The data protection rules contain some basic principles that you must always comply with. If you are in doubt about how to process personal information, you can always return to the principles and make sure that you follow them.
1. Lawfulness, fairness and transparency: When we process personal information, the processing must be lawful, fair and transparent.
2. Purpose limitation: When we process personal information, there must always be one (or more) legitimate and valid purpose(s) of the processing. In addition, subsequent processing of personal information must not be incompatible with the original purpose of processing the information.
3. Data minimisation: The processing must be limited to what is necessary to fulfil the purpose. In other words, only process personal information if the information is ‘need to know’ and not ‘nice to know’. If name and email are sufficient, then do not also process date of birth and gender.
4. Accuracy: Information must be up to date, and if you discover or are made aware that some information is incorrect, it must be deleted or updated.
5. Storage limitation: Only process information for as long as necessary. When it is no longer necessary to process the information in order to perform your work, it must be deleted or anonymised.
6. Integrity and confidentiality: Information must not come to the knowledge of unauthorised persons, be lost or damaged. We must therefore provide the necessary technical and organisational security measures when processing personal information. If it turns out that unauthorised persons have had access to personal data, you must report it. (NB! Students neither can nor should report security breaches).