Information for Staff

The Data Protection Act and its Implications on Research
Using Photographs and Data Protection
Data Protection considerations associated with CCTV
Statistical Information
Subject Access Requests for Examination Marks
The use of Privacy Notices
Withdrawal of consent
Working from Home
Further Guidance

If you would like more information on the Data Protection Act, please contact the Information Compliance Team – email:

The Data Protection Act and its Implications on Research

Across the University there is an increased amount of research being undertaken. This research may involve the use of personal information, and those undertaking such work must take into consideration the implications of the Data Protection Act.

Personal information can be used as the basis of research work, but in order to do so, the personal information must either be:

  • anonymised so that it doesn’t fall within the confines of the Act, or,
  • used so that it complies with the 8 Data Protection Principles.

Researchers opting to comply with the 8 Data Protection Principles are able to rely on exemptions from two of the Principles provided that the following conditions are met:

  • No data is processed that could in any way support measures or decisions relating to particular individuals, including, but not restricted to, the data subject, and;
  • The data is not processed in any way that causes or could cause substantial damage or substantial distress to any data subject.

If these conditions are met then the personal data would be exempt from:

  • Data Protection Principle 2 in so much that: Personal data can be further processed for research purposes even if it was not obtained for that purpose
  • Data Protection Principle 5 in so much that: Personal data used for research can be kept indefinitely

It may not be possible to meet the two conditions. In such circumstances the researcher will need to ensure that personal data processed complies with all 8 Principles of the Act.

In conducting research, researchers should attempt, where possible, to get individual consent. If that is not possible then researchers may rely on the condition that it is in their legitimate interests to process this data, provided that they take into account the rights and freedoms of data subjects.

In undertaking research, researchers must ensure that they submit details in their research proposal of the methodology to be adopted in handling personal data and securing such data from accidental damage or unauthorised access.

Under the terms of the Data Protection Act 1998, the University must notify the Information Commissioner if it processes any new personal information that is not covered under the existing notification. Research activities may from time to time involve the capture of new personal information and it is the responsibility of those undertaking research to ensure that the information they are processing is covered by the University’s notification.

Using Photographs and Data Protection

Photos taken for personal use are not subject to the Data Protection Act; however, any photographs taken to be used in a professional capacity are. The data protection implications for the use of photographs vary according to the type of picture taken.

Photographs taken of individuals/small groups
Photographs taken of individuals or very small groups where the focus may be on certain individuals would require a specified consent. The consent form should give the person being photographed adequate information so that they are aware of what the photo is to be used for, in what media it will be used in the future (e.g. website, prospectus) and how widely it will be available (e.g. local, national or worldwide).

General Photographs
If individuals are not readily identifiable from the photograph and it seems unlikely that any damage or distress will result from such processing then it will not be necessary to obtain consent. Therefore, students and staff whose images appear as incidental detail in publicity photographs, such as at awards ceremonies, will not need to give consent for the use of their image. It would be considered good practice, where possible, to display notices advising individuals that during the course of the event/day their photo is likely to be taken for promotional purposes.

Photographs of Group Activities
Where photographs are to be taken of a group activity such as a lecture then this should be announced in advance so that individuals may leave the room if they do not wish to appear in the photographs.

Once the photo is taken and displayed publicly, the subject of the photo retains the right to ask for it to be removed. The University must remove any photograph within 21 days of a request for its removal being received.

Data Protection considerations associated with CCTV

CCTV at the University is utilised primarily for the prevention and detection of crime. It also monitors the safety of staff, students and other data subjects whilst on University premises including University accommodation. These purposes are disclosed within the University’s notification with the Information Commissioner.

Signs showing the University’s address, phone number and contact information for details of the scheme have been placed in close proximity to the cameras and give details of the purposes of the CCTV usage. Signs have been sited in such a manner that individuals are warned prior to entering these areas, and on entering will be deemed to have consented to being filmed.

Disclosure of images from the CCTV system must also be controlled and consistent with the purpose for which the system was established. For example, if the system is established to help prevent and detect crime it will be appropriate to disclose images to law enforcement agencies where a crime needs to be investigated, but it would not be appropriate to disclose images of identifiable individuals to the media for entertainment purposes or place them on the internet.

The University is committed to transparency and will endeavour to provide access to personal information where possible. In accordance with the Data Protection Act 1998, requests to view CCTV footage should be made to the Information Compliance Manager.

Statistical Information

The University collates, processes and disseminates statistics based on an aggregation of the data held about data subjects. The University will only publish data that is depersonalised, so that no individual data subject can be identified from the resulting information.

