The Data Protection Act 1998 (DPA) applies to personal data. Information which relates to a living, identifiable individual i.e. information which is about you and identifies you is your personal data. Organisations such as the University of Central Lancashire (UCLan) are ‘data controllers’ for the purposes of the DPA because they process personal data. ‘Processing’ means anything that is done to the data including just holding them in a file or computer system.
The DPA gives individuals (known as data subjects) a number of rights in relation to their personal data and sets out rules that must be followed by data controllers when they process personal data. As a data controller, UCLan must ensure it complies with the DPA.
The DPA contains eight principles of good information handling. UCLan must ensure that your personal data are processed in accordance with these principles unless the DPA states it does not have to. These principles are outlined below:
1. Personal data must be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
4. Personal data shall be accurate and where necessary kept up-to-date.
5. Personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose.
6. Personal data shall be processed in accordance with the rights given to data subjects by the DPA.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The right to ask a data controller to let them see or have a copy of the personal data it processes about them (this is the right of subject access);
The right to prevent a data controller processing their personal data for direct marketing purposes;
The right to prevent a data controller processing personal data in a way that is likely to cause them damage or distress;
Rights in relation to decisions made by solely automatic means;
The right to claim compensation for damage or damage and distress suffered as a result of a contravention of the DPA;
The right to ask a court to order a data controller to rectify, block, erase or destroy inaccurate data; and
The right to ask the Information Commissioner to assess whether or not a data controller has processed their personal data in a way that contravenes the DPA.
The Information Commissioner is an independent regulator who provides advice and guidance about the DPA and ensures data controllers comply with it. The Information Commissioner’s Office (ICO) can investigate complaints about alleged contraventions of the DPA and where necessary, can order data controllers to take specific action or even prosecute them if they are not complying with the DPA.
The DPA requires data controllers to tell the Information Commissioner that they are processing personal data and to provide general details about the purposes they will be processed for, such as ‘staff administration’ or ‘credit referencing’. These details are kept on a register of data controllers which is available to the public on the ICO’s website. This procedure is called ‘notification’. Data controllers must notify each year and it is a criminal offence not to do so.
The general purposes for which UCLan processes personal data can be seen in its register entry on the ICO’s website. UCLan’s registration number is Z5512420. Further information about how UCLan ensures it processes personal data in compliance with the DPA can be found in its Data Protection Policy.
For more information about data protection within UCLan please contact the Information Governance Officer. If you require independent advice and guidance about the DPA in general, please contact the ICO or visit the ICO website.
If you want to make a subject access request (SAR) to UCLan for copies of the personal data it processes about you, please see the section called ‘Accessing your personal data’ and complete and return the SAR Form. If you are unable to complete this please contact Information Governance Officer for assistance.