Checklist for compliance with DPA for Databases holding Personal Data
The DPA places responsibility on the University to control the processing of personal data within the University. The processing must meet the eight basic Principles of the DPA. The following points should help determine whether your databases, planned or new or existing, are subject to the DPA and, if so, what precautions you must take.
Please work your way through all the points unless you conclude, after point 1, that the DPA does not apply to your database. If you are unsure at any stage, you must consult the University's Data Protection Officer to ensure compliance with the DPA. The A to Z Guide expands on each of the issues mentioned in the following check list.
- Check that you know what is meant by personal data and sensitive personal data. If your database does not contain such data then your database is not subject to the DPA.
- If your database is being used for administrative and management purposes related to students - including current & past students, and applicants & potential applicants - check the content and reason for the database fits with the rules for processing student personal data [from the Fees and General Information for Students section of the 2005 University Calendar];
- If your database is being used for administrative and management purposes related to staff - including current & past staff, and applicants & potential applicants - check that the content & reason for the database fits with HR Policy & Procedures;
- If your database is being used for research purposes?
- Check that you know what is meant by, and the conditions relevant to, Research on Personal Data;
- Check that you know and apply the additional rules relevant to Research on Sensitive Personal Data;
- Check that you have obtained appropriate Consent from all the individuals who are the target of the research;
- If the research data is to be transferred either (a) into the University or (b) outwith the University at any stage, ensure that an appropriate contract, approved by Research and Enterprise, is in place that covers data protection requirements & responsibilities;
- Check the Research and Enterprise publication Good Practice in Research, which provides recommendations on documenting results and storing primary data based on the requirements of several Research Councils, as it takes into account:
- The legal and regulatory framework for particular types of research;
- The terms and conditions imposed by external research sponsors;
- The commercial, political or ethical sensitivity of particular types of research, or any research for particular external sponsors.
- If the purpose or reason for creating your database does not fit any of the above Sections 2-4, you must immediately consult the Data Protection and Freedom of Information Office to ensure compliance with the DPA.
- Is your database non-research related and about individuals from outwith the University?
- Check that, if the data is being supplied from outwith the University by another organisation or company, that either (a) an appropriate contract covering data protection requirements & responsibilities is in place, or (b) there is a legislative requirement upon the University;
- Check that a suitable consent statement is specified on any forms that are used to collect the personal data from the individuals.
- Consider using the Information Padlock Symbol on forms and literature when appropriate.
- Are you duplicating, in part or whole, a central corporate database? Have you considered a suitable download of data from a central corporate database to ensure compliance with the 4th Principle of the Data Protection Act?
- Check the conditions if you need to transfer personal data elsewhere within the University, and/or outwith the University, and/or outwith the UK;
- Check that your arrangements meet the security requirements of the DPA;
- Check how long the personal data in the database must be retained to fulfill the purpose for which it was originally collected. There are many determining factors such as legal requirements as well as legitimate business practices that will influence the decision on the period of time for the retention of records containing personal data. Ensure that, when the database is not longer required, its contents are either (a) retained in line with the University's Records Centre guidelines, or (b) are securely destroyed in line with the University's Computer Equipment Disposal Policy and not retained on a computer's disk storage.
Recording of Conversations
A tape recording of a conversation, where (a) any individual can be identified from the recording and the conversation, and (b) including opinions and intentions about any individual, is personal data about those individuals under Section 1(2) of the DPA.
Schedule II, section 1 of the DPA states that personal data may only be collected with the consent of the individual.
Thus, if the individual does not know in advance that the conversation is being recorded and did not give consent to the recording, then the individual's rights to 'fair processing' under the 1st Principle of the DPA will be breached.