Principles of data protection
Anyone processing personal data must comply with the eight enforceable principles of good practice. These say that data must be:
- Fairly and lawfully processed.
- Processed for limited purposes.
- Adequate, relevant and not excessive.
- Accurate.
- Not kept longer than necessary.
- Processed in accordance with the Data Subject's rights.
- Secure.
- Not transferred to countries without adequate permission.
Fair and lawful
The intention of the Act is not to prevent data processing, but to ensure that it is done fairly and without adverse effect on the individual the data relates to. The Data Subject should be informed of who the Data Controller is (in this case, the University); who the Data Controller's representative is (in this case, the Data Protection Co-ordinator); the purpose or purposes for which the data are to be processed; and to whom the data may be disclosed. For students this will be done as part of the matriculation process. Personal data processing may only take place if specific conditions have been met - these include the Data Subject's having given consent or the processing being necessary for the legitimate interests of the Data Controller. When it comes to processing sensitive personal data (data relating to ethnicity, political opinion, religion, trade union membership, health, sexuality or criminal record of the data subject) additional conditions must be met - in most cases this will require explicit (i.e. written) consent from the individual concerned.
Purposes
Personal data processing must be in accordance with the purposes notified by the University to the Data Protection Commissioner - in other words, you cannot gather information for one declared purpose, and then use it for another. If any 'new processing' is to take place the Data Protection Co-ordinator must be consulted.
Adequate, accurate, timely
The fact that electronic information is readily available does not mean that it can be treated casually. Nor can it be gathered and held because it might be useful some day, or simply because the software allows it. The requirement that personal data should not be kept longer than is necessary means that a policy should be in place for the disposal of the data once it has reached the end of its life - there can be no holding on to data simply because it is easier to do so than to ensure its disposal.
Data Subject's rights
The data must also be treated with regard to the Data Subject's rights, such as the right to have inaccurate data amended. A Data Subject has the right to request access to any data held about him or her within the University systems - consequently, the University must make provision to ensure that that data is retrievable from its systems.
Security
Appropriate security measures must be taken against unlawful or unauthorised processing (including unauthorised viewing) of personal data and against accidental loss of, or damage to, personal data. A Data Subject may apply to the Courts for compensation if he or she has suffered damage from such a loss. The Act puts HE institutions under an obligation to have in place policies, procedures and technologies to maintain the security of all personal data from collection to destruction. This covers not only the storage, but also the transmission, of personal data (including email).
Transfer of personal data
Personal data must not be transferred to a country outside the European Economic Area unless specific exceptions apply (e.g. if the Data Subject has given consent). This includes the publication of personal data on the internet.