Data Protection

The Central Academic Bodies and central activities of the University of London (the "central University") Data Protection Guidelines and Subject Access Request Application Form can be found under the Data Protection Policy

1 Principles 
2 Benchmarks for Security of Workers’ Personal Data
3 Sensitive Data
4 Sickness, Accident and Absence Records


1 Principles

Anyone processing personal data must comply with the eight enforceable principles of good practice.  They say that data must be:

  • Fairly and lawfully processed;
  • Processed for limited purposes;
  • Adequate; relevant and not excessive;
  • Accurate;
  • Not kept longer than necessary;
  • Processed in accordance with the data subject’s rights;
  • Secure;
  • Not transferred to countries without adequate protection.

Personal data covers both facts and opinions about the individual.  It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances, exemptions will apply.  With processing, the definition is far wider than before.  For example, it incorporates the concepts of ‘obtaining’, ‘holding’ and ‘disclosing’.

For further more detailed information on the principles of data protection go to the Information Commissioner's Officeor contact the central University Data Protection Team on

To top

2 Benchmarks for Security of Workers' Personal Details

Apply security standards that take account of the risk of unauthorised access to, accidental loss or destruction of, or damage to, employment records.

Institute a system of secure cabinets, access controls and passwords to ensure that staff can only gain access to employment records where they have a legitimate business need to do so.

Use the audit trail capabilities of automated systems to track who accesses and amends personal data.

Take steps to ensure the reliability of staff that have access to workers’ records.  Remember this is not just a matter of carrying out background checks.  It also involves training and ensuring that workers understand their responsibilities for confidential or sensitive information.  Place confidentiality clauses in their contracts of employment.  Do not overlook workers in management positions as they may pose as great a risk as other workers, or even a greater one, as they may enjoy wider access to information than other workers.

Ensure that if employment records are taken off-site, e.g. on laptop computers, this is controlled.  Make sure only the necessary information is taken and there are security rules for staff to follow.

Take account of the risks of transmitting confidential worker information by fax or e-mail.  Only transmit such information between locations if a secure network or comparable arrangements are in place.  In the case of e-mail deploy some technical means of ensuring security, such as encryption.  To secure fax and e-mail systems:

  • Ensure that copies of e-mails and fax messages containing sensitive information received by managers are held securely and that access to them is restricted;
  • Provide a means by which managers can permanently delete e-mails from their personal work stations that they receive or send and make them responsible for doing so;
  • Check whether ‘deleted’ information is still stored on a server.  If so, ensure that this too is permanently deleted unless there is an overriding business need to retain it.  In any event, restrict access to information about workers held on servers.  Don’t forget that those providing IT support have access to servers.  They may be outside contractors;
  • Draw the attention of all workers to the risks of sending confidential or sensitive personal information by e-mail or fax;
  • Ensure that your information systems security policy properly addresses the risk of transmitting worker information by e-mail.

To top

3 Sensitive Data

The Data Protection Act defines eight categories of sensitive personal data.  These are:

  • The racial or ethnic origin of data subjects;
  • Their political opinions;
  • Their religious beliefs or other beliefs of a similar nature;
  • Whether they are a member of a trade union;
  • Their physical or mental health or condition;
  • Their sexual life;
  • The commission or alleged commission by them of any offence, or;
  • Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

The Data Protection Act sets out a series of rules, at least one of which has to be met before an employer can collect, store, use, disclose or otherwise process sensitive personal data.  In brief, these are that processing:

  • is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
  • is necessary for the purpose of legal proceedings or for the purpose of obtaining legal advice or is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
  • is of information in categories relating to racial or ethnic origin, religious/similar beliefs, physical/mental health/conditions, is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment, and contains safeguards for the data subject;
  • occurs where the information has been made public as a result of steps deliberately taken by the data subject;
  • is necessary for the exercise of any functions conferred on any person by or under an enactment or for the exercise of any functions of the Crown, a Minister of the Crown or a government department;
  • is necessary for medical purposes (including preventative medicine), and is undertaken by a health professional or someone else subject to an equivalent duty of confidentiality.*
  • is in the substantial public interest, is necessary for the prevention or detection of any unlawful act and must necessarily be carried out without the explicit consent of the data subject being sought, so as not to prejudice those purposes;
  • is in the substantial public interest, is necessary for research purposes, does not support decisions about individuals and is unlikely to cause substantial damage or distress;*
  • occurs where the data subject has given his or her explicit consent to the processing.

*  These conditions are not likely to have any application on the part of the audience at whom this handbook is aimed.

The conditions for processing sensitive data are quite narrow and the subject of further guidance by the Information Commissioner.  As a result, managers are strongly advised to seek specific advice from the Data Protection Officer or, as appropriate, from the HR Division before commencing collecting, storing, using, disclosing or otherwise processing sensitive personal data.

The most common form of sensitive data with which managers are likely to come into contact in terms of employment matters are sickness and accident records.  Specific guidance on the handling of sickness and accident records from a data protection perspective is given elsewhere in this handbook.

It is important to remember that, while the Data Protection Act provides categories of particularly sensitive data for the purposes of assigning conditions under which it is possible to process information, all personal data may be considered sensitive.   Managers should act to ensure that all staff personal data is safeguarded and that information (such as address and birth date) is maintained with appropriate confidentiality.

For further more detailed information on the rules applying to the processing of sensitive personal data, go to the Information Commissoner's Office or contact the University’s Data Protection team on .

To top

4 Sickness, Accident and Absence Records

The term ‘sickness record’ is used to indicate a record containing details of the illness or condition responsible for a worker’s absence.    Similarly, the term ‘accident record’ means a record which contains details of the injury suffered.  The term ‘absence record’ is used to describe a record that may give the reason for absence as ‘sickness’ or ‘accident’, but does not include any reference to specific medical conditions.

Sickness and accident records will include information about workers’ physical or mental health and therefore involve the processing of sensitive personal data so that one of the conditions for processing sensitive data must be met.

The Information Commissioner provides the following benchmarks for the processing of sickness and accident records.

Ensure that the holding and use of sickness and accident records satisfies a sensitive data condition.

Keep sickness and accident records separately from absence records.

Do not use sickness and accident records for any purpose when records of absence could be used instead.

Only disclose information from sickness or accident records about a workers’ illness, medical condition or injury where there is a legal obligation to do so, where it is necessary for legal proceedings or where the worker has given explicit consent to the disclosure.*

Do not make the sickness, accident or absence records of individual workers available to other workers other than to provide managers with information about those who work for them in so far as this is necessary for them to carry out their managerial roles.

Given the benchmarks above, it is important to realise that the sensitivity of health data requires that detailed information on sickness and accident records be restricted on a ‘need to know’ basis. 

Managers are reminded that staff are not obliged to give detailed reasons for sickness absence when calling in sick and are not only entitled but expected to return sickness certification direct to Human Resources.  This avoids both delay in sick pay and related processing and the unnecessary disclosure of health data.  Human Resources will inform managers as necessary of any sickness detail requiring their attention.  The reporting requirements, mentioned elsewhere on the intranet, are not affected by this provision.

*  This benchmark does not apply to the disclosure of number of days of absence such as might be involved in giving a reference.

To top