DATA PROTECTION ACT 1998 Became law on 1 March 2000 Only applies to the use of personal data, that is data which relates to an identifiable living individual, the data subject, and which Is being processed by computer or other automatic equipment; or is recorded with the intention that it should be so processed; Forms part of a relevant filing system or accessible record. Based upon 8 Principles for processing personal data

DATA PROTECTION PRINCIPLES Conditions for processing – Schedule 2 Consent. Contractual. Legal obligations. Person’s vital interests. Administration of justice. Functions of Crown or Government Dept. In the public interest. Legitimate interests of the University. 1.PERSONAL DATA SHALL BE PROCESSED FAIRLY AND LAWFULLY. Fair Processing Code Identity of the data controller Identity of any nominated representative Purposes for which the data are to be processed Any further information necessary to enable the processing to be fair; e.g. likely recipients, retention period.

DATA PROTECTION PRINCIPLES Sensitive Personal Data racial or ethnic origin political opinions, religious or other beliefs, trade union membership, physical or mental health, sexual life, offences, or alleged offences Criminal offences / previous convictions Conditions for processing – Schedule 3  Explicit consent  Employment law obligations  Vital interests of the data subject  Some not for profit organisations  Information made public by the data subject  Legal Rights of the data subject  Public functions (admin of justice)  Medical purposes  Racial equality monitoring 1.PERSONAL DATA SHALL BE PROCESSED FAIRLY AND LAWFULLY.

DATA PROTECTION PRINCIPLES 2.Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes.

DATA PROTECTION PRINCIPLES 3.Personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed.

DATA PROTECTION PRINCIPLES 4.Personal data shall be accurate, and where necessary, kept up to date.

DATA PROTECTION PRINCIPLES 5.Personal data shall not be kept for longer than is necessary, for the purposes for which it is being processed.

DATA PROTECTION PRINCIPLES 6.Personal data shall be processed in accordance with the rights of data subjects under this Act.

DATA PROTECTION PRINCIPLES 7.Appropriate security measures shall be taken against the unauthorised or unlawful processing, accidental loss, destruction, or damage of personal data.

DATA PROTECTION PRINCIPLES 8.Personal data shall not be transferred outside the EEA unless that country / territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

INDIVIDUALS RIGHTS 1.Right of subject access 2.Right to prevent processing likely to cause damage or distress 3.Right to prevent processing for the purposes of direct marketing 4.Rights in relation to automated decision-taking 5.Right to take action for compensation if the individual suffers damage by any contravention of the Act by the university 6.Right to take action to rectify, block, erase or destroy inaccurate data 7.Right to make a request to the Commissioner for an assessment to be made as to whether any provision of the Act has been contravened

EXEMPTIONS Confidential references given by the University Management forecasts/management planning Negotiations Examination scripts Examination marks Research, History and Statistics Special purposes exemption  the purposes of journalism,  artistic purposes,  literary purposes

OFFENCES UNDER THE ACT Processing without notification Failure to notify Commissioner of changes to a register entry Failure to comply with written request for particulars Failure to comply with Commissioner Notices Making a false statement in compliance with a notice Intentional obstruction / failure to give reasonable assistance in the execution of a warrant Unlawful obtaining of personal data Unlawful selling of personal data Enforced subject access

DISCLOSURE Data may be legitimately disclosed only i)where the individual has given their consent, ii) where the disclosure is in the legitimate interests of the institution, iii) where the institution is legally obliged to disclose the data, iv) where the disclosure of data is required for the performance of a contract, v) where specific exemptions for disclosure without consent apply

DISCLOSURE WITHOUT CONSENT Certain disclosures are permitted under the Data Protection Act 1998 provided one or more of the following criteria are met: For the purpose of safeguarding national security, For the purpose of preventing or detecting crime For the assessment or collection of tax or duty, To discharge regulatory functions, For the purpose of preventing serious harm to a third party For the purpose of protecting the vital interests of the individual Requests relating to disclosure without consent (including enquiries from the police) should be supported by the appropriate paperwork and referred to the Data Protection Co-ordinator)

DISCLOSURE Telephone Requests. Requests for information from within the University. Requests for information from outside the University. Action when disclosure is refused. Siting of Computer Terminals Clear Desk Policy

DISCLOSURE - SUMMARY Treat all personal data with care Ensure consent has been provided, unless consent is not required If in doubt do not disclose, always ask for advice Do not provide information over the telephone Ask that requests for information are submitted in writing/by fax Keep notes of what has been disclosed and to whom Wilful disclosure of personal information will treated as a disciplinary offence

IMPLEMENTING THE DPA Departmental Responsibilities

All personal data being processed within the department complies with the Data Protection Act 1998, the University’s Data Protection Policy and is included in the University’s official Data Protection Notification. An annual audit of the personal data within the department is carried out and recorded. All contractor’s, agents and other non-permanent university staff used by the department, are aware of and comply with, the Data Protection Act 1998 and the University’s Data Protection Policy.

Departmental Responsibilities That all forms and correspondence used by the department to request personal data, clearly state –the purposes for which the information is to be used, –the period of time it is to retained, and –to whom it is likely to be disclosed. All personal data held within the department is kept securely and is disposed off in a safe and secure manner when no longer needed.

IMPLEMENTING THE DPA Staff Responsibilities

Personal data which they provide in connection with their employment is accurate and up-to-date, and that they inform the University of any errors, corrections or changes, for example, change of address, marital status, etc. That personal data relating to living individuals is processed in accordance with the Data Protection Act 1998 & the University’s data protection policy. Personal data relating to living individuals is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party. Unauthorised disclosure may be considered a disciplinary matter. When supervising students who are processing personal data, that those students are aware of the Data Protection Principles, and the University’s Data Protection Policy.

UNIVERSITY’S RESPONSE Create post of Data Protection Co-ordinator Establish Taskforce –Produce a personal information strategy –Conduct an Audit of Personal Information Systems –Create policies and procedures to ensure compliance with the 1998 Act –Create a Data Protection Web Site

Queen’s University Draft Data Protection Policy Introduction –Compliance Commitment / Policy Statement –Data Protection Principles –Definitions Notification –Notification Process –Subject access to the University ’ s official notification –Updating of official notification

Queen’s University Draft Data Protection Policy Security –General Principles –Responsibilities School / Departmental Responsibilities Staff Responsibilities Student Responsibilities –Disposal Policy For Personal Data –Retention Policy For Personal Data –Processing & Disclosure of Personal Data & Sensitive Data –Incoming and Internal Mail –Contractors, Short-Term And Voluntary Staff –Transfer Of Data Overseas

Queen’s University Draft Data Protection Policy Data Subject Rights & Access To Personal Data –How to make a subject access request, Subject Access Fee Transitional Provisions –Implications of Transitional Provisions on access to personal data Good Practice –Guidelines On Going Revision –On going evaluation –Staff training –Web Site

Queen’s Draft Data Protection Policy Appendices 1.Official University Data Protection Notification 2.University Key Post Holders 3.University Information Security Policy and Related Procedures 4.Disposal Policy – Required Procedures 5.Retention Policy – Retention Periods 6.Good Practice Guidelines ResearchReferences Exam Marks / ScriptsAlumni sWorld Wide Web

FURTHER INFORMATION University data protection web pages On line version of Data Protection Act Data Protection Commissioner’s web site Code of Practice for Higher Education General Briefing Paper for Higher Education on 1998 Act

QUESTIONS