Guidance and Codes of Practice

The Codes of Practice within this section will assist staff and students in ensuring their obligations under the Data Protection Act are carried out.

Code of Practice 1 - handling of personal data

1. Introduction

Print: Code of Practice 1

1. Introduction

1.1 This Code of Practice, drawn up in association with the College's Data Protection Policy, relates to the collection, holding and disclosure of data relating to individuals. The Code provides best practice for staff and students of the College and other authorised persons who collect, process, disclose or have access to personal data in whatever medium that data is held. In the terms of the DPAct98 "processing" covers all aspects of handling personal data, including obtaining, recording, holding, retrieving, collating, disclosure, erasure and destruction of data.

2. Registration and notification

2.1 The College has an obligation to notify the Data Protection Commissioner of collections of personal data held by its members and other authorised persons on computers or in relevant filing systems. If you hold or control personal data you must ensure that your use, or processing, of it is in accordance with the College's notification. You should inform the relevant Data Protection Co-ordinator (DPC) [2] when a new dataset has been established or if the purpose for which personal data stored in a dataset, which has already been registered, has changed.

2.2 Any personal data held in networked datasets must be registered with the College Data Protection Officer by the CAU controlling the dataset through the relevant Data Protection Co-ordinator.

2.3 Anyone extracting personal data from a networked dataset to form their own dataset should register this new dataset, and the purpose for which it is being used, with their CAU's Data Protection Co-ordinator. Data Protection Co-ordinators will advise the College Data Protection Officer of it and s/he will decide if an amendment is required to the College's notification.

2.4 When applying to the College Data Protection Officer for registration or amendment to the College's notification, broad descriptions of the following are required:

  • the classes of personal data held;
  • the purposes for which it is used;
  • the sources from which the data has been obtained;
  • types of people to whom the data may be disclosed;
  • those countries to which the data may be transferred.

2.5 The College's Data Protection notification is in the public domain and can be accessed via the website of the Information Commissioner's Office ( It is also available for inspection, by arrangement, in the Central Secretariat. It should be noted that a register entry only shows what a data user is registered to do; it does not reveal whether the data user holds specific personal information on an individual.

3. Collecting and processing of personal data

3.1 Collection of Personal Data

3.1.1 Staff, and to some extent students, in CAUs collect both standard and sensitive personal data on employees, students and other individuals.

3.1.2 Most personal data which is collected on a day-to-day basis will be "standard", i.e. for general administrative purposes, and will cover categories such as:

  • General personal details such as name, address, date of birth and next of kin;
  • Details about class attendance, course-work marks and grades and associated comments;
  • Notes of personal supervision, including matters about behaviour and discipline;
  • Management of student clubs and societies.

3.1.3 Data Subjects must be informed of the purposes for which data are being collected at the point of collection. Any additional processing which is done in CAUs will necessitate the Data Subjects in those units being given the opportunity to opt out of such processing.

3.1.4 Some types of data are deemed to constitute sensitive data, a definition of which is given at Appendix 1, and such data, with a few exceptions, can be collected and processed only with the individual's explicit consent.

3.2 Processing all Standard Data

3.2.1 Data Users have a duty to make sure that they comply with the Data Protection Act and handle personal data in accordance with the data protection principles, which are set out in the College Data Protection Policy. In summary these state that personal data shall:

  • Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
  • Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
  • Be adequate, relevant and not excessive for those purposes.
  • Be accurate and kept up to date.
  • Be kept only for as long as is necessary for that purpose.
  • Be processed in accordance with the Data Subject's rights.
  • Be kept safe from unauthorised access, accidental loss or destruction.
  • Be transferred to a country outside the European Economic Area, only where that country has equivalent levels of protection for personal data.

