Common sense will help you with many data protection issues. If you are unsure whether any actions you are taking in the collection, use, storage or release of personal information are inappropriate or could have adverse implications either for an individual or for WSU, stop and seek advice before proceeding.
- Where data can be attributed to a living individual, it is personal data and the rules in the Data Protection Act apply.
- People can be identified from seemingly anonymous data where it is used in conjunction with other information.
- The rules for processing the eight types of sensitive personal data are stricter than for other personal information, and extra caution is required. Always check this if you are in any way unsure!
- Simply having personal information, even if nothing is being done with it at the time, is enough for the rules of the Data Protection Act to apply.
- When working in a partnership involving personal information or commissioning a person or organisation to process personal information on behalf of WSU, formal agreements between the parties will normally be required that take account of the requirements of the Data Protection Act. The Chief Executive will normally oversee such agreements.
- When collecting personal information, have you provided a clear and fair processing statement to the data subject (i.e. the person whose information you’re collecting) that covers ‘WHO, WHY, WHAT and for HOW LONG’? Below are some template data collection statements for use when collecting personal data in line with the Data Protection Act 1998:
Any personal information you give to us will be processed in accordance with the UK Data Protection Act 1998. The [insert club or society name] will use the information to [insert purpose for which personal data will be used. If more than one purpose, list these out]. Your personal information will be kept securely for [insert retention period i.e. for the duration of your membership, until next year’s event etc.] and not shared with any third parties without seeking your prior additional permission. If you have any concerns about the use of your personal information, please contact [insert email or telephone number with name of contact].
Event Attendee information
The personal information supplied will be used for [insert purpose e.g. the purpose of course and event administration, and to compile either a paper delegate list to be distributed to all attendees at the event, or an electronic delegate list]. It may be used by the [insert club or society name] for the purposes of advertising other events. It will not be shared with any third parties without seeking your prior additional permission. If you have any concerns about the use of your personal information, please contact [insert email or telephone number with name of contact]. If you do not wish to be contacted for further events, please contact [insert email or telephone number with name of contact].
- Was the personal information with which you are working originally collected for another reason? If so, please seek advice from the Chief Executive. It is likely that you won’t be able to use it if the SU’s registration with the Information Commissioner’s Office doesn’t cover that specific type of processing.
- Do you intend to process personal information without obtaining the consent of data subjects? If so, please contact the Chief Executive.
- Have you reviewed your intended collection and use of personal information to make sure that only the minimum amount of personal information needed for a task is collected and used?
- Is the personal information for which you are responsible accurate and up-to-date?
- Have you thought about the length of time you need to keep this? Is this documented?
- Is personal data no longer needed? If it is no longer needed, make arrangements for its secure destruction.
- When destroying personal data, have you checked that the destruction has been properly authorised and documented? Refer to Records Retention Policy.
- Is someone asking questions or seeking access to their personal data? If it’s a member of staff, direct them to the HR Directors. If it’s a student or member of the public, contact the Chief Executive as soon as possible for advice on the best way to meet their needs or answer their questions.
- Remember the following practical steps to help minimise the risk to, or loss of, personal information:
  - Do not share or disclose passwords.
  - Never leave information unattended and lock computers/drawers/offices.
  - Always password-protect and, where appropriate, encrypt information on portable devices and media.
  - Implement formal agreements with third parties that include requirements in respect of personal information.
  - Promptly remove access privileges from former staff or other individuals who should no longer need access.
  - Ensure that everyone understands the sensitivity of the information disclosed to them in their duties.
  - Report a potential loss or unauthorised access to information (see ‘What to do about a suspected data breach’ below).
  - Shred or securely erase information when no longer required.
  - Do not write papers or documents which disclose personal information without explicit permission.
- If you are unsure whether it is appropriate to place information onto a memory stick, pause and consider the implications of the data being lost or used against someone or WSU.
- Are you working with an international partner? Please contact the Chief Executive for advice & information on ‘safe harbour’ and model contract information.