<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><!-- InstanceBegin template="/Templates/3_dpact.dwt" codeOutsideHTMLIsLocked="false" -->
<!-- HEAD starts -->
<head>
<!-- InstanceBeginEditable name="doctitle" -->
<title>Loughborough University Data Protection Policy - Data Protection - Academic Registry - Loughborough University</title>
<!-- InstanceEndEditable -->
<meta http-equiv="content-type" content="text/html;charset=utf-8" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<link rel="stylesheet" type="text/css" media="print" href="http://www.lboro.ac.uk/admin/ar/sitewide/style/print.css" />
<!-- Main stylesheets -->
<style type="text/css" media="all">
@import url(extra.css);
@import url(http://www.lboro.ac.uk/admin/ar/sitewide/style/ar_style.css);
</style>
<!-- Additional per-section stylesheets -->
<style type="text/css" media="all">
@import url(../../style/policy.css);
</style>
<!-- InstanceBeginEditable name="extraStyles2" -->
<style type="text/css" media="all">
<!-- extra Styles 2 goes here -->
</style>
<!-- InstanceEndEditable -->
</head>
<!-- HEAD ends -->
<!-- BODY starts -->
<body>
<!-- CONTAINER starts -->
<div id="container">
<!-- HEADER starts -->
<div id="header">
<div id="lulogo"><a href="http://www.lboro.ac.uk/"><img src="http://www.lboro.ac.uk/admin/ar/sitewide/img/lulogo.gif" alt="Loughborough University" width="204" height="69" /></a></div>
<div id="address">
<span>Loughborough University </span><br />
Leicestershire, UK <br />
LE11 3TU<br />
Tel: +44 (0) 1509 263171
<a href="#xContent"> </a><br />
</div>
<!-- PAGE TITLE (and top of page anchor) -->
<div id="ptitle"><a name="xtop" id="xtop"></a>
Data Protection
</div>
</div>
<!-- HEADER ends -->
<!-- TRAIL starts -->
<div id="breadcrumb">
<ul>
<li><a href="http://www.lboro.ac.uk">University Home</a></li>
<li><a href="http://www.lboro.ac.uk/staff/">Staff </a></li>
<li><a href="../../index.htm">University Policy</a></li>
<li><a href="../index.htm">Data Protection </a></li>
<li><!-- InstanceBeginEditable name="trailE" -->Loughborough University Data Protection Policy<!-- InstanceEndEditable --></li>
<li><!-- InstanceBeginEditable name="trailF" --><!-- InstanceEndEditable --></li>
<li><!-- InstanceBeginEditable name="trailG" --><!-- InstanceEndEditable --></li>
<li><!-- InstanceBeginEditable name="trailH" --><!-- InstanceEndEditable --></li>
<li><!-- InstanceBeginEditable name="trailI" --><!-- InstanceEndEditable --></li>
<li><!-- InstanceBeginEditable name="trailJ" --><!-- InstanceEndEditable --></li>
</ul>
</div>
<!-- TRAIL ends -->
<!-- MAIN starts -->
<div id="main">
<!-- LEFTMENU starts -->
<div id="links">
<div id="navcontainer">
<ul id="navlist">
<li class="toptitle">University Policy </li>
<li><a href="../../index.htm#students">Policy for Students</a></li>
<li><a href="../../index.htm#staff">Policy for Staff </a></li>
<li><a href="../../index.htm#general">General Policies </a></li>
</ul>
</div>
</div>
<!-- LEFMENU ends -->
<!-- CONTENT starts -->
<div id="content" class="">
<!-- InstanceBeginEditable name="content" -->
<h1>Loughborough University Data Protection Policy</h1>
<!-- #BeginLibraryItem "/Library/menu_dpact.lbi" -->
<div class="right_column">
<div class="section_menu">
<h1>Data Protection </h1>
<ul>
<li><a href="../index.htm">Data Protection Home </a></li>
</ul>
<ul>
<li><a href="../procsar/index.htm">Handling Subject Access Requests </a></li>
<li>Student Records Management
<ul>
<li><a href="../rmac/index.htm">Academic Departments </a></li>
<li><a href="../rmsserv/index.htm">Support Service Sections </a></li>
</ul>
</li>
