Staff Guidelines for Data Protection

  1. The 1998 Data Protection Act covers any collection of data from which an individual may be identified. Under the 1998 Act, "processing" such data means performing almost any action upon it: storing, amending, ordering, erasing, and so on. A designated officer is responsible for ensuring that the University fulfils its obligations under the 1998 Act, and for implementing the University Data Protection Policy.
  2. All staff process data about students on a regular basis: when marking registers, writing reports or references, or as parts of pastoral or academic supervisory roles. BSU will ensure through registration procedures that all students give consent to this sort of processing, and are notified of the categories of processing, as required by the 1998 Act. The information that staff deal with on a day-to-day basis will be "standard" and will cover categories such as:
    1. general personal details like name and address
    2. details about class attendance, course work marks and grades and associated comments
    3. notes of personal supervision, including matters about behaviour and discipline.
  3. Information about a student's physical or mental health, sexual life, political or religious views, trade union membership, ethnicity or race is "sensitive" and can only be collected and processed with the student's express consent. (E.g. recording information about dietary needs, for religious or health reasons prior to taking students on a field trip; recording information that a student is pregnant, as part of pastoral duties.) If staff need to process such information, they must ensure that consent has been obtained using the Consent to Process form.
  4. Staff have a duty to make sure that they comply with the data protection principles, which are set out in the Data Protection Policy. In particular, staff must ensure that records are accurate, up-to-date, fair and kept and disposed of safely, in accordance with BSU policy.
  5. BSU has designated some staff as "Data Owners". Data Owners may authorise staff in certain areas to hold or process data that is sensitive, or not standard. Staff who are not so authorised may only process sensitive or non-standard data when they are satisfied that the processing of the data is necessary:
    1. in the best interests of the student or staff member, or a third person, or BSU; and if:
    2. they have either informed the authorised person, or have been unable to do so and processing is urgent and necessary. (This should only happen in very limited circumstances: e.g. a student is injured and unconscious, but in need of medical attention, and a tutor tells the hospital that the student is pregnant.)
  6. Staff must not disclose personal data to any student, unless for normal academic or pastoral purposes, without authorisation or agreement from the Data Owner, or the Data Protection Officer. Staff shall not disclose personal data to any other staff member except with the authorisation or agreement of the relevant Data Owner, or the Data Protection Officer.
  7. Before processing any personal data, staff should consider the following checklist.
    1. Do you really need to record the information?
    2. Is the information "standard" or is it "sensitive"?
    3. If it is sensitive, do you have the data subject's express consent?
    4. Has the student been told that this type of data will be processed? Are you authorised to collect/store/process the data?
    5. If yes, have you checked with the data subject that the data is accurate? Are you sure that the data is secure?
    6. If you do not have the data subject's consent to process, are you satisfied that it is in the best interests of the student or the staff member to collect and retain the data?
    7. Have you reported the fact of data collection to the authorised person within the required time?