Birkbeck, University of London Human Resources

Data protection code of practice


Key Concepts

Existing Notifications

Collection and Amendment of Personal Data

Disclosure and Transfer of Personal Data

Publication of College Information

Retention and Disposal of Personal Data

Minimum Retention Periods for Records Containing Personal Data pdf format

Subject Access Requests

Subject Access Request Form pdf format

Data protection policy and code of practice leaflet pdf format


1. This Code of Practice must be read in conjunction with the College’s Data Protection Policy document to give the fullest picture of Birkbeck’s data protection regime. This document gives an introduction to some basic points of practice relating to the handling and processing of personal data at Birkbeck. It also lists the particular activities carried out within the College’s administrative and academic departments that involve the handling and processing of personal data.

back to top

Key Concepts

2. The Data Protection Act 1998 places an obligation upon Birkbeck, as a data controller, to collect and use personal data in a responsible and accountable fashion. Birkbeck College is committed to ensuring that every current employee and registered student complies with this Act to ensure the confidentiality of any personal data held by the College in whatever medium. Three key concepts to be considered are those of purpose, fairness and transparency.


3. Data controllers can only process personal data where they have a clear purpose for doing so, and then only as necessitated by that purpose. Paragraphs 39–50 of this Code of Practice summarise the purposes for which the College processes personal data. Personal data cannot be processed for purposes that have not been defined and declared in the College’s Data Protection Register entry (see paragraph 6 below).


4. In defining the purposes for which Birkbeck processes personal data, the fairness of that processing must be considered. For some types of processing the required elements of fairness and legality are clearly outlined in the legislation, but for many others they are not. In such cases, Birkbeck has tried to take a broad approach to deciding what is fair in each case, based on an interpretation of the 1998 Act and in conjunction with advice from the Information Commissioner, the College’s own legal advisors, and on wider practice within the UK HE sector.


5. Members of staff, students and others must be able to feel that there is no intention to hide from them details of how their personal data are collected, used and distributed by the College. One of the functions of this Code of Practice is to provide that assurance.

back to top

Existing Notifications

6. The Act requires many data controllers to notify the Information Commissioner of the purposes for which personal data are processed, together with certain details of that processing. Those notifications are then held on a public register. The College has two existing Register entries – for the College and the Students’ Union – that can be examined on-line at

7. It is an offence for the College to hold personal data that falls outside of the classes declared in these notifications or to process personal data for any purposes that are not defined there. It is therefore very important that those who work with personal data in the course of their College duties are familiar with the details contained in these notifications.

8. Any changes that may be required should be passed to the College Secretary’s Office as these entries are periodically reviewed and amended as necessary by the College Secretary.

9. Paragraph 35 of this Code of Practice gives details of the College’s Designated Data Controllers, who are responsible for handling subject access requests and dealing with data protection enquiries within the College.

back to top

Collection and Amendment of Personal Data

Collection of personal data, amendment of personal data, security of personal data, secure storage of personal data and  the secure processing of personal data.

Collection of personal data

10. In most cases, the personal data held by the College will be obtained directly from the data subjects themselves. The law stipulates that a data protection notice must accompany any request for personal data. Any members of staff responsible for managing the collection of personal data for the legitimate activities of the College must ensure that a notice containing the following information is included in the request for that data:

Amendment of personal data

11. From time to time data subjects will wish to update some of their personal data held by the College, for example their home addresses or other contact details previously submitted. To do this, the data subjects must either contact the specific member of staff designated in the data protection notice at the time the data was submitted, or the appropriate Designated Data Controller as set out in paragraph 35. Proof of identity will be required before any amendments can be made.

12. As and when ‘self-service’ computer-based administrative systems are introduced for staff, students or others, the data subjects themselves will be able to take responsibility for the maintenance of certain elements of their personal records.

13. These systems will incorporate the necessary authentication and security mechanisms to ensure that data subjects are only able to view and amend their own data.

Security of personal data

14. Of fundamental importance within any data protection regime is the security of the personal data that is being processed. Data subjects have the right to expect that their personal data will be kept and processed securely and that no unauthorised disclosures or transfers will take place to anyone either within or outside the College. Authorised disclosures or transfers are those that are defined within the appropriate Notifications (see paragraphs 6–9 above) and declared to the data subject either at the point of data collection or subsequently, the necessary consent for disclosure or transfer having been obtained if required.

