Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.
Yes, all staff will inevitably process personal data in the course of their jobs at Queen Mary and the University is obliged to comply with the law as the controller of that personal data, to which all staff need to contribute.
In short, personal data is information about a particular living individual, who can be identified from that information. This might be anyone, including a student, employee, or member of the public. It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
It doesn’t cover truly anonymous information – but if you could still identify someone from the details, or by combining it with other information, it will still count as personal data.
The Data Protection Principles set the standards that must be met when processing personal data. These Principles lie at the heart of the legislation and Queen Mary's Data Protection Policy. For details on how these apply specifically in Queen Mary’s context, please contact data-protection@qmul.ac.uk.
Principle 1 - Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Principle 2 - Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3 - Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Principle 4 - Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle 5 - Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle 6 - Integrity and confidentiality (security)
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle 7 - Accountability
This requires us to take responsibility for what is done with personal data and how we comply with the other principles, having appropriate measures and records in place to be able to demonstrate compliance.
A retention schedule is a control document. It sets out the classes of records which Queen Mary retains and the length of time these are retained before a final disposition action is taken (i.e. destruction or transfer to The Archives). It applies to information regardless of its format or the media in which it is created or might be held. For example, personal data can be inadvertently retained in your work email account (e.g. sent items) and is subject to freedom of information and subject access requests. Download the retention schedule for a comprehensive list of items covered.
The Freedom of Information Act affects all public authorities, including universities. Members of the public have a right of access to any recorded information held by Queen Mary, subject to certain conditions and exemptions. In other words, individuals have a ‘right to know’ and receive copies of information.
Queen Mary has two main duties under the Act:
(a) To maintain a Publication Scheme that lists the types of information it can routinely make available to the general public.
(b) To deal with requests for information from any individual (or organisation) from any country.
The provision of advice and certain statutory duties in relation to the Act, including enforcement, comes within the remit of the Information Commissioner's Office.
Guidance on the Freedom of Information Act outlines the steps necessary to ensure compliance including dealing with requests for information under the Act.
For further information and advice please email foi-enquiries@qmul.ac.uk.
There is an FAQs page to help you understand what you need to do to ensure that any Queen Mary data you are working with while away from Queen Mary sites is secure and you are complying with data protection principles.
You can find out how to ensure that your laptop or device is secure and read some hints and tips on how to make sure that you are keeping the data you work with secure.