University of Central Lancashire

Data Protection Code of Practice

Introduction

This Code of Practice outlines the steps which all members of the University of Central Lancashire (“the University”) must take to ensure that the University complies with the Data Protection Act 1998 (“the Act”).  References to “the University” include references to the companies within the University Group where appropriate.

The Act includes all Personal Data that is held on computer, including word processed documents, databases and e-mails. It also extends to Personal Data held in manual records where these can be accessed by reference to a person. 

The Act requires the University to notify the Information Commissioner of the types of Personal Data that it holds, the categories of individuals for which it holds this information, to whom it may be disclosed and the purposes for which Personal Data is processed.  It also requires the University to confirm if it transfers Personal Data worldwide.     

All members of the University have a duty to ensure compliance with the Act.  Each Faculty or Service or area will have its own ‘Data Protection Contact’ who is responsible for helping everyone within the relevant Faculty or Service or area to comply with the Act.

  • Definitions
  • The Eight Data Protection Principles
  • Procedure
  • Responsibilities
  • Notification
  • Internal Registration
  • Exemptions
  • Access to Personal Data
  • Security
  • Transfer of Data outside the EEA
  • Data Protection and E-mail / the Internet
  • Responsibilities for Review / Complaints

DOCUMENT CONTROL INFORMATION

CLASSIFICATION | DOCUMENT DESCRIPTION
Classification | Internal / external from Strategic Development Service
Responsibility for Drafting | Freedom of Information / Data Protection Officer
Consulted with | All Schools / Services
Document Sponsor |
Approved by | Deputy Vice Chancellor Academic
Effective from | 1 January 2008
Next Review Date | 1 October 2010
Enquiries to | Freedom of Information / Data Protection Officer

This document is issued by Strategic Development Service. Any copied or printed versions will be an uncontrolled copy. The definitive version is available from the Strategic Development Service.

 

DEFINITIONS

The following definitions under the Act should help you understand this document:

“Data” means information which is being Processed using equipment operating automatically in response to instructions given for that purpose; or is recorded with the intention that it should be Processed by means of such equipment; or is recorded as part of a Relevant Filing System or with the intention that it should form part of a Relevant Filing System; or does not fall within the previous definitions but forms part of an accessible record; or is recorded information held by a public authority (i.e. UCLan) and does not fall into the categories above.

“Data Controller” means an individual or undertaking who determines the purpose for which or the manner in which any Personal Data are or are to be Processed.  It also extends to a person who gives instructions about the use of Personal Data even though it may not come into their possession.

“Data Processors” means any person other than an employee of the Data Controller who processes Data on behalf of the Data Controller.  This would include people such as market researchers who collect Personal Data on behalf of the Data Controller.

“Data Subject” means an identifiable or identified living individual who is the subject of the Personal Data.  A Data Subject could be anywhere in the world but must be living.

“Personal Data” means Data which relates to a living individual who can be identified from that Data or from that Data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller and includes any expression of opinion about that individual and any indication of the Data Controller or any other person’s intentions towards that individual.

“Processing” means obtaining, recording or holding Personal Data which includes organising, adapting or altering Personal Data, retrieving, consulting or using the Personal Data, disclosure of the Personal Data in any way, aligning, combining, blocking, erasing or destroying Personal Data.  The definition is so wide that it would include someone looking at a computer screen.

“Relevant Filing System” means any set of information relating to individuals which is structured either by reference to individuals or by reference to criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible even where Processing does not take place automatically.  This would include any paper files relating to an individual student.

“Sensitive Personal Data” means Personal Data about a Data Subject which relates to their racial or ethnic origin, their political opinions, religious or other similar beliefs, membership of a trade union, physical or mental health or condition, sex life, commission or alleged commission by them of any offence or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings and the Court’s sentence in such proceedings.

THE EIGHT DATA PROTECTION PRINCIPLES

The Data Protection Act 1998 contains eight governing Principles relating to the collection, use and disclosure of data, and the rights of the subject to have access to Personal Data concerning themselves.   These Principles are:

The First Principle

Personal Data should be processed fairly and lawfully and should not be processed unless certain conditions are met.