The University provides comprehensive individual data on staff and students to the Higher Education Statistics Agency (HESA) under the terms of the Financial Memorandum issued by the Welsh Funding Council. Only information needed to fulfil this statutory requirement will be disclosed to HESA without needing the consent of the data subject. For any other request for personal data from HESA or other similar organisations that is not based on a statutory requirement, consent of the data subject (staff, student or ex-student) will be obtained prior to any disclosure.

This information is used by HESA to provide statistical analysis information for Government bodies, Funding Councils and to publish reports on Higher Education. Further details on the work of HESA can be found at Details on the Financial Memorandum can be found at

Subject Access Requests for Examination Marks

There are a number of exemptions within the Data Protection Act that relate to the release of personal information in respect of examination papers and results.

The University is under no obligation to provide completed examination scripts but students can be supplied with any comments written by the examiner that relate to student performance.

Under normal circumstances, responses to Subject Access Requests must be made within 40 days as per the Act. There are exemptions that extend the period in which the University has to deal with the request; these can be used in the event that students request their examination marks in advance of the date on which they are due for release. This ensures that all students have simultaneous access to the results.

For requests received in respect of examination results that have yet to be released, the University must respond within either five months of the date of the request or 40 days of the date the results are public, whichever is earlier.

The use of Privacy Notices

The first data protection principle requires that all personal information collected is gathered in a fair and lawful manner.

To comply with the Act, it is necessary to ensure that when collecting personal information, a privacy notice is included so that the individual is made aware of what will happen to the information. The privacy notice should include the following information:

  • Identity of the data controller
  • If the data controller has nominated a representative for the purposes of the Act, the identity of that representative
  • The purpose or purposes for which the data are intended to be processed; and
  • Any further information which is necessary, taking into account the specific circumstances in which the data are, or are to be processed, to enable processing in respect of the data subject to be fair

In producing a privacy notice, the Information Commissioner’s Office advises that:

  • The language should be simple and the notice produced in a manner that makes it understandable for those it is aimed at.
  • The layout and format should be set out to enable the reader to read with ease.
  • Providing too much information can be confusing. To avoid this, a ‘layered approach’ can be adopted whereby a certain amount of information would be on the notice and then further detail and information could be accessed via a hyperlink.

Further advice on privacy notices may be obtained from the Information Compliance Team. It is recommended, to ensure good practice, that copies of any prospective notices are sent to the Information Compliance Team in advance of their use.

Withdrawal of consent

The data subject may, having initially given consent for their information to be processed, then decide that they wish to withdraw their consent.

In the event of an individual requesting that the processing of their information cease, the University must make every effort to comply with their wishes. It will not always be possible to accommodate such requests as there are certain types of information that the University must process.

When such a request is received, the University must, in the first instance, open dialogue with the individual to listen to their concerns. It may be that, having listened to the data subject’s concerns, an alternative solution may be proposed that will be to the satisfaction of the data subject.

If it is possible to cease processing, the University must comply with the wishes of the data subject.
Should there be no alternative solution, the University will then investigate the viability of ceasing to process that particular information. If it is considered that to do so would impact on the ability of the University to fulfil its obligations then a judgement must be made taking into account the damage and distress caused to the data subject and the University’s need to process the information.

Working from Home

Where University employees are working from home it is essential that the security and integrity of personal data and confidential information is maintained. It is the employee’s responsibility to take all reasonable precautions to protect information relating to their employment with the University.
Care must be taken when taking information (either in hard copy or on portable devices) off campus to ensure that it is kept secure when in transit. For information held on laptops, CD-ROMs, memory sticks, tablets and mobile phones, employees should refer to the Mobile Device Security Policy.

Within the home environment, employees need to consider in particular the access that other people residing in or visiting the home may have to the information. Where there is a risk that other household occupants might gain access to work-related computer files, these should be password protected. Passwords must not be shared with others.

Those working from home must ensure that any computer at home that holds work-related information files has up-to-date anti-virus software and that any broadband connections have a properly configured firewall.

Paperwork containing personal/confidential information held in hard copy must be kept in a lockable filing cabinet. In the event that this paperwork then needs to be disposed of whilst at home, employees must ensure that they do so in accordance with the Disposal Policy.

Information files/documentation related to work that are taken home must also be accessible to anyone within the University who needs to use them for their work. This means that employees must not take home the only copy of information held.

Further Data Protection Guidance

For further guidance in relation to the Data Protection Act, please contact:

Head of Compliance
University of South Wales
CF37 1DL

or by e-mail to: