Policy Statement

The University undertakes to apply the policy to all persons associated with the University. In this context, 'all persons associated with the University' encompasses all governors, staff, students, accredited visitors and any person acting as a data processor on behalf of the University. Any breach of the Data Protection Policy or the DPA (1998) will automatically be considered a breach of discipline and existing London Metropolitan disciplinary proceedings will apply.

The Data Protection Principles:

In addition Schedule 2 states that processing may only be carried out where one of the following conditions has been satisfied i.e. where;

• The individual has given his/her consent to the processing

• The processing is necessary for the performance of a contract with the individual

• The processing is required under a legal obligation

• The processing is necessary to protect the vital interests of the individual

• The processing is necessary to carry out public functions

• The processing is necessary in order to pursue the legitimate interests of the data controller or certain third parties (unless prejudicial to the interests of the individual).

This act creates new rights of access to information held by public bodies in England, Wales and Northern Ireland. Further education institutions and organisations fall within the re-mit of the Act. The F.O.I Act (2000) requires institutions to respond to requests within 20 days, in conjunction with the Data Protection Act (1989) it is apparent how important an effective Records Management Programme is, in information retrieval, and this is something we are working towards. Further guidance will be forthcoming.

Stricter conditions apply to the processing of sensitive data. This category includes information relating to racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, health, sex life and criminal convictions. Where such data is being processed not only must the controller meet the requirements of the Principles and Schedule 2, but processing is prohibited unless at least one of the conditions in Schedule 3 can be satisfied.

The explicit consent of the individual will have to be obtained before sensitive data can be processed unless the controller can show that the processing is necessary based on one of the criteria laid out in Schedule 3 of the Act.

1. The personal data that it will process

2. The categories of data subjects to which personal data relates

3. The purposes for which the personal data will be processed.

The information currently held by the University and the purposes for which it is processed form the official notification that has been submitted to the Information Commissioner's Office. If processing for a new or different purpose is introduced the individuals affected by that change will be informed and the official notification will duly be updated to reflect the said change.

• Ensuring that any information they provide to the University in connection with their employment is accurate and up-to-date

• Informing the University of any errors or changes to information which they have provided (e.g., change of address)

• Checking the information the University sends out from time to time giving details of information kept and processed about staff.

• Correct processing of data during the course of their employment.

Students must likewise ensure that any information they provide to the University is:

• accurate and is kept up-to-date.

• If students find themselves in a position where they are processing personal data about staff or other students, (e.g., as a student representative on a University committee or working in a temporary role whilst studying), they must ensure that they comply with the University Policy and with the requirements of the Act.

All staff should ensure that:

• Any personal data, which they hold, is kept securely

• Personal Information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.

• It is essential to protect the security and confidentiality of data during storage, transportation, handling and destruction.

All personal information in the form of manual records should be:

• Kept in a locked filing cabinet: or

• Kept in a locked drawer, in a lockable room.

If information is computerised, it should be:

• Password protected, with passwords being changed regularly so that only authorised people can view or alter confidential data; or

• Kept only on disk, which should be kept securely in a lockable desk or cabinet to avoid physical loss or damage.

Vendors, contractors, and suppliers are often required to have access to areas in which personal data may be stored or processed. It is therefore necessary to ensure contractors are:

• Controlled, documented, and are wearing some form of identification

• Restricted from unnecessary admittance to areas where personal data is held or processed;

• Required to sign nondisclosure agreements where access to personal data is unavoidable.

Staff and students have the right to access information, which is kept about them in both computer and manually held files. Any person wishing to exercise this right should make their request in writing to the University's Data Protection Officer. When making such a request, referred to as a Subject Access Request the individual must:

• Provide a suitable means of identification

• Inform the Data Protection Officer where they believe the information is held.

The Data Protection Act (1998) stipulates that the University may charge £10.00 for this provision and that the information must be provided within 40 days. The University does not have to divulge information, which identifies another person, unless that person consents to this.

The University undertakes to:

• Ensure that no decisions that affect them are based solely upon an automated decision-taking process.

• Prevent processing likely to cause damage or distress

• Prevent processing for the purposes of direct marketing

• Act to rectify, block, erase or destroy inaccurate data

• Ask the Information Commissioner to assess whether any part of the (1998) Act has been contravened.

Transitional Provisions

Transitional Provisions contained within the (1998) Act allows the University to claim an exemption from specified parts of the legislation for a particular period of time. The University can reserve the right to apply the following transitional relief, to manual data only, during the period 24^th October2001 to 23^rd October 2007. This applies to manual data that was being held and processed immediately before 24 October 1998. Manual data added on or after 24 October 1998 will not qualify:

Qualifying data will be exempt from the following Data Protection Principles:

Disclosing Personal Data

Personal data should not generally be disclosed to third parties without the permission of the individual concerned. In this context "third parties" includes family members, friends, local authorities, government bodies and the police, unless disclosure is exempted by the (1998) Act or by other legislation. Under certain circumstances, data may however be released. Note that among other circumstances the Act permits release of data without express consent:

• For the purpose of protecting the vital interests of the individual (e.g., release of medical data where failure to do so could result in harm to, or the death of, the individual);

• For the prevention of detection of crime;

• For the apprehension or prosecution of offenders;

• For the discharge of regulatory functions, including securing the health, safety and welfare of persons at work;

• Where the disclosure is required by legislation, by any rule of law or by the order of the court.

If in doubt contact the University's Data Protection Officer.

In the case of applicants from overseas information on the progress of an application may be sought on their behalf by a person resident in this country. Such information should not be released unless an authorisation has been confirmed. The Admissions office has produced a proforma for such cases.

The Data Protection Act (1998) places an obligation on the University to err on the side of caution when disposing of personal data All staff have a responsibility to consider safety and security aspects when disposing of personal data in the course of their work. Consideration should also be given to the nature of the personal data involved (how sensitive is it?), and the format in which it is held. Staff should ensure that

• All paper or microfilm documentation containing personal data is permanently destroyed by shredding or incinerating, depending on the sensitivity of the personal data.

The University will often collect student disability information at the admission stage (for example, through UCAS, and through interviews etc.) but collection of disability data may also occur throughout the period of study or employment. The University will provide:

• Mechanisms to ensure that where disability data is provided for a stated purpose, such as to ensure adequate service provision, it is not misused for other purposes, such as to make a decision about whether or not to admit a student to a course of study.

• A system whereby when there is a need to disclose disability data to external organisations, prior consent of the data subject should be obtained for each disclosure. The data subject should be informed about the nature of the information to be disclosed, the intended recipient, and the purpose of disclosure should be given to the data subject.

Contacts

Data Protection Officer, Peter Fisher 020 7320 3001
University Secretary, John McParland 020 7739 2004