Data Protection Policy: Overview of the Data Protection Act 1998
The Data Protection Act 1998 commenced on 1 March 2000, with most of its provisions being effective from 24 October 2001. It replaced and broadened the Data Protection Act 1984. The purpose of the Act is to protect the rights and privacy of individuals, and to ensure that data about them are not processed without their knowledge and are processed with their consent wherever possible. The Act covers personal data relating to living individuals, and defines a category of sensitive personal data which are subject to more stringent conditions on their processing than other personal data.
The Data Protection Act covers data held in electronic formats, and also applies to manual data which are held in what the Act calls a relevant filing system. While this might appear to limit the categories of non-electronic data to which the Act applies, the definitions of personal data in the Data Protection Act have been broadened by the Freedom of Information Act 2000 in respect of public authorities like SOAS to which the Freedom of Information Act applies. The main effect of this is that since 1 January 2005 (when the Freedom of Information Act came into force), unstructured personal information held by SOAS in manual form - i.e. not in a relevant filing system - is covered by the Data Protection Act, except for unstructured data relating to appointments, removals, pay, discipline and other personnel matters, which remain outside the scope of the Act.
It should therefore be assumed, as a general rule, that any personal data relating to an identifiable living individual which are held by SOAS in any form are covered by the Data Protection Act. However, unstructured manual data are exempt from many aspects of the Act, including the first, second, third, fifth, seventh and eighth Data Protection Principles, and from the sixth Data Protection Principle except in regard to the rights of data subjects to have access to their data and to require the rectification, blocking, erasure or destruction of inaccurate data. Further information about the Data Protection Principles is provided below.
SOAS is a data controller in respect of the data for which it is responsible. This means that SOAS is responsible under the Data Protection Act for decisions in regard to the processing of personal data, including the decisions and actions of external data processors acting on SOAS's behalf. The Data Protection Act requires that processing should be carried out according to eight Data Protection Principles. These are outlined below, together with SOAS's commitments to upholding these principles:
(1) Personal data shall be processed fairly and lawfully.
SOAS will ensure that data are obtained fairly, and will make reasonable efforts to ensure that data subjects are told who the data controller is, what the data will be used for, for how long the data will be kept and any third parties to whom the data will be disclosed. In order for processing to be fair and lawful, data which are not sensitive personal data will only be processed by SOAS if at least one of the following conditions, set down in the Data Protection Act, has been met:
- The data subject has given his/her consent to the processing.
- The processing is necessary for the performance of a contract with the data subject, or for taking steps with a view towards entering into a contract.
- The processing is required under a legal obligation other than a contract.
- The processing is necessary to protect the vital interests of the data subject.
- The processing is necessary for the administration of justice, the exercise of functions under an enactment, the exercise of functions of the Crown or a government department, or any other functions of a public nature exercised in the public interest.
- The processing is necessary to pursue the legitimate interests of SOAS or of third parties, and does not prejudice the rights, freedoms or legitimate interests of the data subject.
Processing of sensitive personal data is subject to more stringent restrictions under the Data Protection Act. Processing of sensitive personal data will only be carried out by SOAS if at least one of the above conditions, applicable to non-sensitive data, has been met. In addition, at least one of the following conditions, set down in the Data Protection legislation, must also be met:
- The data subject has given his/her explicit consent.
- The processing is required by law in connection with employment.
- The processing is necessary to protect the vital interests of the data subject or another person.
- The information has been made public by the data subject.
- The processing is necessary for legal proceedings, obtaining legal advice, or establishing or defending legal rights.
- The processing is required for the administration of justice, the exercise of functions under an enactment, or the exercise of functions of the Crown or a government department.
- The processing is necessary for medical purposes, and is carried out by a health professional or a person with an equivalent duty of confidentiality.
- The processing is necessary to monitor equality of opportunity between people of different racial or ethnic backgrounds, different religious beliefs, or different states of physical or mental health or different physical or mental conditions.
- The processing is in the substantial public interest, and is necessary for preventing or detecting any unlawful act or failure to act.
- The processing is in the substantial public interest, and is necessary for the protection of the public against dishonesty, malpractice, unfitness, incompetence, seriously improper conduct, mismanagement in the administration of services or failure in services.
