The Data Protection Act 1998 came in to force in March 2000 and superseded the Data Protection Act 1984. The Data Protection Act (DPA) sets out eight principles for processing personal data and provides individuals with rights including access to personal information held on computer and paper records.
An individual or organisation can contact the Information Commissioner’s Office if they feel information has been denied or not handled according to the eight principles.
In the workplace, the DPA applies to anyone handling or having access to personal information.
1. Scope of the policy
1.1 The DPA applies to electronic and paper records containing personal data relating to living individuals who can be identified from the data.
1.2 This includes any expression of opinion about an individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings.
1.3 City of London College and its divisions, collect a large amount of data, which can be broadly classified into three categories such as 1) staff information (usually sensitive personal data such as staff records, names and contact details); 2) communications data (such as routine information held in electronic databases on for example higher education staff,); and 3) published datasets (such as anonymised higher education statistics and other similar datasets).
2.1 Details of the DPA mean that City of London College must:
• manage and process personal data appropriately
• protect an individual’s right to privacy
• provide an individual with access to all personal information held, unless there are exemptions
2.2 City of London College is required to notify the Information Commissioner of the processing of personal data and for ensuring details are included in a public register. The public register of data controllers is available on the Information Commissioner’s website and can be searched.
2.3 City of London College’s Data Controller is responsible for producing guidance on data protection and compliance with guidance on creation, maintenance, storage and retention of all records which contain personal information.
2.4 Every member of staff that holds information about identifiable living individuals has to comply with data protection and individuals can be liable for breaches of the DPA.
3. Relationship with existing policies
3.1 This policy has been formulated as part of a suite of related documents:
• Data Protection guidance and best practice guidelines
• Records Management policy and Retention Schedule
• IT Security policy
• Privacy statement for website
3.2 Compliance with Data Protection, Records Management and other policies will help in compliance with other legislation or regulations including audits and equal opportunities.
4.1 Guidance on the procedures necessary to comply with this policy is available from the Data Controller. This guidance covers:
• Introduction to Data Protection including Data Protection principles, types of data involved and key concepts
• Best practice guidelines including:
• Use of personal data by employees
• Transfer of personal data to third parties
• Security of personal data
• Use of personal data in research
• Confidential references
• Procedures for dealing with subject access requests
Policy Under Review: June 2014
This policy will be reviewed every three years.
Data Controller: Dr Yousuf Shazad