Frequently asked questions about data protection

 Listed below are a number of frequently asked Data Protection questions, which we hope you will find helpful. If you have any other questions to ask, please get in touch with the College's Data Protection Officer, Catherine Mitchell, on x 41557, or by email: catherine.mitchell1@imperial.ac.uk

1. Does a list of colleagues' names, telephone numbers and e-mail addresses constitute a registerable database under the DP Act 1998?

Yes, any list of names which can be processed to find out information about a person is subject to the Act. Any such person has a right under the Act to be excluded from such a list if s/he can show that the publication of such a list could cause them substantial damage or distress.

2. Can I use personal data collected by a cookie from hits on my website to send these people details about a magazine I am publishing?

No. By capturing personal data in this way you can only use that data for the purpose you declared on your website assuming, that is, that you informed them of your intention to capture their data in the first place! A Data Subject has a right to be informed of any processing done on their data if it is different from the purpose originally declared and a right to opt out of such processing particularly if that purpose is Direct Marketing.

3. I have a pile of application forms and related papers on my desk left over from a series of interviews for a post in my department last year. The post was subsequently filled, so are these papers subject to the DP Act?

Yes. Such a pile of forms constitutes "manual data forming part of a relevant filing system" as it is possible to search through the file to find out information about a particular person. You have an obligation under the 5th Principle of the Act to keep personal data only for as long as is necessary for the purpose you collected them for. The application forms in your case have long since ceased to be necessary for the purpose and should be destroyed, thus saving you the obligation to keep the data up to date and the purpose registered.

4. One of the applicants for the job referred to above suspects he did not get it, because I was sent uncomplimentary information about him by his former boss and he has requested he see this information. Does he have a right to see it?

If he is correct in his assumption and you still hold that data he has a right to see it so long as, by giving him a transcript of it, you do not reveal the identity of any third party e.g. the originator of the data or another person referred to in that data. You must not personnaly hand the data over, but tell the person that there is a formal College procedure for Subject Access Requests and that he should contact either your departmental Data Protection Co-ordinator or the College Data Protection Officer.

5. I am told that it is unsafe to send personal data in an e-mail. Will a disclaimer at the end of my message safeguard that data?

E-mail messages are unsafe because they can be intercepted at many points when passing through the internet and a disclaimer does not prevent such an interception. It is of dubious legal value and may create a false sense of security whilst if fact you may be breaching the law by transmitting personal data in this way without adequate protection.

6. I am a registered postgraduate student of the College but am carrying out my research at a hospital in Middlesex where I collect personal data from patients there. This data is held on Trust-networked PC's. This use is registered through the Trust's notification, so do I need to complete a registration with the College as well?

No. So long as that data remains on the Trust's network and is not transferred to the College network you do not have to register this use with the College. If, with the authorisation of the Trust, you transfer that data to a College system, then if the data is not fully anonymised, it must be registered as a College database and in any case be protected with a level of security appropriate to the risks incurred by processing the data on that system.

7. I am a student and have just completed an examination paper this month (May) and think I have done badly. I would like to see what marks have been awarded for this paper before I sit my final papers next month and the results are officially published.

Under the DP Act 98 you do not have a right to see your examination paper, although you do have a right to see your marks. However, to do this you have to complete an official Data Subject Access Request form obtainable from the College Data Protection Offcier. Even then the College can withhold your marks until 5 months after the completion of the examination or 40 days after receiving your request, whichever is the longer. If, however, you fear that you have done badly and you do not wish to have your results published on the College notice board you have a right to request that they be not so published.

8. I run courses on behalf of my department which are attended by academics from other institutions and commercial organisations. I maintain a database of those who have attended in order to notify them of future courses. I have been asked by a commercial organisation if I will let them have for a fee, a copy of my database so that they can make contact with these people to give them details of their products. The fee will help considerably with funding future courses, but am I allowed to do this under the DP Act 98?

In registering with you, presumably you informed them of you intention to use their data for sending information about future courses. However, if at the same time you did not give them the chance of opting out of disclosing their data to related commercial companies then you cannot pass on this personal data. As for selling the database you need to register not only the Direct Marketing purpose, but also the trading of the database.