Code of Conduct for Handling Personal Data using Information Technology Systems
The use of computers, networks and other systems for handling personal data is governed by the Data Protection legislation and associated statutory instruments. The University has also published a Data Protection Policy with which all staff and students and any other persons using personal data on behalf of the University must comply.
Personal data means data that relate to a living individual who can be identified either from that data alone, or from that data used in conjunction with other information that is held or likely to be held. The University requires users of personal data to adhere to the eight principles of the Data Protection Act:
1. The data shall be obtained and processed fairly and lawfully, and in particular, shall not be processed unless at least one of the conditions set out in Schedule 2 and, where appropriate, one of the conditions in Schedule 3 of the Data Protection Act 1998 is met.
2. The data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. The data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. The data shall be accurate and, where necessary, kept up-to-date.
5. Data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. The data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of the data and against accidental loss or destruction of, or damage to, the data.
8. The data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Staff and students must only process personal data for the purposes covered in the University's entry in the Data Protection Register maintained by the Information Commissioner's Office. Staff or students who wish to process personal data for additional purposes must inform the Records Manager (the University's Data Protection Officer) before this processing is undertaken. The University's current entry is available through http://www.ico.gov.uk/ESDWebPages/search.asp
Further information about Data Protection can be obtained from the Records Manager in the Governance Support Unit, from the University's Data Protection webpage at http://www.dur.ac.uk/data.protection/ or from the Information Commissioner's Office website at www.ico.gov.uk