15. To help ensure the security of personal data within the College, all those in Birkbeck who process such data in the course of performing their duties are required to follow the general guidelines set out below.

Secure storage of personal data

16. Each member of staff whose work involves storing personal data, whether in electronic or paper format, must take personal responsibility for its secure storage, in line with Birkbeck’s Data Protection Policy, which states that personal data should:



17. Ordinarily, personal data should never be stored at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites.

18. Staff should be aware that log files would record details of all users who access, alter or delete or attempt to access, alter or delete centrally held computerised databases and files containing personal data.

Secure processing of personal data

19. While staff members in the course of performing their legitimate duties are using personal data, reasonable precautions must be taken to ensure the safety and privacy of that data. For example:

20. Ordinarily, personal data should not be processed at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites. In cases where such off-site processing is felt to be necessary or appropriate, the agreement of the relevant Head of School or Department must be obtained, and all the security guidelines given in this document must still be followed.

back to top

Disclosure and Transfer of Personal Data

Authorised and unauthorised disclosures, security of data during transfer, and disclosures outside the College.

Authorised and unauthorised disclosures

21. Staff members working with personal data will be made aware by their line managers or other appropriate staff of the purposes for which the data is processed and the legitimate parties either within or outside Birkbeck to whom that data, either in whole or in part, may be disclosed or transferred. Personal information must not be disclosed either orally or in writing or via Web pages or by any other means, manual or electronic, accidentally or otherwise, to any unauthorised third party.

22. Staff should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.

Security of data during transfer

23. Where personal data is transferred between staff members within the College in the course of their legitimate activities, the level of security appropriate to the type of data and anticipated risks should be applied. For example, sensitive personal data should either be transferred by internal mail in sealed envelopes or by hand. If transferred by e-mail, such data should normally either be encrypted or sent in a password-protected attachment (for example using Microsoft Word’s ‘require password to open’ feature), with the password being supplied separately. Further advice on secure email and password protection can be obtained from Central Computing Services.

Disclosures outside the College

24. When a request to disclose or amend personal data relating to a member of the College (student or staff) is received from an individual or organization outside the College, in general no data should be disclosed or amended unless the authority and authenticity of the request can be established. Disclosures requested by those claiming to be relatives or friends should be refused unless the consent of the data subject is obtained for such disclosures or in one of the few situations where disclosure without consent is permitted by the law (see:

25. Requests for the disclosure of personal data from the Police, Government bodies, the British Council or other official bodies and agencies should be investigated sufficiently to verify the authenticity of the request and may then be acted upon if there is a legal requirement for such disclosure or the consent of the data subject has been given for the disclosure.

26. Details of any specific procedures and practices to be adopted when responding to requests for disclosure in individual administrative Departments or Academic Schools within the College will be available from the appropriate senior members of staff.

back to top

Publication of College Information

27. While the majority of personal data held by the College is processed for internal administrative purposes and is never disclosed outside the institution, some categories of data are routinely or from time to time released through one or more forms of publication.

Legal obligations, staff directory, staff personal data on Web pages and student personal data on Web pages.

Legal obligations

28. When required by law or College statute, the names of Senior Officers and Governors of the College and certain other personal data relating to employees and Governors are published in the annual Calendar and on the Web site. The College also fulfils all obligations placed upon it by its relationship with various funding bodies, Government Agencies and the like with regard to the release of personal data and statistical information concerning students and staff. Data subjects are informed of the College’s obligations in this respect at the time the data is collected.

Staff Directory

29. In order to meet the legitimate needs of researchers, visitors and enquirers to be able to make contact with appropriate staff, Birkbeck intends to make available on its public Web site a directory containing the job title, organizational unit, title, forename, surname, office telephone number, office room number and location and office e-mail address of each staff member. However, at the time of appointment and at any time while in post (via a request to the designated Data Controller) each individual member of staff will be able to specify the level of detail that will appear in this public directory, i.e. being able to request that the following be omitted: title, forename, e-mail address. The Web-based public directory will be searchable by name and organisational unit and will only return personal contact data for those staff that have given their consent for this disclosure. A complete directory is available on the College intranet, but this is password-protected and is only available to current students and staff. A printed directory is made available to all members of staff within the College, but is not ordinarily given to anyone else.

