a living person either by itself, e.g. a person's name, or with other information, e.g. an address plus a name.
'Processing' is the inclusive term given to the collection, use, storage and ultimate destruction of any personal information.
Requirements
The DPA imposes several requirements on any organisation that processes personal data. The first is that the data controller (the organisation that processes the personal data) must notify the Information Commissioner of 1) the personal data it is processing, 2) who the information will be collected from, 3) who it may be disclosed to, and 4) the purposes for which the information is processed.
To view the University's notification as a data controller, click on the following link to the Public Register of Data Controllers on the Information Commissioner's website.
The Data Protection Principles
Anyone processing personal data must take into account the 8 data protection principles to ensure the data is handled properly.
The 8 principles are that:
- Personal data shall be processed fairly and lawfully.
- Personal data shall only be processed for the purposes for which it was collected and not for any other purpose(s).
- Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall not be kept for longer than is necessary.
- Personal data shall be processed in accordance with the rights of data subjects under the DPA.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred outside of the European Economic Area unless an adequate level of protection for the data can be ensured.
Data Subject Rights
A data subject - that is, the individual to whom the information relates - has several rights in relation to the processing of their personal data, as outlined in the Sixth Principle. The following is a general explanation of the rights, but further information on how to pursue these rights is detailed in the DPA. Firstly, there is the right of access to personal data, where the individual is entitled:
- to be told if a data controller is processing any information about that individual,
- if that is the case, to be given a description of that information, why it is being kept and to whom it may be disclosed,
- to have that information given to them as well as details about how that information was received, and
- where the processing is carried out automatically for the purpose of evaluating matters relevant to that person, to have the logic involved in the decision taking explained.
Secondly, there is the right to prevent processing likely to cause damage or distress. An individual can ask a data controller to cease or not begin processing any personal data if that processing could cause unwarranted substantial distress to the individual or someone connected to the individual.
Thirdly, there is the right to prevent processing for purposes of direct marketing whilst the fourth right is in relation to automated decision-taking. The individual can ask the data controller to ensure that no decision that could significantly affect the individual is based solely on processing by automatic means.
Finally, there are the rights to compensation for failure to comply with the previously mentioned rights, and the rights to amend personal data. An individual who suffers damage as a result of failure by the data controller to comply with the DPA is entitled to compensation, and in cases where a court decides that personal data is inaccurate, the court can order the data controller to block, rectify, erase or destroy any personal data that is inaccurate, including any expression of opinion.
Sensitive Personal Data
The DPA defines some personal data as sensitive personal data. Sensitive personal data must be processed more carefully than other data collected, with respect to the purposes for which it is collected and who will have access to that information.
Sensitive personal data is defined in the legislation as data referring to:
- the racial or ethnic origin of the data subject,
- his/her political opinions,
- his/her religious beliefs or beliefs of a similar nature,
- membership of a trade union,
- his/her physical or mental health or condition,
- his/her sexual life,
- the commission or alleged commission by him/her of any offence, or
- any proceedings for any offence committed or alleged to have been committed by him/her, the disposal of such proceedings or the sentence of any court in such proceedings.
Subject Access Request
If you want to know what information a data controller holds about you, you can make a subject access request under the DPA. A charge of £10 can be made for each request, and the data controller must respond within 40 days of receiving your request. You will be provided with details of the information held about you, why the data controller has the information, what it will be used for and who the data will be released to.
If you want to make a Subject Access Request to the University, either contact the University's Information Disclosure and Complaints Manager, Samantha Hill, on 023 9284 3642 for more details of the process or complete the Subject Access Request form. The form must be printed off and sent to Samantha Hill, Information Disclosure and Complaints Manager, at:
University House
Winston Churchill Avenue
Portsmouth
PO1 2UP