
Data Protection Code of Practice

Edinburgh Napier University's Data Protection Code of Practice concentrates on key issues of concern to the University, reflects our agreed policies and procedures, provides links to these where appropriate and to other resources which have been developed.

 

The University's Code was based on a JISC Model Code and has been revised by members of the University's Information Governance Group and other key staff to include:

• New legislation and developments in case law

• Codes and other guidance issued by the UK Information Commissioner (ICO)

• Updated University guidance documents on the application of the Data Protection Act Legislation and other resources

 

In addition to JISC and the contributors to the model Code, Edinburgh Napier University gratefully acknowledged other material originally incorporated from guidance published by the University of Edinburgh, University of Brighton and the University of Essex.

Contents

Section

1 Foreword and Acknowledgements

2 Key Definitions

3 Interaction with Other Legislation
    3.1 Freedom of Information (Scotland) Act 2002
    3.2 Human Rights Act 1998
    3.3 Regulation of Investigatory Powers Act 2000
    3.4 Privacy and Electronic Communications (EC Directive) Regulations 2003
    3.5 The Electronic Commerce (EC Directive) Regulations 2002
    3.6 Equality Act 2010
    3.7 Other Legislation

4 Processing of Personal Data by Employees
    4.1 Processing Under the University's Notification to the UK Information Commissioner
    4.2 Employee Access to and Use of Personal Data
    4.3 Temporary Staff
    4.4 Sensitive Personal Data
    4.5 Responsibilities
    4.6 Processing Outside the University's Notification

5 Processing of Personal Data by Students
    5.1 The University's Responsibility
    5.2 Permitted Use
    5.3 Staff Responsibilities
    5.4 Student Access to and Use of Personal Data

6 Use of Personal Data in Research
    6.1 Factors to Consider in Using Personal Data for Research
    6.2 Exemptions for Research Purposes
    6.3 Factors to be Considered When Processing Personal Data for Research Purposes
    6.4 Processing Sensitive Personal Data
    6.5 Online Research with Human Subjects
    6.6 Provision of Research Data to Third Parties

7 Security of Personal Data
    7.1 Electronic Data
    7.2 Manual Data
    7.3 Contractors, Vendors and Suppliers
    7.4 Students
    7.5 Transfer of Personal Data
    7.6 Migration or Update Plans
    7.7 Back-Up of Personal Data
    7.8 Working Off-Site, on Home Computers or at Remote Locations
    7.9 Destruction of Personal Data
    7.10 Data Breach

8 Data Sharing
    8.1 Conditions for Processing of Personal Data
    8.2 Conditions for Processing of Sensitive Personal Data
    8.3 Key Elements
    8.4 Data Sharing within the University
    8.5 Data Sharing with Third Parties
    8.6 Disclosures without Consent
    8.7 Emergency Requests
    8.8 Mandatory Disclosures
    8.9 Disclosures to Employees Under Discrimination Legislation
    8.10 Verification of Attendance, Employment and Qualifications
    8.11 False Qualification Claims
    8.12 Further Information on Data Sharing

9 The Internet, Online and Web 2.0 Services
    9.1 University Web Pages
    9.2 Web Pages Used to Collect Personal Data
    9.3 Internet and Intranet Monitoring
    9.4 Web 2.0 Services
    9.5 Cloud Computing Services
    9.6 e-Learning Systems, Virtual Learning Environments and ePortfolios

10 Privacy Impact Assessments
    10.1 General Information
    10.2 Guidance

11 International Transfers of Personal Data
    11.1 Transfers of Personal Data to European Economic Area (EEA) Countries
    11.2 EU Commission Approved List
    11.3 Transfers of Personal Data to Non-EEA Countries
    11.4 Transfers of Personal Data to USA under Safe Harbor Scheme
    11.5 Exceptions to Prohibition on Data Transfer
    11.6 Consent
    11.7 Method of Transferring Personal Data
    11.8 Third Party Requests
    11.9 Data Controller Assessment of Adequacy for Non-EEA Transfer
    11.10 Further Information on International Transfer

12 Collection and Processing of Personal Data Relating to Disability
    12.1 General Information
    12.2 Disclosure by Individuals
    12.3 Seeking and Giving Consent
    12.4 Where Consent is Withheld
    12.5 Disclosure in Exceptional Circumstances
    12.6 Disclosure in References
    12.7 Disclosure to Third Parties
    12.8 Further Information

13 Next of Kin and Emergency Contact Information

14 Counselling Services
    14.1 Counselling for Staff
    14.2 Counselling Service for Students

15 Student Advice
    15.1 Student Development
    15.2 Applications for Access Funding and Other Discretionary Funding
    15.3 Napier Students' Association

16 CCTV and Similar Surveillance Equipment

17 Photography and Film

18 Examinations and Assessment Process

19 References
    19.1 References given by the University
    19.2 References received by the University
    19.3 Internal References
    19.4 Disclosure of Disability in a Reference

20 Retention of Records Containing Personal Data
    20.1 Records Retention under Data Protection Legislation
    20.2 University and JISC Retention Schedules
    20.3 Destruction of Records Containing Personal Data
    20.4 Record of Destruction

21 Glossary and Acronyms