Data Protection at the University of Greenwich
Some definitions of terms used in the Data Protection Act:
Data is information recorded electronically; and manual data held in a relevant filing system or structured form. Since the amendments brought in by the Freedom of Information Act 2000 in January 2005, it also now includes unstructured data held in manual form (sometimes referred to as Category e data).
Personal data relates to living individuals who can be identified from it, either by itself or in tandem with other information that might be in the university’s possession. It includes expressions of opinion, and intentions towards the individual.
Personal data could be contact details, date of birth, qualifications, or anything pertaining to an individual. It is something that affects that person’s privacy (whether in their personal / family life, or business / professional capacity) in the sense that the information has the person as its focus or is otherwise biographical in nature, and identifies that person - by itself or with other information.
Incidental mention of an individual’s name does not count as personal data about that person.
The university holds personal data about its staff, its students, and other individuals connected with the university.
Sensitive personal data is the following sort of information:
· Racial or ethnic origin
· Political opinions
· Religious beliefs or beliefs of a similar nature
· Membership of a trade union
· Physical or mental health or condition
· Sexual life
· Commission or alleged commission of an offence
· Proceedings for any offence or alleged offence, or sentence of court
To process data means any of the following: to obtain, record or hold, carry out operations on it, organise, adapt, alter it, retrieve it, disclose it, erase or destroy it.
The Data Subject is a living person who is the subject of the information, and can be identified from it.
The Data Controller is the University with its representative being the Data Protection Officer, who is Lucy Fincham, University Records Manager, email compliance@gre.ac.uk.
Notification
The organisation is required to submit an annual notification to the Information Commissioner describing its processes and purposes. View the university’s notification pages. The university's registration number is Z6638040.
Processing Changes
Where changes in processing at the university occur, the Data Protection Officer must be informed and permission granted so that notification may be changed if necessary. An Information Audit Form should be completed.
Enforcement
If the organisation contravenes any of the Data Protection principles, the Information Commissioner, who oversees the Act, can serve it with an Enforcement Notice.
The Enforcement Notice will require the organisation, within a specified timeframe, to take steps to correct its data, or its processing of data.
If the Information Commissioner has received an enquiry or complaint about the organisation’s compliance, then he may require information from the organisation. He can serve the organisation with an Information Notice, requiring it to provide certain information within a specified timeframe. An appeal can be made to the Information Tribunal against such Notices.
The Information Commissioner can be granted, by Court, powers of entry and inspection to the university.
Some offences under the Act include:
· Processing without notifying, or failure to notify changes.
· Failure to comply with a Notice.
· Unlawful obtaining or disclosing of personal data.
It could be that failure to conform to any aspect of the Act could result in criminal procedures being taken against the university - and this can be any individual employee of the university.
Reviewed 26/07/11