Sound Data Management Training

h2. Data Protection

Data protection protects the rights of individuals over their personal information. The core of the Data Protection Act is a set of data protection principles. These state that personal data shall be processed fairly and lawfully and shall not be processed unless the subject gave their consent except under "specific conditions":http://www.legislation.gov.uk/ukpga/1998/29/schedule/2 (for sensitive personal data such as marital status, ethnic origin or health information there are "further restrictions":http://www.legislation.gov.uk/ukpga/1998/29/schedule/3). In addition, personal data should be:

* obtained only for specified purposes, and should not be used for anything else;

* adequate, relevant and not excessive in relation to the purposes (i.e. only the data that is required);

* accurate and, where necessary, kept up to date;

* kept no longer than is necessary for the purposes;

* processed in accordance with the rights of the data subjects under the Act;

* protected from:

** unauthorised or unlawful processing

** and loss, destruction; or damage

* shall not be transferred outside the European Economic Area without similar protection being provided.

In general, data subjects have a right to access to data held about them. The onus to provide this data is on QMUL as the data controller, and, as such, QMUL 

However, there is a specific exemption, for research which is not targeted at particular individuals and will not cause distress or damage to a data subject, which allows data to be processed for other purposes and held indefinitely. Data subjects alsio have no immediate right of access for personal data where the data is processed for research purposes and the results do not identify the data subjects.

JISC "state":http://www.jisc.ac.uk/publications/generalpublications/2001/pub_dpacop_0101.aspx:

bq. Data controllers are required by the Act to process personal data only where they have a clear purpose for doing so, and then only as necessitated by that purpose. A data controller’s purpose for any personal data processing operation should thus be clearly set out in advance of the processing, and should be readily demonstrable to data subjects. 

They also note: that the majority of the Data Protection principles do apply to research data; that there should be a review to ensure compliance with Data Protection requirements; and that a mechanism should be in place for subjects to object to the processing if they believe it would cause them damage or distress. Patricul;ar care must still be taken when processing involves sensitive data.

Further information:

* QMUL Academic Registry and Council Secretariat (ARCS) information on "data protection":http://www.arcs.qmul.ac.uk/information_governance/dp/data_protection.html

* JISC "Data Protection Code of Practice for HE and FE":http://www.jisc.ac.uk/publications/generalpublications/2001/pub_dpacop_0101.aspx with specific section on "personal data in research":http://www.jisc.ac.uk/publications/generalpublications/2001/pub_dpacop_0101.aspx#research

* Canterbury Christchurch University document on "Data Protection in Research":http://www.canterbury.ac.uk/Research/Documents/DataProtection.pdf

* "EU Data Protection Directive":http://ec.europa.eu/justice/data-protection/index_en.htm

The Act:

* "Data Protection Act 1998":http://www.legislation.gov.uk/ukpga/1998/29/contents