Data Protection

Introduction to the Data Protection Act

The Data Protection Act 1998 (DPA) places responsibilities and obligations on the University in the way that it processes information about living individuals. The Act gives individuals certain rights and also specifies that those who record and use personal data must be open about how that information is used and must follow the eight Data Protection Principles (outlined below) when processing that information. The University is also required to notify its use of personal data to the Information Commissioner, where it is published in a public register.

The University administers its obligations under the Data Protection Act in accordance with its approved Data Protection Policy.

What does the Data Protection Act cover?

The DPA covers personal data, which is defined as data which relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or likely to come into the possession of, the data controller (the University).
The DPA recognises that certain types of personal data should be treated with particular regard. Such sensitive personal data includes data on ethnic or racial origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexuality, and criminal offences. 

What are the 8 Data Protection principles?

Under the DPA, personal data must be processed in accordance with the following eight Data Protection Principles. The term processing has a very wide application which includes the mere fact of holding data about a living individual, as well as the alteration, disclosure and destruction of personal information. The eight Data Protection Principles state that data must:

  1. be obtained and processed fairly and lawfully and only if certain conditions are met
  2. be obtained for specified and lawful purposes
  3. be adequate, relevant and not excessive for those purposes
  4. be accurate and up-to-date
  5. not be kept for longer than is necessary
  6. be processed in accordance with the rights of data subjects
  7. be kept safe from unauthorised access, loss or destruction
  8. not be transferred to countries outside the European Economic Area, unless to countries with equivalent levels of data protection

How does the Data Protection Act affect how the University uses personal data?

In addition to the eight Data Protection Principles, no processing of personal data is allowed under the Act unless one of the following conditions is met:

  • Data Subject Consent; or
  • Processing is necessary for
    • Performance of a contract to which the data subject is party
    • Compliance with legal obligation
    • Administration of justice, or
    • Functions of public nature in public interest
    • Protection of vital interests of the Data Subject
    • Pursuit of legitimate interests of the Data Controller 

For more specific guidance about the DPA for staff and students please visit our guidance page.
