Data protection ruling

Leicester University breached data protection laws by withholding information from a member of its staff involved in an employment dispute, an investigation by the Data Protection Registrar has found.

Following a visit to the university earlier this year, the Data Protection Registrar's regional investigating officer has concluded that Leicester did not comply with the terms of the 1984 Data Protection Act by failing to respond properly to a data access request by Andrew Colman, a reader in psychology who is involved in a dispute with the university over its promotion procedures.

Some data was not provided until ten months after the first formal request, and the registrar warned that it was "certainly a matter of concern" that staff were obliged to pass private and personal data on Dr Colman to his head of department, one of his main adversaries in the dispute.

Whistleblowers revealed in February that Dr Colman had been persistently refused a chair since 1992, despite the fact he was told more than six years ago that he had a strong case for promotion. Dr Colman has been passed over for promotion when candidates with lower formal rankings have been successful, a senior manager has confirmed.

The story has prompted John Sloboda, pro-vice-chancellor at Keele University and chair of the British Psychological Society's division for teachers and researchers, to make a public complaint against the university. In an open letter, he said that concern about the promotion procedures was supported by his own experiences as an external referee.

In a letter to Dr Colman late last month, obtained by the THES, the Data Protection Registrar's compliance officer said: "It is clear that the university acted outside the terms of the Data Protection Act 1984 in its failure to properly respond to your subject access request." She also said that the disclosure of personal and confidential information to Dr Colman's head of department "could be considered unfair", and a breach of the first data protection principle, which states that there should be "fair and lawful processing" of data.

Failure to comply with the Data Protection Act is not a criminal offence, but the registrar can enforce compliance. Dr Colman has been advised he may have a case for compensation.

Leicester University declined to comment on the case. "In matters concerning data protection for reasons of confidentiality and in accordance with the principles of data protection, the university is unable to comment on individual cases," said a spokesperson.