Complying with data protection laws

We are all responsible for ensuring that our use of personal data (information that can identify living individuals) is compliant with the law. That includes GDPR, the Data Protection Act 2018, PECR and other related legislation. There are lots of tools to help you with compliance, including our Information Security Essentials Moodle course, and our policy and guidance.

This page provides guidance for some of the everyday situations you’re likely to come across. If you can’t see the information you need here then please contact the Information Assurance Team.

Data Protection and everyday activities

Examination marks and scripts

Examination marks

Students have a right to see their own examination results, but only after the results have been published. Students still have this right if they are in debt to the University.

Examination scripts 

The law says that the University does not have to give copies of exam scripts to students who ask for them. However, we can let students see scripts if we choose to.

A student who has failed a paper or been offered a re-sit can be offered the chance to see the script, with a member of academic staff present, if we think that will help the student. The student is not allowed to take originals or copies of the exam scripts away with them.

Examiners’ comments

Students have a right to see comments made by internal and external examiners. This means that comments must be intelligible and appropriate. It’s helpful if examiners’ comments are made on separate comment sheets, rather than directly on the scripts. Examiners need to be made aware of this in advance.

If comments are handwritten and potentially illegible, it may be necessary to supply a typed version. If the examiners’ comments have been made directly onto the exam script itself, the student cannot see the script so the comments would have to be transferred to a separate sheet that the student is allowed to see.

Staff and student personal files

The University keeps files of relevant information on staff and students. Everyone has a right to ask to see the information we keep about them.

This means that you need to think carefully about the information you keep about people. It does not mean you can only ever write nice things about people on their file. It does mean that you should always use balanced and measured language in what you write. You should stick to facts, not opinions. Where you do need opinions then you should clearly state that’s what they are. You should never make notes that are rude, offensive, derogatory or damaging.

Information about someone doesn’t need to be in an actual physical file for them to ask to see it. It can be an email or electronic document. This means that you should think carefully about what you put in emails. See our email guidance for more information.

There are retention schedules that explain how long we keep information for.

Personal information on the University website

The website is a public space. We generally publish information about people’s official roles and functions. This helps people who need to deal with the University to find the right person to contact. It can also promote the University by letting people see which high profile academic staff we have in departments.

It is important that anybody whose name and other information appears on the website knows that it is there and that there are ways for them to object and for the information to be removed if need be. Personal information about people should not be published on the website. This applies to information that’s on the open part of the website, and on the campus-only sections. It applies to staff, students and anyone else whose details we put on the website.

Research activity

The Act applies to people collecting or using personal information as part of research. It’s important that if you collect personal information as part of your research you explain to people what you are collecting, why you are doing it, and what you will do with the information. Remember to tell them about all the things you’ll do with their information. You may be collecting for a PhD thesis now, but if you are intending to publish that as a book later, then let people know.

There are some parts of the Data Protection Act that don’t apply in quite the usual way when personal information is being collected for research. The main one is that personal information collected and used only for research purposes can be kept indefinitely.

Please read our guidance on data protection and research activity. You can get more advice from the Information Assurance Manager or the Research and Enterprise Office.

If you are doing social research you’ll find more detailed ethical guidelines on the website for the Social Research Association and the Economic and Social Research Council.

Working from home

When you work from home you still have to comply with data protection law. It is important that personal information isn’t accidentally lost or revealed to anyone who doesn’t have a right to see it.

You should avoid taking personal information home. Instead, dial into your work PC with Open VPN, or put the information in Box, which is secure but can be accessed from anywhere.

If you work on electronic information at home then make sure you do not save it to your own computer. If you need to do that while you are working on it then remember to delete it when you’ve finished. If you need to print something out when you are at home you should either shred it afterwards (if you are able) or bring it back to work for shredding.

If people in your section or department regularly need to take personal information home with them then it’s best to have a system to record who has taken information away, what information they took, when they took it, why they took it, and when they bring it back again. This means you can be sure that you know where all of your information is.

Contact us
Information Assurance Manager
Telephone: 01206 874853