All Personal Data processed must satisfy at least one of the conditions of Schedule 2 of the Act.  The requirements of  Schedule 2 can be summarised as follows:

  • with consent;
  •  to perform a contract with the individual or with a view to entering into a contract with the individual;
  • under a legal obligation;
  • to protect the vital interests of the individual;
  • to carry out public functions conferred by or under enactment;
  • for the administration of justice;
  • to pursue the legitimate interests of the data controller unless prejudicial to the interests of the individual.

Sensitive Personal Data processed must meet at least one of the conditions of Schedule 2 (above).  In addition, it must also satisfy one of the conditions of Schedule 3 of the Act.  The conditions of Schedule 3 can be summarised as follows:

  • with explicit consent;
  • exercising or performing any right or legal obligation conferred or imposed on the data controller in the context of employment;
  • to protect the vital interests of the individual where consent cannot be given or is unreasonably withheld;
  • by certain non profit bodies in the course of  their  legitimate activities;
  • where the information has manifestly been made public by the individual;
  • in any legal proceedings or for obtaining legal advice;
  • to carry out certain government functions (justice, government department, crown);
  • for medical purposes undertaken by a Health Professional or suitably qualified individual;
  • certain ethnic monitoring to ensure equality.

The Second Principle

Personal Data will be obtained for only one or more specified lawful purposes and will not be further processed in any manner incompatible with that purpose or those purposes.

Personal Data obtained for one stated purpose cannot be used for a completely different purpose without the individual being informed of the different purpose.

The Third Principle

Personal Data will be adequate, relevant, and not excessive in relation to the purpose or purposes for which it is processed.

You should not simply hold uniform information about all Data Subjects for all purposes but should consider what Personal Data is really necessary for a particular activity or operation.

The Fourth Principle

Personal Data shall be accurate and, where necessary, kept up to date.

This obligation will apply to Personal Data not only obtained directly from the Data Subject but also to Personal Data obtained from third parties.  You must take reasonable steps to ensure that any Personal Data which you obtain is accurate.  Personal Data that is likely to change from year to year, such as student addresses, should be reviewed annually.

The Fifth Principle

Personal Data processed for any purpose or purposes will not be kept for longer than is necessary for that purpose or those purposes.

Adequate retention policies must be in place to ensure Personal Data is held for no longer than is necessary.

The Sixth Principle

Personal Data will be processed in accordance with the rights of Data Subjects under this Act.

The rights of the Data Subject include the following:

  • the right of Data Subjects to request access to the information held about them, the purpose(s) for which the information is being used and those to whom it is or may be disclosed;
  • to prevent processing likely to cause damage or distress;
  • to prevent processing for the purposes of direct marketing;
  • to be informed of the logic behind any automatic decision making;
  • to take action for compensation if they suffer damage for any contravention of the Act by the Data Controller;
  • to take action to rectify, block, erase or destroy inaccurate data;
  • the right to ask the Information Commissioner to assess whether or not it is likely that any processing of Personal Data has not been carried out in accordance with the Act.

The Seventh Principle

Appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of or damage to Personal Data.

An adequate level of security must be in place for the handling of all University Personal Data from collection through to disposal. This covers all data held on computers (including e-mail) and in manual filing systems (including both formal and informal notes and records). It also applies to Personal Data handled by external contractors, consultants and partners on behalf of the University. When using these agencies, a written contract should be entered into which ensures that all the University Data Protection policies and procedures are complied with at all times. The Financial Services Purchasing section or the SDS Governance and Legal Contracts section must be referred to when entering into contracts of this nature.

The University Security Policy should be referred to and adhered to by all staff handling Personal Data.

The Eighth Principle

Personal Data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data.

There are exceptions to the general rule which may allow information to be transferred outside the EEA.  These exceptions can be summarised as follows:

  • with consent;
  • to make or perform a contract;
  • in legal proceedings;
  • to protect the vital interests of the individual;
  • for substantial public interest;
  • where the information is on a public register;
  • on terms approved by the Information Commissioner or where authorised by the Information Commissioner.

