Data protection

The UK's current Data Protection Act (“the Act”) came into force on 25th May 2018, alongside the General Data Protection Regulation (GDPR). The Act is derived from Article 8 of the European Convention on Human Rights 1950 that provides a “right to respect for one’s private and family life, his home and his correspondence”, essentially personal privacy. The University is a registered data controller under the Act and its registration number with the Information Commissioner's Office is Z6650067.

The Act gives individuals rights over their personal data and protects them from the erroneous use of their personal data. The Act also imposes responsibilities and requirements on any organisation that handles personal data, obligating them to comply with a number of important principles and legal obligations. The Data Protection Principles state that personal data shall:

1. be collected and processed fairly, lawfully and transparently

The purpose for which personal data is collected and processed should be made clear to the data subject. Data subjects should not be deceived or misled as to the purpose for which their personal data is held or used, and must be given full information about how it will be used. Personal data should only be obtained from a person who is legally authorised to supply it.

2. be obtained only for specified, explicit and legitimate purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

Personal data held for one purpose should not be used for another, e.g. research data should not be used for direct marketing. All personal data held must be within terms of a register entry or be specifically exempt from registration.

Personal data must not be disclosed to any person not connected to the purpose it was obtained for. Details of persons to whom data may be disclosed and by whom are contained in the registration. When deciding whether to disclose data, Departments should also consider what disclosure procedures were outlined to data subjects when they gave permission for their data to be held. If data subjects have been told that data will only be released with their permission data should not be released without permission, regardless of the register entry.

3. be adequate, relevant, and limited to what is necessary for the purpose or purposes for which they are held

All personal data held must be clear in meaning, and convey sufficient information for others to understand them. Only information that is strictly necessary should be collected and held. Records should be unambiguous, accurate and professionally worded. Any abbreviations should be widely agreed. Opinions should be clearly distinguishable from matters of fact. Sensitive personal data must only be held if really necessary.

4. be accurate and, where necessary, be kept up to date

Personal data must not be inaccurate or misleading to any matter of fact. This is equally applicable to information received from a third party. The source of information should always be included on records. 

5. held in a form which permits identification of data subjects for no longer than is necessary for the purpose it was collected for

Personal must not be retained longer than is necessary for the purpose it was initially collected. Personal data must not be retained "just in case" it will be of use at some future date. The personal data could be fully anonymised to ensure compliance with this principle. However, personal data may be kept for longer than the original purpose requires if subsequently being used for formal University research purposes.

6. be held securely, incorporating appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data and protect against accidental loss or destruction of, or damage to, personal data

Access to personal data must be permitted only for the purposes necessary for the fulfilment of legitimate purposes pursued by the University (in line with its notification with the Information Commissioner's Office). The personal or private use of personal data held by the University is strictly forbidden. It is important to consider the sensitivity of the data processed, the locations where data are stored and security measures necessary to hold data securely.

Additional requirements

The following key rules must also be complied with at all times:

i) Personal data must not be transfered outside of the European Economic Area (EEA), including the use of websites or applications hosted on servers based outside of the the EEA, unless appropriate safeguards are in place.

ii) Data subjects right in relation to their personal data must be fully respected. This includes the rights of access, rectification, erasure, restriction, objection, portability and other.

iii) The Univeristy and its staff must be able to demonstrate compliance with, and accountability for, the requirements of data protection legislation at all times.

Data Protection Officer

The University's Data Protection Officer (DPO) is Henry Stuart:
Henry Stuart
Information Governance Manager & Data Protection Officer
University Secretary's Office
University of Bristol
Beacon House
Queens Road
Bristol, BS8 1QU
Tel: 0117 45 56325