<li><a href="../rmstaff/index.htm">Staff Records Management </a></li>
<li><a href="../disclosure/index.htm">Disclosure of Student Info. </a></li>
<li><a href="../telephone/index.htm">Telephone Protocol for the Disclosure of Personal Information </a></li>
<li><a href="../recret/index.htm">Records Retention Schedule </a></li>
<li><a href="../ea/index.htm">Exams and Assessments </a></li>
<li><a href="../refs/index.htm">References</a></li>
</ul>
<ul>
<li><a href="../photos/index.htm">Photographs for use in Publicity</a></li>
</ul>
<p> </p>
</div>
</div>
<!-- #EndLibraryItem -->
<h2>Sections:</h2>
<ul>
<li><a href="#sec1">Section 1: Policy Statement</a></li>
<li><a href="#sec2">Section 2: Background to the Data Protection Act 1998</a></li>
<li><a href="#sec3">Section 3: Definitions (Data Protection Act 1998)</a></li>
<li><a href="#sec4">Section 4: Responsibilities under the Data Protection Act</a></li>
<li><a href="#sec5">Section 5: Notification</a></li>
<li><a href="#sec6">Section 6: Data Protection Principles</a></li>
<li><a href="#sec7">Section 7: Data Subject Rights</a></li>
<li><a href="#sec8">Section 8: Consent</a></li>
<li><a href="#sec9">Section 9: Security of Data</a></li>
<li><a href="#sec10">Section 10: Rights of Access to Data</a></li>
<li><a href="#sec11">Section 11: Disclosure of Data</a></li>
<li><a href="#sec12">Section 12: Retention and Disposal of Data</a></li>
<li><a href="#sec13">Section 13: Publication of University Data</a></li>
<li><a href="#sec14">Section 14: Direct Marketing</a></li>
<li><a href="#sec15">Section 15: Use of CCTV</a></li>
<li><a href="#sec16">Section 16: Academic Research</a></li>
<li>Section 17: Appendices
<ul>
<li><a href="../sareq/index.htm">I: Handling Subject Access Requests</a></li>
<li><a href="../rmac/index.htm">II: Student Records Management in Academic Departments</a></li>
<li><a href="../rmsserv/index.htm">III: Student Records Management in Support Service Sections</a></li>
<li><a href="../rmstaff/index.htm">IV: Staff Records Management</a></li>
<li><a href="../disclosure/index.htm">V: Disclosure of Student Information</a></li>
<li><a href="../telephone/index.htm">VI: Telephone Protocol for the Disclosure of Personal Information</a></li>
<li><a href="../recret/index.htm">VII: Records Retention Schedule</a></li>
<li><a href="../ea/index.htm">VIII: Examinations and Assessment</a></li>
<li><a href="../refs/index.htm">IX: References</a></li>
<li><a href="../photos/index.htm">X: Photographs to be used in Publicity/Promotional Material</a></li>
</ul>
</li>
<li><a href="#sec18">Section 18: Further Information</a></li>
</ul>
<p> </p>
<h2><b><a name="sec1"></a>Section 1: Policy
Statement</b></h2>
<p>Loughborough University is committed to a policy of protecting the rights and
privacy of individuals (includes students, staff and others) in accordance with
the Data Protection Act. The University needs to process certain information
about its staff, students and other individuals it has dealings with for
administrative purposes (eg to recruit and pay staff, to administer programmes
of study, to record progress, to agree awards, to collect fees, and to comply
with legal obligations to funding bodies and government). To comply with the
law, information about individuals must be collected and used fairly, stored
safely and securely and not disclosed to any third party unlawfully.</p>
<p>The policy applies to all staff and students of the University. Any breach of
the Data Protection Act 1998 or the University Data Protection Policy is
considered to be an offence and in that event, Loughborough University
