Data protection is a set of good practice rules for handling information about people and should provide reassurance that we use data fairly and lawfully. If information is collected for any reason other than personal, family or household purposes, the legislation needs to be complied with.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 determine how personal data should be handled. Please see the GDPR and the Data Protection Act 2018 tabs for more information. The University Data Protection policy is available online.
The Information Commissioner's Office (ICO) regulates data protection in the UK. It offers advice and guidance, promotes good practice, carries out audits and advisory visits, considers complaints, monitors compliance and takes enforcement action (including fines) where appropriate. The ICO has produced a Guide to GDPR, which is a useful tool.
Information security is also a key part of protecting personal data - see Guidance on University information security policies and practices. Guidance on other aspects of data protection is provided on these pages. Specialist terms used in data protection legislation and in these guidance pages are defined in the Glossary tab below.
- What is GDPR
The General Data Protection Regulation (GDPR) replaced the 1998 Data Protection Act as the cornerstone of data protection on 25 May 2018. It marks a step-change for the University and other organisations that handle personal information.
The GDPR is European legislation that took effect in all EU member states on 25 May 2018. The planned withdrawal from the European Union does not affect our obligations to comply with the GDPR.
The GDPR is an evolution in data protection, not a revolution. The definition of personal data is more detailed than in the DPA 1998, but is not changed substantially. The core handling rules, the Data Protection Principles, are recognisably similar under the GDPR. The University remains classed as the data controller for most of the personal data we handle, and the contractors we use to process personal data on our behalf remain our data processors. Please see the Data Protection Principles tab below for more information.
The GDPR builds on the previous legislation by providing more protections for individuals, and significantly more privacy obligations for organisations such as the University. A summary of the key changes is outlined below.
- Data Protection Offences
There are a number of offences which exist under the legislation; many of them build on or update parts of the Data Protection Act 1998. They cover different aspects of processing personal data and are described below:
Access or Disclosure Offences
Section 170 of the Act relates to occasions where an individual knowingly or recklessly obtains, discloses, procures, sells or offers for sale, personal data without the consent of the data controller. The Controller is the person/organisation who decides on the purposes for processing personal data.
A further provision makes it an offence to knowingly or recklessly retain personal data (which may have been lawfully obtained) without the consent of the controller.
What these offences mean on a practical, day-to-day basis is that you should only process personal data for a work purpose, and if you are inclined or asked to do so for any other reason, you should stop and take advice from your line manager or the Information Governance Team.
Section 184 of the Act relates to Subject Access Requests. It is designed to prevent organisations from using such requests as background checks. It is an offence to require relevant records as a requirement for employment or a contract for the provision of services. Organisations are expected to run the necessary background checks without compelling people to obtain and disclose their personal data.
Section 144 relates to the provision of false statements in response to an information notice (a demand from the ICO to produce information within a certain timeframe).
Section 148(2)(a) makes it an offence for a person to destroy or otherwise dispose of, conceal, block or falsify all or part of the information, document, equipment or material after being served with an information notice. Section 148(2)(b) makes it an offence to cause or permit the actions set out in the previous subsection.
Para 15 of Schedule 15 relates to obstructing a warrant or making a false statement in response to a request for information connected to a warrant.
Section 119 criminalises the obstruction of the ICO’s inspection of European information systems.
Section 132 criminalises an action by former or current ICO member of staff to unlawfully disclose data obtained during the course of their duties.
Section 171 criminalises the re-identification of personal data that has been ‘de-identified’ to remove or conceal personal data.
Section 173 relates to the processing of requests for data from individuals for their personal data, and makes it a criminal offence for organisations to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure.
The data protection fee replaces the requirement to ‘notify’ (or register) with the Information Commissioner (ICO). The ICO has the power to enforce this and to serve monetary penalties on those who refuse to pay their data protection fee.
Liability and Sentencing
The Act allows proceedings against individuals, bodies corporate and those associated with them. Courts may impose unlimited fines.
If you have any questions about any of the offences listed above, please contact the Information Governance Team at firstname.lastname@example.org or call 01224 27(3175).
- GDPR Myth-Busting
Do you feel confused about GDPR and find it difficult to reconcile what you hear about GDPR and what it says in the guidance we provide? We have collated the most often heard myths about GDPR below and pointed out why they are wrong and what the correct guidance is.
If you have any GDPR queries, please contact us in the Information Governance Team at email@example.com or 01224 27(3175) where guidance specific to your query can be given.
Myth 1: You always need to get consent before you can process personal data.
WRONG!: There are a number of legal bases which allow you to process personal data and most often it is NOT consent. If you are processing personal data for teaching or research purposes, then you are undertaking work relating to the University’s public task and this is your legal basis for processing. Consent can be unreliable because it can be withdrawn at any time, therefore if you have another legal basis, this is always a safer option.
Myth 2: All personal data breaches must be reported to the Information Commissioner (ICO).
WRONG! Although all personal data breaches need to be recorded by the University, it is not the case that all breaches must be reported to the ICO. Consideration must be given as to whether a breach should be reported, and a risk assessment undertaken, but this often concludes that the breach is NOT reportable. If a breach involves a large amount of data or a large number of people’s data, relates to sensitive data, or could result in significant harm to the data subject(s), then this could lead to the breach being reported. This decision will be reached by the Information Governance Team along with the information owners.
Myth 3: Huge fines will be handed out by the Information Commissioner (ICO) for data breaches.
WRONG! Indeed some large fines will be issued, but likely only in cases where the breach related to a large number of people, to information which is sensitive or could lead to significant harm to the individual, or where there was a significant absence of technical and organisational measures being put into place. Early examples of fines are against BA and Marriott, where fines of £183m and £99m have been intimated. But these cases are likely to be exceptions rather than the rule.
Myth 4: GDPR won’t be relevant after Brexit.
WRONG! Once the UK has left the European Union, a UK version of GDPR will be put into place, but this will not likely result in any significant change, so it is important that we continue to handle personal data as we are required to under GDPR, as this will continue to be the standard we need to meet.
Myth 5: GDPR is an unnecessary burden.
WRONG! The work that is done to comply with GDPR is to ensure that people’s personal data is handled correctly and only used in a way that they would expect and is lawful. If personal data is not handled correctly, this could result in harmful effects for data subjects, enforcement action, or in some cases, a fine for the University.
Myth 6: Companies outwith the EU do not need to comply with GDPR.
WRONG! If a company provides a service to EU citizens, then GDPR does apply to that company and they need to abide by it.
Myth 7: The right to be forgotten is absolute.
WRONG! It is a qualified right and not all information needs to be deleted. All considerations would be taken into account as to whether the information should be deleted. This would include whether there is a legal requirement to retain the information and what the legal basis is for the processing.
WRONG! The GDPR standard for consent requires that a positive choice is made by data subjects to give consent, and not something simply assumed or accepted. The cookie statement must be clear and easy to understand, so that those giving their consent are fully aware of what they are agreeing to. Consent is not needed only for cookies that are strictly necessary to ensure that the website runs correctly.
Myth 9: Analytics cookies are strictly necessary so no consent is required.
WRONG! Although analytics can provide useful information on how websites are being used, they are not part of the functionality that the user requests when using the online service, so consent MUST be sought for the use of analytics cookies.
- Record of Processing Activities
Description of processing:
The following is a broad description of the way we process personal data. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any relevant privacy notices or contact us to ask what information is held about you.
Reasons/purposes for processing information:
We process personal information to enable us to provide education and support services to our students and staff; to advertise and promote the University and the services we offer; to publish the University magazine and manage alumni relations; to undertake research and fundraising; to manage our accounts and records; and to provide commercial activities to our clients. We also process personal information through the use of CCTV systems, which monitor and collect visual images for the purposes of security and the prevention and detection of crime.