3.2.2 All personal data must be held securely and in confidence, subject to the disclosure provisions set out in this Code, and in accordance with the College's Information Systems Security Policy. All persons having access to such data shall treat as confidential all information about an individual (which is not otherwise in the public domain) which they may learn in the course of their work. They shall not communicate it to other persons or bodies except in accordance with this Code of Practice and the College's DP notification with the Information Commissioner.

3.2.3 Before processing any personal data, members of the College and other authorised individuals should study the checklist for recording data (Appendix 1).

3.2.4 Where any of the Data Protection principles are not followed data users may find themselves subject to College disciplinary procedures. If, in addition, a data subject suffers significant damage or distress as a result, the individual Data User, as well as the management of the College, may be subject to investigation and liable to prosecution under the Act by the Data Protection Commissioner.

3.3 Processing Sensitive Data

3.3.1 The 1998 Act introduces a number of restrictions and conditions on data controllers who want to record and process this type of data, including an obligation to obtain the "explicit consent" of the relevant individual, before doing so.

3.3.2 CAOs will authorise certain individuals as the only persons in each CAU authorised to hold or process sensitive data.

3.3.3 The only exception to this will be if a non-authorised person member is satisfied that the processing of the data is necessary:

  • in the best interests of the Data Subject, or the College; AND
  • he or she has either informed the authorised person of this, or has been unable to do so and processing is urgent and necessary in all the circumstances. In such instances, the non-authorised person must inform the authorised person of their action as soon as possible t hereafter.

3.3.4 Authorised persons will be responsible for ensuring that all sensitive data is kept securely, whether held electronically or in a relevant manual filing system.

3.4 Disclosure of Personal Data to Third Parties

3.4.1 All disclosures of personal data must be consistent with the College's notification under the Data Protection Act which registers the purposes for which data is processed.

3.4.2 No data relating to a particular student, member of staff or oth e r individual acquir ed i n th e course of an individual's duties should be disclosed to anyone (includ ing other students or staff) unless:

  • required for normal academic, administrative or pastoral purposes of College business, or
  • the individual concerned has given permission, or
  • they are required to do so in the discharge of regulatory functions or required by legislation, or
  • in the case where, even though prior consent has not been given, disclosure is deemed to be needed to protect the vital interests of the Data Subject or it is required for the prevention or detection of crime or the apprehension or prosecution of offenders, or
  • it is used for research purposes, where special conditions apply.

3.5 Transfer of Data Overseas

3.5.1 Posting personal data to the World Wide Web constitutes transfer of data worldwide. Subject to taking appropriate security measures, as set out in 3.6 below, personal data may be transferred to countries in the European Economic Area (EEA) without further restriction.

3.5.2 Personal data may be transferred to a country or territory outside the EEA only where:

  • it is required for the performance of a contract between a Data Subject and a Data Controller, or
  • for taking steps at the request of a Data Subject with a view to entering into such a contract, or
  • where specific and informed consent of the Data Subject has been obtained for effecting such a transference, or
  • where it has been established that the country/territory exercises a level of protection of that personal data sufficient to ensure the rights and freedoms of the Data Subject in the processing of that data.

3.5.3 Proper records must be kept justifying any decision made about such exempted transfers, or clear evidence can be demonstrated showing the Data Subject had given consent to the transfer, having been suitably informed.

3.5.4 In the absence of a sponsorship arrangement between the College and an external body in respect of a particular student, personal data should not be disclosed in response to a request from non-EEA governments, agencies or organisations for the purposes of assessing the names, numbers and whereabouts of foreign nationals studying overseas without specific informed consent of the Data Subject(s) concerned, nor should such data be disclosed to such bodies for the purposes of determining liability to attend National Service without such consent.

3.6 Security

3.6.1 Proper security measures must be applied to all methods of holding or displaying personal data and appropriate measures taken to prevent loss, destruction or corruption of data. For fuller details on security measures see the College Information Systems Security Policies, associated Codes of Practice and Guidelines on the College website.

3.6.2 Staff, students and authorised third parties are not permitted to remove from the College personal data with the intention of processing this information elsewhere, unless such use is authorised by the Data Owner and that authorisation recorded. Removing data in this way must not compromise the standards of security operating within the College, and the Data Protection Principles should be observed at all times. This includes the storage and processing of data on external Personal Storage Sites e.g. iSpace or

3.7 Subject Consent to Processing

3.7.1 Agreement to the College processing some specified classes of personal data for normal College administrative purposes is a condition of acceptance of a student on to any course, and a condition of employment for staff. Therefore, all prospective staff and students will be asked to sign a Consent to Process form regarding particular types of information when an offer of employment or offer of a course place is made. A refusal to sign such a form could result in the offer being withdrawn.

Appendix 1 - checklist for recording and retention of personal data

  1. Do you really need to record the information?
  2. Is the information "standard" or is it "sensitive"?
    1. If it is sensitive, do you have the Data Subject's express consent?
  3. if you do not have the Data Subject's express consent to process, are you satisfied that it is in the best interests of the Data Subject to collect and retain the sensitive data?
  4. Has the data subject been told how the data will be processed?
  5. Are you authorised to collect/store/process the data?
  6. If yes, have you checked that the data are accurate?
  7. Is it clear who else has a right to access/process these data?
  8. Do you have mechanisms in place to ensure that the data are kept securely whether held electronically or in a relevant filing system?
  9. Are you clear as to how long you may retain these data?
  10. Do you have procedures in place to ensure that the data are kept up to date?
  11. Do you have procedures in place to remove these data securely when it is no longer needed?
  12. Do you have procedures in place to remove these data where a data subject exercises their right for it not to be processed;

[1] A collection is normally a dataset of information held electronically or information in a relevant filing system as defined in the Data Protection Act 1998. It is identified by a broad description of the data, and what the user intends to do with it, rather than any specific detail.

[2] Each Department/Division/Centre, Academic Service, College Central Administration Division, the Imperial College Union and each wholly-owned College Company, known as College Administrative Units (CAUs) has a Data Protection Co-ordinator

Code of practice 2 - handling of patient data

Processing patient data on computers attached to the College network

Print: Code of Practice 2

Processing patient data on computers attached to the College network

1. It is recognised that some research, particularly clinical, requires the processing and/or storage of personal and sensitive information relating to living individuals e.g. patients. All such activity is governed by the Data Protection Act 1998 and members of College must comply with the Act and process/store all personal information in accordance with the eight Data Protection Principles shown at the end of this note.

2. It is a condition of Use of Information Technology (IT) Facilities at Imperial College that members of College may only process and/or store information relevant to their College work on computers, portables, desk-top or servers, attached, permanently or temporarily, to the College network. Examples of processing and/or storage include e-mail messages (whether stored locally, or on a College server), word processed documents, medical images, databases and Web pages. Processing of data for patient management purposes is not permitted on the College network or equipment connected to it.

3. With respect to the security of personal data (Principle 7 below) it must be noted that the College network is widely and legitimately accessible across the campus and from the internet via its connection to JANET. In terms of the processing and storage of personal data, the network must be regarded as being insecure, having no access restrictions. Consequently, any identifiable patient data stored on any computer connected to the academic network must be encrypted and/or secured behind an appropriate firewall. It is not sufficient to rely on normal system passwords. It is also not acceptable for unencrypted personal data to pass across the College network.

4. Information relating to the clinical management of patients under the care of an NHS Trust typically belongs to that Trust (and not to the individual clinician), irrespective of the usage to which the data is being put, i.e. clinical diagnosis or research purposes. However, in the latter case, the data may well be transferred to a third party, such as the sponsor of a study. Information obtained on patients and healthy volunteers specifically for the purpose of a research study, i.e. beyond normal clinical care, will belong either to the study sponsor or the investigator.

5. In all cases, it is a requirement of the Data Protection Act that the explicit consent of the Data Subject be obtained, by the Data Owner, before any such sensitive data are stored or processed. The Data Owner may be a Trust, a sponsor or the investigator. When seeking consent, Data subjects should be informed of the purposes for which it will be used, in accordance with the first principle, and the likely recipients to whom their information could be disclosed (e.g. the College if the data has been collected by the Trust). Where such data are to be processed on a computer connected to the College network, or passed across that network, a separate registration of the data must be made with the College Data Protection Officer through your Departmental/Divisional Data Protection Co-ordinator.

6. To summarise, data on living individuals e.g. clinical data, collected for whatever purpose, must not be stored or transmitted on the College network unless both registered and adequately protected to prevent disclosure of that data to unauthorised persons. This requires either that adequate security measures are in place or that the data are adequately anonymised. It should be noted that where the data has been codified there exist separate records, electronic or paper, which enable the individual to be ultimately identified, then that data is not fully anonymised and falls under the Act. Thus it must be registered, properly processed in accordance with the Act and adequately protected.

Code of practice 3 - access to personal data by subjects

1. Introduction

Print: Code of practice 3

1.1 This Code of Practice, drawn up in association with the College's Data Protection Policy, relates to the access by individuals to data relating to themselves. The Code provides procedures for past and present staff and students of the College and other third parties (Data Subjects) to access the personal data held on them in College systems in whatever medium that data is held, and for dealing with requests for such subject access.

2. Access to personal information

2.1 The College respects the right of individuals to check the accuracy of any personal data that is being kept about them, either on computer or in a relevant filing system, as defined in the DPAct98.

2.2 Exceptions to 2.1 are:

  • where disclosure would simultaneously disclose data about another person (unless that person consents to the disclosure);
  • third party references and examination marks (see paragraphs 3 and 4 below for further information)

2.3 Any Data Subject wishing to gain access to personal data held about them may do so by the submission of a request in writing to the Data Protection Officer together with the payment of a fee, as required under DPAct98, on each occasion that access is requested. The College aims to comply with requests for access to personal data as quickly as possible, but will ensure that it is provided within 40 days of receipt of the application form and fee, unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the Data Subject making the request.

2.4 A copy of the standard request form for "Access to Personal Information" is available on our website from the Central Secretariat, the CAU Data Protection Co-ordinator or from the Registry (in the case of students) or Personnel (in the case of staff and other Data Subjects).

3. Confidential references

3.1 References Issued by or on Behalf of the College

Confidential references issued by the College or an individual member of it in the performance of College duties are exempt from subject access where these references relate to:

  • education , training or employment of the Data Subject;
  • appointment of the Data Subject to any office;
  • provision by the Data Subject of any service.

3.2 References Received by the College

3.2.1 Confidential references received by the College are not exempt from the right of access by the subject to whom they refer, but consideration must be given by those receiving a request for access to any potential breach of confidence of a referee by such a disclosure. Information contained in a reference need not be provided if the release of this information would identify a referee unless:

  • the identity of the referee can be protected by anonymising the information;
  • the referee has given his/her consent;
  • it is reasonable in all the circumstances to release the information without consent having been given.

In cases where a confidential reference discloses the identity of an organisation, but not an identifiable individual, as referee, disclosure will not breach data privacy rights.

3.2.2 Where, in response to a Subject Access Request, the College declines to disclose a reference received in confidence from a referee, it will supply clear reasons in writing for doing so. Members of the College may not refuse to disclose references received in confidence from referees without providing, in writing, the reasons for the refusal.

4. Examinations

4.1 In accordance with DPAct98, information recorded on their scripts by students during an examination are exempt from subject access. However, students are entitled to information about their marks for both coursework and examinations. In accordance with the Act, this will be made available either 5 months from the day on which the Data Protection Officer received the request and any fee which may apply, or 40 days from the announcement of the examination results. The College, however, reserves the right to withhold certificates, accreditation or references in the event that the full course fees have not been paid, or all books and equipment returned to the College.

4.2 A Data Subject has a right to request a copy or summary "in an intelligible form" of any comments made on an examination script by an examiner, within the same periods as laid down for access to examination marks and subject to the same fee.

4.3 A Data Subject has a right of access to those parts of Minutes of Examination Boards or special circumstance committees which contain discussion about themselves where they are named or referred to by identifiers from which the candidate may be identified, unless the data cannot be disclosed without additionally disclosing personal data about a third party.

Code of practice 4 - CCTV

1. Introduction

Print: Code of practice 4

The use of CCTV systems across the sites of HE institutions to ensure site security and personal safety has become common practice. As a user of such systems the College has to comply with the provisions of the Data Protection Act 1998. Compliance with this Code of Practice, notably with those standards that are directly based on the Data Protection Principles and the Act, will aid the users of CCTV systems and similar surveillance equipment in meeting their legal obligations.

2. Initial assessment procedures

Before installing and using CCTV and similar surveillance equipment or, retrospectively for systems already in operation, users will need to establish the purpose or purposes for which they intend to use the equipment, as the First Data Protection Principle requires Data Controllers to have a legitimate basis for processing personal data, in this case images of individuals. Hence the following procedures should be carried out:

  1. Assess the appropriateness of, and reasons for, using CCTV or similar surveillance equipment and document this process.
  2. Establish the purpose of the scheme.
  3. Establish the person or persons responsible for ensuring the day-to-day compliance with this Code of Practice.
  4. Establish the associated security and disclosure policies.
  5. Obtain the approval of the College Data Controller or his/her nominee for this activity.

3. Siting the cameras

It is essential that the location of the equipment is carefully considered, because the way in which images are captured will need to comply with the First Data Protection Principle. The following standards should be met:

  1. The equipment should be sited in such a way that it monitors only those spaces which are intended to be covered by the scheme.
  2. The user should consult with owners of adjacent spaces if images from those spaces might be recorded.
  3. Operators must be aware of the purpose(s) for which the scheme has been established.
  4. Operators must be aware that they are permitted to use the equipment only to achieve that purpose for which it has been installed.
  5. If cameras are adjustable by the operators, this should be restricted so that operators cannot adjust them to over look spaces which are not intended to be covered by the scheme.
  6. If it is not possible physically to restrict the equipment to recording images from those spaces intended to be covered by the scheme, then operators should be trained in recognising the privacy implications of such spaces being covered.
  7. Signs should be placed so that the public are aware that they are entering a zone which is covered by surveillance equipment.
  8. The signs should be clearly visible to members of the public.
  9. The signs should be of an appropriate size.
  10. The signs should contain the following information:
    1. the identity of the person or organisation responsible for the scheme,
    2. the purposes of the scheme,
    3. details of who to contact regarding the scheme.
  11. Where covert surveillance is carried out to obtain evidence of a specifically identified criminal activity and the use of signs would prejudice the success of obtaining such evidence, they need not be displayed, but the information so obtained must only be for the prevention or detection of criminal activity and should not be retained for any other purpose.
  12. When the purpose of a particular surveillance operation has ceased that surveillance must be discontinued.

4. Quality of the images

It is important that the images produced by the equipment are as clear as possible in order that they are effective for the purpose(s) for which they are intended. The following standards should therefore be observed:

  1. Carry out an initial check on installation to ensure that the equipment performs properly.
  2. Ensure that, where tapes are used they are of good quality.
  3. Images should be retained for no longer than 30 days.
  4. Media should not continue to be used once it becomes clear that the quality of the images has begun to deteriorate.
  5. If the system records features such as the location of the camera and/or the date and time reference, these should be accurate and there should be a documented system for ensuring their accuracy; where the date and time are not recorded automatically this must be done manually.
  6. Cameras should be situated so that they will capture images relevant to the purpose for which the scheme has been established.
  7. Users should assess whether it is necessary to carry out real time recording, or whether the activity or activities about which they are concerned occur at specific times.
  8. Cameras should be properly maintained and serviced to ensure that clear images are recorded and a maintenance log kept.
  9. Cameras should be protected from vandalism in order to ensure that they remain in working order.
  10. If a camera is damaged there should be clear procedures for defining the person responsible for getting it repaired and for ensuring that the camera is fixed within a specific time period.

