Purpose and Scope The University is subject to the Processing of Personal Data (Protection of Individual Law 2001 (138(1)/2001) and its amendments).
DATA PROTECTION CODE OF PRACTICE The University must comply with the Principles of the Processing of Personal Data (Protection of Individual Law 2001 (138(1)/2001. The Act contains eight governing Principles relating to the collection, use and disclosure of data, and the rights of data subjects to have access to personal data concerning themselves. These Principles are:
THE FIRST PRINCIPLE Personal data shall be processed, fairly and lawfully according to “specific conditions” For more information on these conditions, please refer to the Data Protection Code of Practice
THE SECOND PRINCIPLE ‘Personal Data shall be obtained only for one or more specified lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes’.
THE THIRD PRINCIPLE ‘Personal Data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.’
THE FOURTH PRINCIPLE ‘Personal Data shall be accurate and, where necessary, kept up to date.’
THE FIFTH PRINCIPLE ‘Personal Data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’
THE SIXTH PRINCIPLE ‘Personal Data shall be processed in accordance with the rights of Data Subjects under this Act.’ The rights of the Data Subject include the following:
– the right of Data Subjects to request access to the information held about them, the purpose (s) for which the information is being used and those to whom it is or may be disclosed; – to prevent processing likely to cause damage or distress; – to prevent processing for the purposes of direct marketing; – to be informed of the logic behind any automatic decision making; – to take action for compensation if they suffer damage for any contravention of the Act by the Data Controller; – to take action to rectify, block, erase or destroy inaccurate data; – the right to ask the Information Commissioner to assess whether or not it is likely that any processing of Personal Data has not been carried out in accordance with the Act.
THE SEVENTH PRINCIPLE ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of or damage to Personal Data.’
THE EIGHTH PRINCIPLE 1 ‘Personal Data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of Personal Data.’