DP guidance

The Data Protection Act in a nutshell.

Guide 3 - Brief Data Protection guide a


The EU Data Protection Directive (95/46/EC) took effect in the UK from the 24 October 1998. The Directive is implemented in the form of the Data Protection Act 1998 which came into force on the 1 March 2000.

The Act contains elements from the previous legislation (i.e. the 1984 Act), for example, the Data Protection Principles of good practice; a registration/notification system; and the data subject's right to have access to his or her personal data and to correct it where inaccurate. However the Directive imposed additional requirements which are reflected in the new law.

The Data Protection Act 1998 imposes stringent requirements with which the College, as an organisation holding personal data, must comply. All processing of personal data must be fair and lawful, accurate and up-to-date, and the data must be adequate, relevant, not excessive and be held for no longer than is necessary. It is mandatory that appropriate technical and procedural measures are taken to cover the security of personal information. This relates, among other things, to prevention of unauthorised or unlawful processing or disclosure of data, as well as accidental loss or destruction of, or damage to, personal data. Special conditions apply to sending personal data outside the European Economic Area (EEA), including transmitting it via the Internet.

Data held in manual or paper form (as part of a relevant filing system) is covered by the Act and therefore processing must comply with the Act.

The College's Data Protection Policy and Codes of Practice detail the rights and responsibilities of staff, students and other authorised individuals who process information on behalf of the College. If you have any further queries please contact your departmental/divisional Data Protection co-ordinator.


Proper security measures must be applied for all methods of holding or displaying personal data and appropriate measures taken to prevent loss, destruction or corruption of data. The following general advice is given:

Computers that can access personal data should not be left unattended when logged on and the screen should always be cleared of personal data after use
Staff who have contact with personal data must take care that this is kept away from people not entitled to see it
Printouts should be stored securely when not in use and shredded when no longer required
Passwords should be changed regularly and not disclosed to unauthorised persons. Staff who are processing personal data locally should ensure that floppy disk files of personal data are removed from their machine and stored securely when not in use and are erased and reformatted when no longer required, and that personal data held on permanent hard disk have adequate protection, e.g. password access.