Common questions from UEA staff about data protection

Q: What are my obligations around the personal data I hold or process at work?
Q: I don't handle any personal data at work. Does the DPA still apply to me?
Q: I've been asked to provide personal information relating to a Subject Access Request. What do I need to do?
Q: How do I search through my Outlook mailbox for information relating to a Subject Access Request?
Q: Can I pass information about a student to another member of staff? Can I pass that information on to a colleague at another University?
Q: How long do I need to keep personal information for? Can I just delete it?
Q: A student has asked for a copy of their student file. Do I need to give them a copy?
Q: How does the DPA apply to my emails?
Q: I'm concerned about how someone at the University is using personal data in their care. What can I do about this?
Q: What happens if I lose personal data?
Q: I sent personal data by email to the wrong address. What should I do about this? (Post can be misdirected, as can faxes too.)
Q: Someone has asked if they can use the personal data I hold for their own work. Is this OK?
Q: I'm collecting personal data. What do I need to tell the people I'm collecting it from?
Q: The police have contacted me for information about a student or member of staff, including their home contact details. Do I need to provide this to them?
Q: I've received a phone call from an outside party seeking information about a current student/ex-student. Am I obliged to provide it to them, or do I need to protect the privacy of the student?
Q: Is it OK for me to record conversations with colleagues?
Q: Is it OK for others such as the parents of one of my students to record their conversations with me?
Q: Do I always need to encrypt data when sending it by email? What is encryption anyway, and how do I do it?
Q: Does data protection apply to work emails which I hold on my personal email account (such as Gmail)?
Q: I've heard I should be careful putting personal data into cloud providers like Dropbox. What exactly are the issues with this?
Q: I've created a database of contacts who attended an event I organised. Can I use it to tell them about any further similar events we are thinking about running, or pass to one of my colleagues who is organising their own events which might be of interest to them, such as a golfing tour of Ireland?
Q: I need to send personal data to another organisation for additional processing (e.g. checking the addresses and cleaning the data). How do I go about doing this?
Q: I've kept personal notes about a matter relating to a particular member of staff/student. Is this their personal information?

Q: What are my obligations around the personal data I hold or process at work?
A: You need to know what personal data you hold and why you have it. You must process it only for the purposes for which it was collected, never in any way that is unfair or unlawful, and you must hold it securely (protected against unauthorised access, loss or damage). The data must also be kept accurate and up to date, and disposed of when it is no longer required.
The eight data protection principles apply to all processing of personal data, and those obligations will reside with each individual member of staff processing the data.

Q: I don't handle any personal data at work. Does the DPA still apply to me?
A: In our experience, every member of staff at the University handles personal data, not just those running research projects with human subjects, or managing information systems. If you send or receive emails, you will be handling personal data. If you express an opinion about anyone in writing, you'll be handling personal data.
The DPA applies to the organisation and therefore to all of its employees, whether or not their specific role requires them to process personal data. Everyone, including all staff, also has a right of access to their own personal data, and the DPA gives you that right too.

Q: I've been asked to provide personal information relating to a Subject Access Request. What do I need to do?
A: Subject Access Requests are managed centrally by the ISD information compliance team. The team will have contacted you (or a designated contact for your department) because they believe that you are holding information relating to an individual who has asked to see the personal data the University holds about them. Requests can be general or specifically focused on particular parts of the University. You should follow the instructions in the email and provide copies of the information by the designated due date. The ISD information compliance team can help if you are unsure about what information may be included, or how you need to search for relevant data.

Q: How do I search through my Outlook mailbox for information relating to a Subject Access Request?
A: You will have been informed by the ISD information compliance team of the exact wording of the request, e.g. between certain dates, between certain correspondents, and referring to a particular individual. You can search your Outlook mailbox specifying the name of the individual as a search term following the guidance at this web page.

Q: Can I pass information about a student to another member of staff? Can I pass that information on to a colleague at another University?
A: Yes, this is possible, but only if it is necessary for the purpose for which the information was collected. Always be wary of sharing personal data of any sort. Any information transmitted off site must always be encrypted before transmission (by email, SFTP, CD, USB stick etc.). For further guidance, have a look at the Information Commissioner's data sharing checklist.

Q: How long do I need to keep personal information for? Can I just delete it?
A: You should keep personal information for as long as it is required for the purpose for which it was collected. Your department should have a Records Retention Schedule (RRS) which defines how long certain types of records should be held. This will include some records which contain personal information. A list of all department records retention schedules is available from the RRS Department Policies page.

Q: A student has asked for a copy of their student file. Do I need to give them a copy?
A: All data subjects are given a right in the Act for a copy of their personal data. A student file, however, may also contain the personal information of other individuals and it may not be fair to disclose this without their consent. Our practice at UEA is to organise this centrally through the ISD information compliance team. Contact the Information Policy & Compliance Manager for advice and guidance at dataprotection@uea.ac.uk.

Q: How does the DPA apply to my emails?
A: The Act applies to any digital personal data held by the University, so emails are included. Data relating to another living individual is also their personal data. An email written by Dr Smith which you have received and hold is their personal data. Likewise an email you have written about Dr Smith to a colleague is both your personal data and that of Dr Smith. Such emails may be disclosable in response to a subject access request submitted by Dr Smith.

