The Data Protection Act 1998 governs the processing of personal data. As individuals, we have the right to access personal information held about us by any organisation that holds it, such as government departments, banks, credit card companies, local councils, schools, hospitals, doctors, past and present employers, and internet and mail order companies. From 25 May 2018 the Data Protection Act will be replaced by the General Data Protection Regulation.
As a higher education institution Falmouth University must collect, process and disclose personal information about staff (whether permanent or temporary, paid or volunteer) and students according to the eight principles of the DPA.
The 1998 Act replaced and consolidated earlier legislation such as the Data Protection Act 1984 and the Access to Personal Files Act 1987. At the same time it aimed to implement the European Data Protection Directive. In some aspects, notably electronic communication and marketing, it has been refined by subsequent legislation for legal reasons.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 altered the consent requirement for most electronic marketing to 'positive consent' such as an opt-in box. Exemptions remain for the marketing of 'similar products and services' to existing customers and enquirers, which can still be permissioned on an opt-out basis.
Accessing information under the Data Protection Act
The Data Protection Act 1998 (DPA) entitles individuals to request access to any personal data that an organisation may hold about them, which of course includes Falmouth. This is known as a Subject Access Request or SAR. The process that should be followed when requesting personal information from Falmouth is explained in our Subject Access Request procedure and is applicable to staff and students. Under the DPA a fee can be charged for each request received, depending on the type of request. A brief description of the types of request applicable to Falmouth is given below:
- Personal information from an organisation will usually cost a maximum of £10
- Requesting personal information including your education records: a sliding scale ranging from £1 to £50 depending on the number of pages to be provided
The eight data protection principles
1: Personal information must be fairly and lawfully processed
In practice, it means that you must:
- Have legitimate grounds for collecting and using the personal data
- Not use the data in ways that have unjustified adverse effects on the individuals concerned
- Be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data
- Handle people's personal data only in ways they would reasonably expect
- Make sure you do not do anything unlawful with the data
2: Personal information must be processed for limited purposes
In practice, the second data protection principle means that you must:
- Be clear from the outset about why you are collecting personal data and what you intend to do with it
- Comply with the Act's fair processing requirements - including the duty to give privacy notices to individuals when collecting their personal data
- Comply with what the Act says about notifying the Information Commissioner
- Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair
3: Personal information must be adequate, relevant and not excessive
In practice, it means you should ensure that:
- You hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual
- You do not hold more information than you need for that purpose
So you should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as 'data minimisation'.
4: Personal information must be accurate and up to date
Although this principle sounds straightforward, the law recognises that it may not be practical to double-check the accuracy of every item of personal data you receive. So the Act makes special provision about the accuracy of information that individuals provide about themselves, or that is obtained from third parties.
To comply with these provisions you should:
- Take reasonable steps to ensure the accuracy of any personal data you obtain
- Ensure that the source of any personal data is clear
- Carefully consider any challenges to the accuracy of information
- Consider whether it is necessary to update the information
5: Personal information must not be kept for longer than is necessary
In practice, it means that you will need to:
- Review the length of time you keep personal data
- Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
- Securely delete information that is no longer needed for this purpose or these purposes
- Update, archive or securely delete information if it goes out of date
6: Personal information must be processed in line with the data subjects' rights
The rights of individuals that this principle refers to are:
- A right of access to a copy of the information comprised in their personal data
- A right to object to processing that is likely to cause or is causing damage or distress
- A right to prevent processing for direct marketing
- A right to object to decisions being taken by automated means
- A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
- A right to claim compensation for damages caused by a breach of the Act
7: Personal information must be secure
In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
- Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach
- Be clear about who in your organisation is responsible for ensuring information security
- Make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff
- Be ready to respond to any breach of security swiftly and effectively
8: Personal information must not be transferred to other countries without adequate protection
This is the eighth data protection principle, but other principles of the Act will also usually be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using subcontractors abroad.
The Act also sets out the situations where the eighth principle does not apply. These situations are considered in more detail on the ICO website but you can also contact the data protection officer for further information.
If you are considering sending personal data outside the EEA, there is a checklist to help you decide if the eighth principle applies and, if so, how to comply with it to make a transfer. For further information please contact the data protection officer.
For more information or specific enquiries, please contact the Information Office: