Further guidance

Guidance on best practice in data protection


The EU Data Protection Directive (95/46/EC) took effect in the UK from the 24 October 1998. The Directive is implemented in the form of the Data Protection Act 1998 which came into force on the 1 March 2000.

The Act contains elements from the previous legislation (i.e. the 1984 Act), for example, the Data Protection Principles of good practice; a registration/notification system; and the data subject's right to have access to his or her personal data and to correct it where inaccurate. However the Directive imposed additional requirements which are reflected in the new law.

The Data Protection Act 1998 imposes stringent requirements with which the College, as an organisation holding personal data, must comply. All processing of personal data must be fair and lawful, accurate and up-to-date, and the data must be adequate, relevant, not excessive and be held for no longer than is necessary. It is mandatory that appropriate technical and procedural measures are taken to cover the security of personal information. This relates, among other things, to prevention of unauthorised or unlawful processing or disclosure of data, as well as accidental loss or destruction of, or damage to, personal data. Special conditions apply to sending personal data outside the European Economic Area (EEA), including transmitting it via the Internet.

Data held in manual or paper form (as part of a relevant filing system) is covered by the Act and therefore processing must comply with the Act.

The College's Data Protection Policy and Codes of Practice detail the rights and responsibilities of staff, students and other authorised individuals who process information on behalf of the College. If you have any further queries please contact your departmental/divisional Data Protection co-ordinator.