Protection of personal information is especially important and anyone who handles or processes personal information should be aware of the University Data Protection Policy.
Remember: a request for personal data doesn’t have to mention subject access or the Data Protection Act. It just has to be a request in writing (email will do). If you get such a request – alert the Information Compliance Officer (firstname.lastname@example.org) immediately.
What does the Data Protection Act mean for staff?
1. All individuals have a right to see the personal data that we hold on them.
2. This extends to emails, letters, memos, minutes and spreadsheets etc – in short any recorded information from which they can be identified. Even audio, video and CCTV recordings can be requested by an individual.
3. Everything that the university holds on an individual can be, and frequently is, requested. By law we have to release the data. This includes opinions and intentions towards that individual. For example if you wrote in an email “I believe that person x is a nuisance and should be sacked”, we would probably release this in its entirety.
The University’s Information Compliance Officers...
...are the point of contact for both internal and external requests. You may be asked to perform a search for data and provide the output to them. It is a legal obligation to search for and provide the data. It can be a criminal offence for a public authority to destroy or conceal information which an individual has a right to receive.
Individuals in most cases have the automatic right to view all of their own data, however they have no automatic right to see third party data. We may seek consent to release third party data, but there are other factors we take into consideration when making such a judgement.
Generally we release the majority of data when dealing with requests. There are some exemptions, but these are very specific and infrequently applied.
There is a strict time limit
We have 30 calendar days from the day after receipt of the request to provide the information once the request is finalised. It can be extended only in exceptional circumstances It is important for staff to respond promptly and comprehensively despite other demands on their time.
Dos and don'ts...
DO remember that whatever you write about an individual may be disclosed to them.
DO make sure that ALL your communications about others are appropriate and professional.
DO make sure you recognise when you receive a request for data and DON’T ignore it.
When asked for data by the University DO provide it: DON’T conceal or destroy it.
Information Security Office
Oxford Brookes University
Oxford OX3 0BP
+ 44 (0) 1865 484354