Type/classes of information processed
We process information relevant to the above reasons/purposes. This may include:
- personal details
- family details
- lifestyle and social circumstances
- education details and student records
- education and employment details
- financial details
- disciplinary and attendance records
- vetting checks
- goods or services provided
- visual images, personal appearance and behaviour
- information held in order to publish university publications
We also process sensitive classes of information that may include:
- racial or ethnic origin
- trade union membership
- religious or other similar beliefs
- physical or mental health details
- sexual life
We also process details of criminal offences and alleged offences, criminal proceedings, outcomes and sentences.
Who the information is processed about: We process personal information about:
- contracted personnel
- professional advisers and consultants
- business contacts
- donors and friends of the University
- authors, publishers and other creators
- persons who may be the subject of enquiry
- third parties participating in course work
- health, welfare and social organisations
- friends of the University
- individuals captured by CCTV images
Who the information may be shared with:
We sometimes need to share the personal information we process with the individual themself and also with other organisations. Where this is necessary we are required to comply with all aspects of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.
Where necessary or required we share information with:
- family, associates and representatives of the person whose personal data we are processing
- current, past or prospective employers
- healthcare, social and welfare organisations
- educators and examining bodies
- suppliers and service providers
- student union
- financial organisations
- debt collection and tracing agencies
- police forces, security organisations
- courts and tribunals
- prison and probation services
- legal representatives
- local and central government
- consultants and professional advisers
- trade union and staff associations
- survey and research organisations
- press and the media
- voluntary and charitable organisations
Personal information is also processed in order to undertake research involving volunteers and NHS patients. For this reason the information processed may include name, contact details, family details, lifestyle and social circumstances, financial details, and goods and services. The sensitive types of information may include physical or mental health details, racial or ethnic origin and religious or other beliefs. This information is about survey respondents. Where necessary or required this information may be shared with customers and clients, agents, service providers, and survey and research organisations.
It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
- Notification/Privacy Notices
It should be transparent to people how their personal data is handled. The GDPR requires the University to provide more information when we collect personal data from individuals, or after we receive their data from a third party.
This 'privacy information' includes what data we collect, why and how, with whom we share it, and how long we keep it. The University takes a layered approach, providing details in manageable portions.
There are currently privacy notices for the following:
- Legal Basis
The lawful basis for processing data must be cited in the corporate-level record of processing activities and provided as privacy information. Many of the University’s core activities are undertaken in pursuit of our public tasks or for statutory purposes, rather than on consent.
What are the lawful bases for processing?
These are set out in Article 6 of the GDPR. At least one must apply whenever processing personal data:
(a) Consent: the individual has given clear consent for the processing of their personal data for a specified purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because you need to take steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law.
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for a task in the public interest or for official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for our or a third party's legitimate interests, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This lawful basis cannot apply for a public authority using data to perform their public tasks).
More information on each of the lawful bases can be found on the Information Commissioner's website at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
When you are processing special category data, you must also identify an additional lawful basis for that processing; see: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/
Consent must be a freely given, specific, informed and an unambiguous indication of a person’s wishes. It must be opt-in rather than opt-out and a simple means of withdrawal of consent must be provided. It is not good enough to rely on implicit consent.
The standard for consent under GDPR is high, but for much of the University’s processing of personal data, consent isn’t the lawful basis for processing. So, where there is an option other than consent, this should be considered.
Where you do need to rely on consent, this requires a positive opt-in and we should never use pre-ticked boxes or any other method of default consent.
Explicit consent is required only when the information being processed is special category data, which requires further protections; where it is required, a very clear and specific statement of consent must be obtained. The information which is classed as special category data is: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Please be aware that Consent as a legal basis is different to ethical consent, which is still required for research purposes.
Key things to remember when you are processing information based on consent:
- The consent statement should be separate from other terms and conditions, so that it is not hidden among other information.
- We specify why we want the data and what we’re going to do with it.
- We are specific and granular and get separate consent for separate things. A non-specific blanket consent is not good enough.
- The statement must be clear and easy to understand.
- Make it clear that people can withdraw consent and how to do so.
- When you receive consent, you must keep a record of it, including when the consent was given, by whom, how it was provided, what they were told and what to expect.
- Be sure to review consent and refresh it if anything changes.
- Consent is not appropriate as a precondition of a service.
- As a public authority and an employer, we need to be careful to show that consent is freely given. We should only rely on consent when we must.
When is it appropriate for consent to be used as your legal basis for processing personal data?
Consent is appropriate if you can offer people real choice and control over how you use their data. If genuine choice cannot be offered, then consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading.
If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.
Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident that they can demonstrate it is freely given.
Consent must be a freely given, specific, informed and unambiguous indication of a person’s wishes. It must be opt-in rather than opt-out and a simple means of withdrawal of consent must be provided.
When data processing is based on consent, such as for some student support services or for electronic direct marketing, the quality must meet this standard. Please see the Using data for marketing tab below for more information.
If you have any questions about using consent as your legal basis for processing information, please contact the Information Governance Team on 01224 27(3175) or at firstname.lastname@example.org
- Suppliers who Process Personal Data
The University must ensure personal data is protected by our suppliers.
Before passing data to a processor (a third party that handles personal data on our behalf), the University must check that the processor will use the data properly, hold it securely and co-operate with us in the event of an incident or request.
The minimum terms of the written contract with the processor are much more detailed under GDPR. Central contracts are currently being reviewed, and supplier due diligence arrangements updated. Information on supplier due diligence can be found on the Using a Data Processor tab below.
- Data Breaches
If personal information is compromised, and individuals are likely to be disadvantaged, the incident must be reported to the people affected and to the Information Commissioner. The external reporting deadline is 72 hours after discovery.
The University must keep a record of all breaches regardless of the likely outcome. Central recording and reporting falls to the Data Protection Officer and is essential. All staff need to be able to recognise a breach and know what to do. Information on reporting a data breach can be found on the Reporting a Data Breach tab below.
- Bitesize Data Protection
If you have been keeping an eye on the E-Zine this year, you may have seen our monthly articles covering different aspects of data protection and providing guidance on these topics.
In case you missed our articles, here is a summary of the topics covered with the relevant links to the guidance available.
GDPR rights: updated Staffnet pages detail all the rights available to people and how they can use them, such as asking an organisation to provide all information held about them, or asking that all information about them be deleted.
Personal Data Breaches: New Staffnet pages were made available with guidance on what to do if you think a breach has occurred. We also produced a postcard which you may have seen around campus with tips on what to do.
How to send emails safely: tips and guidance on how to do this, including two new Toolkit guides, one on how to turn off AutoComplete to avoid selecting the wrong recipient and one on good practice email tips.
How to navigate GDPR when undertaking research: a Checklist was created to be used by researchers to ensure they consider all relevant aspects, from recruiting volunteers, providing them with privacy notices and making sure you have necessary safeguards in place, amongst other things.
How to encrypt information to send by email: a step-by-step Toolkit guide was created on how to use the encrypted ZendTo service to send personal data securely. ZendTo can also be used to send large files that could not otherwise be sent by email.
GDPR Myth-busting. There are lots of inaccuracies out there about GDPR and our myth-busting page aims to dispel these.
Do you really understand when you need to get consent to allow you to process personal data? More information on this is covered on the Staffnet page on this topic.
How to manage shared drives and shared mailboxes. Tips on how to manage personal data that you work with and also how to manage shared mailboxes. Good records management leads to good data protection!
Use and misuse of personal data: updated Staffnet pages provide details of the offences that can be committed under GDPR, and our Toolkit infographic provides tips on how to stay on the right side of the law.
PECR & GDPR. Our updated Staffnet pages provide details of the linkage between the Privacy & Electronic Communications Regulation and GDPR. Also explained is how PECR regulates the marketing activity that we undertake, as well as recruitment of volunteers for research projects.