The University needs to be able to justify its reasons for transferring data if using the above criteria for transfers outside the EEA.

PROCEDURE

This Code of Practice is intended to assist everyone within the University to comply with the Act. The University as a Data Controller will hold the minimum Personal Data necessary to enable it to perform its functions, and the data will be erased once the need to hold it has passed. Every effort will be made to ensure that data is accurate and up-to-date, and that inaccuracies are corrected without undue delay. The University will provide to any individual who requests it (in a manner specified by the Act) a formal reply to all enquiries made by that individual in accordance with the rights of Data Subjects. No fee will be charged for this service.

It is the responsibility of every employee and student of the University to ensure compliance with not only this Code of Practice but the Act itself.  The University expects all of its employees and students to comply fully with this Code of Practice and the Act when processing Personal Data as part of their employment, research or studies at the University.  Disciplinary action may be taken against any employee or student who breaches this Code of Practice, any other instructions relating to the Act or the Act itself.

RESPONSIBILITIES

Overall responsibility for compliance by the Higher Education Corporation with the Act lies with the University Board, and managerial responsibility is exercised by the Deputy Vice Chancellor (SP&PM). Responsibility for compliance by the companies within the University Group lies with the Board of Directors of the same. Responsibility for compliance with the Act is delegated to Senior Management Team Members within their respective Faculties or Services. Senior Management Team Members will nominate a Data Protection Contact to undertake the administration of Data Protection matters within the relevant Faculty or Service. A Freedom of Information/Data Protection Officer, based in Strategic Development Service, who is the Deputy Vice Chancellor's (SP&PM) representative, will assist Data Protection Contacts from each Faculty or Service in the implementation of this Code of Practice.

If this Code of Practice does not provide guidance on a particular issue, the query should first be directed to the Data Protection Contact within your Faculty or Service who, if necessary, may seek further guidance from the Freedom of Information/Data Protection Officer.

Freedom of Information/Data Protection Officer

The main duties of the Freedom of Information/Data Protection Officer are as follows:

  • To ensure that the University’s notification under the Act is accurate and kept up to date.
  • To act as an interface between the University and the Information Commissioner.
  • To develop, update and publish the Data Protection Code of Practice for the University.
  • To act as an initial contact point for Subject Access requests and co-ordinate formal replies.
  • To handle requests for information from external bodies (e.g. Police, DSS, HMRC, Local Authorities).
  • To provide training on Data Protection issues.
  • To assist Data Protection Contacts with specific issues.
  • To obtain formal confirmation that the biennial audit has been conducted in each Faculty or Service.

Data Protection Contact

The main duties of the Data Protection Contact are to assist the Senior Management Team Member in relation to the following duties:

  • To formulate, maintain and develop procedures to be followed in the relevant Faculty or Service. 
  • To ensure that all processing of Personal Data within the relevant Faculty or Service does not contravene the Act or the University’s Code of Practice.
  • To promote awareness of the Act within the relevant Faculty or Service.
  • To maintain up-to-date records of all computerised data and all manual data held in structured filing systems in the relevant Faculty or Service.  These records will include details of the personnel authorised to access the data.
  • To check the University’s notification against all records of Personal Data held in the relevant Faculty or Service and ensure that these records are covered by the University’s notification.
  • To monitor any projected changes in the use of personal records held in their area to ensure that these are within the terms of the University’s notification.  If changes to the notification are required, to request the Freedom of Information/Data Protection Officer to amend the notification before these changes are implemented.
  • To develop and implement adequate retention policies for all Personal Data.
  • To ensure that appropriate contracts are in place with third parties who handle Personal Data on behalf of the University.
  • To ensure that all processing of information in the relevant Faculty or Service provides details as to the purpose(s) for which the data will be processed and if necessary consent to that processing is provided by the Data Subject.
  • To conduct a biennial audit in the relevant Faculty or Service to ensure compliance with the Act and this Code of Practice and notify the Freedom of Information/Data Protection Officer accordingly.
  • To assist the Freedom of Information/Data Protection Officer to process any formal Subject Access Request received and to ensure that systems are in place in the relevant Faculty or Service to provide the information required within the appropriate timescales.
  • To ensure that all persons in the relevant Faculty or Service carrying out research projects which entail the use of Personal Data comply with the relevant Data Protection Principles.
  • To ensure adequate safeguards are in place against disclosure to unauthorised persons and/or for unauthorised purposes.
  • To ensure that effective procedures are in place to identify individuals who do not wish to receive direct marketing material.

