The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 determine how personal data should be handled. If information is collected for any reason other than personal, family or household purposes, the legislation needs to be complied with.
The University Data Protection Policy provides guidance on your responsibilities under the legislation, and the Guidance on University information security policies and practices provides more detail on the importance of security in keeping personal data safe.
More guidance on data protection is below. Specialist terms used are defined in the Glossary tab below.
- What is UK GDPR?
UK GDPR is the legislation which, along with the Data Protection Act 2018, governs how personal data should be processed in the UK. UK GDPR is currently in line with EU GDPR; however, it is possible that over time UK GDPR might diverge from the European legislation.
The 7 Data Protection Principles are central to the legislation and offer guidance on what actions are appropriate when it comes to personal data. Please see the Data Protection Principles tab below for more information.
UK GDPR provides protections and a number of rights for individuals, as well as significant privacy obligations for organisations such as the University. Individuals are provided with more information about how their data is being handled and are given the ability to request access to their information, to object to processing and to request deletion.
- What is personal data?
Information about a living individual, which allows you to identify who they are either from that information alone or that plus other available information. This is the short answer.
The definition from the Information Commissioner (ICO) is a little longer:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
When you are processing information and you are trying to judge whether it is personal data, here are some key things to remember:
- Deceased persons do not have data protection rights, so data solely identifying them cannot be personal data.
- Truly anonymous information is not personal data because you cannot identify anyone from it.
- Information which is abstract but does not allow for identification of the person it relates to is not personal data.
- Information about a company is not personal data, it has to relate to a ‘natural person’ i.e. a living individual.
- Personal data has to be information that relates to an individual, who can be identified or is identifiable directly or indirectly from one or more identifiers or factors specific to the individual.
If you cannot decide whether the data you are processing is personal data, please contact the Information Governance team at firstname.lastname@example.org to discuss.
Is pseudonymised data still personal data?
Pseudonymisation is where personal data is processed in such a manner that the subject of the data can no longer be identified. This is due to a technique that replaces or removes information in a data set that identifies an individual.
However, pseudonymisation is effectively only a security measure. It does not change the status of the data as personal data.
What is identifiability?
If you can distinguish an individual from other individuals, then that person is ‘identified’ or is ‘identifiable’. Often an individual’s name with some other information is enough to identify them.
A person’s name is a common means of identifying someone. But whether it actually does will depend on the context. A name, on its own might not identify you, especially where it is a common name such as ‘John Smith’. But if the name is combined with other information such as a place of work, telephone number or address, the person may become identifiable.
The UK GDPR makes it clear that other factors can identify an individual. These include:
“…one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
These sorts of characteristics can help to uniquely identify an individual as they tell you something about them.
What are online identifiers?
The UK GDPR provides a non-exhaustive list of elements which may be personal data:
- internet protocol (IP) addresses;
- cookie identifiers; and
- other identifiers such as radio frequency identification (RFID) tags.
- MAC addresses;
- advertising IDs;
- pixel tags;
- account handles; and
- device fingerprints.
You must consider whether online identifiers, on their own or with other information, may be used to distinguish one user from another.
- Special Categories of Personal Data
This is a distinct sub-set of personal data, which includes personal data which reveals:
- racial or ethnic origin;
- religious or philosophical beliefs;
- trade union membership;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
It does not include personal data about criminal allegations, proceedings or convictions. There are separate rules which apply to criminal offence data.
If you are processing special category data, there is a greater chance that you may need to undertake a Data Protection Impact Assessment (DPIA) and you should read our guidance and consult with the Information Governance Team to get further advice.
- Data Protection Principles
The principles set the standards that must be met when processing personal data. The principles lie at the heart of the legislation. There are exemptions from some of the requirements in certain circumstances. Using personal data in research and disclosure in legal proceedings are examples of circumstances when an exemption may apply.
Advice on the operation of the exemptions should be sought from the Data Protection Officer.
