Data Protection policy
The Data Protection Act 1998 came into force on 1 March 2000 and superseded the Data Protection Act 1984. The purpose of the Act is to protect the rights and privacy of individuals, and to ensure that data about them are not processed without their knowledge and are processed with their consent wherever possible. The Act covers personal data relating to living individuals, and defines a category of sensitive personal data which are subject to more stringent conditions on their processing than other personal data. The School is committed to a policy of protecting the rights and freedoms of individuals with respect to the processing of their personal data. The policy covers:
1.1 The Data Protection Act applies to electronic and paper records held in structured filing systems containing personal data, meaning data which relates to living individuals who can be identified from the data. This includes any expression of opinion about an individual and intentions towards an individual. It also applies to personal data held visually in photographs or video clips (including CCTV) or as sound recordings. The School collects a large amount of personal data every year including: staff records, names and addresses of those requesting prospectuses, examination marks, references, fee collection as well as the many different types of research data used by the School.
2.1 Data Protection means that the School must:
- Manage and process personal data properly
- Protect the individual's rights to privacy
- Provide an individual with access to all personal information held on them
2.2 The School has a legal responsibility to comply with the Act. The Senior Management Team member with overall responsibility for this policy is the Secretary & Registrar. The School, as a corporate body, is named as the Data Controller under the Act.
2.3 The School is required to notify the Information Commissioner of the processing of personal data, this is included in a public register. The public register of data controllers is available on the Information Commissioner's website.
2.4 The School's Archivist & Records Manager is responsible for drawing up guidance on good data protection practice and promoting compliance with this guidance through advising staff on the creation, maintenance, storage and retention of their records which contain personal information.
2.5 Every member of staff that holds information about identifiable living individuals has to comply with data protection in managing that information. Individuals can be liable for breaches of the Act.
This policy has been formulated within the context of the following School documents:
- Records Management policy
- Information Management & Security policy
- Freedom of Information policy
Compliance with this policy will in turn facilitate compliance not only with information-related legislation (specifically FOI 2000) but also with other legislation or regulations (including audit, equal opportunities and research ethics) affecting the institution.
Guidance on the procedures necessary to comply with this policy is available from the Archivist & Records Manager. This guidance covers:
- Introduction to Data Protection including Data Protection principles, types of data involved and key concepts
- Best practice guidelines including:
- Use of personal data by employees and students
- Transfer of personal data to third parties
- Security of personal data
- Use of personal data in research
- Confidential references
- Transfer of personal data to non-EEA countries
- Procedures for dealing with subject access requests
This guidance is available on the intranet data protection pages (LSHTM staff only) at:
Guidance for the public on Data Protection and how to make a request is available on the Data Protection pages
This policy was approved by the Information Services Advisory Group in May 2006 and by Senior Management Team in June 2006. It was reviewed and approved by ISAG in October 2012.
It will be reviewed every three years.
Archivist & Records Manager
Tel: 020 7927 2966