5. Processing the images

To maintain the integrity of the images and to protect the rights of the individual, the following standards should be maintained:

  1. Monitors displaying images from areas in which individuals would have an expectancy of privacy should not be viewed by anyone other than the staff authorised to use the equipment.
  2. Access to recorded images should be restricted to the person responsible for managing the scheme (the Data Owner) or his/her nominee who will decide whether to allow requests for access by third parties in accordance with the College's documented disclosure policies (ie. in its Data Protection notification to the ODPC).
  3. Viewing of recorded images should take place in a restricted area to which other staff do not have access.
  4. Removal of the medium for the viewing of recorded images within the College should be documented to record the person removing the images, the person viewing them, the reason for viewing, the outcome, if any, of the viewing and the date and time the images were returned to the system.
  5. All operators and other employees with access to images should be made aware of the procedures to be followed when accessing recorded images.
  6. All operators should be trained in their responsibilities under this Code of Practice and they should be aware of the security and disclosure policies pertaining to the scheme and the rights of individuals in relation to their recorded images.
  7. Where images are retained, it is essential that their integrity be maintained, whether to ensure their evidential value or to protect the rights of the people whose images may have been recorded.
  8. Images should not be retained for longer than is necessary; once the retention period has expired, the images should be removed or erased.
  9. If the images are retained for evidential purposes, they should be kept in a secure place to which access is controlled.
  10. On removing the medium on which images have been recorded for use in legal proceedings, the operator should ensure that s/he has documented the date on which the images were removed from the general system for such use, the reason for doing so, a ny crime incident number to which the images may be relevant, the new location of the images and the si gnatu re of the person collecting the images.

6. Access to and disclosure of images to third parties

It is important that access to, and disclosure of, the images recorded by CCTV and similar surveillance equipment is restricted and carefully controlled, not only to ensure that the rights of the individual are preserved, but also to ensure that the chain of evidence remains intact should the images be required for evidential purposes. Staff should maintain the following standards:

  1. Access to recorded images should be restricted to those staff who need to have access in order to achieve the purpose(s) of using the recording equipment.
  2. All access to the medium on which images are recorded should be documented.
  3. Disclosure of recorded images to third parties, whether members of the College or not, should only be made in limited and prescribed circumstances.
  4. All requests for access or for disclosure should be recorded and, if access is denied, the reason should be documented.
  5. If access to or disclosure of images is allowed, then the following should be recorded:
    1. the date and time access was allowed or disclosure made.
    2. the identification of any third party who was allowed access or to whom disclosure was made.
    3. the reason for allowing access or disclosure.
    4. the extent of the information to which access was allowed or which was disclosed.

7. Access by data subjects

The Data Protection Act 1998 gives data subjects rights to access any personal data held on them by employers and other agencies, including visual data collected by CCTV cameras and other surveillance equipment. The following standards should be maintained:

  1. Staff involved in operating CCTV and other surveillance equipment should be aware of the College procedures for dealing with subject access requests and with the rights of the individual concerning subject access under the DP Act.
  2. Data Subjects who wish to view images of themselves that they believe have been captured on CCTV should submit a standard subject access request form. In order to enable the College to locate the relevant images, Data Subjects will need to provide certain information in order to identify themselves (a photo of themselves, the date, time and location when a particular image might have been captured, and a description of what they were wearing at the time). Giving the reason for their request would also assist the College to locate the image requested. Blanket requests will be considered unreasonable and will not be complied with.
  3. The Data Owner responsible for the system which captured the images should determine whether disclosure to the individual requesting access would entail disclosing images of third parties and if so whether images of third parties might need to be obscured.
  4. If third party images are not to be disclosed, the data owner shall arrange for the third party images to be disguised or blurred.
  5. If the data owner decides that a subject access request is not to be complied with, he/she should document the identity of the individual making the request, the date of the request, the reason for refusing to comply with the request and the name and signature of the person making the decision.