All employees and students have a general duty to observe the Act, any specific instructions given by the University and any University Codes of Practice or procedures relating to the Act.  It is the responsibility of each employee/student to assist the Data Protection Contact to maintain compliance with the Act in the relevant Faculty or Service.  Employees and students should not disclose Personal Data that comes into their possession to other people within the University unless this is necessary to perform their duties.

NOTIFICATION

The Act requires the University to notify the Information Commissioner of the ways in which it processes Personal Data. Failure to notify the Information Commissioner is a criminal offence. The University’s notification must be renewed annually; however, the notification should be amended whenever necessary. It is the responsibility of all employees and students to ensure that any processing of Personal Data that they undertake is within the terms of the University’s notification. If you believe that any processing which you intend to carry out falls outside of the University’s current notification, you must tell your Data Protection Contact. You should not carry out the intended processing until your Data Protection Contact confirms that it will be covered by the University’s notification.

The University is only able to process Personal Data within the terms of its notification. If the University processes Personal Data outside of its notification, both it and the individual processing the data may incur civil and criminal liability. The notification will be made by the Data Protection Liaison Officer after confirmation of details has been received from Data Protection Contacts.

You can obtain details of the University’s current notification from your Data Protection Contact or by viewing the Strategic Development Service website. 

INTERNAL REGISTRATION

Detailed records of all computerised personal data and structured manual data files retained by the University will be held in each Faculty or Service.  Data Protection Contacts will perform a biennial audit of the relevant Faculty or Service’s compliance with the Act and this Code of Practice.   This will be submitted to the Freedom of Information/Data Protection Officer by 31 December each year the audit takes place.

EXEMPTIONS

A small number of activities are exempt from certain provisions of the Act.  Activities relevant to the University are:

  • Examination scripts (but not examiners’ comments) are exempt from the Subject Access provision (Principle 6).
  • Personal data used for research purposes is exempt from a limited number of principles of the Act.  However the results of the research should not identify the Data Subject. 

Other exemptions that are available are of a very specific nature. They relate to matters such as National Security, Crime and Taxation and Health matters. These exemptions, which in certain cases allow the University to disclose data without consent, are dealt with in the section of this Code of Practice that relates to the disclosure of Personal Data.

The guidelines issued by the office of the Information Commissioner set out all exemptions from the Act.  These can be viewed on their website at http://www.informationcommissioner.gov.uk/.

ACCESS TO PERSONAL DATA

Access to Personal Data includes disclosures and Subject Access requests.

Disclosure of Personal Data is permitted under the 1998 Act where the University has both notified the usage to the Information Commissioner and complied with the requirements of both Principles 1 and 2 of the Act.  It is essential that at the time the data is collected Data Subjects are informed of the purposes for which it will be used and the individuals or organisations to whom it may be disclosed.  If it is proposed to use the information obtained for direct marketing purposes, Data Subjects should be informed of this purpose at this time and given the opportunity to decline this usage of the data.

Within the terms of the Act, the following are authorised persons to whom Personal Data may be disclosed:

  • the Data Subject, or someone acting on behalf of the Data Subject;
  • a third party at the request or with the consent of the Data Subject, or of someone acting on behalf of the Data Subject;
  • a third party contact nominated by the Data Subject and notified to the University as the person to be contacted in the case of an emergency

Within the terms of the Act Personal Data may only be disclosed where the purposes have been notified to the Information Commissioner and where the Data Subject’s informed consent has been obtained.  When data is used for the purpose of direct marketing care must be taken to ensure that the Data Subject has not objected to this processing either at the date of collection or at a later date.

