Data Protection Policy

1. Royal Holloway, University of London needs to collect, store and use information about its staff, students, applicants, former students and others in order to carry on its business as an institution of higher education. The college is committed to doing this in such a way as to protect the privacy of individuals and to comply with relevant legislation, in particular the Data Protection Act (1998).

The Data Protection Act


2. The Data Protection Act requires the College to collect and use data fairly, to store it safely and not to disclose it to any other person unlawfully. To this end the Act sets out Data Protection Principles. In summary, these state that personal data shall:
(i) be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met;
(ii) be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
(iii) be adequate, relevant and not excessive for those purposes;
(iv) be accurate and kept up to date;
(v) not be kept for longer than is necessary for that purpose;
(vi) be processed in accordance with the data subject’s rights;
(vii) be kept safe from unauthorised access, accidental loss or destruction;
(viii) not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

3. The Act applies to personal data held in a structured filing system, whether on paper, electronically, on microfiche, or tape. Although the Act came into force in March 2000, some of its provisions did not take effect until October 2001, and others will not be fully effective until October 2007. This is because of periods of transitional relief.

4. The College and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the College has developed this Data Protection Policy. Staff and students are required to follow this policy at all times and breaches of it may result in disciplinary action. Although this policy does not form part of the contract of employment between the College and members of staff, it is a condition of employment that staff abide by the College’s rules, regulations, codes of practice and policies. Failure to abide by the policy by members of staff may also lead to disciplinary action.

Data Security


5. Unauthorised disclosure of personal data could result in criminal proceedings against the College. All staff are responsible for ensuring that any personal data which they hold is kept securely to ensure that:
• there is no unauthorised access to, alteration or destruction of the data;
• there is no unauthorised disclosure, either orally or in writing, of the data;
• there is no accidental loss or destruction of the data;
• there is no accidental disclosure, either orally or in writing, of the data (to any unauthorised third party).

Responsibilities of Staff
6. Staff have responsibilities both as data subjects and data users. All members of staff are responsible for:
• checking that any information they provide to the College in connection with their employment is accurate and up to date;
• informing the College of any changes to information which they have provided, i.e. changes of address;
• checking information that the College will send out from time to time, giving details of information kept and processed.
7. If and when, as part of their responsibilities, staff collect information about other people (e.g. about students’ course work, opinions about ability, references to other academic institutions, or details of personal circumstances) they must comply with the Data Protection Principles, the content of this policy statement and advice given by the Data Protection Officer (see para 11 below). Members of the academic staff are also required to supervise students who process personal data as part of the course for which they are responsible.

Responsibilities of Students
8. Students must ensure that all personal data provided to the College is accurate and up to date. They must ensure that changes of address and to other information held by the College about them are notified to the Registry. Students processing personal data as part of their course should do so under the supervision of the member of staff responsible for their course. Students processing personal data, other than as part of their course, are required to make an individual notification to the Information Commissioner (see para 14 below).

Individual Rights under the Data Protection Act 1998

9. Individuals have the right to see electronically-stored data held on them and any manual data about them if it is stored in a structured filing system from which they can be identified. There are some exceptions to subject access, in particular, where confidentiality to a third party would be compromised.

10. All persons about whom personal data is held (known as “data subjects”) are entitled to:
• know what information the College holds and processes about them and why;
• know how to gain access to it, and where appropriate, to have such data corrected or destroyed.

How Staff and Students can access Data

11. Any requests for access to personal data should be submitted to the Records Manager, 3rd floor, Founders Library. The Records Manager is the College’s Data Protection Officer. The Records Manager must establish the identity of the enquirer, initiate a request for the relevant data and ensure that the data is provided within the period of 40 days specified in the Act. A fee of £10 (as permitted under the Act) will be charged for each request.

Notification
12. The College is required to register under the Data Protection Act with the Information Commissioner. This process was formerly known as registration with the Data Protection Registrar. The College’s entry on the register can be consulted in the College Secretary’s Office.

Further Information and Guidance
13. For further information and guidance please see our Make an Information Request page.


14. There is a separate, and more detailed, guidance note for staff on handling students’ personal data, available on the web at:
http://www.rhul.ac.uk/For-Staff/Codes-of-Practice/Handling-Student-Personal-Data.pdf

15. The Office of the Information Commissioner (formerly the Data Protection Registrar) is at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (tel: 01625 545745; fax: 01625 524410; e-mail: data@dataprotection.gov.uk; web site: http://www.dataprotection.gov.uk).

16. Royal Holloway gratefully acknowledges the Data Protection Code of Practice for the HE and FE Sectors, produced by the HEFCE Joint Information Systems Committee (JISC), which informs much of the content of this statement.


Last updated Wed, 14-Nov-2007 13:25 GMT
Royal Holloway, University of London, Egham, Surrey TW20 0EX  Tel/Fax +44 (0)1784 434455/437520