- Data Policy Statement:
University of Gibraltar employees will be involved in processing personal and student data. This policy sets rules and provides guidance for the use of the University of Gibraltar data.
- Applicability:
The policy applies to all full-time and part-time employees of the University of Gibraltar, contracted third parties (including agency staff), students/trainees, other staff on placement with the University of Gibraltar, and staff of partner organisations with approved access. All users must accept this policy to use or access the University’s information systems and services.
- Definition of ‘Data’:
Data is information relating to a student or employee where the structure of the data allows information about the student or employee to be readily accessed. The information may be held in manual form (e.g., as written notes relating to a person or as part of a filing system, including card index or filing cabinets structured by name, address or student identifier) or in a form capable of being processed electronically. Personal data is any data relating to a living individual (e.g., name, address, exam grades, etc.). Sensitive data form a subset of personal data that relate to a person, recording such things as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, criminal convictions, etc. Data is processed whenever compiled, stored or otherwise operated upon. So disseminating the results of a staff member or student involves processing data relating to each of them, as does giving and receiving personal references, producing agenda items or minutes for committees at which students or employees are discussed as individuals, etc.
- Protecting the University of Gibraltar Data:
The Data Protection Act 1998 requires that all staff and others who process or use any personal/student information must ensure that they adhere to the following. In summary these require that student data shall:
- be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met;
- be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose;
- be adequate, relevant and not excessive for those purposes;
- be accurate and kept up-to-date;
- not be kept for longer than is necessary;
- be processed in accordance with the data subject’s rights;
- be kept safe from unauthorised access, accidental loss or destruction;
- not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
Whenever and wherever you are processing personal data for the University of Gibraltar you must keep this confidential and secure, and you must take particular care not to disclose the data to any other third party unless authorised to do so. The Data Protection Act gives every individual the right to see a wide range of information that the University of Gibraltar holds about them. Personal remarks and opinions must be made or given responsibly, and they must be relevant and appropriate as well as accurate and justifiable.
It is a criminal offence to obtain or disclose personal data without the consent of the data controller. This includes the gathering of student/personal data by employees at work without the authorisation of the employer.
Whenever you are unsure of what is required or you otherwise need guidance in data protection, you should consult your direct line manager, the Director of ICT or the HR Department.

