• DP training
  • Data Protection

    Protection of personal information is especially important and anyone who handles or processes personal information should be aware of the University Data Protection Policy. Copies of the Data Protection Handbook, which gives a brief overview of the Data Protection Act 1998, are available from the Information Compliance team. 

    Remember: a request for personal data doesn’t have to mention subject access or the Data Protection Act. It just has to be a request in writing (email will do). If you get such a request, alert the Information Compliance Officer (info.sec@brookes.ac.uk) immediately.

  • 1.  Under the Data Protection Act 1998, all individuals have a right to see the personal data that we hold on them.

    2.  This extends to emails, letters, memos, minutes and spreadsheets, etc. – in short, any recorded information from which they can be identified. Even audio, video and CCTV recordings can be requested by an individual.

    3.  Everything that the university holds on an individual can be, and frequently is, requested. By law we have to release the data. This includes opinions and intentions towards that individual. For example, if you wrote in an email “I believe that person x is a nuisance and should be sacked”, we would probably release this in its entirety.

    ...are the point of contact for both internal and external requests.  You may be asked to perform a search for data and provide the output to them.  It is a legal obligation to search for and provide the data.  It can be a criminal offence for a public authority to destroy or conceal information which an individual has a right to receive.

    Individuals in most cases have the automatic right to view all of their own data; however, they have no automatic right to see third party data. We may seek consent to release third party data, but there are other factors we take into consideration when making such a judgement.

    Generally we release the majority of data when dealing with requests. There are some exemptions, but these are very specific and infrequently applied.  

    We have 40 calendar days to provide the information once the request is finalised.  It is important for staff to respond promptly and comprehensively despite other demands on their time.  The deadline can’t be extended.

    DO – remember that whatever you write about an individual may be disclosed to them

    DO – make sure that ALL your communications about others are appropriate and professional

    DO – make sure you recognise when you receive a request for data and DON’T ignore it

    When asked for data by the University DO provide it:  DON’T conceal or destroy it