Guidance for Staff
Records and Information Management
- Records and Information Management is the process by which the University manages all the elements of records and information whether externally or internally generated and in any format or media type, from their inception/receipt, all the way through to their disposal.
- Implementing good records and information management practices:
- will ensure that the University produces and manages information that is authentic, accurate, credible and reliable
- will assist the University in complying with the Freedom of Information (Scotland) Act 2002, the Data Protection Act 1998 and the Environmental Information (Scotland) Regulations 2004
- provides evidence of people’s rights and entitlements,
- providing evidence of decisions made and the reasons why.
- The Records and Information Management Service [R&IMS] provides advice and guidance on all aspects of managing the University's records including their creation and use and storage and destruction.
It is essential to consult the detailed guidance on Records and Information Management that includes a range of Best Practice Guides and training courses run in conjunction with the Staff Developement Service.
Data Protection Act
- The Data Protection Act 1998 [DPA] gives rights to all individuals, including staff and students, about whom the University holds personal information, called personal data in DPA terms, and gives responsibilities to the University regarding that information.
- The University is committed to a policy of adhering to the eight basic Principles of the DPA .
- The Principles aim to protect the rights and freedoms of individuals with respect to the processing of their personal data and sensitive personal data regardless of the format or media where the personal data is held and, in respect of IT systems, the ownership of the equipment if the processing is for University purposes.
- The University sets out the purposes for which it holds and processes personal data in its Notification to the UK Information Commissioner.
- The UK Information Commissioner's Office is the UK's independent public body set up to protect personal information, and to regulate and enforce the Data Protection Act. It provides guidance to organisations and individuals, rules on eligible complaints, and can take action when the law is broken. The Commissioner has powers to order compliance and ultimately prosecution.
- Personal data can be an image/picture, document, or statement, or record in a filing system, from which you as an individual person can be identified from that information where;
- you are the focus of the document or record,
- the information is particularly relevant to you,
- the information includes significant biographical facts and opinions about you,
- the information affects your privacy in your personal, family, educational or professional life.
- Examples of personal data include the contents of an individual student file, or appraisal assessment, or home phone number. The mere mention of your name in a document, for example as a record of attendence at an open meeting, is not enough to make the information in that document personal data about you.
Processing Personal Data
- In brief, the University will process or use personal data about you for academic, administrative, management, pastoral, and health and safety reasons.
- The personal data section of the University Calendar describes in some detail the reasons why and how the data about a student has to be collected and processed and secured by the University.
Access to your Personal Data
- Academic departments are responsible for providing assessment information to students. The University's Senate Office provide detailed guidance to academic departments on the management and retention of information and records relating to teaching material and assessment performance.
- The DPA provides a procedure, called the Subject Access Request, for a member of staff or a student to formally request details of information about themselves that is held by the University.
Requests from external agencies
- Schedule III(3) of the DPA allows authorised agencies, such as the Police & Hospitals and other emergency services, to request information from the University about a specific member of staff or a student in emergency situations in order to protect the vital interests of that person or another individual - such as medical emergencies, accidents, and next-of-kin requirements.
- Section 29(3) of the DPA provides authorised agencies, such as the Police, with the mechanism to request, and the University the authority to either release or decline to release, information about a member of staff or a student without the explicit consent for the purposes of the prevention or detection of crime and the apprehension or prosecution of offenders.
- Section 29(3) also provides the authority for the University to release information about a member of staff or a student without their explicit consent for the purposes of the assessment or collection of any tax or duty or of any imposition of a similar nature.
- The University operates CCTV and similar equipment to monitor safety and security, and may monitor telecommunications, data communications, and other communications as permitted by the relevant legislation and University regulations.
- The University's IT Services undertake monitoring of IT systems and services according to its regulations and policies.
- A brief summary of the legislative framework for monitoring and interception of communications is available.
Freedom of Information
- The Freedom of Information [Scotland] Act 2002 [FOISA] and the Environmental Information [Scotland] Regulations 2004 [EIRs] provide a general right of access to most of the recorded information that is held by the University. The information may be about its activities, decisions, priorities, and plans. The Acts set out a number of exemptions/exceptions to this right of access.
- An Information Request may be sent to any member of staff of the University - it is important that it is acted upon immediately. The Quick Link guidance on handling general information requests should be consulted.
- The Scottish Information Commissioner is the official regulator set up to regulate and enforce FOISA. He provides guidance to organisations and individuals, rules on eligible complaints and appeals, and can take action when the law is broken. The Scottish Information Commissioner has powers to order compliance and ultimately prosecution.
- The University's Publication Scheme lists the main categories of information published therefore, if you are seeking access to information, you may initially wish to search the Scheme.
- There are separate, but broadly similar, legislation that covers England, Wales and Northern Ireland.