Responsibilities as a data controller

Under the Data Protection Act 1998 (DPA), it is the responsibility of the data controller to comply with the obligations set out in the Act, which are contained in the data protection principles in schedule 1. Therefore, if data is transferred directly to you, it is imperative that you comply with these principles.

The obligations imposed by the DPA are:

  • To process data fairly and lawfully;
  • To process data in accordance with one of the conditions in schedule 2 and for sensitive personal data also schedule 3 of the DPA;
  • To process data only in such a way that is compatible with the purpose for which you specified the data would be processed;
  • To not process personal data which are excessive or irrelevant for the purpose for which they are processed;
  • To ensure that personal data is accurate and up to date;
  • To only keep personal data for as long as is necessary for the purposes of processing;
  • To process data in accordance with the rights of the data subject;
  • To ensure that adequate security measures (physical, technical and managerial) are in place to protect personal data;
  • To not transfer personal data outside the European Economic Area unless adequate security safeguards are in place.

In practical terms, in order to comply with the data protection principles you must ensure that:

  • Data is not reused for purposes outside the scope of each project or shared with colleagues who are not project staff or collaborators, and no attempt is made to link it to other datasets or to de-anonymise it.
  • Any further transfer of data between named project collaborators or staff is of encrypted data only, usually directly from an access-controlled FTP server to the FTP client, although data may also be sent via email using encrypted data files. SHIP can offer advice and provide encryption tools to help meet this requirement.
  • Researchers should notify SHIP when the project is complete and arrange for the return of the data and the analysis syntax used for archiving or deleting all local copies. SHIP will require written confirmation that all locally-held data has been deleted. This confirmation will be added to the project management system.
