Data protection policy

Policy overview

The University of Essex is committed to full compliance with the Data Protection Act 1998 [“the Act”] and recognises in full the rights and obligations established by the Act in relation to the management and processing of personal data. This policy sets out what the University does in practice to meet its data protection obligations.

Data Protection Act responsibility

In accordance with the University’s standard records management practice, the Governance Office is responsible for the general development and promotion of, and adherence to, this policy, although ultimate responsibility for compliance lies with each Head of Department[1].

Using information and guidance provided by the Governance Office, all University staff who are likely to process personal data in any way are expected to:

  • understand and adhere to the eight Data Protection Principles set out in the Act;
  • read, understand and manage personal data in accordance with the staff and student data protection “collection notices”, which set out the purposes for collecting an individual’s personal information, how it is used while in the University’s possession, and the process for retaining the information;
  • manage all records in accordance with the relevant records retention schedule to ensure personal information is not retained longer than necessary; and
  • dispose of and/or destroy confidentially where necessary those records that have reached the end of their retention period.

Each Department also nominates an individual to join the Records Management Network. As part of this Network, the individual is responsible for liaising with the Information Manager on all matters relating to the Act. Where necessary, the nominee reports directly to the Head of Department on data protection issues.

The University has no responsibility for the management of personal data processed by the University of Essex Students’ Union (SU), which has sole responsibility for its own compliance with the Act. The SU provides a separate notification to the Information Commissioner and is responsible for responding to requests for access to information in its possession. Separate policies are published that cover information sharing between the University and the SU, and interaction in relation to non-academic disciplinary activity.

University compliance with the Data Protection Principles

The University is committed to the eight Data Protection Principles set out in the Act. Specific procedures, processes and mechanisms are in place to ensure that the management of personal data adheres to these principles.

The Information Manager provides a central and focal point for promoting good management of personal data and for upholding the rights established in the Act. The Governance Office publishes online information about the Act and its provisions, including an online Data Protection Act Good Practice Guidance. All online information is published via designated data protection webpages.

Staff and students are provided with a collection notice when they commence employment or register as a student (also published online), which sets out the purposes for collecting an individual’s personal information, how it is used while in the University’s possession, and the process for retaining the information. Personal data are only ever processed in accordance with this statement.

Subject Access Requests are managed in accordance with specified and established procedures. The procedures are published online.

The Governance Office establishes, implements and monitors adherence to records management policies, procedures and accompanying retention schedules to ensure personal data are not retained longer than necessary.

In order to prevent unauthorised processing, or accidental loss, damage or destruction, records that hold personal data are stored in locked filing cabinets, access to University drives, applications and servers is managed by password only, and the University operates strict Electronic Information Security and Records Disposal Policies.

Annual notification

The Information Manager is responsible for submitting the annual notification to the Office of the Information Commissioner. There are three separate notifications, covering:

  • University of Essex;
  • University of Essex Commercial Services Limited;
  • University of Essex Pension Scheme.

The notification process confirms that the University is processing personal data and describes in general terms the categories of data being held. Hard copies of the University’s notifications are held in the Albert Sloman Library.

Subject access requests

The University recognises the right of all Data Subjects to access information held about them by the University and has an established procedure for responding to requests for access to such information. Data Subjects (or their nominee) are asked to submit a written request to the Information Manager. It is usually University policy to make a charge of £10 for each Subject Access Request made under the Act. The University aims to comply with requests for access to personal information as quickly as possible, and ensures that information is provided within the statutory 40-day limit unless there is good reason for delay.

The University reserves the right not to release any information, and the 40-day deadline period does not commence, until the University has received payment, the University has received adequate information to identify the individual requesting the information, and the University is satisfied that the request is a genuine request made by or with the knowledge and consent of the Data Subject.

Data Subjects are always informed about the progress of their request, including any decision not to release any data or any reason(s) for delaying a response.

Complaints procedure

The University has in place a specific complaints procedure to ensure individuals concerned about any aspect of the management of personal data at the University are able to raise their concerns in a fair and equal way. This complaints procedure is published online and/or available from the Records Management Office upon request.

Data protection awareness

The Records Management Office is responsible for ensuring that adequate and appropriate knowledge of the Act and the University’s legal obligations is available across the University. The means for performing this function include the Records Management webpages, ad hoc training sessions to relevant groups, the new staff induction programme, ad hoc individual advice as appropriate, and the Records Management Network.

Records Management Network

The Records Management Network is made up of representatives from all parts of the University. Through the Network, each part of the University is able to raise relevant data protection issues with the Governance Office, and the Information Manager is provided with a tool to enable communication as appropriate and the means to measure data protection compliance across the University.

The Network’s specific terms of reference are:

  1. To raise the profile and understanding of effective records management throughout the University and to ensure that good practice is adopted;
  2. To ensure University-wide compliance with key pieces of legislation, such as the Data Protection Act 1998 and the Freedom of Information Act 2000; and
  3. To ensure effective implementation of and adherence to the University’s records management policies in all parts of the University.

Policy review

In accordance with the University’s standard records management practice, the policy is reviewed every three years to ensure it meets effectively the University’s operational and legal requirements.

Policy Agreed: Spring 2005
Policy Effective from: October 2005
Policy due for renewal: Spring 2008

[1] In this context, “Department” is defined in the widest sense and encompasses administrative sections, major centres and other significant units in the University.