If you want more information on any of the topics above, please get in touch by emailing email@example.com or calling 01224 27(3175). Please also take a look at our Staffnet pages and Toolkit guides for more useful information.
- Information Champions
All Schools and Directorates have an Information Champion, and their role is to work with the Information Governance and Information Security teams to help ensure that the University handles its data securely and lawfully.
As the legislative frameworks around information handling become ever more complex, and the threats to the digital working environment ever more real, there is a need to make sure that knowledge about these issues is spread across the University.
Champions will provide advice to colleagues and to their Head of School / Director and will signpost staff with more complex issues to the Information Governance or Information Security teams. They will also highlight emerging or recurring issues on which guidance and direction is required.
Below is the list of Information Champions (School/Directorate: Champion, contact details):
- Biological Sciences: Maree McCombie, firstname.lastname@example.org, 01224 272860; Mel McCann, email@example.com, 01224 273603
- Business School: Thereza Raquel DeAguiar, Thereza.firstname.lastname@example.org, 01224 274357
- Divinity, History, Philosophy: Kate A Smith, email@example.com, 01224 273158
- Education: Sharon Smith, Sharon.firstname.lastname@example.org, 01224 274526
- Engineering: Alireza Bagheri Sabbagh, Alireza.email@example.com, 01224 274289; Zaib McNeilly, firstname.lastname@example.org, 01224 274289
- Geosciences: Nick Schofield, email@example.com, 01224 272096
- Languages, Literature Music: Laura Bowie, firstname.lastname@example.org, 01224 272550
- Law: Titilayo Adebola, email@example.com, 01224 272423
- Medical Service & Nutrition: Tom Skelton, firstname.lastname@example.org, 01224 559194; Sarah Gray, email@example.com, 01224 437254; Janice Forsyth, Janice.firstname.lastname@example.org, 01224 437505/438133
- Natural & Computing Sciences: Vacant
- Psychology: Mauro Manassi, email@example.com, 01224 272240
- Social Sciences: Dimitrios Anagnostakis, Dimitrios.firstname.lastname@example.org, 01224 272735
- Academic & Student Services: Lisa Hall, email@example.com, 01224 272324
- Alumni Relations: Chloe Bruce, firstname.lastname@example.org, 01224 274571; Martin Skelly, email@example.com, 01224 272641
- Development Trust: Mairi Clinton, firstname.lastname@example.org, 01224 273179
- Digital & Information Services: Claire Bell, Claire.email@example.com, 01224 272592
- Estates & Facilities: Kris Glodek, firstname.lastname@example.org, 01224 272177
- Finance: Martin Phillips, email@example.com, 01224 274057
- Marketing & Student Recruitment: Nicol Mellis, firstname.lastname@example.org, 01224 273870
- People: Andrew Mackie, email@example.com, 01224 272107
- Planning: Linda Murdoch, firstname.lastname@example.org, 01224 272109
- Research & Innovation: Paul Connolly, email@example.com, 01224 273341
- GDPR and Brexit
A frequently asked question is whether GDPR will still apply to the UK once we have left the EU.
The answer is Yes, as the UK intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK. It will sit alongside an amended version of the Data Protection Act 2018.
The key principles, rights and obligations will stay the same – but there are implications for the rules on transfers of personal data between the UK and the EEA.
How to prepare for the changes?
Understand your flows of personal data with EEA countries. Most important will be the transfers from the EEA.
- Think about how to continue to receive these transfers lawfully after exit date.
- In most cases, the simplest way to provide an appropriate safeguard for a transfer is to enter into standard contractual clauses with the sender of the personal data.
You can keep making transfers of personal data from the UK to the EEA under UK adequacy regulations.
What are the main changes?
Once the UK has left the EU there will be two sets of rules to consider:
- The UK rules on transferring data from the UK.
- The impact of EU rules on those sending personal data into the UK from outside the UK.
If you transfer personal data outside the EEA now, you should already have in place arrangements for making a restricted transfer under the GDPR.
You won’t need any new arrangements for transfers from the UK, but you need to put in place safeguards to maintain data flows from the EEA into the UK.
How can personal data lawfully be transferred from the UK?
If you need to undertake a transfer outwards of the UK:
- the UK version of the GDPR applies to this transfer;
- the UK GDPR does not apply to the importer of the data - usually because they are located outside the UK (which may be in the EU, the EEA or elsewhere);
- you, the sender of the personal data (within the UK), and the receiver of the data (outwith the UK) are separate organisations, even if you belong to the same parent company.
The UK government has said that after Brexit, transfers of data from the UK to the EEA will be permitted. The UK government will allow transfers to Gibraltar to continue.
If your restricted transfer is not to the EEA, you should proceed as you would have before Brexit.
- You will be able to make a restricted transfer if it is covered by new UK adequacy regulations. Adequacy regulations confirm that a country, territory or international organisation, has an adequate data protection regime.
- The UK government intends to recognise the EU adequacy decision made by the European Commission before the exit date. This will allow for restricted transfers to continue to those covered by a decision.
- Modified arrangements will apply regarding the EU adequacy decision for the EU/US Privacy Shield, as this is an EU/US-specific arrangement.
- The UK government is making arrangements for its continued application to restricted transfers from the UK to the USA.
- You will be able to continue to transfer personal data to US organisations participating in the Privacy Shield if they have updated their public commitment to comply with the Privacy Shield to expressly state that it applies to transfers of personal data from the UK.
- It is hoped that by the end of the transition period, the EU will have reached a decision on adequacy.
- If there is no adequacy decision which covers your transfer, you should consider putting in place an appropriate safeguard.
- Most commonly we rely on the use of standard contractual clauses. The UK government intends to recognise EC-approved standard contractual clauses as providing an appropriate safeguard for restricted transfers from the UK.
There are different clauses available to use depending on what the relationship is with those you are sharing data with.
This can be where both bodies are a Controller, or where one is a Controller and the other the processor.
If you consider that you need to undertake a restricted transfer, you should contact the Information Governance team at firstname.lastname@example.org or 01224 27(3175) for assistance.
How to continue with transfers from the EEA to the UK?
The EU GDPR will continue to apply to an EEA sender of personal data. The EEA sender will have to put actions into place to ensure the secure transfer. As of exit date the UK will be a third country outside the EEA and will be treated as such when it comes to the transfer of personal data.
You are receiving a restricted transfer if you are a controller or processor located in the UK and an EEA-located controller or processor sends you personal data.
The ICO has significant information available about Brexit on their website.
Please contact the Information Governance team at email@example.com or 01224 27(3175) if you have any questions.
- Data Protection Principles
The principles set the standards that must be met when processing personal data. The principles lie at the heart of the legislation. There are exemptions from some of the requirements in certain circumstances. Using personal data in research and disclosure in legal proceedings are examples of circumstances when an exemption may apply.
Advice on the operation of the exemptions should be sought from the Data Protection Officer.
The University is responsible for and shall be able to demonstrate compliance with the following principles when processing personal data.
Principle 1 - Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Principle 2 - Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3 - Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Principle 4 - Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle 5 - Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle 6 - Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The University must comply with these principles when processing personal data.
- Reporting a Data Breach
What is a personal data breach?
The definition of a personal data breach provided by the Information Commissioner’s Office (ICO) is, “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
Examples of a data breach are when:
- any personal data is lost, destroyed, corrupted or disclosed unlawfully
- someone accesses personal data and passes it on without proper authorisation
- personal data is made unavailable, and this has a significant negative effect on individuals
Data breaches can be the result of both accidental and deliberate causes, and they can involve information that is electronic, on paper or in any other format. Common examples of personal data breaches include:
- sending personal data to the wrong recipient
- laptops and memory sticks being lost or stolen
- corruption or loss of data during migration between systems
A personal data breach goes further than just the loss of data. It needs to be considered more widely as a security incident that has affected the confidentiality, integrity or availability of personal data.
