Data Protection

London Higher’s data protection policy can be downloaded here in PDF form. The policy is also set out below.

Data Protection Policy

The Data Protection Act 1998 came in to force in March 2000 and superseded the Data Protection Act 1984. The Data Protection Act (DPA) sets out eight principles for processing personal data and provides individuals with rights including access to personal information held on computer and paper records.

An individual or organisation can contact the Information Commissioner’s Office if they feel information has been denied or not handled according to the eight principles.

In the workplace, the DPA applies to anyone handling or having access to personal information.

1. Scope of the policy
1.1 The DPA applies to electronic and paper records containing personal data relating to living individuals who can be identified from the data.

1.2 This includes any expression of opinion about an individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings.

1.3 London Higher and associated Divisions and work programmes collect a large amount of data, which can be broadly classified into three categories such as 1) staff information (usually sensitive personal data such as staff records, names and contact details); 2) communications data (such as routine information held in electronic databases on for example higher education staff,); and 3) published datasets (such as anonymised higher education statistics and other similar datasets).

2. Responsibilities
2.1 Details of the DPA mean that London Higher must:
• manage and process personal data appropriately
• protect an individual’s right to privacy
• provide an individual with access to all personal information held, unless there are exemptions

2.2 London Higher is required to notify the Information Commissioner of the processing of personal data and for ensuring details are included in a public register. The public register of data controllers is available on the Information Commissioner’s website and can be searched.

2.3 London Higher’s Data Controller is responsible for producing guidance on data protection and compliance with guidance on creation, maintenance, storage and retention of all records which contain personal information.

2.4 Every member of staff that holds information about identifiable living individuals has to comply with data protection and individuals can be liable for breaches of the DPA.

3. Relationship with existing policies
3.1 This policy has been formulated as part of a suite of related documents:
• Data Protection guidance and best practice guidelines
• Records Management policy and Retention Schedule
• Information Management & Security policy
• Freedom of Information policy
• Privacy statement for website

3.2 Compliance with Data Protection, Records Management and other policies will help in compliance with other legislation or regulations including audits and equal opportunities.

4. Guidance
4.1 Guidance on the procedures necessary to comply with this policy is available from the Data Controller. This guidance covers:
• Introduction to Data Protection including Data Protection principles, types of data involved and key concepts
• Best practice guidelines including:
• Use of personal data by employees
• Transfer of personal data to third parties
• Security of personal data
• Use of personal data in research
• Confidential references
• Procedures for dealing with subject access requests

5. Status
Policy Created: 23 November 2009
Policy Approved: 2 December 2009
Policy Under Review: January 2014

This policy will be reviewed every three years.

6. Contact(s)
Data Controller: Dr Michael Reynier
Tel: 020 7391 0689

Data Protection Terminology

Data Protection Controller: Responsible for ensuring policies and procedures comply with the DPA and communicated to staff. Also responsible for registering the organisation’s use of personal data with the Information Commissioner and answering DPA queries.

Data Subject: living individual who is the subject of personal data.

Data User: include employees who are involved in processing personal information.

Processing: any activity with data including collecting, recording or retrieval, or working on the data such as organising, adapting, changing, erasing or destroying it.

Data: recorded information stored electronically or in paper-based filing systems.

Personal Data: information about a living identifiable individual which can be factual (e.g. job appraisal) or an opinion (e.g. manager’s view).

Sensitive Personal Data: includes information about a person’s ethnic origins, political or religious beliefs, sexuality, or criminal convictions. Processing requirements are much stricter than for personal data and usually require written permission from the person concerned.

Examples of data which can be collected, as indicated above

Personal data: Name, Address, Contact details (telephone etc.)

Sensitive personal data:
Racial or ethnic origin
Political opinions
Religious beliefs
Trade union membership
Physical or mental health
Sexual life
Criminal proceedings or convictions

The Eight Principles of the Data Protection Act (DPA)

The DPA principles state personal data must be:

  1. processed fairly and lawfully;
  2. processed for specific purposes and in an appropriate manner;
  3. adequate relevant and not excessive;
  4. accurate and up-to-date;
  5. not kept for longer than necessary;
  6. processes in accordance with the rights of the data subjects;
  7. protected by appropriate security;
  8. not transferred outside the European Economic Area without adequate controls.

Common questions on the DPA and related issues can be found at

Information about the eight principles

Principle 1: Personal data must be processed fairly and lawfully

The data subject must know why their information is being collected, what it will be used for and if it will be shared and by whom. The individual must give permission for the use of the data unless the processing is necessary for legal or contractural reasons.

Principle 2: Personal data must be processed for specific purposes and in an appropriate manner

Data must not be collected unless there is a specific and valid reason. Personal data collected for one reason must not be used for other purposes.

Consent cannot be inferred from silence or failure to respond to a request for consent. Data cannot be disclosed to unauthorised third parties including family members, friends, local authorities, government bodies and the police except under specified exemptions (see Exemptions).

Individuals with details on databases should have provided consent and informed of the purposes of the data collection. A “general” consent notice stating details will be held on a database for certain specified purposes can be used. An individual can refuse to be included. Express consent is required if details are to be used for direct marketing purposes.

Consent can be obtained for any processing by a declaration (or “collection notice”) in the contract of employment. This should also refer to the likely purposes for which the data may be processed. However, explicit consent is required for processing sensitive personal data.

Principle 3: Personal data must be adequate, relevant and not excessive

Information must not be collected just because it may be useful in the future. Avoid abbreviations and personal opinions or comments in any notes referring to an individual’s personal data.

Principle 4: Personal data must be accurate and up-to-date

Individuals have the right to have inaccurate data updated or deleted. Periodic checks should be made to confirm the accuracy of stored data. For staff, annual reminders by management are recommended with a listing of consents and collection notices already provided by an employee. Requests for updates should be maintained in a central record.

Principle 5: Personal data should not be kept for longer than necessary

A retention policy will provide guidance on how long different types of data need to be maintained.

Sensitive personal data should be destroyed at the same time as data on an individual are reduced to a core record.

Staff records should not be kept longer than six years after an employee has left the organisation.

Principle 6: Personal data is processed in accordance with the rights of the data subject

Individuals have a right to prevent processing likely to cause damage or distress and the right to correct, block, erase or destroy inaccurate data or information that contains opinions based on inaccurate data. Individuals have a right to prevent disclosures for direct marketing purposes, unless prior consent has been provided. An individual can prevent a data controller making decisions based solely on automatic processing of personal data, e.g. psychometric test scores.

The right of subject access allows individuals to be given any information held on them. Requests must be made in writing and data controllers are obliged to provide the information and data (including copies) within 40 days of receiving a request and fee (if applicable, depending on the organisation). The 40 day deadline is a legal obligation.

Individuals can claim compensation for damage and distress if any of the conditions of the DPA are broken.

Confidential references are exempted from disclosure requirements. However, the individual has the right to obtain a copy of the reference from the recipient of the reference. Referees must be aware references can be disclosed to the individual concerned. Any person writing a reference should only include statements that he or she would be prepared to say directly to the individual concerned.

Principle 7: Personal data is protected by appropriate security

There should be appropriate safeguards to protect personal data in both computerised and paper formats including a review of security for offices, buildings, desktop and laptop computers, personal digital assistants, corporate mobile phones, portable storage devices, such as USB memory “sticks”, CDs and DVDs.

Personal data, such as expense claims, job application forms or staff appraisals, should not be removed from offices or stored or processed on portable devices including laptops and “smartphones”.

If personal data is sent to third parties then a request must be made that the papers or electronic documents are returned or shredded (papers) or deleted securely (electronic files) when they are no longer required.

If data processing is outsourced, then the organisation must ask for guarantees on security measures and compliance with other DPA principles. Before disposal of computing equipment, any personal data must be removed from the memory and a written record kept for audit purposes.

Principle 8: Personal data is not transferred out of the EEA without adequate controls

Exemptions are provided where the data subject has given prior consent.

In addition, exemptions apply to data processing when it can be justified in the public interest from the police, tax or other authorities. Disclosures can be made on receiving a certificate from the authority indicating the relevant exemption from the DPA.

Exemptions include:

There are also special exemptions that apply to some personal information relating to health, education and social work.

Complaint Form

If you wish to file a complaint against London Higher under the Data Protection Act then please download this Word (*.doc) document and return to the Information Commissioner’s Office (ICO) or contact the ICO directly at:

Customer Services Team
Information Commissioner’s Office
Wycliffe House
Water Lane