The principles are that personal information shall be:
- Fairly and lawfully processed (in particular that the individual whose information it is has consented to the processing of his/her personal information)
- Processed for limited purposes (only for the purposes for which it was originally supplied. University departments receiving personal information from individuals are obliged to ensure such individuals are fully aware of what we will use this information for. Staff should NOT assume that the provision of personal information gives the University the right to use that information for any purpose).
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept longer than is necessary (personal information should only be retained by the University for as long as is required to fulfill the purposes for which it was originally provided. Beyond this point it should be securely destroyed. Please see the University's Records Management Policy and Records Retention Schedule for guidelines on how long certain types of information should be kept).
- Processed in accordance with the data subjects' rights (not to do anything with the information which would prejudice the rights of the individual in any way).
- Secure (from the point at which personal information is received until the point at which it is destroyed, such information must be processed securely. University departments are obliged to ensure they have appropriate mechanisms in place to ensure adequate security for the storage and transmission of all electronic and paper records containing personal information, particularly more sensitive personal information. Advice on how to process electronic information securely can be found at the University's website on Information Security. BE AWARE that the loss, disclosure or unplanned destruction of personal information can lead to legal action being taken against the University).
- Not transferred to a country or a territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection (if you need to transfer data in this way, please consult the Legal Compliance Team at infocompliance at warwick dot ac dot uk who can offer advice).
Staff, students and members of the University must comply with the eight data protection principles.
Definitions as set out by the Information Commissioner's Office covering electronic and hardcopy information:
Personal data refers to data which relate to a living person who can be identified from the data or from the data and other information in the possession of, or likely to come into the possession of the party holding the data.
Sensitive data refers to data which relate to a living person who can be identified from the data or from the data and other information in the possession of, or likely to come into the possession of the party holding the data and which consists of information relating to the following:
- racial/ethnic origin
- political beliefs, affiliations with trade unions
- religious beliefs
- medical history
- sexual life
- commission/alleged commission of any offence including any proceedings relating to offences (alleged or otherwise)
- financial details (i.e. card details) when coupled with other personal data