Staff personal data on Web pages

30. Apart from the staff directory described above, staff biographical details or other personal data may be published on Birkbeck’s Web sites or in other media, but only where the staff concerned have given their consent for such information to be made publicly available. However, publication in this way does not mean that such data have been placed into the public domain. Birkbeck retains control and copyright of such data, and the data must not be reproduced or further processed without the College’s express permission.

Student personal data on Web pages

31. Apart from the obligations mentioned above (paragraph 28) the College will not ordinarily reveal any personal details of students enrolled at Birkbeck to any individual or body outside the College. However, some research students may consent to contact details or other personal data being published, for example via the College’s public Web sites. It may also be the case that students enrolled on certain courses may produce Web-based material containing personal data as part of their course work. In such cases, responsibility for such disclosures rests entirely with the individual students concerned and is not indicative of any College-wide policy.

back to top

Retention and Disposal of Personal Data

The retention of personal data and the disposal of personal data.

The retention of personal data

32. The College has a duty to retain some staff and student personal data for a period of time following their departure from the College, mainly for legal reasons, but also for other purposes such as being able to provide references and academic transcripts, or for financial reasons, for example relating to pensions and taxation. Some material will also be retained to form part of the official College archive (selected following the guidance given in the JISC publication ‘Study of the Records Life Cycle’, available at Different categories of data will be retained for different periods of time, and these are set out in the table overleaf.

The disposal of personal data

33. When a record containing personal data is to be disposed of, the following procedures will be followed:

34. Employees and, where appropriate, students, will be provided with guidance as to the correct mechanisms for disposal of different types of personal data and audits will be carried out to ensure that this guidance is adhered to. In particular, employees and students will be made aware that erasing/deleting electronic files does not equate to destroying them.

back to top

Minimum Retention Periods for Records Containing Personal Data pdf format

Subject Access Requests

35. All staff, students, applicants and other users have a right under the Act to access certain personal data being kept about them at Birkbeck either on computer or in certain files. Any person who wishes to exercise this right should complete the Subject Access Request Form in Annexe 1 and submit it to the appropriate Designated Data Controller, who is:

For students: The Registrar

For staff: The Director of Human Resources

For all others: The College Secretary

36. The College will make a charge of £10 on each occasion that access is requested, although the College has discretion to waive this.

37. The College will comply with requests for access to personal information as quickly as is practicable, but will ensure that the information is provided within 40 days, as required by the Act.

38. Students and former students should be aware that exam scripts are exempted from the subject access rules and copies will not ordinarily be given to those who make a subject access request. However, a copy or summary of both internal and external examiner’s comments can be requested as part of a subject access request. If such a request is made before the results of the examination are announced, the College will provide the information within 5 months of the request being received or 40 days from the announcement of the result, whichever is the earlier, as required by the Act. The Processing of Personal Data within Specific Administrative Departments and Academic Schools Activities involving the processing of personal data

39. Listed In the following sections are categories of activities carried out within each of the specified organisational units within the College that involve the processing of personal data. It is the responsibility of the appropriate Directors and Heads to ensure that sufficiently detailed guidance is given to their staff to enable them to carry out these activities in accordance with the requirements of the Data Protection Act 1998.

Schools and Research Centres, Central Computing Services, College Secretary’s Office, Estates and Facilities, External Relations, Finance, Human Resources and Organisational Development , Library, Master’s Office, Registry, Students’ Union and the Vice-Master’s Office.

40. Schools and Research Centres

41. Central Computing Services

42. College Secretary’s Office

43. Estates and Facilities

44. External Relations

45. Finance

46. Human Resources and Learning and Organisational Development

47. Library

48. Master’s Office

49. Registry

50. Students’ Union

51. Vice-Master’s Office

The wording of this document draws heavily on version 2.0 of the ‘JISC Data Protection Code of Practice for the HE and FE Sectors’, produced by Andrew Charlesworth, Senior Lecturer in IT Law at the University of Hull Law School. The JISC document can be viewed on-line at

Printed from:
Date printed: 22/09/2018