Ten rules for data protection compliance

Wherever possible obtain consent before acquiring, holding or using personal data. Any Staffordshire University forms, whether paper or web-based, which are designed to gather personal data should contain a statement explaining what the information is to be used for and who it may be disclosed to.

Be particularly careful with sensitive personal data (i.e. information relating to race, political opinion, physical or mental health, religious belief, trade union membership, sexuality, criminal offences etc). Such information should only be held and used where strictly necessary. Always obtain the consent of the individual concerned and notify them of there likely use(s) of such data.

Wherever possible be open with individuals concerning the information being held about them. When preparing reports or appending notes to official documents, bear in mind that individuals have the right to see all personal data and could therefore read any 'informal' comments made about them. Also be aware that this includes e-mails containing personal data and so the same caution should be used when sending e-mails.

Only create and retain personal data where absolutely necessary. Securely dispose of or delete any personal data which is out of date, irrelevant or no longer required. Hold regular reviews of files and discard unnecessary or obsolete data systematically.

When discarding paper records that contain personal data treat them confidentially (i.e. shred such files rather than disposing of them as waste paper). Similarly any unnecessary or out-of-date electronic records should be deleted. University computers should not be given away or sold unless Information Services have ensured that all information stored on it has been removed or deleted.

Keep all personal data up to date and accurate. Note any changes of address and other amendments. If there is any doubt about the accuracy of personal data then it should not be used.

Keep all personal data as securely as possible (e.g. in lockable filing cabinets or in rooms that can be locked when unoccupied). Do not leave records containing personal data unattended in offices or areas accessible to the members of the public. Ensure that personal data is not displayed on computers screens visible to passers-by. Be aware that these security considerations also apply to records taken away from the University e.g. for work at home or for an external meeting. Also bear in mind that e-mail is not necessarily confidential or secure so should not be used for potentially sensitive communications.

Never reveal personal data to third parties without the consent of the individual concerned or other reasonable justification. This includes parents, guardians, relatives and friends of the data subject who have no right to access information without the data subject's consent. Personal data can only be legitimately disclosed to third parties for purposes connected with a student's studies and to meet statutory requirements (e.g. to HEFCE, LEAs, Council Tax Offices and Research Councils) but only where we are satisfied to the enquirers' identity and the legitimacy of the request.

Requests for personal information are received from time to time from organisations such as the police and the inland revenue. The University endeavours to co-operate with these organisations but steps should first be taken to ensure that requests are genuine and legitimate.

Always obtain consent from the individual’s concerned before placing information about them on the Internet (apart from basic office contact details) and before sending any personal data outside the European Union, Iceland, Lichtenstein or Norway.

Be aware that if you are using a third party data processor e.g. for bulk mailings or database management and are giving them access to personal data, then you must have a written contract in place with them to ensure that they treat such information confidentially, securely and in compliance with the Data Protection Act 1998.