This is the first of two posts based on a session I attended recently entitled What’s private and what’s public? Data Protection and Freedom of Information. This post does not constitute formal legal advice.
The Data Protection Act 1998 (DPA) is mostly concerned about information you must not disclose, whereas the Freedom of Information Act 2000 (FoI) covers information which you have an obligation to provide.
Personal data in libraries
In libraries, we hold information which is affected by the DPA, such as:
- Info about students themselves and their use of libraries – where they’ve been, what they’ve borrowed, name, address, email, etc.; as well as information about staff and possibly non-members of the University (external visitors)
- Other examples: trading information about customers (if your organisation has an online shop); personnel info about staff (such as the results of Criminal Records Bureau checks, employment records)
8 principles for handling personal data (personal data must):
- Be processed fairly and lawfully
- Be held only for specified purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up-to-date
- Not be kept for longer than necessary
- Be processed in accordance with the data subject’s rights
- Be kept secure
- Not be transferred outside the European Economic Area, unless the recipient country can ensure an adequate (equivalent) level of protection
How the University fulfils these criteria
- Be processed fairly and lawfully – our processing is lawful because we undertake it in pursuit of the legitimate interests of our business, namely providing readers with books. The University of Oxford asks its members (and external readers) to sign their agreement to the University holding the data when they apply for their University Card. The agreement reads: “I understand that the information will be collected and processed according to the provisions of the Data Protection Act 1998.”
- Be held only for specified purposes – the University is registered for lending and hire, education and training; and these cover all activities relating to the access and borrowing privileges of readers. This also means that we can’t use readers’ data for purposes beyond this remit without their permission
- Be adequate, relevant and not excessive – we only gather the data we need for library purposes
- Be accurate and kept up-to-date – when a reader informs us of a change to their details, we must update their record promptly
- Not be kept for longer than necessary – the main University Card database holds records indefinitely, as people may return for further study or employment. However, once a reader’s record expires, it is deleted from the library’s database
- Be processed in accordance with the data subject’s rights – the data subject has the right to inspect the data we hold about them; and if they believe that something is wrong and/or that damage or distress is being caused, they have the right to prevent processing of data about them, to rectify, block or erase data and to sue for damage being caused
- Be kept secure – we must not disclose personal data to unauthorised persons. Library staff are authorised persons because they are employees of the Data Controller. Take care with the angle of computer screens at enquiry desks so that readers can’t see personal info about other people. Don’t write passwords on notes kept by the computer. Ensure filing cabinets containing personal data are kept locked. Dispose of personal data securely (e.g. by shredding it). If students occupy a staff area, switch off computers immediately. It is good practice to lock computers [PC: Ctrl-Alt-Del and Enter] when not in use, even in staff-only areas
- Not be transferred outside the European Economic Area, unless the recipient country can ensure an adequate (equivalent) level of protection – for example, the USA does not have such provisions. Take care over the location of your servers and cloud computing services. If using a site like SurveyMonkey, you might choose to state that “this data will be processed in the USA”
A step beyond personal data, sensitive data is defined as information relating to:
- Racial or ethnic origin
- Political opinions
- Religious beliefs or similar
- Trade union membership
- Physical or mental health
- Sexual life
- Commission or alleged commission of any offence
- Proceedings relating to any offence or alleged offence
Sensitive data may only be recorded with the explicit consent of the person. If the person has disclosed some of this information to any one person in the University, the whole University is deemed to know, even though the info is secret and therefore probably not being passed on.
Data controller: person who determines the purposes for which and the manner in which any personal details are or are to be processed
Data processor: any person (other than an employee of the data controller) who processes the data on behalf of the data controller
Data subject: an individual who is the subject of personal data
Information captured by a closed-circuit television system counts as personal data. People should know they are being recorded: have a notice displayed to let them know, with contact details in case anyone has any queries.
If a CCTV screen is on display to readers or other members of the public, it must be recording a view of the place where they are, not somewhere else.
You may only circulate images from CCTV to people who really need to know. Images may be passed to the police if they ask us to supply them.
Claims by data subjects
Data subjects can ask to see all our records relating to them – within 21 days, for a small admin fee. Therefore, only record what you are prepared for the data subject to see!
Only the data subject can ask, or their representative with written consent. Only living people have rights under the DPA. In supplying records, we must not breach others’ DPA rights. Always refer to the University’s DP officer if in doubt.