Data protection is a set of good practice rules for handling information about people and should provide reassurance that we use data fairly and lawfully. If information is collected for any reason other than personal, family or household purposes, the legislation needs to be complied with.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 determine how personal data should be handled. Please see the GDPR and the Data Protection Act 2018 tabs for more information. The University Data Protection policy is available online.
The Information Commissioner's Office (ICO) regulates data protection in the UK. It offers advice and guidance, promotes good practice, carries out audits and advisory visits, considers complaints, monitors compliance and takes enforcement action (including fines) where appropriate. The ICO has produced a Guide to GDPR, which is a useful tool.
Information security is also a key part of protecting personal data - see the guidance on University information security policies and practices. Guidance on other aspects of data protection is provided on these pages. Specialist terms used in data protection legislation and in these guidance pages are defined in the Glossary tab below.
General Data Protection Regulation (GDPR)
- What is GDPR
The General Data Protection Regulation (GDPR) replaced the 1998 Data Protection Act as the cornerstone of data protection on 25 May 2018. It marks a step-change for the University and other organisations that handle personal information.
The GDPR is European legislation that took effect in all EU member states on 25 May 2018. The planned withdrawal from the European Union does not affect our obligations to comply with the GDPR.
The GDPR is an evolution in data protection, not a revolution. The definition of personal data is more detailed than in the DPA 1998, but is not changed substantially. The core handling rules, the Data Protection Principles, are recognisably similar under the GDPR. The University remains classed as the data controller for most of the personal data we handle, and the contractors we use to process personal data on our behalf remain our data processors. Please see the Data Protection Principles tab below for more information.
The GDPR builds on the previous legislation by providing more protections for individuals, and significantly more privacy obligations for organisations such as the University. A summary of the key changes is outlined below.
- Record of Processing Activities
The accountability principle requires the University to demonstrate that we comply with the legislation.
This involves keeping records of the way we handle personal data, assessing and monitoring the privacy risks (please see the Impact Assessment tab below) involved in new projects and involving the Data Protection Officer in key decisions about the use of personal information.
Record-keeping at a corporate level will be co-ordinated by the Data Protection Officer.
It should be transparent to people how their personal data is handled. The GDPR requires the University to provide more information when we collect personal data from individuals, or after we receive their data from a third party.
This 'privacy information' includes what data we collect, why and how, with whom we share it, and how long we keep it. The University will be taking a layered approach, providing details in manageable portions.
- Legal Basis
The legal basis for processing data must be cited in the corporate-level record of processing activities and provided as privacy information. Many of the University’s core activities are undertaken in pursuit of our public tasks or for statutory purposes, rather than on consent.
Any notices given to individuals by schools, services and research teams as part of a layered approach to privacy information will need to reflect the appropriate legal basis.
Consent must be a freely given, specific, informed and unambiguous indication of a person’s wishes. It must be opt-in rather than opt-out and a simple means of withdrawal of consent must be provided.
When data processing is based on consent, such as for some student support services or for electronic direct marketing, the quality must meet this standard. Please see the Using data for marketing tab below for more information.
- Data Subject Rights
The GDPR provides new rights (the right to data portability, the right to object and the right to erasure) and enhanced rights (an easier right of access and extended conditions for restricting processing).
Many of these rights are conditional, and there are significant exemptions where personal data is processed for research purposes - for more information on this please see the Academic Research Data Protection tab below.
Subject rights will continue to be exercised formally through the Data Protection Officer.
- Suppliers who Process Personal Data
The University must ensure personal data is protected by our suppliers.
Before passing data to a processor (a third party that handles personal data on our behalf), the University must check that the processor will use the data properly, hold it securely and co-operate with us in the event of an incident or request.
The minimum terms of the written contract with the processor are much more detailed under the GDPR. Central contracts are currently being reviewed, and supplier due diligence arrangements updated. Information on supplier due diligence can be found on the Using a Data Processor tab below.
- Data Breaches
If personal information is compromised and the breach is likely to result in a risk to individuals, the incident must be reported to the Information Commissioner within 72 hours of discovery. Where the risk to individuals is high, the people affected must also be informed without undue delay.
The University must keep a record of all breaches regardless of the likely outcome. Central recording and reporting falls to the Data Protection Officer. All staff need to be able to recognise a breach and know what to do. Information on reporting a data breach can be found on the Reporting a Data Breach tab below.
- Information Champions
All Schools and Directorates have an Information Champion, and their role is to work with the Information Governance and Information Security teams to help ensure that the University handles its data securely and lawfully.
As the legislative frameworks around information handling become ever more complex, and the threats to the digital working environment ever more real, there is a need to make sure that knowledge about these issues is spread across the University.
Champions will provide advice to colleagues and to their Head of School / Director and will signpost staff with more complex issues to the Information Governance or Information Security teams. They will also highlight emerging or recurring issues on which guidance and direction is required.
Below is the list of Information Champions.

| School / Directorate | Information Champion(s) | Contacts |
|---|---|---|
| Biological Sciences | Maree McCombie and | |
| Business School | Robert Duncan | email@example.com |
| Divinity, History, Philosophy | Kate A Smith | firstname.lastname@example.org |
| Education | Sharon Smith | email@example.com |
| Engineering | Alireza Bagheri Sabbagh | firstname.lastname@example.org |
| Geosciences | Nick Schofield | email@example.com |
| Language, Literature, Music, Visual Culture | Laura Bowie | firstname.lastname@example.org |
| Law | Malcolm Combe | email@example.com |
| Medical Sciences & Nutrition | Gwen Smith | firstname.lastname@example.org |
| Natural & Computing Sciences | To be confirmed | To be confirmed |
| Psychology | Jasna Martinovic | email@example.com |
| Social Science | Dimitrios Anagnostakis | firstname.lastname@example.org |
| Academic & Student Services | Lisa Hall | email@example.com |
| Alumni Relations | Chloe Bruce | firstname.lastname@example.org |
| Development Trust | Mairi Clinton | email@example.com |
| Digital & Information Services | Claire Bell | firstname.lastname@example.org |
| Estates & Facilities | Kris Glodek | email@example.com |
| Finance | Martin Phillips | firstname.lastname@example.org |
| Marketing & Student Recruitment | Nicol Mellis | email@example.com |
| People | Andrew Mackie | firstname.lastname@example.org |
| Planning | Linda Murdoch | email@example.com |
| Research & Innovation | Paul Connolly | firstname.lastname@example.org |
- GDPR and Brexit
The basis on which the UK will leave the EU has still to be decided. However, the Government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that we need to follow.
We will, however, be affected in so far as we transfer personal data between the UK and the European Economic Area (EEA).
Personal information has been able to flow freely between organisations in the UK and European Union without any specific measures. That’s because of the common set of rules – the GDPR.
This two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data.
In this event, the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.
The Information Commissioner (ICO) has published guidance to help us understand the implications and to aid planning.
- Data Protection Principles
The principles set the standards that must be met when processing personal data. The principles lie at the heart of the legislation. There are exemptions from some of the requirements in certain circumstances. Using personal data in research and disclosure in legal proceedings are examples of circumstances when an exemption may apply.
Advice on the operation of the exemptions should be sought from the Data Protection Officer.
The University is responsible for and shall be able to demonstrate compliance with the following principles when processing personal data.
Principle 1 - Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Principle 2 - Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3 - Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Principle 4 - Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle 5 - Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle 6 - Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The University must comply with these principles when processing personal data.
- Reporting a Data Breach
What is a personal data breach?
The definition of a personal data breach provided by the Information Commissioner's Office (ICO) is: "A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data."
Examples of a data breach are when:
- any personal data is lost, destroyed, corrupted or disclosed unlawfully
- someone accesses personal data and passes it on without proper authorisation
- personal data is made unavailable, and this has a significant negative effect on individuals
Data breaches can be the result of both accidental and deliberate causes, and they can involve information that is electronic, on paper or in any other format. Common examples of personal data breaches include:
- sending personal data to the wrong recipient
- laptops and memory sticks being lost or stolen
- corruption or loss of data during migration between systems
A personal data breach goes further than just the loss of data. It needs to be considered more widely as a security incident that has affected the confidentiality, integrity or availability of personal data.
Whenever any personal data is lost, destroyed, corrupted or inappropriately disclosed, this will constitute a personal data breach.
All personal data breaches must be reported to the Information Governance Team as soon as possible.
Even where the breach does not need to be reported to the Information Commissioner, a record must be retained. We are required to do so, and we may be asked to provide this to the Information Commissioner on request.
Some breaches need to be reported to the Information Commissioner’s Office (ICO). Where this is the case, the report must be made within 72 hours of the breach being detected.
If the breach is likely to result in a high risk to individuals' rights and freedoms, we must also inform the individuals affected without undue delay.
If such a breach is not reported when required, we could face a fine of up to £8.5 million (10 million euros) or 2% of our annual turnover, whichever is higher. As well as a fine, the ICO can take the other corrective measures available to it under Article 58 of the GDPR.
It is vital that all staff report a personal data breach, however minor, promptly after discovery.
You can also call the Information Governance Team on 01224 272596, 01224 273175 or 01224 273079 if you wish to discuss a breach, or whether an incident is a personal data breach.
For urgent breaches that occur out of hours, contact the out-of-hours helpline via the IT Service Desk extension number, 3636.
What do I need to include in my notification?
The Data Protection Officer or security incident team will need some basic information to assess the incident. Include brief details in answer to the following questions. If you cannot provide all the answers, do not delay in reporting the incident.
- What has happened to the data? Has it been stolen, or lost, or disclosed, or damaged?
- Was the data protected, such as by encryption or password protocols?
- What type of personal data is involved? Is the data sensitive or private?
- Whose data has been breached? Does it relate to students, staff, research participants etc?
- How many individuals’ data are involved?
Do I need to tell the individuals affected by the breach or the Information Commissioner?
No. External reporting will be co-ordinated by the response team.
Will I be penalised for reporting a data breach or security incident?
No. The University encourages all staff to report actual or potential breaches.
A supplier or data sharing partner has notified me about a breach involving University data. What should I do?
Report the breach to the Data Protection Officer, along with details of your contact in the supplier or partner organisation.
You can pass the contact details of the Data Protection Officer to the supplier or partner to give them a point of contact for any joint investigation.
- Data Rights
The General Data Protection Regulation (GDPR) introduced new rights for data subjects, as well as amending and augmenting some of the rights which existed under the previous legislative regime.
The sections below provide more details on these rights.
If you have questions about these rights, please email the Information Governance Team at email@example.com or telephone 01224 273175.
Right to be informed
Articles 13 – 14 of the General Data Protection Regulation (GDPR)
The GDPR is specific about the information that needs to be provided to people about what is done with their personal data.
Organisations must actively provide this information to people in a way that is easy to access, read and understand. This specific and direct approach goes further than the requirements under the previous legislation.
The GDPR lays out what individuals should be told about when we collect and use their personal data.
How the information should be provided
- In an intelligible form
- Easily accessible
- In clear and plain language.
It should include:
- Why your personal data is being used
- Where the data was received from
- The categories of personal data obtained (if received from another source)
- What type(s) of data are being used
- How long it is being kept for
- The lawful basis for the processing
- Who your data is shared with and what is shared
- If the information is being transferred to third parties, who it is being shared with, the reasons for the transfer and what will be done with the data
- The information rights available to individuals
- If the personal data is being used for automated decision-making, such as profiling
- The name and contact details of the organisation and data protection officer
- The legitimate interests for the processing (if applicable)
- Your right to withdraw consent, if applicable
- Your right to complain to the Information Commissioner’s Office (ICO)
- Whether you are under a statutory or contractual obligation to provide the personal data
All the above is classed as your privacy information. This should be provided within the privacy notice you are directed to when data is collected. If the data is received from another source rather than from you, this information must be provided within a reasonable period and at the latest within one month. This may be done in the form of a privacy notice.
The principle of transparency runs through GDPR and providing individuals with this information is a key part of the principle.
Right of access
Article 15 of the General Data Protection Regulation (GDPR)
The right of access, often referred to as ‘subject access’, gives individuals the right to receive a copy of their personal data as well as other information about how and why their data is being used.
Key things to know about making such requests:
- People have the right to access their personal data.
- They can make a request verbally or in writing.
- Organisations are given one month to respond to a request, with the possibility of an extension of two months in cases of complex or multiple requests.
- No fee can generally be charged for dealing with such a request; one would only be levied in exceptional circumstances.
- Verification of the requestor's identity may need to take place.
- Such requests are dealt with by the Information Governance Team (firstname.lastname@example.org) and they should be made aware of such requests as soon as is possible.
What are people entitled to?
- confirmation that their personal data is being processed;
- a copy of their personal data;
- the other information that should be provided will likely be covered by the contents of the relevant privacy notice, which people can be directed to. More information is on the Right to be informed tab above.
- Individuals are entitled to their own personal data, but not information about other people, unless they are either acting on their behalf or it is seen to be reasonable to do so.
- It can sometimes be difficult to determine whether information is personal data or not but there is more guidance available - what is personal data.
How to recognise a request
An individual can make a subject access request verbally or in writing. It does not need to be made in any specific format and we do not use a form for making such requests. It is good practice to keep a written record of a verbal request to ensure an audit trail.
A request can be made to any member of staff or department in the University. It does not have to be made to the Information Governance Team for it to be a valid request.
The request does not have to quote GDPR or use the term ‘Subject Access Request’ to be valid.
If a request is received, the staff member should record the details and pass them on to the Information Governance Team at email@example.com as soon as possible.
How should a response be provided?
If the request is made electronically, the information should be provided in a commonly used electronic format, unless the individual requests otherwise.
The wishes of the requestor in terms of how they wish to receive the data should be respected, where possible.
Can the information be updated or changed once a request is made?
It is not acceptable to amend or delete the data if this would not otherwise have happened. Under the Data Protection Act 2018 (DPA 2018), it is an offence to make any amendment with the intention of preventing its disclosure.
If, however, the routine use of the data results in it being amended or even deleted while you are dealing with the request, it would be reasonable to supply the information you hold when you send out a response.
What if someone makes a request on behalf of someone else?
This is permitted under the GDPR, and sometimes it will be a solicitor acting on behalf of a client, but often it is a friend or family member. In such cases, we need to be sure that the third party making the request is entitled to act for the data subject and it is the third party’s obligation to provide evidence of this. It could be a communication authorising this, or something more formal, such as Power of Attorney.
What happens if the requested data includes information about others?
The Data Protection Act 2018 says that it is not necessary to comply with a request where it would mean disclosing information about another individual who can be identified from that information, except if:
- the other individual has given consent; or
- it is reasonable to comply with the request without their consent
Can a request be refused?
Where the request is manifestly unfounded, excessive or repetitive it may be reasonable to refuse the request or to charge a reasonable fee.
In both cases the decision needs to be justified.
Can an individual be forced to make a subject access request?
Under the Data Protection Act 2018 it is a criminal offence, in certain circumstances and regarding certain information, to require an individual to make such a request.
Right to rectification
Article 16 of the General Data Protection Regulation (GDPR)
The GDPR includes a right for individuals to have inaccurate data rectified, or completed if it is incomplete.
- Such requests can be made verbally or in writing.
- As with access requests, verbal requests should be recorded to ensure there is an audit trail
- Such a request can be made to anyone or any department in the University and on receipt the Information Governance Team should be made aware
- The timescale for response is one month. The timescale can be extended by two months where the request is complex or there are multiple requests from the same individual.
- In some circumstances the request for rectification can be refused.
- This right is closely linked to the obligations under the accuracy principle of the GDPR (Article 5(1)(d)).
How to recognise a request?
There is no specific way in which data subjects must make such a request and it can be done either verbally or in writing. The request can be made to any member of staff in any department and they must tell the Information Governance team as soon as possible at firstname.lastname@example.org
What needs to be done to address a request for rectification?
Steps should be taken to ascertain whether the data is accurate and, if not, to rectify it. As part of this process, it is important to take into account the comments and evidence provided by the data subject.
What steps can be taken, and are reasonable to take, will depend on the nature of the personal data and what it is and will be used for.
The more important it is that the personal data is accurate, the greater the effort that should be put into checking its accuracy and, if necessary, rectifying it; for example, where the personal data will be used to make significant decisions about the individual.
When is data inaccurate?
The Data Protection Act 2018 states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
What should be done about data that records a mistake?
Ascertaining whether personal data is inaccurate is more complicated where the data refers to a mistake that has now been resolved. It can be argued that the record of the mistake is accurate and therefore should be retained.
In such circumstances it may be more helpful to provide a record clarifying that a mistake was made, describing it and clearly stating the remedy that has taken place. This means that the mistake is correctly recorded, as is the fact that it has been fixed.
What about a disputed opinion?
It is complex if the data in question records an opinion. Opinions are, by their very nature, subjective, and it can be difficult to conclude whether the record is inaccurate. As long as the record clearly shows that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified.
It can sometimes be appropriate to add a note to the record to indicate that the data subject does not agree with the stated opinion and the reasons for their disagreement.
What should be done while considering the accuracy?
The data subject is entitled to request restriction of the processing of the disputed data where they contest its accuracy.
It is good practice to restrict the processing whilst we are determining whether rectification should take place, even if the data subject has not requested this.
What if it is thought that the data is accurate?
The data subject should be advised that the personal data will not be amended and the reasons why we do not think that the data is inaccurate. The data subject would also be informed that they have the right to make a complaint to the Information Commissioner (ICO).
Can a request for rectification be refused?
Yes, and in some circumstances it may be appropriate to request a reasonable fee before dealing with it.
In either case the data subject must be made aware and the decision justified. They must also be advised of their right to make a complaint to the Information Commissioner (ICO).
Do other organisations need to be told if personal data is rectified?
If personal data has been disclosed to others, they must be contacted to tell them of the rectification or completion of the personal data. This is unless this proves impossible or involves disproportionate effort.
Right to erasure and restriction
Articles 17 and 18 of the General Data Protection Regulation (GDPR)
- Gives the right to request the deletion or removal of personal data.
- Gives the right to request to ‘block’ or restrict processing of personal data.
The overarching principle to this right is to allow data subjects to request the deletion or removal of their personal data where there is no compelling reason for its continued processing.
There is also the right to request the restriction of the processing of your personal data. In such cases it may be permitted that the data continues to be stored, but not further processed. Just enough information would be retained to ensure that the restriction is respected in future. Restriction could involve transferring data to a separate system or limiting the access through access controls.
What needs to be considered when dealing with an erasure request?
The personal data must be erased without undue delay if:
- the processing of the personal data infringes the data protection principles;
- we do not meet safeguards for archiving and processing of special category data; or
- we have a legal obligation to erase the data.
How to recognise a request
Requests can be made verbally or in writing to any member of the University in any department. Those receiving the request must tell the Information Governance team at email@example.com as soon as is possible.
If there are any doubts about the identity of the individual, a request for identification to establish identity can be made.
How long is given to comply?
A response should be provided without undue delay and in any event within one month. This timeframe can be extended by two months if the request is complex or there are multiple requests.
What needs to be done to comply with requests for erasure or restriction?
Handling of such a request should be reasonable and proportionate, taking into consideration the nature of the personal data held and the relationship with the individual.
If the personal data in question has been disclosed to third parties, those third parties must be informed about the erasure or restriction of the personal data, unless this proves impossible or involves disproportionate effort. The third parties will also have to erase or restrict the personal data they hold.
If the decision is that the data will not be erased or restricted, the requestor should be informed of their right to raise a complaint with the Information Commissioner (ICO) or take the matter to court.
What if the request is manifestly unfounded or excessive?
If requests are manifestly unfounded or excessive, in particular because they are repetitive, we can:
- charge a reasonable fee, or
- refuse to respond.
In such circumstances, it must be demonstrated why the request is manifestly unfounded or excessive.
Right to portability
Article 20 of the General Data Protection Regulation (GDPR)
There is the right to receive personal data in a way that is accessible and machine-readable, for example as a csv file.
This is known as the right to data portability.
What kind of data this right relates to: it only applies to data that
- is held electronically, and
- you have provided.
Data you have provided does not just mean information you have entered; it can also include data gathered from monitoring your activity when you have used a device or service.
How to ask for your data
- make a request and be specific about what you want
A request can be made verbally or in writing.
When to make a portability request
You can make a portability request at any time to any organisation that:
- relies on your consent to use your personal data, or
- uses your data as part of a contract you have with them.
What to do if you are dissatisfied with the outcome of a portability request?
You should first complain to the organisation and if you remain dissatisfied you can make a complaint to the Information Commissioner (ICO).
What can you expect to receive?
- A copy of the requested data in a commonly used and machine-readable format.
- You may need to confirm your identity and then the information will be sent to you.
- Your data will not automatically be deleted, so you may need to exercise your right to erasure in addition to portability.
When can your request be rejected?
If the request is “manifestly unfounded or excessive”.
In these circumstances:
- a reasonable fee can be requested, or
- the request can be refused
In reaching this decision, we can take into account whether the request is repetitive. In either case we will tell you and provide justification of our decision.
How long is given to answer the request?
One month. In some circumstances more time may be needed to consider the request and it is possible to take an extra two months. You must be told if more time is needed and why.
Right to object
Article 21 of the General Data Protection Regulation (GDPR)
- The GDPR gives a right to object to the processing of personal data in certain circumstances.
- There is an absolute right to stop personal data being used for direct marketing.
- In other cases where the right to object applies, personal data may continue to be processed if it can be demonstrated there is a compelling reason for doing so.
- Data subjects must be told about the right to object.
- A request does not have to include the phrase 'objection to processing' or Article 21 of the GDPR to be valid.
- Objections can be made verbally or in writing. They can be made to any part of the University and to any member of staff.
- If required to verify identity, a data subject can be asked to provide copies of identification documents.
- A response to an objection should be provided within one month. The time for response can be extended by a further two months, but this needs to be explained and the reasons justified.
What is the right to object?
Article 21 of the GDPR gives the right to object to the processing of personal data.
The right to object only applies in certain circumstances. Whether it applies depends on the purposes for processing and the lawful basis for processing.
When does the right to object apply?
There is an absolute right to object to the processing of your personal data if it is for direct marketing purposes.
An objection to processing can be made if the processing is for:
- a task carried out in the public interest
- the exercise of official authority
- legitimate interests
In these circumstances the right to object is not absolute.
Specific reasons must be given for the objection, based upon your particular situation.
Processing can continue if:
- it can be demonstrated that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
- the processing is for the establishment, exercise or defence of legal claims.
If the decision is that there is no requirement to stop processing the personal data, you must be told, given an explanation of why, and informed of your right to complain to the Information Commissioner (ICO).
Where personal data is being processed for scientific or historical research, or statistical purposes, the right to object is more restricted. If the data is being processed for these purposes and there are appropriate safeguards in place (eg data minimisation and pseudonymisation where possible), you only have the right to object if the lawful basis for processing is:
- public task, on the basis that it is necessary for the exercise of official authority vested in the organisation, or
- legitimate interests.
There is no right to object if the lawful basis for processing is public task because it is necessary for the performance of a task carried out in the public interest.
Does personal data always need to be erased to comply with an objection?
Erasure may not be appropriate if the data is processed for other purposes and the data needs to be retained for those purposes.
Can a request be refused for other reasons?
Yes, where it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If the objection is considered manifestly unfounded or excessive then:
- a "reasonable fee" to deal with it can be requested; or
- the request can be refused.
The reason must be justified on both occasions.
- Providing Privacy Information
Explaining clearly to people how the University handles their personal data is a key obligation under data protection.
Students, research participants, staff, visitors to the University and other people whose data we hold and use should know what happens to their information. We need to explain what information we collect, why, how it will be used and protected, when it will be destroyed and with whom it will be shared.
The GDPR sets out a detailed specification for the privacy information we need to provide, and when we are required to inform people.
The term ‘privacy notice’ is used as a shorthand to describe this privacy information. In practice the University uses a blended approach, providing information to people at key interaction points, such as student registration, staff recruitment, research participation and website browsing. To meet GDPR requirements, there has to be greater co-ordination and publication of privacy information on the University website.
Is a privacy notice the same as a consent form?
No. The purpose of a privacy notice is to inform individuals about the way their personal information will be used. It does not need to be signed by the people affected. The purpose of a consent form is to gain the individual’s approval to collect and use their personal information. There are some details that would be included on both a privacy notice and a consent form, such as the purpose for processing data and any sharing arrangements. They do not fulfil the same function however.
Do I need to add privacy information to the forms I use to collect personal data?
Not at this stage. The University is taking a layered approach to providing privacy information. This means that mandatory information that is common across the University, such as the contact details of the Data Protection Officer and the range of individual rights, will be provided on the website.
It will be important to reference that overarching privacy information when we collect or receive personal data, and to provide any outstanding details that are not in the common privacy notice. Once we have established the approach to providing privacy information on the website, the next step will involve reviewing and aligning the forms we use to gather personal data.
Updates will be published here and circulated to key contacts.
Where can I find privacy information on the University website?
Privacy information is currently available on various webpages. These include information for:
- Sharing Personal Data
Personal data can be shared with other organisations if it is done responsibly and securely.
Data protection legislation recognises that sharing personal data can bring significant benefits, for individuals and for organisations. Any sharing that takes place must still meet the data protection principles to make sure that individuals are not disadvantaged. The University also needs to know about information sharing arrangements, so that they can be included in privacy notices (see the Providing Privacy Information tab).
Please liaise with the Data Protection Officer when establishing or reviewing any data sharing arrangements.
What is ‘data sharing’?
The term describes instances when the University provides personal data to an external organisation or person to be used for their purposes. The disclosure of student data to AUSA to populate the AUSA membership database is an example of a data sharing arrangement.
The University also uses external organisations to handle personal data for our purposes. Analysis of University website visitors by a third party, cloud storage of personal data and destruction of confidential waste by a contractor are all examples of a third party handling data on our behalf. These are ‘data processing’ arrangements rather than ‘data sharing’ arrangements. There are distinct legal requirements and guidance on data processing (please see the Using a data processor tab below).
How do I know if an arrangement involves data sharing or data processing?
It is not always simple to decide whether an external organisation is a data sharing partner or a data processor. This will depend on how far the organisation determines what personal data will be collected, and how the data will be used. The Information Commissioner has produced guidance on this topic.
Advice is also available from the Data Protection Officer.
What do I need to share personal data?
There are three essential requirements to share personal data:
- a clear and justifiable purpose
- an appropriate legal basis
- secure handling methods, particularly for sending and receiving the data. See the information security pages for practical guidance.
Do I need a data sharing agreement?
It is good practice to have an agreement in place where personal data will be shared on a large scale, or on a regular basis. The University does not have a template data sharing agreement. An agreement proposed by a partner should always be checked to ensure the terms are appropriate.
- Using a Data Processor
Third parties that process information on our behalf must be vetted and accountable to the University under a contract.
External organisations or persons appointed to handle personal data on our behalf operate as our data processors. The University must make sure that any data processor can safeguard the data appropriately. Due diligence checks must be carried out before transferring any personal data to a data processor. Once the organisation or person has provided the University with sufficient guarantees of their suitability, the arrangement must be documented in a written agreement or data processing contract. Contract requirements under the GDPR are extensive (see GDPR tab above).
Separate guidance is provided on data sharing arrangements, which are subject to different requirements.
How do I know if an arrangement involves data sharing or data processing?
It is not always simple to decide whether an external organisation is a data sharing partner or a data processor. This will depend on how far the organisation determines what personal data will be collected, and how the data will be used. The Information Commissioner has produced guidance on this topic. Advice is also available from the Data Protection Officer.
How do I carry out a due diligence check on a potential supplier?
You should ask your preferred supplier to complete the University questionnaire about their data security practices. The completed questionnaire should be sent to firstname.lastname@example.org. The Data Protection Officer and IT Security Manager will respond with any risks you need to consider before signing the contract or sending data to the supplier.
What must be included in a data processing contract?
- the particular processing arrangement. This includes what personal data is being processed, who the data subjects are, why and how the data will be processed and for how long.
- the obligations on the data processor. These include requirements to respect confidentiality, ensure security and assist the data controller to comply with data protection legislation. The GDPR sets out a detailed specification for these terms.
Further information is provided in the Information Commissioner’s guidance on contracts.
Contract templates are available from Procurement.
The Data Protection Officer can also assist with the assessment of data processing contracts.
Do data processing contracts in place before GDPR need to meet the new standard?
Yes. The GDPR requirements apply to both existing and new contracts. Existing contracts must be checked and, if necessary, updated to meet GDPR requirements.
The University has a group working to identifying relevant contracts. If you are responsible for a contract that involves an external organisation processing personal data on behalf of the University, and you have not yet been contacted about a contract, please contact the Data Protection Officer to make sure it has been included in the review.
- Transferring Data Abroad
International transfers of personal data require additional conditions to be in place.
Please see our Brexit tab above on how this might change, depending on how the UK leaves the EU.
Data protection legislation sets high standards for handling personal data in the European Union. GDPR seeks to guarantee European citizens a similar level of protection if their data is transferred out of the Union by specifying additional conditions for international data transfers.
Personal data can move freely within the European Union, or to countries whose data protection regimes are considered ‘adequate’ by the European Commission, as long as all other data protection requirements are met. These requirements include complying with the data protection principles, listing international transfers in the privacy information provided to individuals, and ensuring data sharing or data processing arrangements are documented adequately.
Transfers to countries with no decision of adequacy can take place in two circumstances. Either there must be an agreement in place that meets specific standards, or one of a number of exemptions must apply. The operation of the exemptions is complex. Some exemptions, including consent, are not available to the University for international transfers for core teaching and research purposes.
The Information Commissioner has provided guidance on international transfers.
Further guidance for the University will follow in due course. In the meantime, advice should be sought from the Data Protection Officer.
Which countries have been designated as ‘adequate’ for international transfers?
Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. Commercial organisations in Canada, and organisations covered by the Privacy Shield in the United States are also deemed adequate. The European Commission publishes the current list.
- Impact Assessments
A data protection impact assessment (DPIA) must be carried out before embarking on certain types of data processing.
An impact assessment is a process to help identify and minimise the privacy risks involved in a project or initiative. Under GDPR, data protection impact assessments are mandatory where our data processing may result in a high privacy risk to individuals. The DPIA must be completed before any processing begins.
The assessment should be integrated into the planning and implementation stages of a project, and should be initiated and conducted by the project team. It is a requirement that the DPIA is documented and that the Data Protection Officer (DPO) is involved in the assessment.
When should an impact assessment be carried out?
A DPIA must be undertaken if you plan to do any of the following:
- use systematic and extensive profiling with significant effects on individuals
- process special category or criminal offence data on a large scale
- systematically monitor publicly-accessible places on a large scale
- use profiling or special category data to decide on access to services, opportunities or benefits
- profile individuals on a large scale
- match data or combine datasets from different sources
- collect personal data from a source other than the individual without providing them with a privacy notice
- track individuals’ online or offline location or behaviour
- profile children or target marketing or online services at them
- process data that might endanger the individual’s physical health or safety in the event of a security breach
A DPIA is also required if you plan to do one of the following activities:
- use new technologies to process personal data or apply existing technologies in a novel way that also involves one of the additional criteria (below)
- process biometric data in a way that also involves one of the additional criteria (below)
- process genetic data other than in the provision of health care in a way that also involves one of the additional criteria (below)
The additional criteria are:
- Evaluation or scoring of an individual’s performance, economic situation, health, preferences, interests, behaviour, location or movements
- Automated decision-making about individuals with legal or similar significant effect on them
- Systematic monitoring to observe, monitor or control individuals
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets collated for different purposes or by different controllers
- Data concerning vulnerable data subjects, such as children, employees, physically or mentally ill persons
- Innovative use or applying new technological or organisational solutions
- Preventing data subjects from exercising a right or using a service or contract
Please refer to the Glossary tab below for definitions of the key terms used above.
The Information Commissioner has published guidance that explains these categories in more detail.
There are some limited exceptions from the obligation to undertake a DPIA. If you think an exception applies to your project, consult the DPO.
How should a DPIA be carried out?
The process involves seven main stages:
- identify the need for a DPIA
- describe the processing that is proposed
- consider who needs to be consulted
- assess necessity and proportionality
- identify and assess privacy risks
- identify measures to mitigate the privacy risks
- sign off and record outcomes
The actions you have decided to take forward can then be integrated into your project plan.
This template can be used to guide you through the steps and to document the assessment.
The Information Commissioner has published helpful guidance on each of these steps.
When should I involve the DPO?
As soon as possible. The DPIA must be sent to the DPO at stage 7 of the process for comment on whether the assessment has been conducted properly. Early engagement with the DPO will ensure this stage proceeds smoothly. The DPO can assist from the outset with the decision whether to carry out a DPIA (stage 1), and is best placed to advise on the assessment of necessity, proportionality and GDPR compliance (stage 4).
Do I need to consult with anyone else?
The views of individuals who may be affected by the proposal should be taken into account, unless there is a good reason not to do so. Consultation time should be factored in to your project plan.
If the assessment concludes there is a high risk to individuals that cannot be reduced, the decision whether to proceed must be referred to the Information Commissioner.
- Academic Research and Data Protection
Academic research is subject to data protection legislation, but its importance is recognised in a number of exemptions.
The GDPR recognises the value of the contribution research makes to knowledge-based policy, to the quality of life of people and the efficiency of social services. The legislation provides a new, explicit legal basis for processing special category data (sensitive personal data) for research as long as safeguards are in place, and allows EU member states to specify many of the exemptions that apply to the use of data for research purposes.
The safeguards and exemptions that apply to organisations in the UK are within the Data Protection Act 2018.
The GDPR places a new emphasis on the legal basis for processing personal data. The legal basis determines the rights that individuals can exercise over the way their data is processed. It is important therefore that the legal basis is stated correctly in privacy information given to participants. Consent is one of the legal bases for processing personal data, but it is not the normal justification for processing personal data for research in the University. Instead, research is part of the University’s core task: that is the legal basis. This does not affect any ethical requirements to ensure that participation in research is voluntary and that participants are informed about the use of their information.
Do I need to update my consent forms and participant information sheets for GDPR?
Not at this stage. As the legal basis for conducting research is the University’s public task, rather than individual participant consent, the forms you use routinely to gather consent do not need to be revised to take account of GDPR.
Participant information sheets (PIS) will form part of the University’s layered approach to providing privacy information to research participants. It is important that PIS align with the overall University approach, and signpost overarching privacy information provided on the University website. Template PIS are under development as part of the University review of ethical approval procedures.
Further guidance will be published here when available.
What are the requirements for sharing research data?
There are no specific exemptions from data sharing and data processing requirements for research purposes. If you are transferring personally identifiable information to a third party, data protection requirements still apply. You need to consider whether you are transferring the data to another controller or to a data processor, and then put in place any necessary documentation. If the data is being transferred abroad, additional safeguards may also be required depending on the destination country.
Can an individual request that their data is removed from a research dataset under the right to be forgotten?
The right to erasure of personal data, known as the right to be forgotten, only applies to data processed in certain circumstances. It is unlikely that these circumstances will apply to personal data processed for research purposes.
The circumstances are:
- the data are no longer required for the purposes for which they were collected
- the legal basis for processing data was consent, and there is no other available legal basis
- the data subject has objected, and there are no legitimate grounds for continuing to process the data
- the data were processed unlawfully
- it is a legal obligation to erase the data
- the data were collected in relation to the offer of information society services
Even where one of the above conditions applies, there is a GDPR exemption where erasing the personal data would render impossible or seriously impair achieving the objectives of the research.
- Using Data for Marketing and Contact Lists
There are specific rules about the use of personal data for marketing purposes.
Sending marketing messages to named individuals is known as direct marketing, and is governed by data protection legislation. The definition of marketing is wide. It covers any advertising or marketing material, not just commercial marketing, including material promoting the aims of not-for-profit organisations.
There are particular rules for sending direct marketing messages by email or text, and for making marketing telephone calls. These are set out in the Privacy & Electronic Communication Regulations (PECR). GDPR has not changed these rules, but it sets a higher standard for the consent required to send marketing messages electronically.
See the Information Commissioner's Direct Marketing guidance for more details.
Can I use personal data held by the University to send marketing messages?
Yes, as long as you comply with the Data Protection Principles and PECR. In practice this means:
- making sure the marketing activity is included in the University’s privacy notices (see the Providing Privacy Information tab above)
- only using contact details obtained by the University for related purposes
- making sure the personal data is accurate and up-to-date
- giving individuals the right to prevent direct marketing, usually by providing an opt out.
Do I need consent from the individual before sending marketing messages?
Consent is required before sending unsolicited direct marketing texts, emails or faxes, or for making calls to a number registered with the Telephone Preference Service (TPS). The University must keep a clear record of what an individual has consented to receive, and when and how consent was obtained. Providing an opt-out box is not sufficient evidence to demonstrate consent.
The Information Commissioner has issued guidance on obtaining and recording consent.
You do not need consent for:
- sending marketing material that has been specifically requested
- making marketing calls to telephone numbers not registered with the TPS
- commercial marketing of similar products to existing customers (‘soft opt in’)
- business-to-business texts and emails
- sending marketing material by post
Can I rely on consent gathered before GDPR to continue sending marketing messages?
You do not need to seek consent again from existing contacts, as long as the consent records you have meet the GDPR standard. The Information Commissioner’s consent checklist can assist in deciding what action you may need to take.
Anonymised data
Information from which no individual can be identified.
Biometric data
Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a person, which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.
Consent
Any freely-given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of his or her personal data.
Criminal offence data
Personal data relating to criminal convictions and offences, or related security measures.
Data breach
See Personal data breach.
Data concerning health
Personal data related to the physical or mental health of a person, including the provision of health services, which reveal information about his or her health status.
Data controller
A person, public authority or body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor
A person, public authority or body which processes personal data on behalf of the data controller.
Data sharing
The disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation.
Data sharing agreement
A document that sets out a common set of rules to be adopted by organisations involved in a data sharing operation.
Data subject
The identified or identifiable living individual to whom personal data relates.
Direct marketing
The communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
DPA 1998
The Data Protection Act 1998. Superseded by the GDPR and the DPA 2018.
DPA 2018
The Data Protection Act 2018.
DPIA
Data protection impact assessment.
DPO
Data Protection Officer.
Filing system
Any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.
GDPR
The General Data Protection Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Genetic data
Personal data relating to the inherited or acquired genetic characteristics of a person which give unique information about the physiology or the health of that person and which result, in particular, from an analysis of a biological sample from the person in question.
ICO
Information Commissioner’s Office. The regulator for data protection legislation in the United Kingdom. www.ico.org.uk
Identifiable person
A person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Information society services
A service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. See Directive (EU) 2015/1535 for an indicative list of services excluded from this definition.
PECR
The Privacy & Electronic Communications (EC Directive) Regulations 2003, as amended up to 2016.
Personal data
Any information relating to an identified or identifiable living person.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Processing
Any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to that person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement.
Pseudonymisation
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable person.
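The definition above turns on the "additional information" being held apart from the dataset. As an added example (not the University's own code or any tool it uses), the following Python shows one common way to do this for a research dataset: the direct identifier is replaced by a keyed HMAC token, the key is the additional information that must be stored separately under access control, and only the key holder can find a known participant's rows. The records, email addresses and field names are constructed for the example. It also shows why an unkeyed hash is not adequate pseudonymisation: email addresses are guessable, so plain hashes can be reversed from a candidate list.

```python
"""Pseudonymisation with a separately held key (added example, not University code).

The identifying column (an email address in the constructed sample below) is
replaced by a keyed HMAC token. The key is the "additional information" in the
glossary definition: keep it in a separate store with restricted access, so
that whoever holds only the pseudonymised dataset cannot attribute a row to a
person, while the controller holding the key can still locate a known
individual's rows (for example, to act on an objection or an erasure request).
"""
import hashlib
import hmac
import secrets

# Constructed sample records; names, addresses and fields are invented.
PARTICIPANTS = [
    {"email": "alice@example.org", "age_band": "18-24", "score": 71},
    {"email": "bob@example.org", "age_band": "25-34", "score": 58},
    {"email": "Alice@Example.org", "age_band": "18-24", "score": 74},
]


def generate_key() -> bytes:
    """Fresh 256-bit key. Store it apart from the data, never alongside it."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed token for one identifier. Normalised first so the same person
    always receives the same token regardless of case or stray spaces."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records: list[dict], key: bytes, id_field: str = "email") -> list[dict]:
    """Return a copy of the records with the direct identifier replaced by a token."""
    out = []
    for record in records:
        row = {k: v for k, v in record.items() if k != id_field}
        row["participant_id"] = pseudonym(record[id_field], key)
        out.append(row)
    return out


def lookup(pseudonymised: list[dict], identifier: str, key: bytes) -> list[dict]:
    """Re-identification path available only to the key holder: recompute the
    token for a known person and select their rows."""
    token = pseudonym(identifier, key)
    return [r for r in pseudonymised if r["participant_id"] == token]


def unkeyed_token(identifier: str) -> str:
    """The weak alternative: a plain hash with no secret key."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def dictionary_attack(tokens: set[str], candidates: list[str]) -> dict[str, str]:
    """Why the key matters: anyone holding unkeyed tokens can hash a list of
    guessed addresses and match them. Returns token -> recovered identifier."""
    found = {}
    for candidate in candidates:
        token = unkeyed_token(candidate)
        if token in tokens:
            found[token] = candidate.strip().lower()
    return found


if __name__ == "__main__":
    key = generate_key()
    data = pseudonymise(PARTICIPANTS, key)
    print(data)
    print(lookup(data, "alice@example.org", key))
```

The token is deterministic per key, which is what allows the two rows for the same participant to be linked and later retrieved; if linkage across rows is not needed, a random per-record token with a separately stored mapping table is a stronger choice. Either way, the security of the arrangement rests on the key or mapping table being kept apart from the dataset, which is the organisational measure the definition requires.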
Scottish public authority
An organisation in Scotland as defined by the Freedom of Information (Scotland) Act 2002.
Sensitive personal data
Personal data consisting of information relating to the data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or sexual life; offences committed or allegedly committed by the data subject, or proceedings for any offence.
Replaced under GDPR by ‘Special categories of personal data’.
Special categories of personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data when processed to identify a person; or data concerning a person’s health, sex life or sexual orientation.
TPS
Telephone Preference Service.