A copy of this policy is available as a pdf
file. This policy was updated in April 2013.
1.1 This policy
applies to all members of the University of Wolverhampton (“the
University”). For the purposes of this policy, the term “Staff”
means all members of University staff including permanent, fixed
term, and temporary staff, governors, secondees, any third party
representatives, agency workers, volunteers, interns, agents and
sponsors engaged with the University in the UK or overseas. This
policy also applies to all members of staff employed by any of the
University’s subsidiary companies.
contractors and agents acting for or on behalf of the University
should be made aware of this policy.
1.3 This policy
applies to all personal and sensitive personal data processed on
computers and stored in manual (paper based) files. It aims
to protect and promote the rights of individuals and the
Personal Data: Any information which relates to a
living individual who can be identified from the information. It
also extends to any information which may identify the individual.
Examples of personal data:
· A person’s name and address (postal
· Date of birth
· Statement of fact
· Any expression or opinion
communicated about an individual
· Minutes of meetings, reports
· Emails, file notes, handwritten
notes, sticky notes
· CCTV footage if an individual can
be identified by the footage
· Employment and student
· Spreadsheets and/or databases with
any list of people set up by code or
· Employment or education history
Sensitive Personal Data: Any information relating
to an individual’s:
· Religious or other
· Political opinions
· Membership of a trade
· Sexual orientation
· Medical history
Offences committed or alleged to have been committed by that
3.1 The Data
Protection Act 1998 is designed to protect individuals and personal
data, which is held and processed on their behalf. The Act
defines the individual as the ‘data subject’ and their personal
information as ‘data’. These are further defined as:
Subject: Any living individual who is the subject of
personal data whether in a personal or business capacity
Any personal information which relates to a living individual who
can be identified. This includes any expression of opinion about
(iii) Data is
information stored electronically i.e. on computer, including word
processing documents, emails, computer records, CCTV images,
microfilmed documents, backed up files or databases, faxes and
information recorded on telephone logging systems
records which are structured, accessible and form part of a
‘relevant filing systems’ (filed by subject, reference, dividers or
content), where individuals can be identified and personal data
easily accessed without the need to trawl through a file.
4.1 The Data
Protection Act 1998 sets legislative requirements for organisations
processing personal data (referred to under the Act as ‘Data
Controllers’). The University will be open and transparent
when processing and using private and confidential information by
ensuring we follow the 8 Data Protection Principles of good data
Principle 1: Personal data shall be obtained and
processed fairly and lawfully.
Principle 2: Personal data shall be obtained only
for the specified and lawful purposes and shall be processed for
Principle 3: Personal data shall be adequate,
relevant and not excessive in relation to the purpose for which it
(iv) Principle 4:
Personal data shall be accurate and kept up to date.
5: Personal data shall not be kept for longer than
(vi) Principle 6:
Personal data shall be processed in accordance with the rights of
the data subject under the Data Protection Act 1998.
Principle 7: Personal data (manual and electronic)
must be kept secure.
Principle 8: Personal data shall not be
transferred outside the European Union unless that country provides
adequate levels of protection for the rights of the data
University recognises and understands the consequences of failure
to comply with the requirements of the Data Protection Act 1998 may
· Criminal and
· Fines and damages;
· Personal accountability and
· Suspension/withdrawal of the right
to process personal at by the Information
· Loss of confidence in the integrity
of the University’s systems and procedures;
Irreparable damage to the University’s reputation.
4.3 The University
may also consider taking action, in accordance with the
University’s Disciplinary Procedure, where staff do not comply with
the Data Protection Act 1998.
Roles and Responsibilities
5.1 Staff will
not attempt to gain access to information that is not necessary to
hold, know or process. All information which is held will be
relevant and accurate for the purpose for which it is required. The
information will not be kept for longer than is necessary and will
be kept secure at all times.
University will ensure that all personal or sensitive personal
information is anonymised as part of any evaluation of assets and
liability assessments except as required by law.
5.3 Staff who
manage and process personal or sensitive personal information will
ensure that it is kept secure and where necessary confidential.
Sensitive personal information will only be processed fairly and
lawfully and in line with the provisions set out in the Data
Protection Act 1998 and only processed in accordance with
instructions set out by the respective Data Controllers.
University will ensure that all staff are made aware of the reasons
why personal and sensitive personal data is being processed:
· how it will be processed
· who will process it
· how it will be stored and
how it will be disposed of when no longer required.
University acknowledges individuals (data subjects) rights under
the Data Protection Act to access any personal data held on our
systems and in our files upon their request, or to delete and/or
correct this information if it is proven to be inaccurate,
excessive or out of date.
University recognises that individuals have the right to make a
request in writing and upon payment of a fee, obtain a copy of
their personal information, if held on our systems and files.
University recognises that individuals have the right to prevent
data processing where it is causing them damage or distress, or to
opt out of automated decision making and stop direct marketing.
University (Data Controllers) Obligations
University will follow Code of Practice issued by the ICO when
developing policies and procedure in relation to data
University will ensure that Data Processing Agreements are applied
to all contracts and management agreements where the University is
the data controller contracting out services and processing of
personal data to third parties (data processors). The
University will ensure this agreement clearly outlines the roles
and responsibilities of both the data controller and the data
University will adhere to and follow the 8 principles of data
protection when conducting surveys, marketing activities etc.,
where the University collects, processes, stores and records all
types of personal data.
University will not transfer or share personal information with
countries outside of the European Economic Area (EEA) unless that
country has a recognised adequate level of protection in place in
line with the recommendations outlined in the Data Protection
University will ensure all staff are provided with data protection
training and promote the awareness of the University’s data
protection and information security policies, procedures and
relating to breaches of the Data Protection Act 1998 and/or
complaints that an individual’s personal information is not being
processed in line with the 8 principles of data protection will be
managed and processed by The Registrar.
complaints of dissatisfaction will also be processed in accordance
with the University’s Complaints Process and should be sent to:
Head of the Conduct & Appeals
c/o MB Building, City Campus South
University of Wolverhampton
West Midlands WV1 1LY
Confidentiality and Information Sharing
University will only share information in accordance with the
provisions set out in the Data Protection Act 1998.
applicable the University will inform individuals of the identity
of third parties to whom we may share, disclose or be required to
pass on information to, whilst accounting for any exemptions which
may apply under the Data Protection Act 1998.
Corporate Strategy & Governance Unit, University of
Wolverhampton, MA Building, Wulfruna Street, Wolverhampton, WV1 1LY
or firstname.lastname@example.org or
University of Wolverhampton, Wulfruna Street, Wolverhampton, WV1 1LY
Course enquiries: 0800 953 3222, General enquiries: 01902 321000 | Email: email@example.com
Freedom of Information | Disclaimer and copyright | The University as a charity | Cookies Policy