disciplinary procedures will apply. As a matter of good practice, other agencies
and individuals working with the University, and who have access to personal
information, will be expected to have read and comply with this policy. It is
expected that departments/sections who deal with external agencies will take
responsibility for ensuring that such agencies sign a contract agreeing to abide
by this policy.</p>
<h2><br />
<a name="sec2"></a>Section <b>2</b>: Background to the Data Protection Act 1998</h2>
<p>The Data Protection Act 1998 enhances and broadens the scope of the Data
Protection Act 1984. Its purpose is to protect the rights and privacy of living
individuals and to ensure that personal data is not processed without their
knowledge, and, wherever possible, is processed with their consent.</p>
<h2><br />
<a name="sec3"></a>Section <b>3</b>: Definitions (Data Protection Act 1998)</h2>
<table class="smart" width="97%" border="0" cellspacing="1" cellpadding="0">
<tr>
<th>Personal Data</th>
<td>Data relating to a living individual who can be
identified from that information or from that data and other information in
possession of the data controller. Includes name, address, telephone number,
id number. Also includes expression of opinion about the individual, and of
the intentions of the data controller in respect of that individual.</td>
</tr>
<tr>
<th>Sensitive Data</th>
<td>Different from ordinary personal data (such as
name, address, telephone) and relates to racial or ethnic origin, political
opinions, religious beliefs, trade union membership, health, sex life,
criminal convictions. Sensitive data are subject to much stricter conditions
of processing.</td>
</tr>
<tr>
<th>Data Controller</th>
<td>Any person (or organisation) who makes decisions
with regard to particular personal data, including decisions regarding the
purposes for which personal data are processed and the way in which the
personal data are processed.</td>
</tr>
<tr>
<th>Data Subject</th>
<td>Any living individual who is the subject of
personal data held by an organisation.</td>
</tr>
<tr>
<th>Processing</th>
<td>Any operation related to organisation, retrieval,
disclosure and deletion of data and includes: obtaining and recording data;
accessing, altering, adding to, merging, deleting data; retrieval,
consultation or use of data; disclosure or otherwise making available of
data.</td>
</tr>
<tr>
<th>Third Party</th>
<td>Any individual/organisation other than the data
subject, the data controller (University) or its agents.</td>
</tr>
<tr>
<th>Relevant Filing System</th>
<td>Any paper filing system or other manual filing
system which is structured so that information about an individual is
readily accessible. <strong>Please note that this is the definition of
"Relevant Filing System" in the Act. Personal data as defined, and
covered, by the Act can be held in any format, electronic (including
websites and emails), paper-based, photographic etc. from which the
individual's information can be readily extracted.<br />
</strong></td>
</tr>
</table>
<h2><br />
<a name="sec4"></a>Section 4:
Responsibilities under the Data Protection Act</h2>
<ul>
<li>The University as a body corporate is the data controller under the new
Act.</li>
<li>A Data Protection Officer has been appointed who is responsible for
day-to-day data protection matters and for developing specific guidance
notes on data protection issues for members of the University.</li>
<li>A Data Protection Advisory Group (DPAG) has been established to advise on
data protection issues and provide support for the Data Protection Officer.
