Lancaster University Data Protection
Project 2000-01



About the Project
Summary of the Act
DP  Principles
Project Guidelines
Project Closure

The Data Protection Act 1998 – A Summary


Key Points to Note

bulletPersonal data must be obtained fairly and lawfully. The data subject should be informed of who the data controller is (the institution); who the data controller’s representative is; the purpose or purposes for which the data are intended to be processed; and to whom the data will be disclosed. For students this is done by the University during registration. Personal data processing may only take place if specific conditions have been met- these include the subject having given consent or the processing being necessary for the legitimate interests of the data controller. Additional conditions must be satisfied for the processing of sensitive personal data, that relating to ethnicity, political opinion, religion, trade union membership, health, sexuality or criminal record of the data subject
bulletThe new Act covers personal data in both electronic form and manual form (e.g. paper files, card indices) if the data are held in a relevant, structured filing system
bulletPersonal data processing must be in accordance with the purposes notified by the University to the data protection commissioner- if any ‘new processing’ is to take place the Data Protection Representative, must be consulted
bulletPersonal data must be kept accurate and up to date and shall not be kept for longer than is necessary
bulletAppropriate security measures must be taken against unlawful or unauthorised processing of personal data and against accidental loss of, or damage to, personal data. These include both technical measures, e.g. data encryption and the regular backing-up of data files and organisational measures, e.g. staff data protection training
bulletPersonal data shall not be transferred to a country outside the European Economic Area unless specific exemptions apply (e.g. if the data subject has given consent) this includes the publication of personal data on the internet


Data Subject Rights

The Act gives significant rights to individuals in respect of personal data held about them by data controllers. These include the rights:


To make a subject access request- an individual is entitled to be supplied with a copy of all personal data held.


To require the data controller to ensure that no significant decisions that affect them are based solely upon an automated decision-taking process


To prevent processing likely to cause damage or distress


To prevent processing for the purposes of direct marketing


To take action for compensation if they suffer damage by any contravention of the Act by the data controller


To take action to rectify, block, erase or destroy inaccurate data, and


To request the Data Protection Commissioner to make an assessment as to whether any provision of the Act has been contravened


Details of the eight Principles on which the Act is based may be viewed on the project website. Further information is also available at the Data Protection Commissioner’s website (

A list of the guidelines relating to HE-specific effects of the 1998 Data Protection Act, to be produced by the project, is available here.



M Mukerji

March  2001




'The material contained on this site is intended as a guide to Higher Education Institutions (HEIs) in the UK in complying with the Data Protection Act 1998. As such, it may be reproduced or adapted for use by HEIs. It is not intended and should not be treated as legal advice. The University of Lancaster can accept no liability in negligence or otherwise to those who rely directly or indirectly on any statements contained on this site.'
Webmaster:  Malcolm Baldwin
Revised: 05 Nov 2003 10:42 .