Data Protection Policy: Gathering Data
Any gathering of personal data by members of SOAS must be in accordance with SOAS's registration with the Information Commissioner (see Data Protection Act Overview). Staff should check the Register of Data Controllers on the Commissioner's website (or consult with the Information Compliance Manager) before introducing any new form of data gathering or making changes to existing methods of data gathering. If it appears that the collection of the data would not be covered by SOAS's existing registration, the Information Compliance Manager must be informed before the changes are implemented, so that SOAS's register entry can be updated (see Data Protection Contacts).
While it is not always necessary to have the consent of the data subject in order for the processing of data to be fair and lawful, it is advisable to seek consent wherever possible, particularly in regard to sensitive personal data, where explicit consent should normally be obtained (see the discussion of the first Data Protection Principle in Data Protection Act Overview). SOAS also has a general obligation under the first Data Protection Principle to ensure that data subjects are provided with information about how their data will be used by SOAS, unless doing so would involve disproportionate effort. To meet these requirements, paper and electronic forms (including web-based forms) created by SOAS which gather personal data should always include a fair processing notice.
It is recommended that fair processing notices used on SOAS forms should explain:
- Why the data needs to be gathered and how the data will be used [essential].
- The parts of SOAS that will use the data [desirable].
- Any third parties outside SOAS to whom the data will be disclosed or transferred [essential].
- How long the data will be kept [desirable].
- The fact that completion of the form will be taken as consent by the data subject to the use of the data as outlined [essential].
- How the data subject can exercise his/her rights under the Data Protection Act (e.g. by linking to SOAS's Data Protection web pages or by providing contact details for SOAS's Information Compliance Manager) [desirable].
To avoid infringement of the third Data Protection Principle, forms and other methods of data collection should not gather more data than are necessary for the task at hand. Staff who are responsible for the design of forms should ensure that there is a clear business need for each data item requested. Otherwise, the form should be amended to remove the data item.
Data subjects have the right to prevent the processing of their data for direct marketing purposes (e.g. promotional mailshots). If personal data gathered via a form is to be used for direct marketing, the form must also include:
- A statement explaining how the data will be used for direct marketing.
- Information on how the data subject can opt out of the use of the data for that purpose (e.g. by ticking a box).
Where direct marketing is involved, the form should indicate that it is assumed that the data subject consents to the use of the data for direct marketing purposes unless he/she specifies otherwise.
Information about visitors to a website gathered through cookies, web bugs and other devices will become personal data if the data is linked to personal details of the user, such as name and address details submitted through an online form. SOAS websites which use cookies, web bugs and other tracking devices in this way should include a privacy statement explaining:
- Which data will be collected in this way.
- Which parts of SOAS will use the data.
- How the data will be used.
- How long the data will be kept.
- How users can disable cookies, web bugs and other devices if they wish to do so.
For further information on cookies and web bugs, see the SOAS website's Privacy Policy.
Last updated December 2007
