Data Protection


The purpose of the Act is to protect the rights of the individual about whom data is obtained, stored, processed or supplied rather than those of the people or organisations who control and use personal data. The Act applies to both computerised and paper records.

The Act requires that appropriate security measures will be taken against unauthorised access to, or alteration, disclosure or destruction of personal data and against accidental loss or destruction of personal data.


The 1998 Act applies to:

  • Computerised personal data
  • Personal data held in structured manual files
  • It applies to anything at all done to personal data ("processing"), including collection, use, disclosure, destruction and merely holding data.

Principles of Data Protection

The Act is based on eight principles stating that data must be:

  1. Fairly and lawfully processed
  2. Processed for limited purposes
  3. Adequate, relevant and not excessive
  4. Accurate
  5. Not kept longer than necessary
  6. Processed in accordance with the data subjects rights
  7. Secure
  8. Not transferred to other countries without adequate protection

How does it affect me?

Employees can also be prosecuted for unlawful action under the legislation. Fines of up to £5000 could result if you use or disclose information about other people without their consent or proper authorisation. You could even be committing an offence if you give information to another employee or student who does not need the details to carry out their legitimate duties. You should take particular care when using the Internet, e-mail and the internal network. Special care must be taken with sensitive data such as ethnic origins, religious/political beliefs, health data, disabilities, details of offences or alleged offences, sexual life or trade union membership.

Individual Responsibilities

All staff and students have a duty to observe the Principles of the Act. Individuals who do not handle data as part of their normal work have a responsibility to ensure that any personal data they see or hear goes no further. This includes personal data and information extracted from such data, thus, for example, unauthorised disclosure of data might occur by passing information over the telephone, communicating information contained on a computer print-out or even inadvertently by reading a computer screen.

General Guidelines

  • Do not leave people's information on your desk when it is not in use,
  • Lock all filing cabinets,
  • Do not leave data displayed on screen, do not leave your computer logged on and unattended,
  • Do not give your password to anyone under any circumstances,
  • Do not choose a password that's easy to guess,
  • Never send anything by fax or e-mail that you wouldn't put on the back of a postcard.