Whenever any personal data is lost, destroyed, corrupted or inappropriately disclosed, this will constitute a personal data breach.
All personal data breaches must be reported to the Information Governance Team as soon as possible.
Even where the breach does not need to be reported to the Information Commissioner, a record must be retained. We are required to do so, and we may be asked to provide this to the Information Commissioner on request.
Some breaches need to be reported to the Information Commissioner’s Office (ICO). Where this is the case, the report must be made within 72 hours of the breach being detected.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform the individuals concerned without undue delay.
If such a breach is not reported when required to do so, we could face a fine of up to £8.5 million (10 million Euros) or 2% of our annual turnover. As well as a fine, the ICO can take other corrective measures available to them under Article 58 of GDPR.
It is vital that all staff report a personal data breach, however minor, promptly after discovery.
You can also call the Information Governance Team if you wish to discuss a breach or whether an incident is a personal data breach on 01224 27(2596), 27(3175), 27(3079).
For urgent breaches that occur out of hours, contact the out-of-hours helpline via the IT Service Desk extension number, 3636.
What do I need to include in my notification?
The Data Protection Officer or security incident team will need some basic information to assess the incident. Include brief details in answer to the following questions. If you cannot provide all the answers, do not delay in reporting the incident.
- What has happened to the data? Has it been stolen, or lost, or disclosed, or damaged?
- Was the data protected, such as by encryption or password protocols?
- What type of personal data is involved? Is the data sensitive or private?
- Whose data has been breached? Does it relate to students, staff, research participants etc?
- How many individuals’ data are involved?
Do I need to tell the individuals affected by the breach or the Information Commissioner?
No. External reporting will be co-ordinated by the response team.
Will I be penalised for reporting a data breach or security incident?
No. The University encourages all staff to report actual or potential breaches.
A supplier or data sharing partner has notified me about a breach involving University data.
What should I do?
Report the breach to the Data Protection Officer, along with details of your contact in the supplier or partner organisation.
You can pass the contact details of the Data Protection Officer to the supplier or partner to give them a point of contact for any joint investigation.
- Data Rights
The General Data Protection Regulation (GDPR) introduced new rights for data subjects, as well as amending and augmenting some of the rights which existed under the previous legislative regime.
The sections below provide more details on these rights.
If you have questions about these rights, please email the Information Governance Team at firstname.lastname@example.org or telephone 01224 273175.
Right to be informed
Articles 13 – 14 of the General Data Protection Regulation (GDPR)
The GDPR is specific about the information that needs to be provided to people about what is done with their personal data.
Organisations must actively provide this information to people in a way that is easy to access, read and understand. This specific and direct approach goes further than the requirements under the previous legislation.
The GDPR lays out what individuals should be told about when we collect and use their personal data.
How the information should be provided
- In an intelligible form
- Easily accessible
- In clear and plain language.
It should include:
- Why your personal data is being used
- Where the data was received from
- The categories of personal data obtained (if received from another source)
- What type(s) of data is being used
- How long it is being kept for
- The lawful basis for the processing
- Who your data is shared with and what is shared
- If the information is being transferred to third parties, who it is being shared with, the reasons for the transfer and what will be done with the data
- The information rights available to individuals
- If the personal data is being used for automated decision-making, such as profiling
- The name and contact details of the organisation and data protection officer
- The legitimate interests for the processing (if applicable)
- Your right to withdraw consent, if applicable
- Your right to complain to the Information Commissioner’s Office (ICO)
- Whether you are under a statutory or contractual obligation to provide the personal data
All the above is classed as your privacy information. This should be provided within the privacy notice you are directed to when data is collected. If the data is received from another source, this information should be provided within one month of obtaining the data. This may be done in the form of a privacy notice.
The principle of transparency runs through GDPR and providing individuals with this information is a key part of the principle.
Right of access
Article 15 of the General Data Protection Regulation (GDPR)
The right of access, often referred to as ‘subject access’, gives individuals the right to receive a copy of their personal data as well as other information about how and why their data is being used.
Key things to know about making such requests:
- People have the right to access their personal data.
- They can make a request verbally or in writing.
- Organisations are given one month to respond to a request, with the possibility of an extension of two months in cases of complex or multiple requests.
- No fee can generally be charged for dealing with such a request; a fee would only be levied in exceptional circumstances.
- Verification of the requestor's identity may need to take place.
- Such requests are dealt with by the Information Governance Team (email@example.com) and they should be made aware of such requests as soon as is possible.
What are people entitled to?
- confirmation that their personal data is being processed;
- a copy of their personal data;
- the other information that should be provided will likely be covered by the contents of the relevant privacy notice, which people can be directed to. More information is on the Right to be informed tab above.
- Individuals are entitled to their own personal data, but not information about other people, unless they are either acting on their behalf or it is seen to be reasonable to do so.
- It can sometimes be difficult to determine whether information is personal data or not but there is more guidance available - what is personal data.
How to recognise a request
An individual can make a subject access request verbally or in writing. It does not need to be made in any specific format and we do not use a form for making such requests. It is good practice to keep a written record of a verbal request to ensure an audit trail.
A request can be made to any member of staff or department in the University. It does not have to be made to the Information Governance Team for it to be a valid request.
The request does not have to quote GDPR or use the term ‘Subject Access Request’ to be valid.
If any requests are received, the staff member should record the details and pass this on to the Information Governance Team at firstname.lastname@example.org as soon as is possible.
How should a response be provided?
If the request is made electronically, the information should be provided in a commonly used electronic format, unless the individual requests otherwise.
The wishes of the requestor in terms of how they wish to receive the data should be respected, where possible.
Can the information be updated or changed once a request is made?
It is not acceptable to amend or delete the data if this would not have otherwise been the case. Under the Data Protection Act 2018 (DPA 2018), it is an offence to make any amendment with the intention of preventing its disclosure.
If, however, the routine use of the data results in it being amended or even deleted while you are dealing with the request, it would be reasonable to supply the information you hold when you send out a response.
What if someone makes a request on behalf of someone else?
This is permitted under the GDPR, and sometimes it will be a solicitor acting on behalf of a client, but often it is a friend or family member. In such cases, we need to be sure that the third party making the request is entitled to act for the data subject and it is the third party’s obligation to provide evidence of this. It could be a communication authorising this, or something more formal, such as Power of Attorney.
What happens if the requested data includes information about others?
The Data Protection Act 2018 says that it is not necessary to comply with a request where it would mean disclosing information about another individual who can be identified from that information, except if:
- the other individual has given consent; or
- it is reasonable to comply with the request without their consent
Can a request be refused?
Where the request is manifestly unfounded, excessive or repetitive it may be reasonable to refuse the request or to charge a reasonable fee.
In both cases the decision needs to be justified.
Can an individual be forced to make a subject access request?
Under the Data Protection Act 2018 it is a criminal offence, in certain circumstances and regarding certain information, to require an individual to make such a request.
Right to rectification
Article 16 of the General Data Protection Regulation (GDPR)
The GDPR includes a right for individuals to have inaccurate data rectified or completed (if it is incomplete)
- Such requests can be made verbally or in writing.
- As with access requests, verbal requests should be recorded to ensure there is an audit trail
- Such a request can be made to anyone or any department in the University and on receipt the Information Governance Team should be made aware
- The timescale for response is one month. The timescale can be extended by two months where the request is complex or there are multiple requests from the same individual.
- In some circumstances the request for rectification can be refused.
- This right is closely linked to the obligations under the accuracy principle of the GDPR (Article 5(1)(d)).
How to recognise a request?
