Common general questions about data protection

Q: Does the DPA cover information held on paper as well as electronic systems?
Q: What's personal information?
Q: Who does the DPA apply to?
Q: Does the Data Protection Act apply to dead people?
Q: Are some types of personal data more sensitive than others?
Q: Which activities are regulated by the Data Protection Act?
Q: Who controls my personal data?
Q: What sorts of personal information about me might be held by the University?
Q: What is ‘data processing'?
Q: What or who is the ‘data subject'?
Q: Is it a criminal offence to breach the DPA?
Q: Does the University have a policy regarding data protection?
Q: What obligations does the DPA impose on the University regarding my personal data?
Q: Who has access to the personal information you hold about me?
Q: How long will you hold my personal information for?
Q: I think I can be identified from information you have released under a Freedom of Information request or published on the UEA website. What should I do about this?
Q: I have concerns about how the University is processing my personal data. What can I do?
Q: Can the University delete my personal information without my permission?
Q: I suspect that the University is holding inaccurate data about me. How do I go about getting it corrected or removed?
Q: Can personal data belong to more than one person?
Q: Can I see the personal data the University holds about me?
Q: When I request my personal information, will I receive copies of all statements which people have made about me?
Q: I'm putting information about an event on Facebook. Do I need to be concerned about data protection?
Q: Are there any data protection issues with uploading photos from a recent party onto Facebook/Twitter/any other social media site?
Q: Someone said something unpleasant about me on a website, which isn't true, and even if it was true I'm not happy. What can I do about this?
Q: Does Data Protection apply to CCTV?
Q: I went for an interview at the University and didn't get the job/place on a course. Can I find out why this was the case?
Q: Can I have a copy of the references provided to the University for a recent job application?
Q: Does it cost me anything to request my own data?
Q: I made a request for my personal information. I don't think you have provided all that you hold about me. What can I do about this?
Q: Can I request the personal information on behalf of someone else, e.g. I'm a parent, can I ask for my son's/daughter's personal information? Or, I'm a solicitor acting on behalf of my client whose personal information is held by the University. How do I go about requesting their information?
Q: I requested my personal information and yet the documents I received have some text missing that has been replaced with black boxes. Why is this?


Q: In the context of the Data Protection Act, what is meant by data?
A: Data are information recorded digitally or intended to be recorded digitally, i.e. held on a computer or intended to be held on a computer. Data are accessible digital records or can be stored in a paper filing system.

Q: Does the DPA cover information held on paper as well as electronic systems?
A: Yes, it does.

Q: What's personal information?
A: Personal information is information that by itself or in combination with other information identifies and relates to a living individual. Identifies means it distinguishes them from others. This could be a name, a description, identification number, a photo, or video. Identification is based on who holds the information. If the holder cannot work out who the individual is, then it is not that individual's personal information. ‘Relates to' means it has some biographical significance, or affects their personal or professional privacy.

Q: Who does the DPA apply to?
A: It covers all living persons who are the subject of personal data. All businesses and organisations in the UK are covered by this UK law, whether or not they choose to store the data in the UK.

Q: Does the Data Protection Act apply to dead people?
A: No, the DPA does not apply to individuals once they have died.

Q: Are some types of personal data more sensitive than others?
A: Yes. The Act defines sensitive personal information as information consisting of any of the following: racial or ethnic origin, political opinions, religious beliefs or beliefs of a similar nature, membership of a trade union, physical or mental health, sexual life, offences and alleged offences, and proceedings associated with offences or alleged offences. The difference between sensitive personal data and other personal data is that the consent to use such data must be explicit.

Q: Which activities are regulated by the Data Protection Act?
A: The DPA applies to the processing of personal data. Anything that we can do with data from acquisition to disposal is processing. This includes storage, publication, maintenance and sharing among other things.

Q: Who controls my personal data?
A: The obligations under the Act apply to any body (organisation or individual) who ‘controls' your personal data. That is, they hold information that relates to you and decide how and why this data is processed. Any such body is known as a ‘data controller'. The University, along with many other organisations with whom you have a relationship, may hold information about you and act as data controllers under the Act.

Q: What sorts of personal information about me might be held by the University?
A: Here are some examples: student record, employment record, library borrowing records, expenses claims, computer use, CCTV recordings, squash court booking, and emails written by you or about you. The University's DPA Notices list different types of information held by the University relating to staff and students.

Q: What is ‘data processing'?
A: Any activity on the data from their acquisition to their disposal.

Q: What or who is the ‘data subject'?
A: The data subject is defined by the Act to be an individual who is the subject of personal data.

Q: Is it a criminal offence to breach the DPA?
A: Not every breach of the DPA is a criminal offence; however, criminal offences created by the Act include unlawfully obtaining, disclosing or selling personal data.

Q: Does the University have a policy regarding data protection?
A: Yes, it is available on the UEA website.

Q: What obligations does the DPA impose on the University regarding my personal data?
A: Here are the eight things the University must do. These are the eight data protection principles.

Q: Who has access to the personal information you hold about me?
A: Only individuals who have a need to access your data for the purpose or purposes for which it was given to us have access to it. 

Q: How long will you hold my personal information for?
A: For students, some personal data will be disposed of on graduation, and some will be retained indefinitely. Each department at UEA has developed a records retention schedule determining how long its records will be held for. Some records are held to satisfy statutory obligations; other records will be held to satisfy the purpose and no longer. Retention periods will therefore vary according to the type of information held and the purpose for which it is held. More information on retention schedules can be found on the Records Retention Schedule (RRS) page.