DPAG is chaired by the Deputy Vice-Chancellor and reports to Information
Services Committee. The Data Protection Officer is Secretary to DPAG.</li>
<li>The Senior Management Group (VC, DVC, PVCs and Deans), Heads of
Departments/Sections, Directors of Research Institutes/Centres and all those
in managerial or supervisory roles are responsible for developing and
encouraging good information handling practice within the University.</li>
<li>Compliance with data protection legislation is the responsibility of all
members of the University who process personal information.</li>
<li>Members of the University are responsible for ensuring that any personal
data supplied to the University are accurate and up-to-date.</li>
</ul>
<h2><br />
<a name="sec5"></a>Section 5:
Notification</h2>
<p>Notification is the responsibility of the Registrar and the Data Protection
Officer. Details of the University's notification are published on the <a href="http://www.dataprotection.gov.uk/">Information
Commissioner's website</a>. Anyone who is processing, or intends to process,
data for purposes not included in the University's Notification should seek
advice from the Data Protection Officer.</p>
<h2><br />
<a name="sec6"></a>Section 6: Data
Protection Principles</h2>
<p>All processing of personal data must be done in accordance with the eight
data protection principles.</p>
<ol>
<li><b>Personal data shall be processed fairly and
lawfully.</b><br />
Those responsible for processing personal data must make reasonable
efforts to ensure that data subjects are informed of the identity of the
data controller, the purpose(s) of the processing, any disclosures to
third parties that are envisaged and an indication of the period for which
the data will be kept.</li>
<li><b>Personal data shall be obtained for specific
and lawful purposes and not processed in a manner incompatible with those
purposes.</b><i><br />
</i>Data obtained for specified purposes must not be used for a purpose
that differs from those.</li>
<li><b>Personal data shall be adequate, relevant
and not excessive in relation to the purpose for which it is held.</b><i><br />
</i>Information which is not strictly necessary for the purpose for which
it is obtained should not be collected. If data are given or obtained
which are excessive for the purpose, they should be immediately deleted or
destroyed.</li>
<li><b>Personal data shall be accurate and, where
necessary, kept up to date.</b><i><br />
</i>Data which are kept for a long time must be reviewed and updated as
necessary. No data should be kept unless it is reasonable to assume that
they are accurate. It is the responsibility of individuals to ensure that
data held by the University are accurate and up-to-date. Completion of an
appropriate registration or application form etc will be taken as an
indication that the data contained therein are accurate. Individuals should
notify the University of any changes in circumstance to enable personal
records to be updated accordingly. It is the responsibility of the
University to ensure that any notification regarding change of
circumstances is noted and acted upon.</li>
<li><b>Personal data shall be kept only for as long
as necessary.</b> (see Section 12 on <a href="#sec12">Retention
and Disposal of Data</a>)</li>
<li><b>Personal data shall be processed in
accordance with the rights of data subjects under the Data Protection Act.</b><i> </i>(see Section 7 on <a href="#sec7">Data Subjects
Rights</a>)</li>
<li><b>Appropriate technical and organisational
measures shall be taken against unauthorised or unlawful processing of
personal data and against accidental loss or destruction of data.</b><i> </i>(see
Section 9 on <a href="#sec9">Security of Data</a>)</li>
<li><b>Personal data shall not be transferred to a
country or a territory outside the European Economic Area unless that
country or territory ensures an adequate level of protection for the
rights and freedoms of data subjects in relation to the processing of
personal data.</b><i><br />
</i>Data must not be transferred outside of the European Economic Area (EEA)
- the fifteen EU Member States together with Iceland, Liechtenstein and
Norway - without the explicit consent of the individual. Members of the
University should be particularly aware of this when publishing
information on the Internet, which can be accessed from anywhere in the
globe. This is because transfer includes placing data on a web site that
can be accessed from outside the EEA.</li>
</ol>
<h2><br />
<a name="sec7"></a>Section 7: Data
Subject Rights</h2>
<p>Data Subjects have the following rights regarding data processing, and the
data that are recorded about them:</p>
<ul>
<li>To make subject access requests regarding the nature of information held
and to whom it has been disclosed.</li>
<li>To prevent processing likely to cause damage or distress.</li>
<li>To prevent processing for purposes of direct marketing.</li>
<li>To be informed about the mechanics of any automated decision-taking process that
will significantly affect them.</li>
<li>Not to have significant decisions that will affect them taken solely by
automated process.</li>
<li>To sue for compensation if they suffer damage by any contravention of the
Act.</li>
<li>To take action to rectify, block, erase or destroy inaccurate data.</li>
<li>To request the Commissioner to assess whether any provision of the Act has