8. Monitoring compliance with this code of practice

  1. A record of the number and nature of complaints or enquiries received should be maintained by the manager responsible for any scheme, together with an outline of the action taken in each case.
  2. A report on those numbers should be made available to the College Data Protection Officer, acting on behalf of the College Data Controller.
  3. The College Data Protection Officer should undertake regular reviews of the documented procedures to ensure that the provisions of this Code are being complied with and a report on these reviews submitted to the College Data Controller to ensure that compliance with legal obligations is being maintained.
  4. College Authorised Officers should carry out regular assessments to evaluate the effectiveness of the scheme being operated in light of the stated purpose for that scheme. If the scheme is not achieving its purpose it should be discontinued or modified.

Code of practice 5 - internal registration

1. What data processing must be registered?

Print: Code of practice 5

In order for the College to meet its legal obligations under the Data Protection Act 1998 and be able to notify the Information Commissioner of its activities in relation to processing personal information and to handle Data Subject Access requests, it needs to hold a register of all systems holding personal information. These systems can be electronic, including video footage, or structured manual filing systems in which information about an individual is readily accessible.

The personal data has to be about living individuals who can be identified from those data, or from those data and from other data which is in the possession, or likely to come into the possession of the College. This includes not only facts about individuals, but also any expression of opinion about an individual and any indication of the intention of the College or other third party in respect of the individual.

It follows, therefore, that any data about individuals collected, held in or processed by manual or electronic systems must be registered with the College unless:

  • the data held is purely about dead persons, unless it is possible to make connections with living persons from it or,
  • the data has been anonymised ie. the person cannot be identified from it.

(NB. If personal data has been treated in such a way that a code or other identifier has been used to conceal the personal identity for security reasons, but a record of that code or identifier has been retained elsewhere in electronic form or hard copy, then this is regarded as coded data and not anonymised data and must be registered).

2. Mechanism of registration

A registration form must be completed by a Data Owner in respect of each purpose for which personal data is held or otherwise processed. Thus each registration will comprise the first page of the document attached, together with one other section duly completed by ticking the relevant boxes. Completed forms should be sent to the Data Protection Co-ordinators for your particular College Administrative Unit (CAU). That person in turn will produce a composite registration covering the data processing activities being carried out in the CAU and send it to the College Data Protection Officer.

Code of practice 6 - Security of laptops and the data stored therein

1. Introduction

Print: Code of practice 6

The use of laptops and other electronic computing devices [1] is commonplace these days as the need to record, store, process and transmit data electronically increases, as well as the ability to work away from the office. The fact that these devices are portable means that they can be carried off College premises and can be connected to more than one network. As a result, they are more likely to be lost or misplaced and the data they contain fall into the hands of unauthorised persons. Such breaches of security could have severe consequences for the College, in the loss of highly important commercial data, for the individual, in the loss of vital research data, or from the unauthorised disclosure of sensitive personal data. It could possibly lead to legal proceedings being taken against the Data Owner and/or the College.

Any individual connecting a laptop to the College network automatically renders the use of that device subject to College rules, irrespective of whether or not it is being used to process College-related data.

Individuals who use a laptop to process College-related data must do all that is reasonable to keep their laptop, associated media and the data contained therein secure at all times.

Data should not be carried on a laptop unless a risk assessment has been carried out beforehand and appropriate risk management processes put in place.