- The processing is in the substantial public interest, and involves the publication of information relating to the preceding condition (the protection of the public against dishonesty, malpractice and similar conduct) or publication for the purposes of journalism, literature or art.
- The processing is in the substantial public interest, and is necessary for the functions of a counselling service.
- The processing is in the substantial public interest, and is necessary for research purposes; provided that the processing will not support measures or decisions with regard to individuals, and will not cause substantial damage or distress to the data subject or any other person.
This list omits some conditions relating to the processing of sensitive personal data which are unlikely to be relevant to SOAS.
Data relating to the disabilities of students, staff and other individuals are sensitive personal data under the Data Protection Act. Such data must be processed in accordance with SOAS's Disability Policy.
(2) Personal data shall be obtained only for a specified and lawful purpose or purposes, and shall not be further processed in any manner incompatible with that purpose or purposes.
SOAS will ensure that data which are obtained for a specified purpose are not used for a different purpose, unless that use is done with the consent of the data subject, is covered by SOAS's registration with the Information Commissioner, or is otherwise permitted under the Data Protection Act.
(3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
SOAS will not collect personal data which are not strictly necessary for the purpose or purposes for which they were obtained.
(4) Personal data shall be accurate and, where necessary, kept up to date.
SOAS will take reasonable steps to ensure the accuracy of personal data which it holds, and will take steps to correct inaccurate data when requested to do so by a data subject.
(5) Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
SOAS will ensure that personal data are not kept for longer than is required by the purpose or purposes for which the data were gathered. SOAS may retain certain data indefinitely for research purposes (including historical or statistical purposes), as permitted under the Data Protection Act, subject to the conditions laid down in the Act for this type of processing (see Use of personal data in research).
(6) Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act.
SOAS will ensure that personal data are processed in accordance with the rights of data subjects under the Data Protection Act. These rights include the right to:
- Make subject access requests (see Access to data) to find out what information is held about them, the purposes for which it will be used, and to whom it has been disclosed.
- Prevent the processing of data which is likely to cause them substantial damage or substantial distress.
- Prevent processing for the purposes of direct marketing.
- Be informed about automated decision making processes that affect them.
- Prevent significant decisions that affect them from being made solely by automated processes.
- Sue for compensation if they suffer damage through contravention of the Act.
- Take action to require the rectification, blocking, erasure or destruction of inaccurate data.
- Request an assessment by the Information Commissioner of the legality of any processing that is occurring.
(7) Appropriate technical and organisational measures shall be taken to prevent the unauthorised or unlawful processing of personal data and the accidental loss or destruction of, or damage to, personal data.
SOAS will take steps to ensure the security of personal data which are held electronically and in manual form, to prevent the unauthorised disclosure of data to third parties, and loss or damage to data that may affect the interests of data subjects. SOAS will also ensure that data processors provide an appropriate level of security for the personal data which they are processing on SOAS's behalf (see Security of data).
(8) Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
SOAS will not transfer data outside the European Economic Area unless the transfer would be permitted under the Data Protection Act (see Transferring data outside the EEA).
The Data Protection Act requires bodies which record and use personal information to register with the Information Commissioner. SOAS's registration details are included in the Register of Data Controllers which is available on the website of the Information Commissioner. It records the purposes for which SOAS gathers personal data, the types of data subjects covered by each purpose, the classes of data gathered, recipients to whom the data will be disclosed, and countries or territories to which the data may be transferred. Any use by SOAS of personal data must be in accordance with the terms of SOAS's registration.
Information about how SOAS processes data relating to its students is contained in the Student Data Protection Statement. This explains to students what data the School collects about them; how their information will be used by SOAS while they are a student and after they cease to be a student; what external agencies may receive their data; and what their rights and responsibilities are in regard to their data. The Statement expands on the more general information about the processing of personal data which is contained in this Policy.
Further information about the Data Protection Act is available on the website of the Information Commissioner. Members of SOAS may also wish to consult the Data Protection Code of Practice for the HE and FE Sectors which has been prepared by the Joint Information Systems Committee (JISC), and the Data Protection resources published by the JISC Legal Information Service.
Last updated December 2007