been contravened.</li>
</ul>
<h2><br />
<a name="sec8"></a>Section 8:
Consent</h2>
<p>Wherever possible, personal data or sensitive data should not be obtained,
held, used or disclosed unless the individual has given consent. The University
understands "consent" to mean that the data subject has been fully
informed of the intended processing and has signified their agreement, whilst
being in a fit state of mind to do so and without pressure being exerted upon
them. Consent obtained under duress or on the basis of misleading information
will not be a valid basis for processing. There must be some active
communication between the parties such as signing a form and the individual must
sign the form freely of their own accord. Consent cannot be inferred from
non-response to a communication. For sensitive data, explicit written consent of
data subjects must be obtained unless an alternative legitimate basis for
processing exists.</p>
<p>In most instances consent to process personal and sensitive data is obtained
routinely by the University (eg when a student signs a registration form or when
a new member of staff signs a contract of employment). Any University forms
(whether paper-based or web-based) that gather data on an individual should
contain a statement explaining what the information is to be used for and to
whom it may be disclosed. It is particularly important to obtain specific
consent if an individual's data are to be published on the Internet as such data
can be accessed from all over the globe. Therefore, not gaining consent could
contravene the eighth data protection principle.</p>
<p>If an individual does not consent to certain types of processing (eg direct
marketing), appropriate action must be taken to ensure that the processing does
not take place.</p>
<p>If any member of the University is in any doubt about these matters, they
should consult the University Data Protection Officer.</p>
<h2><br />
<a name="sec9"></a>Section 9: Security
of Data</h2>
<p>All staff are responsible for ensuring that any personal data (on others)
which they hold are kept securely and that they are not disclosed to any
unauthorised third party (see Section 11 on <a href="#sec11">Disclosure
of Data</a> for more detail).</p>
<p>All personal data should be accessible only to those who need to use it. You
should form a judgement based upon the sensitivity and value of the information
in question, but always consider keeping personal data:</p>
<ul>
<li>in a lockable room with controlled access, or</li>
<li>in a locked drawer or filing cabinet, or</li>
<li>if computerised, password protected, or</li>
<li>kept on disks which are themselves kept securely.</li>
</ul>
<p>Care should be taken to ensure that PCs and terminals are not visible except
to authorised staff and that computer passwords are kept confidential. PC
screens should not be left unattended without password protected screen-savers
and manual records should not be left where they can be accessed by unauthorised
personnel.</p>
<p>Care must be taken to ensure that appropriate security measures are in place
for the deletion or disposal of personal data. Manual records should be shredded
or disposed of as "confidential waste". Hard drives of redundant PCs
should be wiped clean before disposal.</p>
<p>This policy also applies to staff and students who process personal data
"off-site". Off-site processing presents a potentially greater risk of
loss, theft or damage to personal data. Staff and students should take
particular care when processing personal data at home or in other locations
outside the University campus.</p>
<h2><br />
<a name="sec10"></a>Section 10: Rights
of Access to Data</h2>
<p>Members of the University have the right to access any personal data which
are held by the University in electronic format and manual records which form
part of a relevant filing system. This includes the right to inspect
confidential personal references received by the University about that person.</p>
<p>Any individual who wishes to exercise this right should apply in
writing to the Data Protection Officer. The University reserves the right to
charge a fee for data subject access requests (currently £10). Any such request
will normally be complied with within 40 days of receipt of the written request
and, where appropriate, the fee. See <a href="../procsar/index.htm">Subject
Access Request Procedure</a> (available from the University Data
Protection webpages) for more detail. For information on responding to
subject access requests see <a href="../sareq/index.htm">Appendix 1</a>
of this policy.</p>
<p>In order to respond efficiently to subject access requests the University
needs to have in place appropriate records management practices. See
Appendices II, III and
IV for further
information on records management.</p>
<h2><br />
<a name="sec11"></a>Section 11: Disclosure
of Data</h2>
<p>The University must ensure that personal data are not disclosed to
unauthorised third parties which includes family members, friends, government
bodies, and in certain circumstances, the Police. All staff and students should
exercise caution when asked to disclose personal data held on another individual
to a third party. For instance, it would usually be deemed appropriate to
disclose a colleague's work contact details in response to an enquiry regarding
a particular function for which they are responsible. However, it would not
