Planning, Governance and Compliance

Data Protection guidance for staff

The holding, processing or disclosure of information on individuals which you may handle in the course of your duties is subject to the Data Protection Act 1998 and the University's Code of Practice on Handling Personal Information [PDF 14.48KB] . It is the policy of the University that all members of staff must comply with the Act and the Code of Practice. Both the Data Protection Act and the Code of Practice cover personal information held in any medium. The University has a designated Data Protection Officer ( to oversee compliance with this policy.

Your attention is drawn particularly to these points:

1.  Information concerning individuals learned in the course of your duties must not be communicated to other persons or bodies unless required to do so by law, or for the proper purposes of University business or with the consent of the individual concerned, and any disclosures of information must be consistent with the University's registration under the Data Protection Act, and any other relevant legislation that may apply.

2.  It is the responsibility of all members of staff to ensure:

(a) that appropriate measures are taken to prevent personal information (in whatever format) from being accidentally divulged to unauthorised persons, and that appropriate care is taken in disposing of printed information containing personal information;

(b) that, within your work area, the current general guidance on handling personal information is followed, along with any specific additional measures that may apply;

(c) that the Data Protection Officer is informed of any personal data which is being (or planned to be) handled, which is not registered, or of any changes in the way the data is being handled which might affect the University's registration under the Data Protection Act.  For anyone handling personal data that they do not themselves control, this responsibility is met by checking with the person who controls the data.

3.  Staff who are data holders may hold personal data only in accordance with the University's registration under the Data Protection Act, except where a member of staff has chosen to register as a Data Controller in his/her own right for University academic work.  (Where a member of staff has chosen to be so registered s/he should inform the Data Protection Officer.)  Data holders should make appropriate arrangements for security and access to their data whenever they are absent from the University, and are responsible for anticipating both security and access considerations in the event of emergencies such as power/utility failures, computer network failure, fire, flood or occupation of the work area by unauthorised people.

4.  You are not permitted to remove from the University personal data with the intention of processing this data elsewhere, unless such use is recognised and authorised.  Removing data in this way must not compromise normal University standards of information security.

5.  The University will support any employee or student who faces court proceedings for alleged breaches of the Data Protection Act, if that employee or student has acted in a reasonable manner, and not in breach of its Code of Practice on Handling Personal Information.

6. The University's HESA (the Higher Education Statistics Agency) collection notice for staff is available in full from the HESA website.