The University is responsible for and shall be able to demonstrate compliance with the following principles when processing personal data.
Principle 1 - Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Principle 2 - Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Principle 3 - Data minimisation
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Principle 4 - Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle 5 - Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle 6 - Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Principle 7 - Accountability
The University shall be responsible for, and be able to demonstrate compliance with, the UK GDPR.
The University must comply with these principles when processing personal data.
- Data Sharing
Sharing data can make life easier, but only when it is done correctly, both in terms of the information being shared and the reasons for which it is being shared. Along with considering whether the data sharing achieves a benefit and is necessary, you must consider your overall compliance with data protection legislation.
Data sharing should be done in a manner where it is: accountable, lawful, fair, and secure.
If you are unsure of this, a Data Protection Impact Assessment (DPIA) is a helpful tool to assess any risks in proposed data sharing. It allows you to assess the risks that exist and to make a judgement as to whether the data sharing will be fair, lawful and transparent. This also means that those decisions are documented.
Accountable: The University and all staff are responsible for compliance with data protection legislation, and we must be able to demonstrate this compliance.
The personal data that you process will differ depending on your specific role and it could include data about students, suppliers and staff as well as others.
You also need to demonstrate accountability. This means assessing the risks you create, taking appropriate action to mitigate and minimise them, and being able to show your compliance.
To help enable this, it is good practice to document your decisions and where appropriate, have a data sharing agreement in place. Ultimately, we should be open about how we process personal data, to ensure that data subjects can hold us to account where we may not have processed their data correctly.
Lawful: You must identify which lawful basis you are relying on. This will vary depending on the reason you want or need to share the personal data. Please see our Staffnet page on Lawful Basis for more information.
You’ll need to document this and be clear about what lawful basis is being used. This information can be included in your Privacy Notice. If you put these measures in place, individuals should be able to reasonably anticipate how you will process their data, and this should not be a surprise to them.
Fair: Personal data of individuals should not be used in a manner they would not expect. If a privacy notice is in place and you have acted within the realms of what could reasonably be expected, then it is likely that your actions are fair. If, for example, you have received personal data from another source and this is not included in your privacy notice, or you are using the data for a different purpose, then it is not likely to be fair.
Secure: When sharing personal data, this should always be done securely. The exact measures you take should be tailored to the specific instance of sharing, taking into account the sensitivity of the data and the likely impact on the data subjects should the information be intercepted. If sharing is being done across the same institution, the risk is lessened given that the sharing is happening across the same network. However, the information could still be at risk if it is sent to an incorrect recipient. It may still be advisable in this instance to use a secure email transfer service where the file(s) are protected by a password. Please take a look at our Guidance on ZendTo for more details.
Data Sharing Agreements
Sometimes when sharing is done regularly, it is useful to document this in an agreement which all Controllers sign up to. This allows for clarity on the sharing, in terms of who is involved, their role, what is shared with whom and when this should happen. Although not a legal requirement, it is especially useful where you are a Joint Controller with another party, as this allows for a transparent agreement to be in place, which ensures that the responsibilities of Controllers are clear.
The list below acts as a guide on what should be within the agreement.
- When do I need a data sharing agreement?
It is helpful to have one when you are sharing personal data on a routine basis with specific parties. For example, if the Police, a local authority and a University are working on a joint project, where they are all using the data gathered for their own purposes and all need to share personal data with each other.
What should be in a data sharing agreement
- Who are the parties to the agreement?
- The agreement should state who the controllers are at every stage.
- What is the purpose of the data sharing initiative? Including:
the specific aims;
why the data sharing is necessary to achieve them; and
the benefits that will be brought to individuals.
This should all be documented in the agreement so that all parties are clear about the purposes for which they may share or use the data.
- Which other organisations will be involved in the data sharing?
- Each organisation should be listed along with contact details.
- Are we sharing data along with another controller?
- What data items are we going to share?
