
Data Protection

Purpose of this guide

Information or data is held by a number of organisations about serving teachers. These include the school, employing authorities and Department of Education. The information may relate to your appointment as a teacher, your pay, threshold application and evaluation, disciplinary matters, pension or issues in which a complaint was raised or investigated by a particular body. Information may also be recorded by the school using CCTV systems, or monitoring of internet or e-mail activity.


This guide is therefore designed to inform and advise INTO members in relation to their rights under the Data Protection Act (NI) 1998.


What is the Data Protection Act?

The Data Protection Act is a piece of legislation which sets out the rules for the processing of personal information. It applies to computer and paper based systems on which data may be held about you.


How can the Data Protection Act help me?

The Data Protection Act works in two ways. Firstly, it gives you certain rights. It also places an obligation upon those who record, store or use your personal information to be open about how that information is used. Such individuals must also follow the eight principles of good information handling.


Why do I need to protect my personal data?

Many organisations (data controllers) have details about us (data subjects) on computer or in paper files. The growth in personal information (data) has many benefits. It can, however, cause problems if the information is out of date, was entered wrongly, or is confused with someone else’s data. This could lead to you being treated unfairly or even being refused employment or credit.


How do I protect my personal information?

Personal information is an extremely valuable resource. INTO advises members to:

Think before you supply it.

Ask why the information is being sought.

Ascertain if the information sought is really necessary.

Ask who will have access to the information.


In cases where you must give personal information, e.g. legal cases, this should be clearly explained to you.


If you wish to stop personally addressed marketing material being sent to you, contact Mailing Preference Service (MPS) at:

Freepost 22


W1E 7EZ        

Tel 0207 766 4410

To stop unwanted telesales calls contact Telephone Preference Services (TPS) on 0845 070 0707.


What are the eight principles of “good information” handling?

The eight principles were developed to ensure that personal information about individuals is handled properly.

Data must be:


Fairly and lawfully processed;

Processed for limited purposes;

Adequate, relevant and not excessive;


Not held longer than is necessary;

Processed in line with your rights;

Secure; and

Not transferred to countries without adequate protection.


By law, data controllers must keep to these principles.


How can I find out what is held about me?

The Data Protection Act allows you to find out what information about you is held on computer and some paper based records. This is known as the “right of subject access”.

If you want to know whether information is held about you, and if so, what it is, then you should write in the first instance to the person or organisation you believe holds the data. You should ask for a copy of all the information held about you to which the Data Protection Act applies. If you are unsure who to write to within an organisation, address your request to the Chief Executive. You can also obtain this information from the Information Commissioner whose details are included at the end of this guide.  A sample data request letter is also included with this guide.


If you want to know the logic involved in certain types of decisions (e.g. refusal of credit), you should insert in your letter after “section 7(1)”, the words “including information under section 7 (1) (d)”.


It is important that you specify the information requested, as the organisation is only obliged to send you the information you requested. An individual cannot make a global request to an organisation for “all and any information”. This will most probably be refused and you will be required to narrow your request to specific information.


INTO advises you to send your request by recorded delivery and keep a copy of the letter and any future correspondence. In many instances an organisation will ask you to provide information to confirm your identity. It therefore helps if you can provide as much information as possible in your initial subject access request.


You are entitled to receive a reply within 40 days of providing these details as long as you have paid the necessary fee (if requested). This cannot be more than £10.


What will be sent to me?

You will receive:

A copy of the information held about you;

A description of why your information is processed;

Details of any other organisations your information has been passed to; and

The logic behind certain automated decisions.

The information can be sent as a computer printout, letter or form. Any codes or abbreviations used should also be explained.


Can INTO request this information for me?

No. The request is made for personal data and this information can only be released to the individual to whom the data relates. INTO will advise and assist members in making data requests and the assessment of the information obtained from such requests.


Does a data controller always have to reply?

Yes. If you do not receive a reply within 40 days, send the organisation a reminder by recorded delivery (remember to keep a copy). If you do not receive a reply or the information received is wrong or incomplete you should contact the Information Commissioner immediately. The Information Commissioner also has the right to take enforcement action against an organisation that has been found to have broken any of the eight principles.