There is no specific way in which data subjects must make such a request and it can be done either verbally or in writing. The request can be made to any member of staff in any department and they must tell the Information Governance team as soon as possible at email@example.com.
What needs to be done to address a request for rectification?
Steps should be taken to ascertain whether the data is accurate and, if not, to rectify the data. As part of this process, it is important to take into account the comments and evidence provided by the data subject.
What steps can be taken, and are reasonable to take, will depend on the nature of the personal data and what it is and will be used for.
The more important it is that the personal data is accurate, the greater the effort that should be put into checking its accuracy and, if necessary, rectifying it. Personal data that will be used to make significant decisions about an individual is an example where greater effort is warranted.
When is data inaccurate?
The Data Protection Act 2018 states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
What should be done about data that records a mistake?
Ascertaining whether personal data is inaccurate is more complicated where the data refers to a mistake that has now been resolved. It can be argued that the record of the mistake is accurate and therefore should be retained.
In such circumstances it may be more helpful to provide a record clarifying that a mistake was made, describing this and clearly stating the remedy which has taken place. This means that the mistake is correctly recorded, but also the fact that it had been fixed.
What about a disputed opinion?
It is complex if the data in question records an opinion. Opinions are, by their very nature, subjective, and it can be difficult to conclude whether the record is inaccurate. As long as the record clearly shows that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified.
It can sometimes be appropriate to add a note to the record to indicate that the data subject does not agree with the stated opinion and the reasons for their disagreement.
What should be done while considering the accuracy?
The data subject is entitled to request restriction of the processing of the disputed data where they contest its accuracy.
It is good practice to restrict the processing whilst we are determining whether rectification should take place, even if the data subject has not requested this.
What if it is thought that the data is accurate?
The data subject should be advised that the personal data will not be amended and the reasons why we do not think that the data is inaccurate. The data subject would also be informed that they have the right to make a complaint to the Information Commissioner (ICO).
Can a request for rectification be refused?
Yes, and in some circumstances it may be appropriate to request a reasonable fee before dealing with it.
In either case the data subject must be made aware and the decision justified. They must also be advised of their right to make a complaint to the Information Commissioner (ICO).
Do other organisations need to be told if personal data is rectified?
If personal data has been disclosed to others, they must be contacted to tell them of the rectification or completion of the personal data. This is unless this proves impossible or involves disproportionate effort.
Right to erasure and restriction
Articles 17 and 18 of the General Data Protection Regulation (GDPR)
- Gives the right to request the deletion or removal of personal data.
- Gives the right to request to ‘block’ or restrict processing of personal data.
The overarching principle to this right is to allow data subjects to request the deletion or removal of their personal data where there is no compelling reason for its continued processing.
There is also the right to request the restriction of the processing of your personal data. In such cases it may be permitted that the data continues to be stored, but not further processed. Just enough information would be retained to ensure that the restriction is respected in future. Restriction could involve transferring data to a separate system or limiting the access through access controls.
What needs to be considered when dealing with an erasure request?
The personal data must be erased without undue delay if:
- the processing of the personal data infringes on the data protection principles;
- we do not meet safeguards for archiving and processing of special category data; or
- we have a legal obligation to erase the data.
How to recognise a request
Requests can be made verbally or in writing to any member of the University in any department. Those receiving the request must tell the Information Governance team at firstname.lastname@example.org as soon as is possible.
If there are any doubts about the identity of the individual, a request for identification to establish identity can be made.
How long is given to comply?
A response should be provided within one month, but without undue delay. This timeframe can be extended by two months if the request is complex or there are multiple requests.
What needs to be done to comply with requests for erasure or restriction?
Handling of such a request should be reasonable and proportionate, taking into consideration the nature of the personal data held and the relationship with the individual.
If the personal data in question has been disclosed to third parties, the third party must be informed about the erasure or restriction of the personal data. The third parties will also have to erase or restrict the personal data they hold.
If the decision is that the data will not be erased or restricted, the requestor should be informed of their right to raise a complaint with the Information Commissioner (ICO) or take the matter to court.
What if the request is manifestly unfounded or excessive?
If requests are manifestly unfounded or excessive, in particular because they are repetitive, we can:
- charge a reasonable fee or refuse to respond
In such circumstances, it must be demonstrated why a request is manifestly unfounded or excessive.
Right to portability
Article 20 of the General Data Protection Regulation (GDPR)
There is the right to receive personal data in a way that is accessible and machine-readable, for example as a csv file.
- This is known as the right to data portability.
What kind of data does this right relate to? This right only applies to data that:
- is held electronically, and that you have provided
Data you have provided does not just mean information you have inputted but can also capture data gathered from monitoring activities when you have used a device or service.
How to ask for your data
- make a request and be specific about what you want
A request can be made verbally or in writing.
When to make a portability request
You can make a portability request at any time to any organisation that:
- relies on your consent to use your personal data, or
- uses your data as part of a contract you have with them.
What to do if you are dissatisfied with the outcome of a portability request?
You should first complain to the organisation and if you remain dissatisfied you can make a complaint to the Information Commissioner (ICO).
What can you expect to receive?
- A copy of the requested data in a commonly used and machine-readable format.
- You may need to confirm your identity and then the information will be sent to you.
- Your data may not automatically be deleted, so you may need to exercise your right to erasure in addition to portability.
When can your request be rejected?
If the request is “manifestly unfounded or excessive”.
In these circumstances:
- a reasonable fee can be requested, or
- the request can be refused
In reaching this decision, we can take into account whether the request is repetitive. In either case we will tell you and provide justification of our decision.
How long is given to answer the request?
One month. In some circumstances more time may be needed to consider the request and it is possible to take an extra two months. You must be made aware if more time is needed and why.
Right to object
Article 21 of the General Data Protection Regulation (GDPR)
- The GDPR gives a right to object to the processing of personal data in certain circumstances.
- There is an absolute right to stop personal data being used for direct marketing.
- In other cases where the right to object applies, personal data may continue to be processed if it can be demonstrated there is a compelling reason for doing so.
- Data subjects must be told about the right to object.
- A request does not have to include the phrase 'objection to processing' or Article 21 of the GDPR to be valid.
- Objections can be made verbally or in writing. They can be made to any part of the University and to any member of staff.
- If required to verify identity, a data subject can be asked to provide copies of identification documents.
- A response to an objection should be provided within one month. The time for response can be extended by a further 2 months, but this needs to be explained and the reasons justified.
What is the right to object?
Article 21 of the GDPR gives the right to object to the processing of personal data.
The right to object only applies in certain circumstances. Whether it applies depends on the purposes for processing and the lawful basis for processing.
When does the right to object apply?
There is an absolute right to object to the processing of your personal data if it is for direct marketing purposes.
An objection to processing can be made if the processing is for:
- a task carried out in the public interest
- the exercise of official authority
- legitimate interests
In these circumstances the right to object is not absolute.
If the processing of data is for scientific or historical research, or statistical purposes, the right to object is more limited.
Specific reasons must be given for the objection to the processing of the data and these must be based upon the specific situation.
Processing can continue if:
- it can be demonstrated that there are compelling legitimate grounds for the processing, which override your stated interests and your rights and freedoms; or
- the processing is for the establishment, exercise or defence of legal claims.
If the decision is that there is no requirement to stop processing the personal data, you must be made aware and given an explanation of why, and be told of your right to complain to the Information Commissioner (ICO).
Where personal data is being processed for scientific or historical research, or statistical purposes, the right to object is more restricted.
If the data is being processed for these purposes and there are appropriate safeguards in place (eg data minimisation and pseudonymisation where possible) you only have the right to object if the lawful basis for processing is:
- public task (on the basis that it is necessary for the exercise of official authority vested in the organisation), or
- legitimate interests.
There is no right to object if the lawful basis for processing is public task because it is necessary for the performance of a task carried out in the public interest.