- Specific detail of exactly what is to be shared should be listed.
- What is our lawful basis for sharing? This needs to be clearly explained. The lawful basis for one organisation in the agreement might be different from that of the others.
If consent is the lawful basis for disclosure, then your agreement should provide a model consent form. There should also be details of how data subjects can withdraw consent and the process for this.
- Is there special category, sensitive or criminal offence data?
This should be documented, along with the lawful basis for processing such data under Article 9 of UK GDPR and Data Protection Act 2018.
There should be a procedure for compliance with individual rights. This includes the right of access to information as well as the right to object, to rectification and erasure. It should be clear in the agreement that all controllers have responsibility for compliance, even if one controller will actually respond to these requests.
Further guidance is provided by the Information Commissioner (ICO) in their Data Sharing Information Hub.
Can I share personal data with the police or other law enforcement authorities?
Yes – if they can demonstrate that it is necessary for the prevention and detection of crime or to protect the vital interests of an individual.
Can I share data in an emergency?
Yes – as above, if it is necessary to protect the vital interests of an individual. But this must be clear, and it should not be relied on where there is no genuine concern for the welfare of an individual.
Can I share personal data freely within the University?
It depends. You must always be able to show that the sharing was necessary, as Data Protection law states that data minimisation should occur at all times and should be part of our design, in order to limit the amount of personal data that has to be shared and with whom. This does not stop you from doing your job and sharing when necessary, but you should stop and think about it and try to minimise the sharing where possible.
When can I share personal data with a third party?
Consider whether the data subject would expect their data to be shared and what the lawful basis for sharing is and also whether it is necessary to share to achieve the desired outcome. If the information was collected for one purpose and you wish to share it for another, this will require consideration as to whether this is reasonable and compatible with the original purpose.
What is the difference between a Controller and a Processor?
A controller is the person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A processor means a person, public authority, agency or other body which processes personal data on behalf of the controller. The details of the instructions will form part of a contract and/or a data processing agreement.
What is a Joint Controller?
Where two or more controllers jointly determine the purposes and means of processing personal data. They must jointly decide, in a transparent manner, their specific responsibilities to comply with Data Protection legislation, with specific regard to the exercising of the rights of the data subject and their respective duties to provide privacy information.
What is the difference between a Data Processing Agreement and a Data Sharing Agreement?
A Data Sharing Agreement is set up where sharing takes place between Controllers, whereas a Data Processing Agreement is where the University is sharing information with a Processor (see above definition) who we have contracted to undertake work for us and will be bound by contractual terms only to undertake work as instructed.
If you have any queries about data sharing, please contact the Information Governance Team at email@example.com
- Reporting a Data Breach
What is a personal data breach?
The definition of a personal data breach provided by the Information Commissioner’s Office (ICO) is: “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
Examples of a data breach are when:
- any personal data is lost, destroyed, corrupted or disclosed unlawfully
- someone accesses personal data and passes it on without proper authorisation
- personal data is made unavailable, and this has a significant negative effect on individuals
Data breaches can be the result of both accidental and deliberate causes, and they can involve information that is electronic, on paper or in any other format. Common examples of personal data breaches include:
- sending personal data to the wrong recipient
- laptops and memory sticks being lost or stolen
- corruption or loss of data during migration between systems
A personal data breach goes further than just the loss of data. It needs to be considered more widely as a security incident that has affected the confidentiality, integrity or availability of personal data.
Whenever any personal data is lost, destroyed, corrupted or inappropriately disclosed, this will constitute a personal data breach.
All personal data breaches must be reported to the Information Governance Team as soon as possible.
Even where the breach does not need to be reported to the Information Commissioner, a record must be retained. We are required to do so, and we may be asked to provide this to the Information Commissioner on request.
Some breaches need to be reported to the Information Commissioner’s Office (ICO). Where this is the case, the report must be made within 72 hours of the breach being detected.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay.
