Data Protection Policy Statement
Edinburgh Napier University is committed to protecting the rights and freedoms of individuals with respect to the processing of their personal data. This is done in accordance with:
- The Data Protection Act 1998 (the Act)
- associated legislation
- case law and the spirit of the Act
- the University's notification with the UK Information Commissioner, which sets out the purposes for which the University holds and processes personal data about employees, students, graduates and others
1. All users of personal data at Edinburgh Napier University are required to comply with:
- The Act
- the University's Data Protection Code of Practice and Information Security Policies
- associated University policies, procedures and guidance on the provisions and practical implementation of the Act
2. These requirements apply to all personal data created and received, regardless of where it is held and irrespective of the ownership of the equipment used, if the processing is for Edinburgh Napier University purposes.
3. Any breach of the University's policies, procedures or guidance may result in the University being legally liable for the consequences and internal disciplinary action being taken.
1. All employees and agents processing personal data for and on behalf of the University are responsible for ensuring that any processing of personal data carried out by them complies with the Act.
2. All line managers are responsible for ensuring that the processing of personal data carried out in their School/Service Area is compliant with the Act and that employees reporting to them are aware of their responsibilities under the Act and have received training.
3. Governance Services are responsible for overseeing compliance, developing guidance and providing advice and training to employees.
4. The University Secretary has overall responsibility for ensuring that the University complies with the Act and its associated legislation.
The Data Protection Principles
The Data Protection Act sets out eight principles governing the use of personal information with which all University users must comply unless an exemption applies. These principles ensure that personal information is:
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept for longer than is necessary
6. Processed in line with individuals' rights
7. Kept secure
8. Not transferred to other countries without adequate protection
Further guidance is available in the University's Data Protection Code of Practice.
Governance Services can assist with queries relating to data protection and can be contacted at firstname.lastname@example.org