General Data Protection Documents
Edinburgh Napier University is registered under the Data Protection Act 1998 to hold personal data about students, without which we would not be able to carry out our business activities or fulfil our education, training and support remits. The Data Protection Statement explains how we collect and use this data, as well as the rights and responsibilities of students and the University.
Download the Data Protection Fair Processing Statement for Students
The University is legally required to send some information to the Higher Education Statistics Agency (HESA). This document explains how HESA will use the information.
Download the HESA Data Protection Information for Students
Edinburgh Napier University is a data controller for the purposes of the Data Protection Act 1998 and processes the personal data of staff strictly in line with the Act and its notification to the UK Information Commissioner’s Office. The Data Protection Statement explains how we collect and use this data, as well as the rights and responsibilities of staff and the University.
Download the Data Protection Fair Processing Statement for Staff
Permission to Disclose Personal Data
The Data Protection Act allows the University to share a subject’s personal data with other areas of the University and third parties, where the subject has given his/her consent. This form should be used to ensure that there is a written record of the subject’s informed consent which is then to be retained as specified on the form. Further guidance on data sharing is available in Section 8 of the Code of Practice
and on the Data Sharing documents page
Download the form for Permission to Disclose Personal Data
Permission to Disclose Sensitive Personal Data
The requirements for processing sensitive personal data
, such as information relating to racial or ethnic origin, health issues or criminal convictions, are more stringent and such data may only be disclosed with the express written consent of the subject. This template consent form should be used when such a disclosure is proposed.
Download the form for Permission to Disclose Sensitive Personal Data
There are several steps to determining whether data (electronic or manual) is personal data for the purposes of the Data Protection Act. This extract from the UK Information Commissioner’s Data Protection Technical Guidance: Determining what is personal data helps explain and illustrate the Information Commissioner’s guidance on what is personal data.
The full version, including references, is available on the Information Commissioner's website.
Download the UK Information Commissioner's Guidance on Personal Data
The Data Protection Act (DPA) and Freedom of Information (Scotland) Act (FOISA) are both concerned with information but they have different and at times conflicting purposes. The DPA protects individuals’ rights to privacy and fair processing of their personal data, whilst FOISA provides people with rights of access to the information held by public sector bodies. The DPA and FOISA therefore operate alongside each other but their interaction could be potentially complex. This guidance note provides a comparison between the scope of the two acts, and an introduction to their interaction.
Download the Interaction between DPA and FOISA Guidance Note