Data Protection

The Data Protection Act 1998 gives rights to people about whom the University holds information and gives the University responsibilities regarding that information. To find out more about data protection follow the links below.

On this page:

Data protection: the 5 key points that every member of staff needs to know
What is data protection?
Definitions
Data protection policy at the University of Edinburgh

In this section:

Advice and guidance
Handling information requests
- Dealing with subject access requests
Training and awareness raising
- Briefings and training
- Information governance: what Directors of Studies and Student Support Officers need to know
Data protection at the University of Edinburgh
Further information
- Data Protection & Privacy Newsletters - restricted to freedom of information practitioners only
- Useful external links

Data protection: the 5 key points every member of staff needs to know

Individuals have the right to ask to see any information the University of Edinburgh holds about them. The University has 40 calendar days to respond. If someone asks to see information that you hold about them, contact your local freedom of information practitioner as soon as possible.
You must tell individuals what you do with information regarding them, including to whom you disclose it.
You must keep personal data securely, for example if you use large amounts of personal data or sensitive personal data, store them on University networks or use encryption.
If you pass personal data outwith the University, follow University policies and procedures. This includes publishing personal information on the internet, allowing contractors access to systems, and sharing personal data with government agencies and others.
You must not keep personal data for longer than is necessary.

For advice on data protection or if you have concerns about disclosing any information contact the Data Protection Officer at the below email address.

recordsmanagement@ed.ac.uk

What is data protection

The Data Protection Act 1998 came into force on 1st March 2000.

The Act applies to information about individuals ("personal data"). It gives an individual ("the data subject") the right to access personal information that the University holds about them. They do this by making a subject access request.

What is personal data?

The Act also sets out the requirements for handling personal data; these requirements are codified as the eight data protection principles. The full text of the Act is available on the Office of Public Sector Information website.

The Act is policed by the UK Information Commissioner. The University must tell the Commissioner about all the purposes for which it processes personal data. This is called notification and all the purposes are maintained in a searchable register by the Commissioner.

Definitions

Definitions of the terms used in the Data Protection Act 1998 are available. They will assist University staff in their understanding of the Act and help ensure that Personal Data is processed in accordance with the eight data protection principles.

Data protection definitions

Data protection policy at the University of Edinburgh

When the data protection legislation was coming into force the University established a working group. The working group developed the University's data protection policy which was approved by the University Court in July 2001.

The Policy is supported by a number of guidance documents.

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336