Does personal data always need to be erased to comply with an objection?
Erasure may not be appropriate if the data is processed for other purposes and the data needs to be retained for those purposes.
Can a request be refused for other reasons?
Yes, where it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If the objection is considered manifestly unfounded or excessive then:
- a "reasonable fee" to deal with it can be requested; or
- the request can be refused.
The reason must be justified on both occasions.
- Providing Privacy Information
Explaining clearly to people how the University handles their personal data is a key obligation under data protection.
Students, research participants, staff, visitors to the University and other people whose data we hold and use should know what happens to their information. We need to explain what information we collect, why, how it will be used and protected, when it will be destroyed and with whom it will be shared.
The GDPR sets out a detailed specification for the privacy information we need to provide, and when we are required to inform people.
The term ‘privacy notice’ is used as a shorthand to describe this privacy information. In practice the University uses a blended approach, providing information to people at key interaction points, such as student registration, staff recruitment, research participation and website browsing. To meet GDPR requirements, there has to be greater co-ordination and publication of privacy information on the University website.
Is a privacy notice the same as a consent form?
No. The purpose of a privacy notice is to inform individuals about the way their personal information will be used. It does not need to be signed by the people affected. The purpose of a consent form is to gain the individual’s approval to collect and use their personal information. There are some details that would be included on both a privacy notice and a consent form, such as the purpose for processing data and any sharing arrangements. They do not fulfil the same function however.
Do I need to add privacy information to the forms I use to collect personal data?
Not at this stage. The University is taking a layered approach to providing privacy information. This means that mandatory information that is common across the University, such as the contact details of the Data Protection Officer and the range of individual rights, will be provided on the website.
It will be important to reference that overarching privacy information when we collect or receive personal data, and to provide any outstanding details that are not in the common privacy notice. Once we have established the approach to providing privacy information on the website, the next step will involve reviewing and aligning the forms we use to gather personal data.
Updates will be published here and circulated to key contacts.
Where can I find privacy information on the University website?
Privacy information is currently available on various webpages. These include information for:
- Sharing Personal Data
Personal data can be shared with other organisations if it is done responsibly and securely.
Data protection legislation recognises that sharing personal data can bring significant benefits, for individuals and for organisations. Any sharing that takes place must still meet the data protection principles to make sure that individuals are not disadvantaged. The University also needs to know about information sharing arrangements, so that they can be included in privacy notices (see the Providing Privacy Information tab).
Please liaise with the Data Protection Officer when establishing or reviewing any data sharing arrangements.
What is ‘data sharing’?
The term describes instances when the University provides personal data to an external organisation or person to be used for their purposes. The disclosure of student data to AUSA to populate the AUSA membership database is an example of a data sharing arrangement.
The University also uses external organisations to handle personal data for our purposes. Analysis of University website visitors by a third party, cloud storage of personal data and destruction of confidential waste by a contractor are all examples of a third party handling data on our behalf. These are ‘data processing’ arrangements rather than ‘data sharing’ arrangements. There are distinct legal requirements and guidance on data processing (please see the Using a data processor tab below).
How do I know if an arrangement involves data sharing or data processing?
It is not always simple to decide whether an external organisation is a data sharing partner or a data processor. This will depend on how far the organisation determines what personal data will be collected, and how the data will be used. The Information Commissioner has produced guidance on this topic.
Advice is also available from the Data Protection Officer.
What do I need to share personal data?
There are three essential requirements to share personal data:
- a clear and justifiable purpose
- an appropriate legal basis
- secure handling methods, particularly for sending and receiving the data. See the information security pages for practical guidance.
Do I need a data sharing agreement?
It is good practice to have an agreement in place where personal data will be shared on a large scale, or on a regular basis. The University does not have a template data sharing agreement. An agreement proposed by a partner should always be checked to ensure the terms are appropriate.
- Using a Data Processor
Third parties that process information on our behalf must be vetted and accountable to the University under a contract.
External organisations or persons appointed to handle personal data on our behalf operate as our data processors. The University must make sure that any data processor can safeguard the data appropriately. Due diligence checks must be carried out before transferring any personal data to a data processor. Once the organisation or person has provided the University with sufficient guarantees of their suitability, the arrangement must be documented in a written agreement or data processing contract. Contract requirements under the GDPR are extensive (see GDPR tab above).
Separate guidance is provided on data sharing arrangements, which are subject to different requirements.
How do I know if an arrangement involves data sharing or data processing?
It is not always simple to decide whether an external organisation is a data sharing partner or a data processor. This will depend on how far the organisation determines what personal data will be collected, and how the data will be used. The Information Commissioner has produced guidance on this topic. Advice is also available from the Data Protection Officer.
How do I carry out a due diligence check on a potential supplier?
You should ask your preferred supplier to complete the University questionnaire about their data security practices. The completed questionnaire should be sent to email@example.com The Data Protection Officer and IT Security Manager will respond with any risks you need to consider before signing the contract or sending data to the supplier.
What must be included in a data processing contract?
- the particular processing arrangement. This includes what personal data is being processed, who the data subjects are, why and how the data will be processed and for how long.
- the obligations on the data processor. These include requirements to respect confidentiality, ensure security and assist the data controller to comply with data protection legislation. The GDPR sets out a detailed specification for these terms.
Further information is provided in the Information Commissioner’s guidance on contracts.
Contract templates are available from Procurement.
The Data Protection Officer can also assist with the assessment of data processing contracts.
Do data processing contracts in place before GDPR need to meet the new standard?
Yes. The GDPR requirements apply to both existing and new contracts. Existing contracts must be checked and, if necessary, updated to meet GDPR requirements.
The University has a group working to identify relevant contracts. If you are responsible for a contract that involves an external organisation processing personal data on behalf of the University, and you have not yet been contacted about a contract, please contact the Data Protection Officer to make sure it has been included in the review.
- Transferring Data Abroad
International transfers of personal data require additional conditions to be in place.
Please see our Brexit tab above on how this might change, depending on how the UK leaves the EU.
Data protection legislation sets high standards for handling personal data in the European Union. GDPR seeks to guarantee European citizens a similar level of protection if their data is transferred out of the Union by specifying additional conditions for international data transfers.
Personal data can move freely within the European Union, or to countries whose data protection regimes are considered ‘adequate’ by the European Commission, as long as all other data protection requirements are met. These requirements include complying with the data protection principles, listing international transfers in the privacy information provided to individuals, and ensuring that data sharing or data processing arrangements are documented adequately.
Transfers to countries with no decision of adequacy can take place in two circumstances. Either there must be an agreement in place that meets specific standards, or one of a number of exemptions must apply. The operation of the exemptions is complex. Some exemptions, including consent, are not available to the University for international transfers for core teaching and research purposes.
The Information Commissioner has provided guidance on international transfers.
Further guidance for the University will follow in due course. In the meantime, advice should be sought from the Data Protection Officer.
Which countries have been designated as ‘adequate’ for international transfers?
Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. Commercial organisations in Canada, and organisations covered by the Privacy Shield in the United States are also deemed adequate. The European Commission publishes the current list.
- Impact Assessments
A data protection impact assessment (DPIA) must be carried out before embarking on certain types of data processing.
An impact assessment is a process to help identify and minimise the privacy risks involved in a project or initiative. Under GDPR, data protection impact assessments are mandatory where our data processing may result in a high privacy risk to individuals. The DPIA must be completed before any processing begins.
The assessment should be integrated into the planning and implementation stages of a project, and should be initiated and conducted by the project team. It is a requirement that the DPIA is documented and that the Data Protection Officer (DPO) is involved in the assessment.
When should an impact assessment be carried out?