Q: I'm concerned about how someone at the University is using personal data in their care. What can I do about this?
A: Misuse of personal data is potentially a breach of the Act, and may be a disciplinary matter at the University. In the first instance, report your concerns to your line manager. You may also contact the ISD information compliance team at dataprotection@uea.ac.uk, who will investigate further. In the most serious cases, the activity could be a criminal offence and subject to a fine or imprisonment.

Q: What happens if I lose personal data?
A: This is regarded as a data breach. We must stop the loss of data, try to recover that which has been lost, and inform those affected. Contact the ISD information compliance team as soon as possible at dataprotection@uea.ac.uk or 01603 59 3523/2431.

Q: I sent personal data by email to the wrong address. What should I do about this? (Post can be misdirected, as can faxes too)
A: This is regarded as a possible data breach under the Act. Contact the recipient, and try to recover the email as soon as possible. If you are unable to do this, contact the ISD information compliance team for assistance at dataprotection@uea.ac.uk or 01603 59 3523/2431.

Q: Someone has asked if they can use the personal data I hold for their own work. Is this OK?
A: In principle, no, this is not OK. Personal data can only be used for the purpose for which it was collected. For instance, if you create a mailing list for attendees at an event, you cannot pass that list to someone else promoting a different event unless you have sought and gained explicit consent from the individuals for this use of their personal data. The only exception to this is research data under particular circumstances. See section 10 of the JISC code of practice on the DPA for further information on personal data in research.

Q: I'm collecting personal data. What do I need to tell the people I'm collecting it from?
A: Write a privacy notice. Tell them who you are (i.e. identify the data controller), the purpose for which you are collecting the information, and any additional information required to process the data fairly. Describe what you are going to do with the data. Further information is available

Q: The police have contacted me for information about a student or member of staff, including their home contact details. Do I need to provide this to them?
A: We are under no obligation to provide personal information to the police on request. We can, however, do so if we are satisfied that the information is required for the prevention or detection of crime, the apprehension of offenders, or the assessment or collection of taxes. Under these circumstances, the police will issue a 's.29' notice (if they don't, one should be requested), and in response we may go ahead and provide the requested information. Any s.29 notices received should be passed to the ISD information compliance team (data.protection@uea.ac.uk).

Q: I've received a phone call from an outside party seeking information about a current student/ex-student. Am I obliged to provide it to them, or do I need to protect the privacy of the student?
A: In general, no, you should not provide the personal information to the third party. We should first have the consent of the individual. If it is a special circumstance allowed by our student data protection notice, e.g. potential employers can ask for confirmation of qualifications, then, yes, we can provide the information.

Q: Is it OK for me to record conversations with colleagues?
A: Yes, but only with their permission. You should make clear what you intend to do with the recording.

Q: Is it OK for others such as the parents of one of my students to record their conversations with me?
A: Yes, but only with your consent.

Q: Do I always need to encrypt data when sending it by email? What is encryption anyway, and how do I do it?
A: Email is not secure. It can easily be misdirected or intercepted en route. If sending personal data by email outside the University, it should be encrypted. There is no need to do this for internal email. Guidance on using encryption is available here. Note that the encryption password must be transmitted by some other means, i.e. not by email.

Q: Does data protection apply to work emails which I hold on my personal email account (such as Gmail)?
A: Yes. It is also UEA policy that only UEA-supplied email accounts should be used for handling UEA business; that is, you should not be using your personal email account to conduct UEA business. See the IT usage policies.

Q: I've heard I should be careful putting personal data into cloud providers like Dropbox. What exactly are the issues with this?
A: There are two main issues. First, information held with a cloud provider is outside UEA's control, so its security depends on the provider. Second, the eighth data protection principle requires that any personal data transferred outside the EEA is held with an adequate level of protection, and cloud providers do not always specify in which country the data resides. For further information about selecting suitable cloud service providers and asking the right questions of them, see the University's Information Classification and Data Management policy, especially the Appendix on 'Selecting non-UEA Data Storage/Transfer Solutions'.

Q: I've created a database of contacts who attended an event I organised. Can I use it to tell them about any further similar events we are thinking about running, or pass to one of my colleagues who is organising their own events which might be of interest to them, such as a golfing tour of Ireland?
A: Personal data should only be used for the purpose for which it was collected, and no other. If the original purpose specified the additional uses, then it is possible to use the database. Processing of data should be fair, which means that the data subjects are aware of what you intend to do with it.

Q: I need to send personal data to another organisation for additional processing (e.g. checking the addresses and cleaning the data). How do I go about doing this?
A: Contact the ISD information compliance team for advice and help with completing the standard UEA template agreement (which the team can provide). You should establish a data processing agreement with the organisation. All transfers of the data to and from the organisation must be secure, i.e. the data must be encrypted, and secure methods of transmission of the data should be used.

Q: I've kept personal notes about a matter relating to a particular member of staff/student. Is this their personal information?
A: Though the notes are personal and for your attention alone, they are also likely to be the personal information of the third party. If the notes are to be used to inform or influence actions or decisions affecting that person, then the notes will be their personal information for the purposes of the DPA. As the notes are their personal information, they may be released in response to a subject access request from that individual.