Q: I think I can be identified from information you have released under a Freedom of Information request or published on the UEA website. What should I do about this?
A: If you have not already consented to the publication of your personal data, get in touch with the ISD information compliance team immediately at dataprotection@uea.ac.uk or 01603 59 3523/2431. We will conduct an investigation. We will follow the process as described in the University's web content removal policy.

Q: I have concerns about how the University is processing my personal data. What can I do?
A: You have a right to object under the Act. Get in touch with the ISD information compliance team at dataprotection@uea.ac.uk or 01603 59 3523/2431.

Q: Can the University delete my personal information without my permission?
A: Yes. Processing of your personal data should be according to University procedures. Records retention is determined by the different RRS Department Policies. We also have an obligation under the Act not to hold your personal information for longer than it is needed. More information can be found on the Records Retention Schedule (RRS) page.

Q: I suspect that the University is holding inaccurate data about me. How do I go about getting it corrected or removed?
A: Write to the University describing your concerns. Be sure to be clear about what information you believe is inaccurate, and how it should be corrected. It will also help if you can provide evidence of the inaccuracies and the corrections. The DPA requires the University to keep personal information it holds accurate and up to date.

Q: Can personal data belong to more than one person?
A: Yes. A good example is where someone expresses an opinion about another individual. This is the personal data of both the person expressing the opinion and the target of the opinion. Another example is references.

Q: Can I see the personal data the University holds about me?
A: Yes. You can make what is known as a ‘data subject access request' to the University (or any other organisation that holds your personal information). You can find out how to make a request here

Q: When I request my personal information, will I receive copies of all statements which people have made about me?
A: Comments another person has made about you and that identify you (even if you are only referred to as ‘he' or ‘she') are both your personal information and that of those making the comments. We will consult with the person who has made the comment (known as a ‘third party') to find out their opinion of releasing the information to you.

Q: I'm putting information about an event on Facebook. Do I need to be concerned about data protection?
A: Yes, you should be concerned and make appropriate provisions to protect your privacy and that of others. Anything you put up about yourself is your personal data. Any opinion you express about anyone else is both your personal data and the other party's. You should be aware of your rights and those of others relating to personal data.

Q: Are there any data protection issues with uploading photos from a recent party onto Facebook/Twitter/any other social media site?
A: Yes, make sure all those featured in the pictures have provided their consent for this type of processing, i.e. posting onto Facebook.

Q: Someone said something unpleasant about me on a website, which isn't true, and even if it was true I'm not happy. What can I do about this?
A: You have a right to object to any processing of your personal data, and the view expressed is your personal data. Send your objection in writing to the author, the website, the hosting company or the ICO. If the website is not hosted in the UK, local laws will apply.
Your right to object is limited. You may only object if it causes unwarranted or substantial damage or distress. If you are concerned about the behaviour of other staff or students towards you, contact the Student Support Service or Human Resources Division for advice.

Q: Does Data Protection apply to CCTV?
A: Yes. The capture, storage and use of CCTV images must be in accordance with our obligations under the DPA. Individuals have a right to request their personal information as recorded by CCTV.

Q: I went for an interview at the University and didn't get the job/place on a course. Can I find out why this was the case?
A: You are welcome to seek feedback on the outcome of the interview process. Depending on what is requested, this may or may not be treated as a formal Subject Access Request under the DPA. In the first instance, contact the University's Human Resources Division (if you have applied for a job) or the Admissions Department (if you have applied for a place on a course).

Q: Can I have a copy of the references provided to the University for a recent job application?
A: Yes. As a member of staff, you are not entitled to receive copies of references which UEA has created in response to job applications you made elsewhere, but you can request copies of references about you received by the University from other organisations for your applications for jobs at UEA.

Q: Does it cost me anything to request my own data?
A: It is UEA policy to charge a £10 administration fee for subject access requests under the DPA. 

Q: I made a request for my personal information. I don't think you have provided all that you hold about me. What can I do about this?
A: Contact the ISD information compliance team, providing as much information as you can about the information which has not been provided and where you believe it might be held. We conduct reasonable and proportionate searches for the most likely locations for personal data. We do not search every possible location. On receipt of your letter, we will revisit the searches to ensure we have accounted for the missing information, and if necessary conduct fresh searches in areas not already covered. The ICO have helpful guidance on how to write the letter. 
 
Q: Can I request the personal information on behalf of someone else, e.g. I'm a parent, can I ask for my son's/daughter's personal information? Or, I'm a solicitor acting on behalf of my client whose personal information is held by the University. How do I go about requesting their information?
A: Yes, you can request the personal information of an individual on their behalf. We require proof, such as an affidavit signed by the individual (the data subject), that you are acting on their behalf. We must satisfy ourselves that you are entitled to act on behalf of the data subject. In addition, we must receive a written request for the personal information. You can use the application form available from the UEA website. 

Q: I requested my personal information and yet the documents I received have some text missing that has been replaced with black boxes. Why is this?
A: These black boxes are redactions, which will be applied to any information which is either out of scope of the request you have made, not your personal data, or possibly the personal data of other individuals. We provide an explanation for all redactions we apply. If you have any concerns about the application of the redactions, write to the ISD information compliance team for a further explanation.