
Important guidance to new staff on the Data Protection Act, Freedom of Information Act and Environmental Information Regulations

Personal Data

Data Protection Act

The Data Protection Act (DPA) covers personal data, that is, data which relates to a living individual who can be identified from that data, or from that data and other information available to the University.

The DPA imposes important and significant obligations on every employee of the University as regards the manner in which we acquire, store, and dispose of (i.e. ‘process’) personal data. Personal data should not be disclosed to anyone other than in accordance with the DPA, and if you receive a request for personal data you should always seek advice from the Information Policy and Compliance Manager or your FOI contact.

It is extremely important that personal data held by the University is kept and handled securely. It should not be held on portable computers, or on portable storage devices, unless they are password protected (or, preferably, encrypted), and you must ensure that such devices cannot be lost, stolen or accessed by unauthorised individuals.

Personal data kept on University premises must be secured and should not be accessible to unauthorised staff. Where it is held on computer, workstations should not be left unattended in circumstances where an unauthorised person could access the workstation and the personal data.

The DPA defines eight (8) principles which we must abide by in processing personal data, namely that personal data must: 

1. be obtained and processed fairly and lawfully and only if certain conditions are met (see below)
2. be obtained for specified and lawful purposes and not be processed for any other purposes
3. be adequate, relevant and not excessive for those purposes
4. be accurate and up-to-date
5. not be kept for longer than is necessary
6. be processed in accordance with the rights of data subjects
7. be kept safe from unauthorised access, loss or destruction
8. not be transferred to countries outside the European Economic Area, unless to countries with equivalent levels of data protection

Conditions under which Personal Data must be held or Processed

The conditions referred to in (1) above are that:

No personal data can be held or otherwise processed unless one of the following conditions is met:

1. the Data Subject consents; or
2. the processing is necessary for
• the performance of a contract to which the data subject is party; or
• compliance with a legal obligation by the University; or
• the administration of justice; or
• functions of a public nature in the public interest; or
• the protection of the vital interests of the Data Subject; or
• pursuit of the legitimate interests of the University or any third party, except where the rights, freedoms and legitimate interests of the data subject are prejudiced

Requests for Information

Freedom of Information Act and the Environmental Regulations

The Freedom of Information Act (FoIA) gives anyone a right to access any recorded information held by UEA unless that information is covered by an exemption. The Environmental Regulations (EIR) make special provision for disclosing information related to the environment (the meaning of both ‘the environment’ and ‘related to’ is drawn very widely) but are in many ways similar to the provisions of the Freedom of Information Act. Recorded information includes all internal documents, emails, and data held for or generated by research. Of course, personal data should never be released, other than under the provisions of the DPA.

Exemptions

While the FoIA and EIR presume that we will make information available wherever we can, there are a number of exemptions under the FoIA/EIR which mean that information does not necessarily have to be disclosed. The application of these exemptions is not straightforward and in most cases the public interest in disclosure has to be weighed in the balance. Experience suggests that the exemptions most likely to be relevant are that the information:

• is already published;
• is intended for future publication;
• could prejudice the prevention or detection of crime;
• if published, would be prejudicial to the effective conduct of public affairs (including in the case of EIR, internal communications);
• could harm an individual;
• was provided in confidence to the University;
• is legally privileged;
• would be damaging to the commercial interests of anyone.

What is a request for Information?

A request does not have to mention the FoIA or EIR but must:

• be in a recorded format (e.g. print, email); and
• state the name of the requester and contain contact details (an email address is sufficient); and
• be clear enough to determine what exactly is being requested.

What do you do if you receive a request for Information?

If you routinely give out certain information to the public, staff and students, continue to give out this information as before.

If you receive a request for information which

• mentions the FoIA or EIR; or
• is not information you already routinely provide in the course of your work; or
• you have any doubts about the request;

you MUST pass the request immediately to your FOIA Contact. If your FOIA Contact is unavailable, pass the request immediately to Dave Palmer, UEA Information Policy & Compliance Manager. Act quickly! By law the request must be answered within 20 working days.

The FOI Contacts

There is an FOI Contact for each administrative unit and Faculty within the University. A link to the list of contacts can be found at intranet.uea.ac.uk/is/foi/foia-contacts

Other Points

• You should ensure that UEA records are well maintained and accessible so that colleagues can locate information needed to answer a request when you are not there.
• As all documents and emails could potentially be released under the Act, you should ensure that those you create are clear and professional.
• It is a criminal offence to destroy, conceal or amend information, data, emails or any other record that has been requested and you may be liable for prosecution if you do so. 

More about Personal Data and Freedom of Information

Useful links can be found at www.uea.ac.uk/is/strategies/infregs.

If you want a more ‘personal’ introduction to the Freedom of Information Act, the Staff and Educational Development Centre at UEA (CSED) offers a course twice yearly. Contact CSED or visit their website for further information or to book yourself on a course. You can also contact the Information Policy and Compliance Manager for advice and guidance.

Colleagues with established responsibility in relation to FoIA/EIR will receive specific training.
 