If such a breach is not reported when required, we could face a fine of up to £8.5 million or 2% of our annual turnover. As well as a fine, the ICO can take other corrective measures available to it under Article 58 of UK GDPR.
It is vital that all staff report a personal data breach, however minor, promptly after discovery.
They can be reported to the Data Protection Officer, or via the IT Service Desk, if the breach is part of an IT support request.
You can also call the Information Governance Team if you wish to discuss a breach or whether an incident is a personal data breach on 01224 27(3175), 27(3079).
For urgent breaches that occur out of hours, contact the out-of-hours helpline via the IT Service Desk extension number, 3636.
What do I need to include in my notification?
The Data Protection Officer or security incident team will need some basic information to assess the incident. Include brief details in answer to the following questions. If you cannot provide all the answers, do not delay in reporting the incident.
- What has happened to the data? Has it been stolen, or lost, or disclosed, or damaged?
- Was the data protected, such as by encryption or password protocols?
- What type of personal data is involved? Is the data sensitive or private?
- Whose data has been breached? Does it relate to students, staff, research participants etc?
- How many individuals’ data are involved?
Do I need to tell the individuals affected by the breach or the Information Commissioner?
No. External reporting will be co-ordinated by the response team.
Will I be penalised for reporting a data breach or security incident?
No. The University encourages all staff to report actual or potential breaches.
A supplier or data sharing partner has notified me about a breach involving University data. What should I do?
Report the breach to the Data Protection Officer, along with details of your contact in the supplier or partner organisation.
You can pass the contact details of the Data Protection Officer to the supplier or partner to give them a point of contact for any joint investigation.
- Data Protection Impact Assessments (DPIAs)
A data protection impact assessment (DPIA) must be carried out before embarking on high risk processing of personal data.
An impact assessment is a process to help identify and minimise the privacy risks involved in a project or initiative. Under UK GDPR, DPIAs are mandatory where our data processing may result in a high privacy risk to individuals. The DPIA must be completed before any processing begins.
The assessment should be integrated into the planning and implementation stages of a project, and should be initiated and conducted by the project team. It is a requirement that the DPIA is documented and that the Data Protection Officer (DPO) is involved in the assessment.
When should an impact assessment be carried out?
A DPIA must be undertaken if you plan to do any of the following:
- use systematic and extensive profiling with significant effects on individuals
- process special category or criminal offence data on a large scale
- systematically monitor publicly-accessible places on a large scale
- use profiling or special category data to decide on access to services, opportunities or benefits
- profile individuals on a large scale
- match data or combine datasets from different sources
- profile children or target marketing or online services at them
- process data that might endanger the individual’s physical health or safety in the event of a security breach
A DPIA is also required if you plan to do one of the following activities:
- use new technologies to process personal data or apply existing technologies in a novel way that also involves one of the additional criteria (below)
- process biometric data in a way that also involves one of the additional criteria (below)
- process genetic data other than in the provision of health care in a way that also involves one of the additional criteria (below)
- collect personal data from a source other than the individual without providing them with a privacy notice (an additional criterion (below) must also be met)
- track individuals’ online or offline location or behaviour (an additional criterion (below) must also be met)
The additional criteria are:
- Evaluation or scoring of an individual’s performance, economic situation, health, preferences, interests, behaviour, location or movements
- Automated decision-making about individuals with legal or similar significant effect on them
- Systematic monitoring to observe, monitor or control individuals
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets collated for different purposes or by different controllers
- Data concerning vulnerable data subjects, such as children, employees, physically or mentally ill persons
- Innovative use or applying new technological or organisational solutions
- Preventing data subjects from exercising a right or using a service or contract
Please refer to the Glossary for definitions of key terms described below.
The Information Commissioner has published guidance that explains these categories in more detail.
There are some limited exceptions from the obligation to undertake a DPIA. If you think an exception applies to your project, consult the DPO.
