The legal framework for the processing of personal data in the UK is set by the Data Protection Act (1998), but it was modified in detailed ways by the Freedom of Information Act (2000) and is also affected by legislation in other areas, such as disability.
"Personal data" is recorded information which relates to identifiable living individuals (known as "Data Subjects").
"Processing" of personal data occurs when it is collected, retained, used or disclosed.
Processing must be justified, based on specific grounds listed in the Data Protection Act. (Other legislation may also be involved, and the Data Protection Act itself defines how this interface is to be managed.)
It is important to note that merely retaining data, regardless of whether anything is being done with it, constitutes "processing" and therefore requires legal justification.
Organisations are prevented by the Act's normal provisions from holding personal data about individuals (called "Data Subjects") without their knowledge. Those individuals also have rights under the Act concerning information held about them, and these rights are defined particularly stringently where the material being processed is designated in the Act as sensitive personal data.
A high proportion of members of the College will be both its Data Subjects in their individual capacity, and at the same time responsible for processing personal data in their professional capacity. This particularly applies to staff, but may apply to students, for example where they work for the College (eg on the Library issue desk) or where they are engaged in research projects involving living individuals. For this reason, and for reasons of transparency generally, this College Data Protection Policy is addressed to both staff and students, and to both Data Subjects and those processing personal data.
Most of the personal data held by the College is in written form. However, some is held in other forms - such as CCTV footage, which is personal data if it shows individuals who can be identified. The rules set out on this website are designed to apply to personal data in all formats.
It will be evident from the above definitions that staff of the College will generally hold personal data in a private capacity (eg addresses or dietary requirements of family or personal friends) as well as in a "public" capacity (as a College employee, officer of a professional body, or perhaps on behalf of some other organisation such as a club, church or private business). Processing in a private capacity ("for personal or domestic purposes") is not subject to the requirements of the Act. However, It is important not to allow the distinction between public or private, and between different "public" capacities to become blurred, as this could lead to illegal processing for which a member of staff could inadvertently break the law, or incur personal liability for which they were uninsured.
[Further information about processing in a private or public capacity is found in the section of this Policy concerning Notification.]
Eight Principles are set out as a basis for the Data Protection Act which - in summary - require that personal data should be:
[ Further details on the meaning of the Eight Principles ]
Organisations processing personal data are required to register with the Information Commissioner a "Notification" listing the classes of personal data which they hold. This then becomes a public document which defines both the personal data which the organisation is allowed to process, and that for which it is responsible. The personal data covered by a Notification is defined not according to its physical location on the relevant institution's premises, but according to whether it is generated in the course of its business. Hence, for example, personal data held as research material in the hands of a member of staff at home would be "held" by the College (if conducting research was part of the individual's College duties). This would however not apply to a personal Christmas card list kept by the same member of staff in his or her office or network space: this would be held by the individual rather than by the College.
[ Further guidance on the Goldsmith's Notification and its scope. ]
Within the Data Protection Act there are both general requirements which affect all processing of personal data, and special arrangements prescribed for particular areas of concern to academic institutions - notably Examinations and Research.
It is likely that some requests under the Freedom of Information Act for information held by public authorities (eg universities) will relate to personal data. Public authorities can claim an Exemption if disclosing the information requested would constitute a breach of the Data Protection principles. Goldsmiths has published some specific aspects of its approach to this issue in the Staff Privacy Statement.
The Joint Information Systems Committee (JISC), working in collaboration with the national authority for Data Protection (then the Data Protection Commissioner; now the Information Commissioner) has published a Code of Practice on the application of the Data Protection Act in the HE and FE sectors. The material in the College's Data Protection Policy and Guidance webpages is to a significant extent derived from the recommendations in the JISC Code.
Detailed guidance on many data protection issues relevant to universities has been produced by a HEFCE Good Management Practice project and is mounted on Lancaster University's website.
Goldsmiths, University of London, New Cross, London, SE14 6NW, UK
Telephone: + 44 (0)20 7919 7171
Goldsmiths has charitable status