Understanding Data Protection

HRIS Programme
Version: v1.0
Data Protection Act 1998
The Data Protection Act has two aspects:
• Giving people the ‘right to know’ what information organisations
hold about them.
• Providing a framework for organisations handling personal data.
The primary purpose of data protection legislation is to protect
individuals against possible misuse of personal information about
them that is held by others.
The Act is underpinned by eight straightforward, common-sense
Data Protection Principles
The eight principles require that personal data is:
1. Fairly and lawfully processed.
2. Processed for limited purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up to date.
5. Not kept for longer than necessary.
6. Processed in line with the rights of individuals.
7. Secure.
8. Not transferred to other countries without adequate protection.
Personal data
HRIS stores personal and sensitive personal data on employees
(current and former) and job applicants (successful and
Personal data is any information which identifies an individual
e.g. name, photograph, applicant or employee number.
Sensitive personal data is personal data relating to the individual
e.g. race or ethnic origin, political opinion, religious beliefs, physical
or mental health, trade union membership, sexual life or criminal
activities. Special conditions apply to the processing of sensitive
personal data, including an obligation to obtain the explicit consent of
the individual.
Handling personal data
The Data Protection Act covers personal data where specific
information about a named employee may be readily found within:
• Computer systems, such as HRIS.
• Manual filing systems, where data is stored under topic headings or
folders where data is stored within file dividers.
• Documents which contain personal data but are not filed or
referenced to a particular individual.
Particular care should be taken in handling sensitive personal data.
Other information which should be handled with care includes next
of kin details, bank details or other financial information, and
information collected for the purposes of staff recruitment.
Subject Access Requests
A Subject Access Request is where an individual asks for the
data the University holds on them.
Requests must be processed within 40 calendar days.
The University can be asked to disclose all information held in electronic
or paper form that identifies the individual making the SAR,
e.g. emails and letters; handwritten notes; comments made in HRIS;
shortlisting forms; interview notes; references.
If you receive a request for information under either the Data
Protection Act or the Freedom of Information Act you must inform
HRIS Support immediately (hr.systems@admin.ox.ac.uk) and follow
their instructions.
Everything you write or email about an individual is
potentially disclosable to them...even if it is marked
confidential or draft.
Risks of non-compliance
Breaching the Data Protection Act represents a reputational and
financial risk to the University.
The Information Commissioner’s Office has the power to fine
organisations up to £500,000 for breaches of the Data Protection Act.
Ealing Council and Hounslow Council fined £70,000 and £80,000 for
losing password-protected but unencrypted laptops.
Hertfordshire County Council fined £100,000 for accidentally faxing
sensitive personal information to the wrong recipient.
Company A4e fined £60,000 for losing an unencrypted laptop containing
sensitive personal details about salaries, criminal activity and
employment status.
Security Rules for Accessing HRIS
Keep your HRIS password and log-in private – they should not be shared.
If you are leaving your desk, either log out of HRIS or lock your computer.
HRIS may be accessed within the ox.ac.uk domain or via secured network
access such as VPN. Other than via secured network access, HRIS must
not be accessed in a public place and data from the system must not be
sent to personal email accounts. HRIS must not be used on personal off-site
computers or portable devices without the express consent of HR
Systems Support.
Where it is necessary to download sensitive personal data from the
system to be held in electronic form, the data shall be held on an encrypted
USB stick or in a secure ZIP file. The User shall keep the encryption
details confidential in the interests of maintaining security.
Where it is necessary to download data other than sensitive personal data,
to be held in electronic form, it shall, at a minimum, be password protected.
If data is downloaded from the system to be held in paper form, the data
shall be stored in locked filing cabinets.
Further information
Further guidance at:
The Data Protection Team can provide specific advice on the Data
Protection Act at an individual, section or department level.
HR Systems Support
Individual User Agreement for HRIS
All information in HRIS is treated as highly confidential and should not
be divulged, shared or given to any other person, including after your
employment with the University terminates.
In order for you to be granted access to HRIS you must:
1. Take the Assessment (and score at least 8/10).
Go to WebLearn > Tests > Understanding Data Protection Assessment
2. Read and accept the Terms and Conditions set out in the
Individual User Agreement.
Go to WebLearn > Tests > Individual User Agreement