How should a DPIA be carried out?
The process involves seven main stages:
- identify the need for a DPIA
- describe the processing that is proposed
- consider who needs to be consulted
- assess necessity and proportionality
- identify and assess privacy risks
- identify measures to mitigate the privacy risks
- sign off and record outcomes
The actions you have decided to take forward can then be integrated into your project plan.
This template can be used to guide you through the steps and to document the assessment.
The Information Commissioner has published helpful guidance on each of these steps.
When should I involve the DPO?
As soon as possible. The DPIA must be sent to the DPO at Step 7 in the process for comment on whether the assessment has been conducted properly. Early engagement with the DPO will ensure this step proceeds smoothly. The DPO can assist from the outset with the decision whether to carry out a DPIA (Stage 1), and is best placed to advise on the UK GDPR compliance assessment (Stage 4).
Do I need to consult with anyone else?
The views of individuals who may be affected by the proposal should be taken into account, unless there is a good reason not to do so. Consultation time should be factored in to your project plan.
If the assessment concludes there is a high risk to individuals that cannot be reduced, the decision whether to proceed must be referred to the Information Commissioner.
What if I later change how the personal data is processed?
If you have already conducted a DPIA, but you later change how you process the personal data, you need to undertake a Mini-DPIA. This is a shorter and more focussed version of a DPIA that examines the changes and how they affect the risks to individuals. The template form can be found here. As with any other DPIA, you should involve the Information Governance Team at an early stage by contacting firstname.lastname@example.org
- Data Subject Rights
The UK General Data Protection Regulation (UK GDPR) introduced new rights for data subjects, as well as amending and augmenting some of the rights which existed under the previous legislative regime.
The sections below provide more details on these rights.
If you have questions about these rights, please email the Information Governance Team at email@example.com or telephone 01224 273175.
Right to be informed
Articles 13 – 14 of the UK General Data Protection Regulation (UK GDPR)
The GDPR is specific about the information that needs to be provided to people about what is done with their personal data.
Organisations must actively provide this information to people in a way that is easy to access, read and understand. This specific and direct approach goes further than the requirements under the previous legislation.
The GDPR lays out what individuals should be told about when we collect and use their personal data.
How the information should be provided
- In an intelligible form
- Easily accessible
- In clear and plain language.
It should include:
- Why your personal data is being used
- Where the data was received from
- The categories of personal data obtained (if received from another source)
- What type(s) of data is being used
- How long it is being kept for
- The lawful basis for the processing
- Who your data is shared with and what is shared
- If the information is being transferred to third parties, who it is being shared with, the reasons for the transfer and what will be done with the data
- The information rights available to individuals
- If the personal data is being used for automated decision-making, such as profiling
- The name and contact details of the organisation and data protection officer
- The legitimate interests for the processing (if applicable)
- Your right to withdraw consent, if applicable
- Your right to complain to the Information Commissioner’s Office (ICO)
- Whether you are under a statutory or contractual obligation to provide the personal data
All the above is classed as your privacy information. This should be provided within the privacy notice you are directed to when data is collected. If the data is received from another source, their contact details should be provided within one month. This may be done in the form of a privacy notice.
The principle of transparency runs through GDPR and providing individuals with this information is a key part of the principle.
Right of access
Article 15 of the UK General Data Protection Regulation (UK GDPR)
The right of access, often referred to as ‘subject access’, gives individuals the right to receive a copy of their personal data as well as other information about how and why their data is being used.
Key things to know about making such requests:
- People have the right to access their personal data.
- They can make a request verbally or in writing.
- Organisations are given one month to respond to a request, with the possibility of an extension of two months in cases of complex or multiple requests.
- No fee can generally be charged for dealing with such a request; a fee would only be levied in exceptional circumstances.
- Verification of the requestor's identity may need to take place.
- Such requests are dealt with by the Information Governance Team (firstname.lastname@example.org) and they should be made aware of such requests as soon as is possible.