A DPIA must be undertaken if you plan to do any of the following:
- use systematic and extensive profiling with significant effects on individuals
- process special category or criminal offence data on a large scale
- systematically monitor publicly accessible places on a large scale
- use profiling or special category data to decide on access to services, opportunities or benefits
- profile individuals on a large scale
- match data or combine datasets from different sources
- profile children or target marketing or online services at them
- process data that might endanger the individual’s physical health or safety in the event of a security breach
A DPIA is also required if you plan to do one of the following activities:
- use new technologies to process personal data or apply existing technologies in a novel way that also involves one of the additional criteria (below)
- process biometric data in a way that also involves one of the additional criteria (below)
- process genetic data other than in the provision of health care in a way that also involves one of the additional criteria (below)
- collect personal data from a source other than the individual without providing them with a privacy notice
- track individuals’ online or offline location or behaviour in a way that also involves one of the additional criteria (below)
The additional criteria are:
- Evaluation or scoring of an individual’s performance, economic situation, health, preferences, interests, behaviour, location or movements
- Automated decision-making about individuals with legal or similar significant effect on them
- Systematic monitoring to observe, monitor or control individuals
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets collated for different purposes or by different controllers
- Data concerning vulnerable data subjects, such as children, employees, physically or mentally ill persons
- Innovative use or applying new technological or organisational solutions
- Preventing data subjects from exercising a right or using a service or contract
Please refer to the Glossary for definitions of the key terms used above.
The Information Commissioner has published guidance that explains these categories in more detail.
There are some limited exceptions from the obligation to undertake a DPIA. If you think an exception applies to your project, consult the DPO.
How should a DPIA be carried out?
The process involves seven main stages:
- identify the need for a DPIA
- describe the processing that is proposed
- consider who needs to be consulted
- assess necessity and proportionality
- identify and assess privacy risks
- identify measures to mitigate the privacy risks
- sign off and record outcomes
The actions you have decided to take forward can then be integrated into your project plan.
This template can be used to guide you through the steps and to document the assessment.
The Information Commissioner has published helpful guidance on each of these steps.
When should I involve the DPO?
As soon as possible. The DPIA must be sent to the DPO at Stage 7 of the process for comment on whether the assessment has been conducted properly. Early engagement with the DPO will ensure this stage proceeds smoothly. The DPO can assist from the outset with the decision whether to carry out a DPIA (Stage 1), and is best placed to advise on the GDPR compliance assessment (Stage 4).
Do I need to consult with anyone else?
The views of individuals who may be affected by the proposal should be taken into account, unless there is a good reason not to do so. Consultation time should be factored into your project plan.
If the assessment concludes there is a high risk to individuals that cannot be reduced, the decision whether to proceed must be referred to the Information Commissioner.
- Academic Research and Data Protection
Academic research is subject to data protection legislation, but its importance is recognised in several exemptions.
The GDPR recognises the value of the contribution research makes to knowledge-based policy, to the quality of life of people and the efficiency of social services. The legislation provides a new, explicit legal basis for processing special category data (sensitive personal data) for research as long as safeguards are in place and allows EU member states to specify many of the exemptions that apply to the use of data for research purposes. The safeguards and exemptions that apply to organisations in the UK are within the Data Protection Act 2018.
The GDPR places a new emphasis on the legal basis for processing personal data. The legal basis determines the rights that individuals can exercise over the way their data is processed. It is important therefore that the legal basis is stated correctly in privacy information given to participants.
Consent is one of the legal bases for processing personal data, but it is not the normal justification for processing personal data for research in the University. Instead, research is part of the University’s core task, and that is the legal basis: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” This does not affect any ethical requirements to ensure that participation in research is voluntary and that participants are informed about the use of their information.
Safeguards are required when undertaking research with personal data. They include only processing the personal data that is necessary (data minimisation), anonymising or pseudonymising where possible, and ensuring that any processing of special category data does not cause substantial damage or distress or lead to decisions with significant effects on individuals. The research must also be deemed to be in the public interest.
Personal data should be held securely with an appropriate level of protection. More detail can be found in the Toolkit guidance.
Do I need to complete a Data Protection Impact Assessment (DPIA)?
Whenever you are considering undertaking research, you need to think about whether a DPIA should be undertaken. This should be built into your considerations on every occasion. It may be that a DPIA is ultimately not required, but working through the procedure will ensure the correct decision is made.
Under GDPR, it is compulsory to carry out a DPIA where the processing of personal data is likely to pose a ‘high risk’ to the rights and freedoms of individuals. Where there is no available mitigation, the matter must be referred to the ICO. More detail is available here and in the GDPR for Research Toolkit guide.
Do I need to update my consent forms and participant information sheets for GDPR?
Not at this stage. As the legal ground for conducting research is the University’s public task, rather than individual participant consent, the forms you use routinely to gather consent do not need to be revised to take account of GDPR.
Participant information sheets (PIS) will form part of the University’s layered approach to providing privacy information to research participants. It is important that PIS align with the overall University approach, and signpost overarching privacy information provided on the University website. Template PIS are under development as part of the University review of ethical approval procedures.
Further guidance will be published here when available.
How can I ensure personal data is being processed fairly and transparently?
The rights of research participants should be respected, and their personal data used only in line with their expectations. Transparency and fairness are intrinsically linked; therefore, personal data should not be used in ways the data subject would not expect.
To ensure this is the case, information must be provided to participants. It should be concise and easy to understand. More information on this can be found in the GDPR for Research Toolkit guide. In addition, a link should also be provided to the University’s overarching privacy notice on the website.
Data obtained direct from participants
When you are collecting personal data from the individuals concerned, you need to be clear, open and transparent with those individuals. You must set out what you intend to do with their data. Specifically:
- The purpose for which the personal data will be used. This might include use of the personal data in future research studies.
- Any organisations or recipients outside the University to whom you intend to disclose the personal data. (NB: this does not apply if sharing or publishing anonymised data.)
- The safeguards that will apply to any international data sharing arrangements. See checklist point 5 and contact the Information Governance team if this applies to your project.
- Information about any automated decision-making that will affect participants. Contact the Information Governance team for assistance if this applies to your project.
- How long the personal data will be kept. This may be the storage period until the data is deleted, or a review period after which the research value of the data will be assessed.
This information must be provided at the time you collect information from the participants. It can be provided within your correspondence/communications with participants.
Data obtained from a third party
Research projects do not always collect personal data directly from the individual participants. Where this is the case, you still need to provide the individual participants with the information, as detailed above, together with the following additional information:
- the categories of personal data to be processed;
- the source of the personal data, and whether it came from public sources.
This needs to be provided within one month.
You do not need to provide the prescribed information if the participants already have it or to do so would involve a disproportionate effort or prevent or seriously impair the achievement of the research objectives. Even where this applies, you still must make the information publicly available.
Participants’ personal data rights
Data protection legislation provides individuals with the following data subject rights:
- The right of transparency.
- The right of access to their personal data.
- The right to rectification of their personal data, i.e. correction of inaccurate data.
- The right to restriction of processing, i.e. to limit the way in which their personal data is used.
- The right to portability, i.e. to have their personal data transmitted to a different organisation.
- The right to object to their personal data being processed.
- The right not to be subject to a decision based on automated processing of their personal data.
- The right to erasure of their personal data, otherwise known as the right to be forgotten.
Individuals can exercise these rights verbally or in writing. The legislation recognises that it may not be appropriate to uphold these rights for personal data used in research, but this is not a blanket exemption. The University can restrict some of these rights if granting them would prevent or seriously impair the outcome of the research purpose. Each case must be judged on its own terms.
Try to ensure you can recognise any requests where participants are exercising their rights and refer formal requests to the Information Governance team. They will ensure any exemptions are applied appropriately and that the response meets statutory requirements.
Can an individual request that their data is removed from a research dataset under the right to be forgotten?
