
Guide to Data Protection

This guide gives you an introduction to Data Protection and information on how to make a request for personal information relating to yourself or for someone that you are acting on behalf of.


 What is Data Protection?

The Data Protection Act 1998 came into force on 1 March 2000 and superseded the Data Protection Act 1984. It aims to protect individuals' fundamental rights and freedoms, notably privacy rights, in respect of personal data processing.

The Act applies to paper and electronic records held in structured filing systems containing personal data, meaning data which relates to living individuals who can be identified from the data. This includes any expression of opinion about an individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings. The School collects a large amount of personal data every year including: staff records, names and addresses of those requesting prospectuses, examination marks, references, fee collection as well as the many different types of research data used by the School.

Data protection operates by giving individuals the right to gain access to their personal data. This is done by making a subject access request in which they are entitled to:

Individuals can also prevent processing of their data in certain circumstances, opt out of having their data used for direct marketing and in automated decision-making processes, apply to the courts for inaccurate data to be corrected and claim compensation for damage and distress caused as a result of any data protection breach.

All organisations have to notify the Information Commissioner of the processing of personal data; this is included in a public register. The public register of data controllers is available on the Information Commissioner's website, where you can search for the School's or any other organisation's notification.

 What data is involved?

Personal data means information which relates to a living individual who can be identified from that data or from data and other information which is in the possession of the data controller. It includes opinions about individuals.

Personal data is information on:

Sensitive personal data is information on:

The processing requirements for sensitive personal data are more stringent than for personal data.


 Data Protection Principles

Data Protection principles state that personal data shall be:

  1. Obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
  2. Obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with those purposes.
  3. Adequate, relevant and not excessive in relation to the purposes for which they are held.
  4. Accurate and where necessary, kept up to date.
  5. Held no longer than is necessary for the purposes for which they were obtained.
  6. Processed in accordance with the rights of the data subjects, including the general rights to access information held about them and, where appropriate, to correct and erase it.
  7. Kept securely and safely with appropriate measures to prevent unauthorised or unlawful processing of the data and against accidental loss, destruction or damage.
  8. Only transferred to a country outside the European Economic Area if that country has an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 

 How do I access my personal data held by the School?

To make a subject access request you will need to complete a subject access request form. This form is available to download as a Subject access request form (PDF 0.01 MB) or Subject access request form (DOC 0.04 MB) document, or you can request a form from the Archivist & Records Manager at foi@lshtm.ac.uk or by writing to the School address.