What are people entitled to?
- confirmation that their personal data is being processed;
- a copy of their personal data;
- the other information that should be provided will likely be covered by the contents of the relevant privacy notice, which people can be directed to. More information is on the Right to be informed tab above.
- Individuals are entitled to their own personal data, but not information about other people, unless they are either acting on their behalf or it is seen to be reasonable to do so.
- It can sometimes be difficult to determine whether information is personal data or not but there is more guidance available - what is personal data.
How to recognise a request
An individual can make a subject access request verbally or in writing. It does not need to be made in any specific format and we do not use a form for making such requests. It is good practice to keep a written record of a verbal request to ensure an audit trail.
A request can be made to any member of staff or department in the University. It does not have to be made to the Information Governance Team for it to be a valid request.
The request does not have to quote GDPR or use the term ‘Subject Access Request’ to be valid.
If any requests are received, the staff member should record the details and pass them on to the Information Governance Team at email@example.com as soon as possible.
How should a response be provided?
If the request is made electronically, the information should be provided in a commonly used electronic format, unless the individual requests otherwise.
The wishes of the requestor in terms of how they wish to receive the data should be respected, where possible.
Can the information be updated or changed once a request is made?
It is not acceptable to amend or delete the data if this would not have otherwise been the case. Under the Data Protection Act 2018 (DPA 2018), it is an offence to make any amendment with the intention of preventing its disclosure.
If, however, the routine use of the data results in it being amended or even deleted while you are dealing with the request, it would be reasonable to supply the information you hold when you send out a response.
What if someone makes a request on behalf of someone else?
This is permitted under the UK GDPR, and sometimes it will be a solicitor acting on behalf of a client, but often it is a friend or family member. In such cases, we need to be sure that the third party making the request is entitled to act for the data subject and it is the third party’s obligation to provide evidence of this. It could be a communication authorising this, or something more formal, such as Power of Attorney.
What happens if the requested data includes information about others?
The Data Protection Act 2018 says that it is not necessary to comply with a request where it would mean disclosing information about another individual who can be identified from that information, except if:
- the other individual has given consent; or
- it is reasonable to comply with the request without their consent
Can a request be refused?
Where the request is manifestly unfounded, excessive or repetitive it may be reasonable to refuse the request or to charge a reasonable fee.
In both cases the decision needs to be justified.
Can an individual be forced to make a subject access request?
Under the Data Protection Act 2018 it is a criminal offence, in certain circumstances and regarding certain information, to require an individual to make such a request.
Right to rectification
Article 16 of the UK General Data Protection Regulation (UK GDPR)
The GDPR includes a right for individuals to have inaccurate data rectified or completed (if it is incomplete).
- Such requests can be made verbally or in writing.
- As with access requests, verbal requests should be recorded to ensure there is an audit trail.
- Such a request can be made to anyone or any department in the University and on receipt the Information Governance Team should be made aware.
- The timescale for response is one month. The timescale can be extended by two months where the request is complex or there are multiple requests from the same individual.
- In some circumstances the request for rectification can be refused.
- This right is closely linked to the obligations under the accuracy principle of the GDPR (Article 5(1)(d)).
How to recognise a request?
There is no specific way in which data subjects must make such a request and it can be done either verbally or in writing. The request can be made to any member of staff in any department and they must tell the Information Governance team as soon as possible at firstname.lastname@example.org
What needs to be done to address a request for rectification?
Steps should be taken to ascertain whether the data is accurate and, if not, to rectify the data. As part of this process, it is important to take into account the comments and evidence provided by the data subject.
Which steps can be taken, and are reasonable to take, will depend on the nature of the personal data and what it is, and will be, used for.
The more important it is that the personal data is accurate, the greater the effort that should be put into checking its accuracy and, if necessary, rectifying it. An example is personal data that will be used to make significant decisions.