2. Authorisation

You may use laptops to process data as part of your employment as a member of staff, as an honorary member of staff or as a registered student, if authorised to do so by the Head of your College Administrative Unit (CAU) or by his/her nominated representative. In the case of students this will normally be that student's supervisor. This authorisation will normally be effected through the Department's Information Systems Liaison Officer who should ensure that the owner of the laptop is made aware of the encryption tools available for securing the data to be held. Additionally, authorisation must be given before staff and students are permitted to carry College-related data away from College premises and process them off-site.

3. Security of data held within the device or on associated media

3.1 Data must not be carried on laptops unless that data is adequately secured. A risk assessment must be carried out [2] and appropriate risk management procedures determined and put into place before data is put on to a laptop and prior to leaving the College or leaving an authorised off-site location and returning to the College. The level of security required will depend upon the sensitivity of that data, for example sensitive personal data, valuable commercial data, research data that cannot be easily replicated or may have patent potential will all require high levels of security. Hence, encryption of the device's disk may need to be carried out so that if, in spite of taking measures to ensure the security of the device, it falls into the wrong hands, the data cannot be accessed by unauthorised personnel. All laptops must have an up-to-date virus scanning programme installed.

3.2 When processing personal data on laptops you must take all reasonable steps to ensure the security of that personal data. This is one of the eight Data Protection Principles set out in the Data Protection Act 1998 and the College Data Protection Policy [3] with which you must comply. In particular, when using a laptop, you must not process personal data in public places e.g. when travelling on public transport. All processing should be carried out in privacy, even within your own home, to avoid accidental disclosure to non-authorised persons. It is an offence to deliberately disclose personal data to an unauthorised person. As with commercially sensitive data, a risk assessment should be carried out and the appropriate procedures put in place. This may involve encryption, anonymisation of the data or key coding, with the key code being kept securely and separately.

3.3 Sensitive personal data, as defined in the Act, should not be stored in these systems unless you can demonstrate that you have taken special security precautions e.g. encryption of files on the hard disk or on a storage medium (College Data Protection Policy refers [4]). In addition, such data should be processed on this system or on a network only where you have registered the processing activity with your Departmental Data Protection Co-ordinator.

3.4 When processing patient data, you should note that the Hospital Trusts each have their own policy regarding the use of laptops for storing and processing of patient data. Members of staff and students must ensure that they comply with the relevant Trust policy before processing any patient data owned by a Trust on such a device.

4. Security of a laptop and associated media

When laptops are used to record, store, process or transmit data as part of your employment as a member of staff or your registration as a student, you should take such measures as are appropriate to ensure the security of the device, in accordance with the College Information Systems Policy and associated codes of good practice. Because of their portable nature you should keep laptops in a locked brief case or similar container and these containers should not be left unattended during the course of your journey, nor should they be left exposed on the seat of a car or other vehicle. Always protect access to your laptop by using a system password, if at all possible. Whilst this will not provide complete security, it will often prevent casual interception of the data, for example, in some cases of loss or theft. You should be aware that anyone stealing or finding a laptop could use it to gain access to the College network and do untold damage not only to your data but that of many others.

5. Connection to the college network

You may only connect your laptop to the College network when you have been authorised to do so and then you should do so in accordance with College Information Systems Security Policy. If your laptop stores sensitive data you should ensure that you connect it to the College network for as short a time as possible, commensurate with the processing in hand. Once a laptop is connected to the network it is possible to access data held on other devices or networks. In addition, you should not allow any other person to access the network from your laptop by using your login/password or by giving them your login/password to use with their own laptop.

Laptops attached to the College network will be treated just the same as any other computing system connected to the network. Hence, for example, you should not use or attempt to use such a device to transmit pornographic material or to harass or libel others. Nor should you store such material on a laptop used, even in part, for College business. Such actions are illegal and will lead disciplinary action being taken by the College and possibly to criminal and/or civil proceedings being taken against you.