Data Protection Policy - Gathering Data
Personal data collected by Swansea University must be in accordance with the University's registration with the Information Commissioner. Staff should check the Register of Data Controllers on the Commissioner's website or consult with the Information Compliance Officer (FOI/DP) before introducing any new form of data gathering.
If it appears that the collection of the data would not be covered by Swansea University's existing registration, the Information Compliance Officer (FOI/DP) must be informed before the changes are implemented, so that the University's register entry can be updated.
While it is not always necessary to have the consent of the data subject in order for the processing of data to be fair and lawful, it is advisable to seek consent wherever possible, particularly in regard to sensitive personal data where explicit consent should normally be obtained (see information on the first Data Protection Principle in Data Protection Policy). Swansea University also has a general obligation under the first Data Protection Principle to ensure that data subjects are provided with information about how their data will be used by the University, unless doing so would involve disproportionate effort. To meet these requirements, paper and electronic forms (including web based forms) created by the University which gather personal data should always include a privacy notice.
It is recommended that privacy notices should explain:
- Why the data needs to be gathered and how the data will be used
- Any third parties outside Swansea University to whom the data will be disclosed or transferred
- How long the data will be kept
- The fact that completion of the form will be taken as consent by the data subject to the use of the data as outlined.
- How the data subject can exercise his/her rights under the Data Protection Act (e.g. by linking to the University's Data Protection web pages or by providing contact details for the University Compliance Office (FOI/DP))
To avoid infringement of the third Data Protection Principle, forms and other methods of data collection should not gather more data than are necessary for the task at hand. Staff who are responsible for the design of forms should ensure that there is a clear business need for each data item requested. Otherwise, the form should be amended to remove the data item.
Data subjects have the right to prevent the processing of their data for direct marketing purposes (e.g. promotional mailshots). If personal data gathered via a form is to be used for direct marketing, the form must also include:
- A statement explaining how the data will be used for direct marketing.
- Information on how the data subject can opt out of the use of the data for that purpose (e.g. by ticking a box).
Where direct marketing is involved, the form should indicate that it is assumed that the data subject consents to the use of the data for direct marketing purposes unless he/she specifies otherwise.
Marketing conducted by electronic means (e.g. by telephone, fax, email or text message) is subject to extra rules set out in the Privacy and Electronic Communications Regulations 2003 (PECR 2003). Please consult with the Information Compliance Officer (FOI/DP) for further information to ensure that your marketing communications are being conducted in accordance with the Data Protection Act 1998 and with PECR 2003.