The university's data protection pages should be regarded as the authoritative source of information regarding data protection issues.
Things to remember
- Data protection legislation is relevant to both paper and electronic data.
- Legally sensitive information requires specific consent: Physical/mental health, religion, race, information about sex life, political opinions, criminal convictions, alleged criminal acts, trade union membership.
- A good rule of thumb: Security should be appropriate to the degree of harm caused by misuse of the data. Misuse (eg. leaking) of health data could cause much more harm, usually, than, for example, publication of exam results. Any leakage could get the university sued and have serious consequences for the staff involved. Data such as HIV information would be particularly sensitive because it is likely also to be covered by disability legislation (being something that affects life in a major way, for more than 1 year and possibly being terminal).
- Security is only as good as you make it: If you do not logout (or lock) your computer when you leave it then it is not password protected and thus not secured. If you leave your office door unlocked then paper files and logged in computers are not secured. It is also questionable whether files are secured if they are located in a folder on your computer, or file server, that others also have access to.
- A hacked computer is not a secured computer: Keep virus scanners up to date and always apply security fixes to your computers, especially where they hold information concerning individuals.
Frequently Asked Questions
These are for the department and are distinct from those for the university. Answers are provided by Clare Coyne, Information Rights Manager, University Secretary's Office.
|Staff wish to keep a list of names and homework marks (including information that work was not handed in on certain weeks) for the students attending their courses. Can they do this?|
|Yes, this is not sensitive.|
|Can they keep this record on their desktop computer which is password protected?|
|Can they keep this record on paper?|
|Yes, provided it is secure.|
|Do they need the express permission of the students to do this?|
|No, we have this in the registration agreement and the rules and regulations for students.|
|Might they record that a student did not hand in work in a given week because the student was ill?|
|This is sensitive, and would require consent, or at least the retention of, say, an email or sicknote provided by the student disclosing sickness. They could record that the work was not handed in because of sickness, but anything more specific should be held centrally and securely by the Department on a server not a hard disk. Permission and appropriate (significant) security would be essential.|
|Or did not hand in work because the student was ill with, for example, HIV?|
|This is sensitive and would require specific consent and should only be recorded in detail if it is relevant and appropriate.|
|Do they need express permission?|
|Yes. We have an official departmental database that stores medical and other sensitive information but this is used on a strict "need to know" basis and the information is highly protected and kept extremely secure. However, the issue is what may the individual lecturer store in their office or computer that is "outside" of the official system. It is very bad practice to duplicate health records. It should be held on a secure server in one place, not on various desktops. The department procedure seems sensible - anything else would probably be excessive retention of information and therefore a potential breach of the act. I would have concerns if health information was used in this way.|
|If we obtain a request from a student (through University Secretary's Office) for an official request for information would we need produce information in the official database only or all information on that student held by any member of staff or postgraduate student who interacts with the student?|
|All of it.|
|For how long can information be retained?|
|The law says 'for no longer than is necessary for the purpose'. I have set up working groups to discuss this and establish a retention schedule.|