University home > University Secretary's … > Data Protection > Data Protection Act 1998 - Do's …

DO

• Comply with Data Protection Principles at all times;
• Remember the Act applies to paper files, information held electronically, video/DVD, audiotapes and photographs;
• Think of personal data held about individuals as though it were held about you;
• Get permission from the data subject to hold their personal data unless consent is obviously implied;
• Be particularly careful about sensitive data: concerning race, political opinion, religious belief, trade union membership, physical or mental health, sexual life, criminal offences;
• Hold personal data about people only when necessary;
• Do your best to ensure personal data is kept accurate and up to date;
• Tell people you hold personal data about them and tell them why you need to do so (fair processing);
• Be open with people about information held about them;
• Ensure that you have a contract (data processing agreement) in place when sharing personal data with other organisations;
• Be very careful about passing personal data to third parties;
• Respect confidentiality and the rights of the data subject;
• Refuse requests from family or friends for information about a student, including examination results, unless prior written permission has been received from the student;
• Review personal data kept in files from time to time and at least annually;
• Ensure all personal data is disposed of as confidential waste;
• Always consider writing open references;
• When writing documents, bear in mind that the data subject has a right to see information relating to them;
• Realise even deleted emails may be retrieved and revealed to those about whom they are written;
• Hold personal data in such a way that it can be collected for inspection at short notice;
• Where possible, anonymise personal data for statistical analysis;
• Only use software and hardware supported and provided by the University;
• Direct any official requests to see personal data to the Information Rights Officer at Data-Protection@bristol.ac.uk

DON'T

• Worry about the complexities of the Act - the Data Protection Principles are simple;
• Reveal personal data to third parties without the data subject's permission or justification (see University's guidance on Individual Rights);
• Disclose any personal data over the telephone;
• Hold sensitive data about a person without explicit consent or advice from the Information Rights Officer;
• Put personal data about an individual on the Internet without his/her permission, unless it is a condition of his/her employment or acceptance as a student (see Rules and Regulations for Students, Student Declaration and the Staff Handbook);
• Send personal data outside the European Economic Area (EEA) without taking advice from the Information Rights Officer;
• Leave personal data insecure in any way, whether it is physical files or information held electronically;
• Take personal data home without particular care for security;
• Process personal data on a computer not owned or supplied by the University;
• Part with University computers without advice on deletion of data from Information Services (Policy on Disposal of Computer Equipment);
• Use email for sending confidential communications or unencrypted personal data, as it is relatively insecure;
• Use personal data held for one purpose for a different purpose without permission from the data subject;
• Aside from routine amendments, erase or alter any personal data after the Information Rights Officer has received a request to inspect and/or disclose that personal data.