Within the terms of the Act, the following are purposes where data may be disclosed to third parties without the consent of the Data Subject:

  • for legal purposes, if the Personal Data are required by statute, rule of law or Court Order; are required to obtain legal advice; or required for legal proceedings in which the person making the disclosure is a party or witness;
  • to safeguard national security based on a certified request from a Cabinet Minister, Attorney General or Lord Advocate;
  • for the detection or prevention of crime and for taxation purposes.  Disclosures for these reasons will only occur if the University is satisfied as to the purpose of such a request and the likelihood of substantial prejudice if the request was refused;
  • to protect the vital interests of the Data Subject;
  • to carry out regulatory functions such as securing the health, safety and welfare of persons at work. 

It should be remembered that requests for disclosure for the purposes listed above should be considered on a case by case basis only and that the Freedom of Information/Data Protection Officer should be consulted when necessary.  Any decisions made to disclose data in accordance with the above purposes should be fully documented.

Responding to Disclosure Requests

All requests for disclosure of Personal Data from persons outside the University must be treated with caution by all staff.  Senior Management Team Members must ensure that each Faculty or Service procedures provide adequate safeguards against disclosure to unauthorised persons and/or for unauthorised purposes.

Faculty or Service procedures should take account of the following guidelines:

  • Personal Data must not be disclosed to an external body over the telephone.  Individuals making such enquiries should be asked why the information is required and be informed of the University’s requirement to comply with the Act.  Wherever possible the Data Subject should be informed of the enquiry to enable them to respond directly.
  • Parents, relatives and guardians should be informed of the University’s requirement to comply with the Act if making representation on behalf of a student or employee.
  • Personal Data requested by members of staff from other Faculties or Services should only be released when it has been established that the information required is necessary for them to carry out their official duties.
  • All requests from outside agencies such as the Police, DSS, HMRC, Local Authorities, Overseas Embassies or High Commissions should be submitted in writing and forwarded to the Freedom of Information/Data Protection Officer. 

Subject Rights

The 1998 Act gives certain rights to individuals in respect of Personal Data held about them by others.  These rights are:  the right of Subject Access; the right to prevent processing likely to cause damage or distress; the right to prevent processing for the purposes of direct marketing; the right to be informed of the logic behind any automatic decision making; the right to take action for compensation if they suffer damage by any contravention of the Act by the Data Controller; the right to take action to rectify, block, erase or destroy inaccurate data and finally the right to ask the Commissioner to assess whether or not it is likely that any processing of Personal Data has not been carried out in accordance with the Act.  The following are the procedures that must be followed if an individual requests the University to comply with these requirements of the Act. 

Subject Access Request

Data Subjects have the right to be informed whether Personal Data about them is being processed by the University and the right to receive a copy of that Personal Data together with details of the purpose for which it is being processed and to whom the data might be disclosed within 40 days of making that request.  (In the case of examination marks the period is extended to 5 months but must be no longer than 40 days after the announcement of the results.)    This entitlement relates to all Personal Data held about an individual, whether in computerised records or in a structured manual file.

A Subject Access request must be in writing (which includes e-mail), but does not have to specifically refer to Subject Access, Data Protection or the Act. An individual could ask for all information that the University holds about them.

All requests for Subject Access must be immediately passed to the Freedom of Information/Data Protection Officer in the Strategic Development Service.

After an acknowledgement letter is sent to the applicant, the Freedom of Information/Data Protection Officer will forward a copy of the request to the Data Protection Contact in each relevant Faculty or Service requiring the retrieval of the data by a specific date. 

The Freedom of Information/Data Protection Officer will co-ordinate the formal reply to the applicant, or will advise them that no Personal Data relating to them are held.