When is data inaccurate?
The Data Protection Act 2018 states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
What should be done about data that records a mistake?
Ascertaining whether personal data is inaccurate is more complicated where the data refers to a mistake that has now been resolved. It can be argued that the record of the mistake is accurate and therefore should be retained.
In such circumstances it may be more helpful to provide a record clarifying that a mistake was made, describing this and clearly stating the remedy which has taken place. This means that the mistake is correctly recorded, but also the fact that it had been fixed.
What about a disputed opinion?
It is complex if the data in question records an opinion. Opinions are, by their very nature, subjective, and it can be difficult to conclude whether the record is inaccurate. As long as the record clearly shows that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified.
It can sometimes be appropriate to add a note to the record to indicate that the data subject does not agree with the stated opinion and the reasons for their disagreement.
What should be done while considering the accuracy?
The data subject is entitled to request restriction of the processing of the disputed data where they contest its accuracy.
It is good practice to restrict the processing whilst we are determining whether rectification should take place, even if the data subject has not requested this.
What if it is thought that the data is accurate?
The data subject should be advised that the personal data will not be amended and the reasons why we do not think that the data is inaccurate. The data subject would also be informed that they have the right to make a complaint to the Information Commissioner (ICO).
Can a request for rectification be refused?
Yes, and in some circumstances it may be appropriate to request a reasonable fee before dealing with it.
In either case the data subject must be made aware and the decision justified. They must also be advised of their right to make a complaint to the Information Commissioner (ICO).
Do other organisations need to be told if personal data is rectified?
If personal data has been disclosed to others, they must be contacted to tell them of the rectification or completion of the personal data. This is unless this proves impossible or involves disproportionate effort.
Right to erasure and restriction
Articles 17 and 18 of the UK General Data Protection Regulation (UK GDPR)
- Gives the right to request the deletion or removal of personal data.
- Gives the right to request to ‘block’ or restrict processing of personal data.
The overarching principle to this right is to allow data subjects to request the deletion or removal of their personal data where there is no compelling reason for its continued processing.
There is also the right to request the restriction of the processing of your personal data. In such cases it may be permitted that the data continues to be stored, but not further processed. Just enough information would be retained to ensure that the restriction is respected in future. Restriction could involve transferring data to a separate system or limiting the access through access controls.
What needs to be considered when dealing with an erasure request?
The personal data must be erased without undue delay if:
- the processing of the personal data infringes on the data protection principles;
- we do not meet safeguards for archiving and processing of special category data; or
- we have a legal obligation to erase the data.
How to recognise a request
Requests can be made verbally or in writing to any member of the University in any department. Those receiving the request must tell the Information Governance team at email@example.com as soon as is possible.
If there are any doubts about the identity of the individual, a request for identification to establish identity can be made.
How long is given to comply?
A response should be provided within one month, but without undue delay. This timeframe can be extended by two months if the request is complex or there are multiple requests.
What needs to be done to comply with requests for erasure or restriction?
Handling of such a request should be reasonable and proportionate, taking into consideration the nature of the personal data held and the relationship with the individual.
If the personal data in question has been disclosed to third parties, the third party must be informed about the erasure or restriction of the personal data. The third parties will also have to erase or restrict the personal data they hold.
If the decision is that the data will not be erased or rectified, the requestor should be informed of their right to raise a complaint with the Information Commissioner (ICO) or take the matter to court.
What if the request is manifestly unfounded or excessive?
If requests are manifestly unfounded or excessive, in particular because they are repetitive, we can:
- charge a reasonable fee or refuse to respond
In such circumstances, it must be demonstrated why a request is manifestly unfounded or excessive.
Right to portability
Article 20 of the UK General Data Protection Regulation (UK GDPR)
There is the right to receive personal data in a way that is accessible and machine-readable, for example as a csv file.
- This is known as the right to data portability.
