
Data Protection

You should be aware that the Data Protection Act applies to us. These notes are NOT intended to be a general introduction to the Data Protection Act; they are intended to serve as a guide to the Act as it applies to members of the Particle Physics sub-department in their everyday use of the departmental computers.

All files on our computers are covered by the Data Protection Act, which seeks to protect individuals against abuse of data about them. More specifically, files must be registered if they contain information about any living person whose identity can be inferred directly or indirectly. Many files on our computers fall into this category, not because they are a basic part of our research but simply because the computer has become the standard medium of communication between research centres. Were it necessary to register every individual file separately, the overhead would be enormous, but the Act recognises this fact and permits "blanket" registrations of certain standard applications. These include:-

The registrations include details of the type of individuals concerned, the classes of data held, the sources of personal data and disclosures of this information, and the countries to which the data may be sent in machine-readable form. The university has, on behalf of its members, registered as a data user and as a computer bureau for these applications.

It is important to understand that a user can fall foul of the Act in two quite distinct ways. The first is to possess unauthorised data and the second is to process authorised data in ways for which the file was not intended. For example, it is quite legal to hold a simple mailing list (see below) but it would be illegal to use the information it contains as part of a survey; the file should only be used to send mail. The key point is to stay within the limits set by the registration made by the university.

Listed below are the sorts of files that a typical user might have together with any actions necessary to comply with the Act. If users wish to hold files that might be covered by the Act but are not listed below, they should seek advice.

  1. A program or document that bears the name(s) of the author(s).

    Action: none.

  2. A mailing list containing just names, addresses (postal and/or electronic) and business information.

    Action: none.

  3. A club membership list (as with all private files, users must seek the permission of the general administrator before creating such files).

    Action: It is not necessary to seek permission before creating such lists. All that is required is that people on such lists should be informed of the fact and offered the chance to have their name removed.

  4. A letter or mail message that is received or sent and which may be kept for reference.

    Action to send/receive mail: none - the sending or receiving of mail in itself is an activity that is excluded from the Act. Action to keep mail: such files are covered by the Act just like any other file. Users would be well advised not to keep any communications that contain sensitive information such as expressions of opinions about people.

  5. BACKUP and ARCHIVE files. A copy of a file that is made to a removable volume (e.g. a tape or floppy disk) is considered to be a BACKUP or ARCHIVE. A BACKUP file is one that is made solely as an insurance against accidental destruction of the original; the only reason for copying such a file back to the main file store is to recover from such an accident. An ARCHIVE file covers all other cases and is normally done to move a file from disk to save space or to keep the current version of a file before modifying it.

    Action: none for BACKUP, for none is needed; the master copy remains on disk and is covered by the Act. For ARCHIVE, the file is the master copy and is subject to exactly the same conditions as if it were still on disk. This includes all rights that individuals have to see data about themselves. Of course it is possible to delete a file from disk knowing that it exists on a BACKUP tape and with the intention of restoring it at a later time. In that case the file must be regarded as an ARCHIVE one; to do otherwise is unethical. In any case it is unwise, as the standard BACKUP system is not intended to function as an ARCHIVE.

  6. Private Files. If permission has been granted by the general administrator, private files may be held for work not connected with the university.

    Action: in this case the university is only acting as a bureau; the user must take out a private registration.

The Act still has some grey areas in which it is unclear exactly what is and is not legal. For this reason, if for no other, it is important that all users act responsibly using the guidelines of "best reasonable efforts" and that they can demonstrate this if called upon to do so. In this context consider the following points:-

  1. Don't keep personal data unnecessarily; delete it as soon as it is no longer needed. Consider printing it out and then deleting the file; it is generally easier to protect a piece of paper than a file on our computers!

  2. Where it makes sense to do so, remove all information that could identify individuals.

  3. Keep files protected. Bear in mind that hackers attempt to break into our machines on a regular basis and have succeeded from time to time.

The University has an officer responsible for the administration of the Act who can be contacted in the University Offices in Wellington Square. However, in the first instance, advice about the contents or use of files in respect of the Act should be addressed to the system manager of the computer being used or to our administrator. For more general information see:-

University Administration Service; Data Protection


P.D. Gronbech (IT Staff) 2015-10-02