Can I see all the information held about me?

Yes, normally you can. However there are some exceptions. For example, if providing you with the information would be likely to affect:

The way a crime is detected or prevented;

Catching or prosecuting offenders; or

Assessing or collecting taxes or duty.


In certain cases your right to see certain health and social work details may be limited. If you think information is being withheld from you, contact the Information Commissioner or INTO.


What about paper records and filing systems?

As well as computerised records the Data Protection Act (NI) 1998 covers some paper files. These include information in relation to health records, education, housing and social services.


What about medical information?

Information about an employee’s physical and mental health is a very sensitive matter. The relevant Code of Practice emphasises that one of the following conditions of the Data Protection Act (NI) 1998 must be satisfied before an employer can process such data. These are:

To comply with an employer’s legal obligations, such as ensuring health and safety and non-discrimination on the grounds of disability;

For medical purposes and undertaken by a medical professional;

With the worker’s explicit consent;

In connection with legal proceedings such as a tribunal.


An employee’s consent must be explicit and freely given. It cannot be assumed to be overarching and is not likely to include consent for acts in which the employee is less favourably treated.


Employers must also take as many steps as possible to limit the range of personnel who can access health information. The principle should be applied strictly so that, wherever practicable, only health professionals have access to medical records. Principals and Boards of Governors may be provided with a “sanitised” version of a teacher’s medical records. In such instances a copy should also be provided to the teacher.


What about CCTV and other personal surveillance?

There are a variety of types of personal surveillance being undertaken in shops, the workplace and in the street.  This includes CCTV cameras in the street, in the workplace and in shops, Internet Service Providers (ISPs) keeping information about websites you visit, biometric identifiers for passports and visas and increased sharing of information between public authorities.


Whether in the public or private sector, these developments are intended to prevent crime, combat terrorism or improve services, but undoubtedly they result in our being watched in our everyday lives far more than in the past. There is a real risk of an undue invasion of our right to private life and the creation of an oppressive climate of surveillance. As an individual, if you think that the data being recorded about you is not in keeping with the eight principles of data protection, you are entitled to make a “right of subject access” request under the Data Protection Act.


If an organisation has broken one of the principles of data protection you may wish to raise the matter with the Information Commissioner.


What is the register of data controllers?

The register of data controllers contains the names and addresses of all data controllers who are registered with the Commissioner. It also includes broad details of the data they process in terms of type, purpose, the people that they may want to give the information to, and whether they may be transferred to any countries or territories outside the European Economic Area. The register is available for personal inspection at the office of the Information Commissioner or online at


What is the Commissioner’s role?

If you are unable to resolve a data request matter or believe that the data protection principles have been infringed you may wish to contact the Information Commissioner. The Commissioner will try to deal with matters informally. However, if they decide that requirements of the Data Protection Act have not been met they may decide to take action against the data controller in question. If the data controller has committed a criminal act then the Commissioner may prosecute them.


What about compensation?

You are entitled to claim compensation through the courts if damage has been done as a result of a data controller not meeting the requirements of the Data Protection Act. You can only claim compensation for distress in very limited circumstances.


Sample Data Request letter



<Data controller>

<Organisation’s Address>


Dear Sir or Madam


Re: Subject Data Access Request


Please send me the information which I am entitled to under section 7 (1)* (or section 7(1) (d))* of the Data Protection Act (NI) 1998.


If you require further information from me, or a fee, please let me know as soon as possible.


If you do not normally handle these requests for your organisation, please pass this letter to your Data Protection Officer or the appropriate individual.


I await your reply.


Yours faithfully


*Insert as appropriate


Useful Contact Details


Information Commissioner for Northern Ireland

Regent House, 33 Clarendon Dock, Belfast, BT1 3BG


Information Commissioner

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 01625 545700

Fax: 01625 524510




Labour Relations Agency

2 – 8 Gordon Street, Belfast, BT1 2LG

Tel: 02890321442



April 2004