The Data Protection Act 1998 (DPA) gives the University obligations and responsibilities in the way it handles information about people. The Act gives everyone certain rights, and specifies that those who gather and use personal data must follow the eight Data Protection Principles (see below).
The University is also required to notify the UK Information Commissioner of its use of personal data. This notification is published in a public register.
The University administers its obligations under the DPA in accordance with its Data Protection Policy.
For specific information on how the University uses personal data, see the staff, student, alumni and website data protection notices. For guidance on how to access the personal information the University may hold about you, see requests for personal information.
The DPA covers personal data held in digital or structured paper form. The Act defines personal data as:
'...data which relate to a living individual who can be identified - from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller (the University), and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.'
Determining what constitutes personal information isn't always straightforward, and the Information Commissioner has produced guidance to help people decide what is personal data.
The DPA recognises that some types of personal data, known as sensitive data, should be treated with particular regard. Sensitive data consists of information relating to: racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life and information concerning criminal offences.
Under the DPA, personal data must be processed in accordance with the following eight Data Protection Principles. The term processing has a very wide application, covering all stages from creation to holding, alteration and eventual destruction of the data. The eight Data Protection Principles state that data must:
- be processed fairly and lawfully and only if certain conditions (set out in the Act) are met
- be obtained for specified and lawful purposes, and not processed further for incompatible purposes
- be adequate, relevant and not excessive for those purposes
- be accurate and, where necessary, up-to-date
- not be kept for longer than is necessary
- be processed in accordance with the rights of data subjects
- be kept safe from unauthorised access, loss or destruction
- not be transferred to countries outside the European Economic Area, unless to countries with equivalent levels of data protection
The Data Protection Act gives a number of specific rights to individuals. These are:
- Right to subject access. All individuals have the right to request access to copies of personal information the University holds about them, either digitally or in a structured paper filing system. To find out how to make a request please view the requests for personal information page.
- Right to prevent processing likely to cause damage or distress. Individuals are entitled to ask the University not to process information that would cause substantial unwarranted damage or distress to them or another person.
- Right to prevent processing for purposes of direct marketing. Individuals are entitled to request, in writing, that the University does not process personal data for the purposes of direct marketing.
- Rights related to automated decision making. Individuals are entitled to request that the University ensures that no decision affecting them is solely based on the processing of data by automated means, and can request that decisions are made with some human involvement.
- Right to compensation. Individuals are entitled to claim compensation through the courts for any damage and distress suffered as a result of any breaches of the Data Protection Act committed by the University.
- Right to rectification, blocking and destruction. If personal data is inaccurate or contains expressions of opinion based on inaccurate information, individuals have the right to have that data rectified, blocked or destroyed.
If you have any specific queries about data protection at UEA, please contact the University's Information Policy and Compliance Managers at email@example.com or by telephone on +44 (0)1603 59 2431 / 3523.