The right to erasure of personal data, known as the right to be forgotten, only applies to data processed in certain circumstances. It is unlikely that these circumstances will apply to personal data processed for research purposes.
The circumstances are:
- the data are no longer required for the purposes for which they were collected
- the legal basis for processing data was consent, and there is no other available legal basis
- the data subject has objected, and there are no legitimate grounds for continuing to process the data
- the data were processed unlawfully
- it is a legal obligation to erase the data
- the data were collected in relation to the offer of information society services
Even where one of the above conditions applies, there is a GDPR exemption where erasing the personal data would render impossible or seriously impair achieving the objectives of the research.
What are the requirements for sharing research data?
There are no specific exemptions from data sharing and data processing requirements for research purposes. If the information you are transferring to a third party is personally identifiable, data protection requirements still apply. You need to consider whether you are transferring the data to another controller or to a data processor, and then put in place any necessary documentation. If the data is being transferred abroad, additional safeguards may also be required depending on the destination country.
Data protection legislation requires that any external organisations engaged to process personal data on behalf of the University are capable of processing the data securely, and that their processing operations are governed by a written contract.
‘Processing’ activities that could be subject to this requirement include collection of personal data by a third party, outsourcing analysis or transcription of personal data, or engaging a supplier to store data.
The GDPR is prescriptive of what such a written agreement must say. Where you are engaging a third party, you should seek advice from the Information Governance Team on 01224 273175 or firstname.lastname@example.org
- Using Data for Marketing and Contact Lists
Are you involved in direct marketing? Either by contacting potential students to engage with and encourage them to study here, or by contacting potential research participants?
If so, then you need to be aware of the Privacy & Electronic Communications Regulations 2003.
This is the legislation which governs how you can conduct direct marketing. It covers marketing by electronic means, including marketing calls, texts, video messages, emails, internet messaging and faxes.
The Information Commissioner has issued guidance on obtaining and recording consent.
There are specific rules about the use of personal data for marketing purposes.
When sending direct marketing messages by email or text, and when making marketing telephone calls, you must follow specific rules. These are set out in the Privacy & Electronic Communications Regulations 2003 (PECR). GDPR has not changed these rules, but it sets a higher standard for the consent required to send marketing messages electronically.
You need specific consent to send direct marketing communications. The best way to obtain valid consent is to ask that people tick opt-in boxes confirming they are happy to receive marketing communication from you as part of your initial interaction.
See the Information Commissioner's Direct Marketing guidance for more details.
Can I use personal data held by the University to send marketing messages?
Yes, as long as you comply with the Data Protection Principles and PECR. In practice this means:
- making sure the marketing activity is included in the University’s privacy notices (see the Providing Privacy tab above)
- only using contact details obtained by the University for related purposes
- making sure the personal data is accurate and up-to-date
- giving individuals the right to prevent direct marketing, usually by providing an opt out.
Do I need consent from the individual before sending marketing messages?
Consent is required before sending unsolicited direct marketing texts, emails or faxes, or for making calls to a number registered with the Telephone Preference Service (TPS). The University must keep a clear record of what an individual has consented to receive, and when and how consent was obtained. Providing an opt-out box is not sufficient evidence to demonstrate consent.
Frequently asked questions (FAQs)
When is a communication ‘direct marketing’?
“The communication (by whatever means) of advertising or marketing material which is directed to particular individuals.”
This covers all advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations.
The marketing must be directed to particular individuals, and as all electronic messages (whether calls, faxes, texts or emails) are directed to someone, they all fall within this definition.
When is it just a communication?
Routine customer service messages, which the sender has a legal obligation to send or which the customer would be at a disadvantage without receiving, are classed as service messages rather than marketing.
What is the difference between direct and indirect marketing?
Indirect marketing is a communication which is not intended for a specific individual. It may not be specifically addressed: it could be sent ‘To the Occupier’ or have no addressee at all. As a specific individual is not being targeted, this is not classed as direct marketing.
When do you not need specific consent and can act based on a previous provision of consent (soft opt-in)?
If an individual purchased something from you recently, gave you their details, and did not opt out of marketing messages, they are likely happy to receive marketing messages from you about similar products or services even if they haven’t specifically consented. However, you must give them a clear chance to opt out – both when you first collected their details, and in every message you send. This means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts. This does not apply to non-commercial promotions (charity fundraising or political campaigning).
What should your consent form say?
Your form should achieve consent which is fully informed and freely given. To achieve this, you must allow the individual real choice and allow them to opt in by ticking a box or some other affirmative action, while also ensuring that there is no detriment from refusing to provide consent.
Your consent form should be granular and specific, with detail of what the individual is consenting to. If you need consent for another, unrelated matter, this should be on a separate form. We must also tell the individual that they can withdraw consent and how to do so.
You must also retain a record of the consent, so that you have an audit trail.
How often should you refresh consent previously gained?
This depends on the relationship, the processing and whether the purposes have changed. If there have been no changes, it is likely to be acceptable to leave a longer gap in between refreshing consent (such as annually). However, if there has been a change to the processing, the purposes or relationship, then this should act as your prompt to refresh consent.
Does the relationship between the sender and the recipient matter?
Yes - there are different rules for marketing to companies than exist for marketing to individuals. In general, the rules for marketing to companies are not as strict.
What are the rules on Business to Business Marketing?
You can email or text any company or Government body.
The rules on consent, the soft opt-in and the right to opt-out do not apply for companies and Government bodies. However, the Information Commissioner (ICO) recommends that where companies have asked not to be contacted, that this should be respected.
Many employees have personal corporate email addresses from which they can be identified; they have the right to object individually to receiving marketing emails.
Anonymised data
Information from which no individual can be identified.
Biometric data
Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a person, which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.
Consent
Any freely-given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of his or her personal data.
Criminal offence data
Personal data relating to criminal convictions and offences, or related security measures
Data breach
See Personal data breach.
Data concerning health
Personal data related to the physical or mental health of a person, including the provision of health services, which reveal information about his or her health status.
Data controller
A person, public authority or body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor
A person, public authority or body which processes personal data on behalf of the data controller.
Data sharing
The disclosure of data from one or more organisations to one or more third-party organisations, or the sharing of data between different parts of an organisation.
Data sharing agreement
A document that sets out a common set of rules to be adopted by organisations involved in a data sharing operation.
Data subject
The identified or identifiable living individual to whom personal data relates.
Direct marketing
The communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
DPA 1998
The Data Protection Act 1998. Superseded by the GDPR and the DPA 2018.
DPA 2018
The Data Protection Act 2018.
DPIA
Data protection impact assessment.
DPO
Data Protection Officer.
Filing system
Any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.
GDPR
The General Data Protection Regulation.
General Data Protection Regulation
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Genetic data
Personal data relating to the inherited or acquired genetic characteristics of a person which give unique information about the physiology or the health of that person and which result, in particular, from an analysis of a biological sample from the person in question.
ICO
Information Commissioner’s Office. The regulator for data protection legislation in the United Kingdom. www.ico.org.uk
Identifiable person
A person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Information society services
A service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. See Directive (EU) 2015/1535 for an indicative list of services excluded from this definition.
PECR
The Privacy & Electronic Communications (EC Directive) Regulations 2003 - 2016
Personal data
Any information relating to an identified or identifiable living person.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing
Any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to that person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement.
Pseudonymisation
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable person.
Public authority
An organisation in Scotland as defined by the Freedom of Information (Scotland) Act 2002.
Sensitive personal data
Personal data consisting of information relating to the data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or sexual life; offences committed or allegedly committed by the data subject, or proceedings for any offence.
Replaced under GDPR by ‘Special categories of personal data’.
Special categories of personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data when processed to identify a person; or data concerning a person’s health, sex life or sexual orientation.
TPS
Telephone Preference Service.