Checklist for Data Protection Advisers
Ensure that staff in your Department know the following:
- Staff may not hold personal data without consent or good reason;
- Staff should be particularly careful with sensitive data (see University's guidance - Processing of Personal Data);
- Staff should not give personal data to third parties without consent or good reason (see University's guidance - Exemptions from Data Protection Legislation);
- Staff should seek permission from the Information Rights Manager and/or the University Secretary prior to sending personal data outside the EEA;
- Staff should seek permission prior to putting personal data on the Internet, aside from basic information which is a condition of employment or acceptance as a student (see Rules and Regulations for Students, Student Declaration and the Staff Handbook);
- Staff should be accurate and measured in what they write on paper and in emails about students and other members of staff (see sections 3 to 5 of University guidance on Subject Access Requests);
- When writing references, staff should refer to the University's guidelines for writing references;
- Any data protection queries should be sent to the Information Rights Manager at email@example.com.
- Keep secure all personal files in the Department, whether on paper or on computer;
- Remind staff of the need for care if taking personal data home (see University's guidance - Security Measures);
- If students disclose sensitive data/information, for instance about their health, ensure that it is revealed only to those members of staff who need to know it, if necessary by a separate filing system;
- Do not sell or give away Departmental computers until they have been checked by Information Services as cleared of all personal data;
- Ensure that a member of staff is responsible for checking at least annually that personal data in personal files is up to date and accurate and unnecessary documents are thrown away;
- Ensure that confidential waste is always shredded, and not simply put into a waste paper basket or recycling bin;
- Ensure files are sent to be filed centrally once a student or member of staff has left the Department;
- Ensure files relating to staff and student applications are not kept for more than one year (see University's Guidelines on Recommended Minimum Period for Retention).
- Ensure that the originals of all documents relating to an individual are on the official Departmental file;
- Ensure the Department is so organised that it can respond within seven days to a request for disclosure of personal information made to the Information Rights Manager;
- Subject to the rights of others to confidentiality, encourage openness about personal data being held on individuals.
- Inform external examiners that their reports are no longer confidential and the student about whom they are written may see them on request (see University's guidance on Examinations and Data Protection).