Data Protection Policy
The amount of personal information about individuals which is held by people and companies has increased greatly in recent years. The Data Protection Act 1998 ('the DPA') sets out the rules for how personal information about living individuals should be held and used, particularly sensitive data such as gender, racial or ethnic origin. The DPA also gives individuals the right to find out what personal data is held about them either electronically or in a relevant filing system, and to see and correct personal data held. Technical terms used in the DPA, such as personal data, data subject, and relevant filing system are defined in Annex 1 below.
This personal data must be dealt with properly however it is collected, recorded and used whether on paper, in a computer, or recorded on other material - and there are safeguards to ensure this in the Data Protection Act 1998. The 1998 Act provides for wider access to data than the previous 1984 Act, covering both electronic and some manually-held data. The Freedom of Information Act 2000 ('the FOI Act') has amended the 1998 DPA, and the DPA now covers both structured and unstructured manual records.
The AHRC context
The Arts and Humanities Research Council (AHRC) needs to collect and use certain types of information about people with whom it deals in order to operate:
- people who have applied for or been awarded funding for research or postgraduate study or in connection with support for museums and galleries
- members of council, boards, committees, and peer review bodies
- past, current and prospective employees
- suppliers, external stakeholders, and others with whom the AHRC communicates.
In addition, the AHRC may occasionally be required by law to collect and use certain types of information of this kind to comply with the requirements of government departments.
Information is the foundation of the operations of the AHRC and it is essential that information is handled effectively and reliably. The AHRC is committed to operating in accordance with relevant legislation and to ensuring staff are appropriately trained and supported to achieve this. We regard the lawful and correct treatment of personal information by the AHRC as very important to successful operations, and to maintaining confidence between ourselves and all those with whom we deal. We ensure that the AHRC treats personal information lawfully and correctly.
To this end we fully endorse and adhere to the eight Principles of data protection, as set out in the Data Protection Act 1998.
Data Protection Principles
Specifically, the eight Principles of the DPA require that personal information:
- shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met;
- shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- shall be accurate and, where necessary, kept up to date;
- shall not be kept for longer than is necessary for that purpose or those purposes;
- shall be processed in accordance with the rights of data subjects under the DPA (These include: the right to be informed that processing is being undertaken: the right of access to one's personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is factually inaccurate or misleading.), and that
- appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
- shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The AHRC will manage appropriately and apply strict criteria and controls to ensure that it implements the DPA in accordance with the eight data protection principles listed above, and with relevant government standards and guidance. In particular it will:
- ensure that information is collected, processed, held, transferred and disposed of appropriately, with care for its quality and security, and
- ensure that the rights of people about whom information is held can be fully exercised under the DPA, including the right to access information.
In addition, the AHRC will ensure that:
- staff understand their responsibilities with respect to the proper handling of data, including their own contractual responsibility for good practice and their responsibility for data handling by other staff through the management, supervision, training and performance monitoring of those staff,
- there is someone with specific responsibility for data protection in the organisation,
- anybody wanting to make enquiries about handling personal information knows what to do and enquiries are dealt with promptly and courteously,
- the requirements of the DPA are considered in key decision-making processes, such as in the development of policy and procedures and the design and the implementation of information systems and the monitoring and evaluation of operational systems and performance, and
- methods of handling personal information are clearly described and the way personal information is handled and managed is regularly reviewed and audited.
More detailed guidance will be provided in notes of guidance for staff.
Rights of employees and other data subjects
The AHRC's Data Protection Officer can provide advice for individuals on how to request information from the AHRC. Upon making a request in writing (including by electronic means), an individual data subject is entitled, within 40 days of making the request:-
- to be informed by the data controller whether it or a third party is processing that individual's personal data,
- if so, to be given a description of the data, the purpose(s) for which they are being processed and those to whom they are or may be disclosed,
- to be supplied with all the information which forms any such personal data, in permanent form, normally by way of a copy, and
- to be supplied with any information as to the source of those data.
The AHRC may charge a fee for this, which will be no more than £10. Some information held by the AHRC does not need to be provided to the data subject.
Comments and complaints
Individuals who want to comment on the way the AHRC deals with data protection should contact the AHRC's Data Protection Officer by email.
Anyone who wants to make a complaint about the AHRC's processing of their data, or who is not satisfied with the AHRC's handling of their request for information, should contact the AHRC's Data Protection Officer by email in the first instance.
If they are still unsatisfied, they are entitled to contact the Information Commissioner by email email@example.com or telephone 01625 545745.
The Data Protection Act 1998 uses a number of key definitions as follows:
- Data - Information which is
- being processed by means of equipment operating automatically in response to instructions given for that purpose, or
- which is recorded with the intention that it should be processed by means of such equipment, or
- which is recorded as part of a relevant filing system (see below)
- other recorded information held (applicable to public authorities only, under FoI Act 2000)
- Personal Data - Information relating to a living individual who can be identified from the data or from other information which is in, or is likely to come into, the possession of the data controller. It includes any expression of opinion about the individual and any intentions of the data controller or any other person in respect of the individual. Some personal data, including confidential references given (not received), consideration of suitability for honours, management forecasts and career planning, are exempted the DPA.
- Sensitive Personal Data - Personal information relating to racial or ethnic origin, political opinion, religious beliefs, trade union membership, sexual life, physical or mental health, commission or alleged commission of any offence.
- Processing - Obtaining, recording, holding information or carrying out any operation on the information such as organising, retrieving, consulting, disclosing and erasing. This is a far wider definition than that which applied for the 1984 Act.
- Data Subject - An individual about whom personal information is held.
- Data Controller - An individual or organisation which determines the purpose(s) for which, and the manner in which, any personal data is (or is to be) processed.
- Relevant Filing System - Any set of manual information relating to individuals to the extent that, although the information is not processed automatically, the set is structured either by reference to individuals or by reference to criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible.
- Subject Access Request - A request by a data subject, to the data controller, asking to see their personal data.
Approved by the AHRB Board of Management 17th December 2004.