Processing data off campus

Take extra care when processing personal data off campus.

Staff Responsibilities

Under the Data Protection Act 1998 ("the Act"), personal data can only be processed off campus if all of the following conditions are met:

Any breach of these responsibilities could lead to disciplinary action.

Use of Non-University owned equipment

The processing of personal data in order to carry out work as a member of staff at the University requires that member of staff to register with the Information Commissioner. Therefore, the University has determined that staff should not process personal data on a computer that is not owned by the University. In very exceptional circumstances that create a need to use a non-University-owned computer, permission must be obtained in writing from the Head of Department with the agreement of the University Secretary. An application to register with the Information Commissioner as a Data Controller should be completed through the University's Information Rights Manager.

The Internet

The Act applies to processing on the Internet. Any personal data that is downloaded from the Internet and then processed at the University or on an Internet page must be registered with the Information Commissioner. The Data Protection Principles and the rules regarding the Data Subject's rights under the Act must be strictly followed. Appropriate security measures should be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data on an Internet page; the Internet is a fundamentally insecure medium, and the type of personal data that is put on Internet pages should reflect this.

Sending personal data abroad

Security should be appropriate to the degree of harm that could occur if the personal data is misused.