Data Protection Act, 1998.

This document last updated 10 August 2007.


This document is on the Institute's web pages at

The Institute has notified under the Data Protection Act (1998). David Blair is our nominated representative. Our notification (i.e. registration) is based on a profile of activity for a University. Hence our notification should be broad enough to cover any reasonable activity. The detail of the Rowett's notification is available at and via the Data Protection searchable database at

Until 1998, the main focus of the law was on prohibiting any computer processing of personal data that was not registered. "Personal data" meant (and still means) data naming living people or containing codes by which the names of the people can be determined. "Data" means any information, including memos, messages, statistical tables, etc. The new law requires processing (computer or otherwise) to be carried out according to a code of conduct. It is less concerned with the detail of what types of processing are going on. The code of conduct, the Principles of Data Protection, became legally binding on us from October 2001.

The Principles of Data Protection are summarised below.

A useful executive summary (aimed at Universities) is at

Points of particular relevance to the Rowett

There are a few points that are particularly worth noting:

a. Personal data held in manual filing systems. The Act is in force for information held in these systems as well as in electronic systems.

b. You MAY process personal data (apart from sensitive data, see below) without the person's consent if the process is necessary for the legitimate interests of the Rowett.

c. Sensitive personal data (physical or mental health, racial origin, sexual life, political opinions, religious beliefs, trade union membership, (alleged) commission of offences or proceedings for an offence). Sensitive data MUST NOT be processed without the explicit consent of the individual.

d. When a data subject requests it, we must generally provide them with all the information held about them (if it does not involve disproportionate effort) and various other details including the purposes for which the data is being processed.

e. An individual may serve written notice stating that our processing of personal data about them causes them unwarranted substantial damage or substantial distress, and requiring us to stop. We MUST reply within 21 days, either (i) saying we have complied or will comply, or (ii) giving reasons why we consider the notice unjustified.

Principles of Data Protection

Anyone processing personal data MUST comply with the eight enforceable principles of data protection. They say that data MUST be:

1. fairly and lawfully processed;

2. processed for limited purposes;

3. adequate, relevant and not excessive;

4. accurate;

5. not kept longer than necessary;

6. processed in accordance with the data subject's rights;

7. secure;

8. not transferred to countries without adequate protection. Adequate, that is, in relation to the sensitivity of the particular data.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.
