Data Protection at Swansea University
The Data Protection Act 1998 gives an individual a right of access to the data which organizations hold about them, and specifies how that data can be gathered, used and disseminated. Swansea University is committed to protecting the rights of individuals under the Data Protection Act.
All departments within the University must be aware of the potentially far-reaching effects of this legislation. Those that record and use personal information are required to follow eight data protection principles. In particular, personal data must:
- be processed fairly and lawfully;
- be held only for specified and lawful purposes and must not be further processed in any manner incompatible with those purposes;
- be adequate, relevant and not excessive in relation to the purpose for which it is processed;
- be accurate and where necessary kept up to date;
- not be kept for longer than is necessary;
- be processed in accordance with the rights of the data subject under the Act;
- be protected using appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of the data;
- not be transferred to a country or a territory outside the European Economic Area without an adequate level of protection for the rights and freedoms of data.
Further to data being processed fairly and lawfully, Swansea University will making reasonable efforts to ensure that Data Subjects are told who the Data Controller is, what the data will be used for, how long the data will be kept and any third parties to whom the data will be disclosed. This will be in the form of a privacy statement or data collection notice.
In order for processing to be lawful, personal data (which is not Sensitive Personal Data) will only be processed by Swansea University if at least one of the following conditions, set down in Schedule 2 of the DPA, has been met:
- The Data Subject has given his/her consent to the Processing.
- The Processing is necessary for the performance of a contract with the Data Subject, or for taking steps with a view towards entering into a contract.
- The Processing is required under a legal obligation other than a contract.
- The Processing is necessary to protect the Vital Interests of the Data Subject.
- The Processing is necessary for the administration of justice, the exercise of functions under an enactment, the exercise of functions of the Crown or a government department, or any other functions of a public nature exercised in the public interest.
- The Processing is necessary to pursue the legitimate interests of Swansea University or of third parties, and does not prejudice the rights, freedoms or legitimate interests of the Data Subject.
Processing of Sensitive Personal Data is subject to more stringent restrictions under Schedule 3 of the DPA. Processing of Sensitive Personal Data will only be carried out by Swanasea if at least one of the above conditions, applicable to non-sensitive data, has been met and one of the following Schedule 3 conditions can also be met:
- The Data Subject has given his/her explicit consent.
- The Processing is required by law in connection with employment.
- The Processing is necessary to protect the vital interests of the Data Subject or another person.
- The information has been made public by the Data Subject.
- The Processing is necessary for legal proceedings, obtaining legal advice, or establishing or defending legal rights.
- The Processing is required for the administration of justice, the exercise of functions under an enactment, or the exercise of functions of the Crown or a government department.
- The Processing is necessary for medical purposes, and is carried out by a health professional or a person with an equivalent duty of confidentiality.
- The Processing is necessary to trace equality of opportunity between people of different racial or ethnic backgrounds, different religious beliefs, or different states of physical or mental health.
- The Processing is in the substantial public interest; is necessary for the functions of a confidential counselling, advice, support or other service; and consent cannot be given by the Data Subject, Swansea University cannot reasonably be expected to obtain the explicit consent of the Data Subject, or the Processing must necessarily be carried out without consent so as not to prejudice the provision of that counselling, advice, support or other service.
- The Processing is in the substantial public interest, and is necessary for research purposes; provided that the Processing will not support measures or decisions with regard to individuals, and will not cause substantial damage or distress to the data subject or any other person.