Guidance for Staff

Records and Information Management

  • Records and Information Management is the process by which the University manages all the elements of records and information generated in any format or media type, from their inception/receipt through to their disposal. 
  • Implementing good records and information management practices:
    • will ensure that the University produces and manages information that is authentic, accurate, credible and reliable
    • will assist the University in complying with the Freedom of Information (Scotland) Act 2002, the Data Protection Act 1998, and the Environmental Information (Scotland) Regulations 2004
    • will provide evidence of people’s rights and entitlements
    • will provide evidence of and reasoning for decisions made
  • The Records and Information Management Service (RIMS) provides advice and guidance on all aspects of managing the University's records.

Consult our detailed guidance on records and information management for further information, including a range of best practice guides and SDS-run training courses. 

Data Protection Act

  • The Data Protection Act 1998 (DPA) gives rights to all individuals, including staff and students, about whom the University holds personal information, and places responsibilities on the University regarding the information it holds.
  • The University is committed to a policy of adhering to the eight basic principles of the DPA.
  • The principles protect the rights of individuals with respect to the processing of their personal data and sensitive personal data, regardless of the format or media in which the personal data is held or, in respect of IT systems utilised for University purposes, the ownership of the equipment. 
  • The University sets out the purposes for which it holds and processes personal data in its Notification to the UK Information Commissioner.
  • The UK Information Commissioner's Office is the UK's independent public body responsible for the protection of personal information through the regulation and enforcement of the Data Protection Act. The ICO provides guidance to organisations and individuals, rules on eligible complaints, and takes action when the law is broken. The Commissioner has powers to order compliance and prosecution.

Personal Data

  • Personal data is an image/picture, document, statement, or record in a filing system, from which an individual can be identified, and where:
    • the individual is the focus of the document or record,
    • the information is particularly relevant to the individual,
    • the information includes significant biographical facts and opinions about the individual,
    • the information affects the individual's privacy in his or her personal, family, educational or professional life.
  • Examples of personal data range from the contents of an individual student or staff file, an appraisal assessment, a home phone number, or an email mentioning personal activities. The mere mention of your name in a document, for example as a record of attendance at an open meeting, is not enough to make the information in that document personal data about you.

Processing Personal Data

  • In brief, the University will process or use personal data about you for academic, administrative, management, pastoral, and health and safety reasons.  
  • The personal data section of the University Calendar describes the reasons why and how student personal data has to be collected, processed, and secured by the University.

Access to your Personal Data

  • Academic departments are responsible for providing assessment information to students. The University's Senate Office provides detailed guidance to academic departments on the management and retention of information and records relating to teaching material and assessment performance.
  • The DPA provides a procedure, called the Subject Access Request, which enables a member of staff or a student to formally request details of information about themselves that are held by the University.

Requests from external agencies

  • Schedule III(3) of the DPA allows authorised agencies, such as the Police, hospitals, and other emergency services, to request information from the University about a specific member of staff or a student in emergency situations in order to protect the vital interests of that person or another individual. These situations may include medical emergencies, accidents, and next-of-kin requirements.
  • Section 29(3) of the DPA provides authorised agencies such as the Police with the mechanism to request -- and the University the authority to either release or decline to release -- information about staff or students without their explicit consent. These requests must be made for the purposes of the prevention or detection of crime, and/or the apprehension or prosecution of offenders.
  • Section 29(3) also provides the authority for the University to release information about staff or students without their explicit consent, for the purposes of the assessment or collection of any tax or duty, or of any imposition of a similar nature.

Data Protection training for staff

Further information on our online training module for staff members can be found here.

Data Protection courses are also run through the Staff Development Service. Details of upcoming courses can be found here.






  • The University operates CCTV and similar equipment to monitor safety and security, and may monitor telecommunications, data communications, and other communications as permitted by the relevant legislation and University regulations. 
  • The University's IT Services undertake monitoring of IT systems and services according to its regulations and policies.
  • A brief summary of the legislative framework for monitoring and interception of communications is available in our A to Z guide.

Freedom of Information

  • The Freedom of Information (Scotland) Act 2002 (FOISA) and the Environmental Information (Scotland) Regulations 2004 (EIRs) provide a general right of access to most of the recorded information that is held by the University. The information may be about its activities, decisions, priorities, plans, etc. The acts set out a number of exemptions/exceptions to this right of access.
  • An information request may be sent to any member of staff of the University -- it is important that any request is acted upon immediately. Consult the Quick Link guidance on Handling general information requests - FOISA for further information.
  • The Scottish Information Commissioner is the official regulator set up to monitor and enforce FOISA. She provides guidance to organisations and individuals, rules on eligible complaints and appeals, and takes action when the law is broken. The Scottish Information Commissioner has powers to order compliance and prosecution.
  • The University's Publication Scheme lists the main categories of information published by the University. If you are seeking access to information, you may initially wish to search the Scheme.
  • There is separate, but broadly similar, legislation that covers access to information in England, Wales and Northern Ireland.