Skip navigation

Data protection

9: Data protection

9.1 Data protection and confidential information

The Data Protection Act 1998 imposes responsibilities on organisations and their employees in respect of all personal data held and processed.
You should be aware of the requirements of the Acts and how the rules apply to you. An overview is given in this section of the terms and conditions. For further advice, please contact the Office Services Administrator or Head of Human Resources (HR) and Office Services.

You have a responsibility to ensure that you respect confidential information in your possession. Disclosure to a third party of confidential information gained as part of your employment, or assisting others to do so, will be viewed by QAA with the utmost seriousness.

9.2 Data Protection Policy

This is a statement of the data protection policy adopted by The Quality Assurance Agency for Higher Education (QAA).  It applies to all QAA employees.

QAA needs to collect and use certain types of information about people with whom it deals with in order to operate. These include current, past and prospective employees, reviewers, professional experts, delegates and others with whom it communicates. This personal data must be dealt with properly however it is collected, recorded and used - whether on paper, in a computer, or recorded on other material - and there are safeguards to ensure this in the Data Protection Act 1998.

We regard the lawful and correct treatment of personal information by QAA as very important to successful operations, and to maintaining confidence between those with whom we deal and ourselves. We ensure that our organisation treats personal information lawfully and correctly.

To this end we fully endorse and adhere to the Principles of data protection, as enumerated in the Data Protection Act 1998.

Specifically, the Principles require that personal information must:

  1. be processed fairly and lawfully
  2. not be used for a purpose for which it was not collected
  3. be adequate, relevant and not excessive for the purpose
  4. be accurate and up-to-date
  5. not be kept longer than necessary
  6. be processed in accordance with the data subject's rights
  7. be kept secure and protected from unauthorised processing, loss or  destruction and
  8. be transferred only to those countries outside the European Economic Area that provide adequate protection for personal information.

Therefore, QAA will, through appropriate management, and strict application of criteria and controls;

  • Fully observe conditions regarding the fair collection and use of information
  • meet its legal obligations to specify the purposes for which information is used
  • collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
  • ensure the quality of the information used
  • hold personal information on QAA systems for as long as is necessary for the relevant purpose, or as long as is set out in any relevant contract held with QAA or QAA’s Records Retention Schedule (this is a database that defines which documents should be kept and for how long). 
  • ensure that the rights of people about whom information is held can be fully exercised under the Act. (These include: the right to be informed that processing is being undertaken; the right of access to one's personal information; the right to prevent processing in certain circumstances; the right to correct, rectify, block or erase information which is regarded as wrong information)
  • take appropriate technical and organisational security measures to safeguard personal information
  • ensure that personal information is not transferred abroad without suitable safeguards.

In addition, QAA will ensure that:

  • there is someone with specific responsibility for data protection in the organisation. The nominated person is currently the Office Services Administrator. The Office Services Administrator will report on any data protection matters to the Head of HR and Office Services and Company Secretary. The Chief Executive has overall responsibility for compliance with the Act but individual members of staff are responsible for the proper use of the data they process
  • everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice; this policy is available to each member of staff and is part of the terms and conditions of employment. All staff have a responsibility to ensure that they respect any confidential information in their possession. Unauthorised disclosure of confidential information to a third party is viewed by QAA with the utmost seriousness
  • everyone managing and handling personal information is appropriately trained and supervised
  • queries about handling personal information are promptly and courteously dealt with and clear information is available to all staff
  • the Office Services Administrator reports to The Information Management Group (IMG) at regular intervals to update them on data protection work being carried out.  Any amendments to policy or procedure will initially be discussed by IMG prior to being approved by the Executive committee. 

9.3   Subject Access Requests

Under the Act individuals have the right to have access to the personal information QAA may hold about them. If you wish to request such information from QAA please contact:

Samantha Phillips
Office Services Administrator
QAA for Higher Education
Southgate House
Southgate Street
Gloucester
GL11UB

Alternatively you can send your request via email to dataprotection@qaa.ac.uk

TopTop