usually be appropriate to disclose a colleague's work details to someone who
wished to contact them regarding a non-work related matter. The important thing
to bear in mind is whether or not disclosure of the information is relevant to,
and necessary for, the conduct of University business. Best practice, however,
would be to take the contact details of the person making the enquiry and pass
them onto the member of the University concerned.</p>
<p>This policy determines that personal data may be legitimately disclosed where
one of the following conditions applies:</p>
<ol>
<li>the individual has given their consent (eg a
student/member of staff has consented to the University corresponding with
a named third party);</li>
<li>where the disclosure is in the legitimate
interests of the institution (eg disclosure to staff - personal
information can be disclosed to other University employees if it is clear
that those members of staff require the information to enable them to
perform their jobs);</li>
<li>where the institution is legally obliged to
disclose the data (eg HESA and HESES returns, ethnic minority and
disability monitoring);</li>
<li>where disclosure of data is required for the
performance of a contract (eg informing a student's LEA or sponsor of
course changes/withdrawal etc).</li>
</ol>
<p>The Act permits certain disclosures without consent so long as the
information is requested for one or more of the following purposes:</p>
<ul>
<li>to safeguard national security*;</li>
<li>prevention or detection of crime including the apprehension or prosecution
of offenders*;</li>
<li>assessment or collection of tax duty*;</li>
<li>discharge of regulatory functions (includes health, safety and welfare of
persons at work)*;</li>
<li>to prevent serious harm to a third party;</li>
<li>to protect the vital interests of the individual (this refers to life and
death situations).</li>
</ul>
<p>* Requests must be supported by appropriate paperwork.</p>
<p>When members of staff receive enquiries as to whether a named individual is a
member of the University, the enquirer should be asked why the information is
required. If consent for disclosure has not been given and the reason is not one
detailed above (ie consent not required), the member of staff should decline to
comment. Even confirming whether or not an individual is a member of the
University may constitute an unauthorised disclosure.</p>
<p>Unless consent has been obtained from the data subject, information should
not be disclosed over the telephone. Instead, the enquirer should be asked to
provide documentary evidence to support their request. Ideally a statement from
the data subject consenting to disclosure to the third party should accompany
the request.</p>
<p>As an alternative to disclosing personal data, the University may offer to do
one of the following:</p>
<ul>
<li>pass a message to the data subject asking them to contact the enquirer;</li>
<li>accept a sealed envelope/incoming email message and attempt to forward it
to the data subject.</li>
</ul>
<p>Please remember to inform the enquirer that such action will be taken
conditionally: ie "if the person is a member of the University" to
avoid confirming their membership of, their presence in or their absence from
the institution.</p>
<p>Further information regarding the disclosure of personal information can be
found in Appendices V (<a href="../disclosure/index.htm">student information</a>) and VI
(<a href="../telephone/index.htm">telephone protocol</a>).</p>
<p>If in doubt, staff should seek advice from their Head of Department/Section
or the University Data Protection Officer.</p>
<h2><br />
<a name="sec12"></a>Section 12: Retention
and Disposal of Data</h2>
<p>The University discourages the retention of personal data for longer than
they are required. Considerable amounts of data are collected on current staff
and students. However, once a member of staff or student has left the
institution, it will not be necessary to retain all the information held on
them. Some data will be kept for longer periods than others.</p>
<h3>Students</h3>
<p>In general, electronic student records containing information about
individual students are kept indefinitely and information would typically
include name and address on entry and completion, programmes taken, examination
results, awards obtained.</p>
<p>Departments should regularly review the personal files of individual students
in accordance with the University's Records Retention Schedule (<a href="../recret/index.htm">Appendix
VII</a>).</p>
<h3>Staff</h3>
<p>In general, electronic staff records containing information about individual
members of staff are kept indefinitely and information would typically include
name and address, positions held, leaving salary. Other information relating to
individual members of staff will be kept by the Personnel Department for 6 years
from the end of employment. Information relating to Income Tax, Statutory
Maternity Pay etc will be retained for the statutory time period (between 3 and
6 years).</p>
<p>Departments should regularly review the personal files of individual staff
members in accordance with the University's Records Retention Schedule (<a href="../recret/index.htm">Appendix
VII</a>).</p>
<p>Information relating to unsuccessful applicants in connection with
recruitment to a post must be kept for 12 months from the interview date.