Responding to Subject Access Requests

Certain rules must be followed by the data user when retrieving Personal Data in response to a Subject Access Request.  These are that:

  • the data need not necessarily be provided as a print-out.  The Data Controller may choose to write or type the data to be supplied, with any accompanying explanation;
  • the data must be intelligible to the Data Subject;
  • the data given need only be that available at the time the request was received; however, it can differ, as routine updates of data can continue between the dates of the receipt of the request and the end of the retrieval process;
  • having received a request, NO SPECIAL AMENDMENTS OR DELETIONS OF DATA CAN BE MADE WHICH WOULD NOT OTHERWISE HAVE BEEN MADE.
  • if Personal Data includes information which identifies another individual (and was not originally provided by the Data Subject), the consent of the third party should be sought before the disclosure is made. If the third party does not consent to this disclosure, the information may be edited out of the reply to the Data Subject, providing the third party remains unidentifiable. Third party data should not be edited out completely - for example, X and Y could be used instead of full names.
  • if  data retrieved is used to make an automatic decision which may significantly affect the Data Subject, an explanation must be provided of the logic underlying the  decision making process.

The formal procedure for controlling and processing Subject Access Requests is cumbersome.  Wherever possible, the informal disclosure of Personal Data to Data Subjects is encouraged, particularly where administrative gains may result - for example, for the periodic confirmation of the accuracy of personal details, such as current address and so on.

Where an informal approach is adopted, it is essential that the Data Protection Principles and University’s procedures are fully observed.  Specifically, Personal Data should only be made available to the Data Subject.

Prevention of Processing

A Data Subject is entitled to request that the University either ceases or does not begin to process information that the Data Subject considers may cause unwarranted substantial damage or distress to them or another.  These requests must be received in writing from the individual and should be forwarded to the Freedom of Information/Data Protection Officer. 

After an acknowledgement letter is sent to the applicant, the Freedom of Information/Data Protection Officer will forward a copy of the request to the Data Protection Contact and Senior Management Team Member for each Faculty or Service, requiring that the Senior Management Team Member consider the application and make a decision whether or not to continue processing, based on all the relevant circumstances of the case. The Data Protection Contact will, within 21 days of the original request being received, send a written reply to the individual setting out the Senior Management Team Member’s decision to either comply with the request, or to explain the reasons why the University feels that the request is unjustified. A copy of the reply will be forwarded to the Freedom of Information/Data Protection Officer in the Strategic Development Service for monitoring purposes. If the decision taken is to cease processing the data, the Faculty or Service will immediately take steps to comply with this action.

SECURITY

Under the Data Protection Act, security measures apply not only to the security of computer hardware and storage media, such as memory sticks, discs, diskettes and tapes, but also to source documents, manual records, printouts and oral disclosure.  Security measures are also applicable throughout the use and processing of Personal Data, including the handling, transmission, disclosure and disposal of documents containing Personal Data.  The University’s procedures outlined in this document have incorporated security measures.

In Faculties or Services, Deans of Faculty and Heads of Service are responsible for ensuring that adequate security arrangements for Personal Data exist.  Although this responsibility may be delegated, it is incumbent on Senior Management Team Members and Heads of Department to ensure that staff and/or students in the relevant Faculty or Service are aware of their responsibilities with regard to Data Protection.

The Act gives specific guidelines on the "appropriateness" of security regulations.  These should be observed when developing procedures to support the University’s Data Protection responsibilities.

In terms of physical security, the following guidelines apply:

  • access to buildings/rooms containing computer hardware must be controlled;
  • adequate precautions must be taken against burglary, fire or natural disaster;
  • casual passers-by or other unauthorised personnel should not be able to read data off screens or printouts;
  • screen savers should be used in all cases;
  • back-up copies of data should be stored separately from live files;
  • manual documents from which Personal Data are extracted must be properly secured and kept in locked storage when not in use;
  • printed material containing information extracted from Personal Data must be handled and disposed of correctly.

In terms of software and where security measures are programmed into systems:

  • the use of global passwords is discouraged.  Passwords should be known only to a minimum number of authorised persons and should be changed at regular intervals;
  • individual passwords must be closely safeguarded and not divulged to others.  They should be changed at regular intervals;
  • full use should be made of facilities to restrict access on the basis of authority levels;
  • memory sticks, discs, diskettes and tapes on which Personal Data are recorded must be securely safeguarded and accounted for.

Specific regulations apply to individuals who use the computing facilities of the University.  These regulations are issued to each user, and acknowledged, before access to these facilities is allowed.  A copy of the regulations is available from the Learning Information Services. 

