University of Exeter - Policy on Data Protection

1. Policy Statement

1.1 The University of Exeter is committed to a policy of protecting the fundamental rights and freedoms of individuals and in particular their right to privacy with respect to the processing of personal data. The Data Protection Act 1998 (the new Act), due to come into force on 1 March 2000, was passed in order to implement a European Data Protection Directive and applies to personal data held in a structured way in any medium (paper, computer, microfiche, tape etc).

1.2 The University holds information about employees, students and other users to allow it, for example, to recruit and pay staff, process employment contracts and provide employment information to statutory bodies, organise courses and conferences, comply with legal obligations to funding bodies and government, monitor and record progress, award qualifications, regulate the use of facilities and administer the collection of fees. To comply with the law, information must be collected and used fairly, stored safely and securely and not be disclosed to any third party unlawfully. This policy is a statement of the measures which the University has adopted to ensure that it is able to comply with the requirements of the Data Protection Act 1998. The policy will feed into the University's Information Security Policy, which is yet to be devised.

1.3 The University of Exeter undertakes to apply the policy to all members of the University. In this context, 'members of the University' encompasses all staff, students, accredited visitors and data processors. Any breach of the data protection policy or the Data Protection Act 1998 will automatically be considered a breach of discipline, and existing University of Exeter disciplinary proceedings will apply. Any questions or concerns about the interpretation or operation of this policy should be taken up initially with the University's Data Protection Officer.

2. Responsibilities

2.1 The University as a body corporate is the data controller under the new Act, and the Council of the University is ultimately responsible for implementing the Data Protection Act 1998.

2.2 The University has appointed a Data Protection Officer who is responsible for dealing with day-to-day data protection matters as they arise and for developing and encouraging good information handling practice amongst all members of the University.

2.3 Members of the University are responsible for ensuring that any personal data supplied to the University are accurate and up to date.

2.4 Deans, Heads of Schools/Divisions, Directors of Centres and all in managerial or supervisory roles have the responsibility of developing and encouraging good information handling practice within their designated areas.

3. Personal Information in the Public and Private Domain

3.1 The University has distinguished between personal data which will be placed in the 'public domain' and personal data which will be placed in the 'private domain'. Personal data classified as being in the 'public domain' refers to automatically processed and manually held information which will be publicly available world-wide and may be disclosed to third parties without recourse to the data subject. Where such personal data are held on-line, 'public domain' refers to information which is potentially freely available from anywhere on the Internet. The University's policy is to make the following items of data freely available unless individuals have objected:

- Names of members of Council and Senate
- Names and academic qualifications of academic and academic-related staff and other support staff where appropriate
- Academic staff biographies
- Staff e-mail addresses
- Staff work place telephone numbers
- Press releases
- Any additional information relating to data subjects which they have agreed to be placed in the public domain and which may be in automated and/or manual form

3.2 Any individual who has good reason for not wanting his/her work telephone number or e-mail address to be made public may, with agreement, specify a School or section telephone number or e-mail address instead.

3.3 Data subjects' rights will not be affected by personal data which have been placed in the 'public domain'.

3.4 Personal data classified as being in the 'private domain' refers to automatically processed and manually held information which will remain private between the University of Exeter and the data subject unless one or more of the specified exemptions applies. The University of Exeter will take all reasonable steps necessary to ensure that personal data in the 'private domain' are secure from unauthorised or unlawful processing and from accidental loss, damage or destruction, will process the data in accordance with current legislation and the University's Register entry, and will not disclose the information to any unauthorised third party. Where personal data are held on-line, 'private domain' refers to information which is only available within the University of Exeter (ex.ac.uk) domain; this means that the information can only be accessed from a computer connected to the University's data network. The following are examples of information which are deemed to be in the 'private domain'; this list is not exhaustive:

- Internal e-mail distribution lists
- Undergraduate, Postgraduate Taught and Postgraduate Research students' e-mail addresses
- Lists of students on particular courses
- Student telephone numbers
- Student room numbers
- Any additional information relating to data subjects which may be in automated and/or manual form

4. Processing "Ordinary" and "Sensitive" Personal Data

4.1 In all cases, before processing takes place a legitimate basis must be found as specified within Schedule 2 of the Data Protection Act 1998. The rules relating to sensitive personal data are additional to those for "ordinary" data. As a general rule, the University will only process sensitive data on the basis of the explicit consent of data subjects.

5. Retention of Data

5.1 Whilst a considerable amount of data are collected on current staff and students, once a member of staff or student is no longer a member of the University it will not be necessary for the University to hold all of this information. Instead the University will hold a core of data, and some data will be kept for longer periods of time than others. In general, student records containing information about individual students are kept indefinitely; the information would typically include name and address on entry, programmes taken, examination results, references provided and degrees obtained whilst a student at the University, and any other information which the University sees fit, as detailed in the University's proposed set of guidelines. Information relating to individual members of staff will be kept by the Personnel Division for a maximum of 7 years from the end of employment, whilst information relating to unsuccessful applicants in connection with recruitment to a post will be kept for 6 months, subject to any changes in existing legislation. Other information, such as information relating to Income Tax, Statutory Maternity Pay etc, will be retained for the statutory time limits. Information in connection with staff pension or taxation matters, potential or current disputes or litigation regarding employment at the University, and information required for future reference will also be kept for a long period.

5.2 A full list of the information retained, together with details of the period of time for which it will be kept, is available from the Data Protection Officer.

6. Security of Personal Data

6.1 Members of the University are responsible for ensuring that any personal data which they hold are kept securely and are not disclosed, either orally or in writing, accidentally or otherwise, to any unauthorised third party. It is University policy that unauthorised disclosure is a valid reason for disciplinary action.

7. Right to Access Information

7.1 Members of the University and other users of the University have the right to access personal data relating to them which are held by the University in electronic format and in manual records that form part of a 'relevant filing system', i.e. held in a structured way. Any individual who wishes to exercise this right (known as a Subject Access Request) should apply in writing to the Data Protection Officer, and the University will make a charge (currently £10 per request).

7.2 Any documentation relating to a request will be retained by the Data Protection Officer for a period of 6 months after the University's response to the request has been completed. The Data Protection Officer will keep an indefinite record of those individuals who have made a formal subject access request.

Data Protection Officer
August 2003