Personnel may keep a record of names of individuals that have applied for, been
short-listed for, or been interviewed for posts indefinitely. This is to aid management
of the recruitment process.</p>
<h3>Disposal of Records</h3>
<p>Personal data must be disposed of in a way that protects the rights and
privacy of data subjects (eg, shredding, disposal as confidential waste, secure
electronic deletion).</p>
<h2><br />
<a name="sec13"></a>Section 13: Publication
of University Information</h2>
<p>All members of the University should note that the University publishes a
number of items that include personal data, and will continue to do so. These
personal data are:</p>
<ul>
<li><span style="word-spacing: 0; line-height: 100%; margin-right: 0; margin-bottom: 0">Information
published in the University Calendar including:</span>
<ul>
<li><span style="margin-top: 0">names of all members of University Committees
(including Court, Council and Senate).</span></li>
<li>Names, job titles and academic
and/or professional qualifications of members of staff.</li>
<li>Awards and Honours (including
Honorary Graduands, Emeritus Professors, Sir Robert Martin Prizewinners).</li>
</ul>
</li>
<li>Internal Telephone Directory.</li>
<li>Student pass lists including grades.</li>
<li>Graduation programmes and videos or other multimedia versions of
graduation ceremonies.</li>
<li>Information in prospectuses (including photographs), annual reports,
staff newsletters, etc.</li>
<li>Staff information on the University website (including photographs). </li>
</ul>
<p>It is recognised that there might be occasions when a member of staff, a
student, or a lay member of the University, requests that their personal details
in some of these categories remain confidential or are restricted to internal
access. All individuals should be offered an opportunity to opt out of the
publication of the above (and other) data. In such instances, the University
should comply with the request and ensure that appropriate action is taken.</p>
<h2><br />
<a name="sec14"></a>Section 14: Direct
Marketing</h2>
<p>Any department or section that uses personal data for direct marketing
purposes must inform data subjects of this at the time of collection of the
data. Individuals must be provided with the opportunity to object to the use of
their data for direct marketing purposes (eg an opt-out box on a form).</p>
<h2><br />
<a name="sec15"></a>Section 15: Use
of CCTV</h2>
<p>The University's use of CCTV is regulated by a separate Code of Practice.</p>
<p>For reasons of personal security and to protect University premises and the
property of staff and students, closed-circuit television cameras are in
operation in certain campus locations. The presence of these cameras may not be
obvious. This policy determines that personal data obtained during monitoring
will be processed as follows:</p>
<ul>
<li>any monitoring will be carried out only by a limited number of specified
staff;</li>
<li>the recordings will be accessed only by the Security Manager, the Deputy
Security Manager, Security Supervisors and Security Control Room Operators;</li>
<li>personal data obtained during monitoring will be destroyed as soon as
possible after any investigation is complete;</li>
<li>staff involved in monitoring will maintain confidentiality in respect of
personal data.</li>
</ul>
<h2><br />
<a name="sec16"></a>Section 16: Academic
Research</h2>
<p>Personal data collected only for the purposes of academic research (including
the work of staff and students) must be processed in compliance with the Data
Protection Act 1998.</p>
<p>Researchers should note that personal data processed ONLY for research
purposes receive certain exemptions (detailed below) from the Data Protection
Act 1998 IF:</p>
<ol>
<li>the data are not processed to support measures or decisions with respect
to particular individuals AND</li>
<li>data subjects are not caused substantial harm or distress by the
processing of the data.</li>
</ol>
<p>If the above conditions are met, the following exemptions may be applied to
data processed for research purposes only:</p>
<ul>
<li>personal data can be processed for purposes other than that for which they
were originally obtained (exemption from Principle 2);</li>
<li>personal data can be held indefinitely (exemption from Principle 5);</li>
<li>personal data are exempt from data subject access rights where the data
are processed for research purposes and the results are anonymised
(exemption from part of Principle 6 relating to access to personal data).</li>
</ul>
<p>Other than these three exemptions, the Data Protection Act applies in full.