When using third party agencies to process Personal Data on behalf of the University, a written contract should be entered into requiring that the Act is complied with at all times. The Financial Services Purchasing section or the SDS Governance and Legal Administration Contracts section must be referred to when entering into contracts of this nature.

Processing of Data Off Campus (including Remote Access)

Extra vigilance is required when personal data, which has been gained by virtue of employment at the University, is processed off campus.  Personal Data can only be taken or processed off campus if the following criteria are met:

  • the Personal Data is used or processed in accordance with the duties of the member of staff and for no other purpose;
  • the processing activities are in accordance with this Code of Practice; in this respect the security measures outlined above must be strictly complied with both on and off the campus;
  • the 8 governing Principles of the Data Protection Act are strictly adhered to;
  • the University Security Policy is complied with;
  • the Personal Data must be stored off campus for the minimum time required and then disposed of in a secure manner.

Any breach of these responsibilities could lead to disciplinary action.

TRANSFER OF DATA OUTSIDE THE EEA

The 1998 Act requires that Personal Data is not transferred to a country or territory outside the EEA unless that area provides an adequate level of protection for the rights and freedoms of the individual.  Certain exceptions apply to this Principle and these are listed in the section relating to Principle 8.  Staff and students should consider these exceptions when transferring Personal Data outside the EEA.  In particular they should ensure that they have obtained adequate written consent for all transfers of Personal Data outside the EEA or that the transfer forms part of a contractual obligation between the University and the Data Subject.

DATA PROTECTION AND E-MAIL

Personal Data includes any personal information stored in e-mail messages and, potentially, e-mail addresses themselves.

Staff and Students must therefore comply with this Code of Practice in relation to any Personal Data which is sent, received or stored in the form of an e-mail.  

DATA PROTECTION AND THE INTERNET

The provisions of the Data Protection Act apply equally to processing on the World Wide Web as they do to processing on all other information systems.  When Personal Data is requested by the University on a website the following information must be supplied to the Data Subject:

  • the purpose for which the data is collected;
  • the description of the organisations or individuals to whom the data might be disclosed;
  • the details of any direct marketing for which the data might be used together with the opportunity for the individual to object to this use of the data;
  • a statement regarding the security of the internet as a mode of communication.

When Personal Data is obtained from the website of another organisation, Faculties or Services must ensure that the subsequent use of the Personal Data conforms to the information provided to the Data Subject.  If any further use of this data is proposed that was not disclosed at the time of collection, consent must be obtained from the Data Subject before commencing this processing.

Any Personal Data which is placed on a website is treated as data which is transferred outside the EEA.  Written informed consent will be obtained from all staff and students before details are entered on the University’s site.

Further guidance on Data Protection issues is available from the following websites:

The office of the Information Commissioner at:  http://www.informationcommissioner.gov.uk/

The JISC Code of Practice for HE and FE Sectors at:
http://www.jisc.ac.uk/publications/documents/pub_dpacop_0101.aspx

www.jisclegal.ac.uk/publications/DPACodeofPractice.htm

RESPONSIBILITIES FOR REVIEW

The Deputy Vice Chancellor (SP&PM) is responsible for the annual review of this Code of Practice.

COMPLAINTS

The University complaint procedure should not be used for complaints made under the Data Protection Act.  Complaints made about the operation of the Data Protection Act within the University should be made to the Head of the Strategic Development Service.

Dr Jean Brown
Head, Strategic Development Service
University of Central Lancashire
Preston
PR1 2HE

Unresolved complaints should be forwarded to the Deputy Vice Chancellor (SP&PM).

Professor David Phoenix
Deputy Vice Chancellor (SP&PM)
University of Central Lancashire
Preston
PR1 2HE

If the applicant is dissatisfied with the outcome of the complaints procedure they may appeal to the Information Commissioner:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel 01625-545-700
Fax 01625-545-510

Contacts

Strategic Development Service
University of Central Lancashire
Preston     
PR1 2HE
Tel: 01772 892561
Fax: 01772 892947
Email: dpfoia@uclan.ac.uk

 

Last updated: 12:35 18/01/2011

Author: Lorraine Ratcliffe