The obligations to obtain consent before using data, to collect only necessary
and accurate data, and to hold data securely and confidentially must all still
be complied with.</p>
<h3>Notes to Researchers</h3>
<ul>
<li>a) Whilst the Act states that research may
legitimately involve processing of personal data beyond the originally
stated purposes (eg longitudinal studies), the University hopes that,
wherever possible, researchers will contact participants if it is intended
to use data for purposes other than that for which they were originally
collected.</li>
<li>b) Although the Act allows personal data processed
only for research purposes to be kept indefinitely, researchers are asked
to refer to the Ethical Advisory Committee's guidelines on <a href="http://www.lboro.ac.uk/admin/committees/ethical/gn/dcas.htm">Data
Collection and Storage</a>.</li>
</ul>
<p>For those departments which gather sensitive personal data (as defined by the
Act, see Section 3 on <a href="#sec3">Definitions</a>),
extra care should be taken to ensure that explicit consent is gained and that
data are held securely and confidentially so as to avoid unlawful disclosure.</p>
<h3>Publication</h3>
<p>Researchers should ensure that the results of the research are anonymised
when published and that no information is published that would allow individuals
to be identified. Results of the research can be published on the web or
otherwise sent outside the European Economic Area but if this includes any
personal data, the specific consent of the data subject must, wherever possible,
be obtained.</p>
<h2><br />
<a name="sec17"></a>Section 17: Appendices</h2>
<p>More detailed guidance on the following issues has been
published by the University:</p>
<ul>
<li><a href="http://www.lboro.ac.uk/admin/ar/policy/dpact/proc-sar.htm">Subject
Access Request Procedure</a>
<ul>
<li><a href="../sareq/index.htm">I: Handling Subject Access Requests</a></li>
<li><a href="../rmac/index.htm">II: Student Records Management in Academic Departments</a></li>
<li><a href="../rmsserv/index.htm">III: Student Records Management in Support Service Sections</a></li>
<li><a href="../rmstaff/index.htm">IV: Staff Records Management</a></li>
<li><a href="../disclosure/index.htm">V: Disclosure of Student Information</a></li>
<li><a href="../telephone/index.htm">VI: Telephone Protocol for the Disclosure of Personal Information</a></li>
<li><a href="../recret/index.htm">VII: Records Retention Schedule</a></li>
<li><a href="../ea/index.htm">VIII: Examinations and Assessment</a></li>
<li><a href="../refs/index.htm">IX: References</a></li>
<li><a href="../photos/index.htm">X: Photographs to be used in Publicity/Promotional Material</a></li>
</ul>
</li>
</ul>
<h2><br />
<a name="sec18"></a>Section 18: Further Information</h2>
<p>Useful web addresses:</p>
<ul>
<li><a href="http://www.dataprotection.gov.uk/">Information
Commissioner's Webpage</a></li>
<li><a href="http://www.jisc.ac.uk/index.cfm?name=pub_smbp_dpa1998">JISC
Senior Management Briefing Paper</a></li>
<li><a href="http://www.dpa.lancs.ac.uk/">Lancaster
University Data Protection Project</a></li>
<li><a href="http://www.dataprotection.gov.uk/seminars/Home.htm">On-Line
Data Protection Seminars</a> (Information
Commissioner's Office)</li>
<li><a href="http://www.hesa.ac.uk/dataprot/HEI_DPguidance.htm">HESA
Data Protection</a></li>
<li><a href="http://www.lboro.ac.uk/admin/committees/ethical/">Ethical
Advisory Committee</a> (Loughborough University)</li>
</ul>
<p>For further guidance or advice on the Data Protection Act, please contact the
Data Protection Officer by email at <a href="mailto:[email protected]">[email protected]</a>,
Academic Registry, Loughborough University, telephone 01509 222468.</p>
<!-- InstanceEndEditable -->
</div>
<!-- CONTENT ends -->
</div>
<!-- MAIN ends -->
<!-- FOOTER starts -->
<div id="foot">
<p>© Copyright Loughborough University | <a href="http://www.lboro.ac.uk/disclaimer.htm">Legal Information</a></p>
</div><!--FOOTER ends -->
</div>
<!-- CONTAINER ends -->
</body>
<!-- BODY ends -->
<!-- InstanceEnd --></html>