- What kind of data this right relates to. This right only applies to data that:
- is held electronically, and that you have provided
Data you have provided does not just mean information you have inputted but can also capture data gathered from monitoring activities when you have used a device or service.
How to ask for your data
- make a request and be specific about what you want
A request can be made verbally or in writing.
When to make a portability request
You can make a portability request at any time to any organisation that:
- relies on your consent to use your personal data, or
- uses your data as part of a contract you have with them.
What to do if you are dissatisfied with the outcome of a portability request?
You should first complain to the organisation and if you remain dissatisfied you can make a complaint to the Information Commissioner (ICO).
What can you expect to receive?
- A copy of the requested data in a commonly used and machine-readable format.
- You may need to confirm your identity and then the information will be sent to you.
- Your data may not automatically be deleted, so you may need to exercise your right to erasure in addition to portability.
When can your request be rejected?
If the request is “manifestly unfounded or excessive”.
In these circumstances:
- a reasonable fee can be requested, or
- the request can be refused
In reaching this decision, we can take into account whether the request is repetitive. In either case we will tell you and provide justification of our decision.
How long is given to answer the request?
One month. In some circumstances more time may be needed to consider the request and it is possible to take an extra two months. You must be made aware if more time is needed and why.
Right to object
Article 21 of the UK General Data Protection Regulation (UK GDPR)
- The GDPR gives a right to object to the processing of personal data in certain circumstances.
- There is an absolute right to stop personal data being used for direct marketing.
- In other cases where the right to object applies, personal data may continue to be processed if it can be demonstrated there is a compelling reason for doing so.
- Data subjects must be told about the right to object.
- A request does not have to include the phrase 'objection to processing' or Article 21 of the GDPR to be valid.
- Objections can be made verbally or in writing. They can be made to any part of the University and to any member of staff.
- If required to verify identity, a data subject can be asked to provide copies of identification documents.
- A response to an objection should be provided within one month. The time for response can be extended by a further 2 months, but this needs to be explained and the reasons justified.
What is the right to object?
Article 21 of the GDPR gives the right to object to the processing of personal data.
The right to object only applies in certain circumstances. Whether it applies depends on the purposes for processing and the lawful basis for processing.
When does the right to object apply?
There is an absolute right to object to the processing of your personal data if it is for direct marketing purposes.
An objection to processing can be made if the processing is for:
- a task carried out in the public interest
- the exercise of official authority
- legitimate interests
In these circumstances the right to object is not absolute.
If the processing of data is for scientific or historical research, or statistical purposes, the right to object is more limited.
Specific reasons must be given for the objection to the processing of the data and these must be based upon the specific situation.
Processing can continue if:
- it can be demonstrated that there are compelling legitimate grounds for the processing, which override your stated interests and your rights and freedoms; or
- the processing is for the establishment, exercise or defence of legal claims.
If the decision is that there is no requirement to stop processing the personal data, you must be made aware of this, given an explanation of why, and told of your right to complain to the Information Commissioner (ICO).
Where personal data is being processed for scientific or historical research, or statistical purposes, the right to object is more restricted.
If the data is being processed for these purposes and there are appropriate safeguards in place (eg data minimisation and pseudonymisation where possible) you only have the right to object if the lawful basis for processing is:
- public task (on the basis that it is necessary for the exercise of official authority vested in the organisation), or
- legitimate interests.
There is no right to object if the lawful basis for processing is public task because it is necessary for the performance of a task carried out in the public interest.
Does personal data always need to be erased to comply with an objection?
Erasure may not be appropriate if the data is processed for other purposes and the data needs to be retained for those purposes.
Can a request be refused for other reasons?
Yes, where it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If the objection is considered manifestly unfounded or excessive then:
- a "reasonable fee" to deal with it can be requested; or
- the request can be refused.
The reason must be justified on both occasions.
- Providing Privacy Information
Explaining clearly to people how the University handles their personal data is a key obligation under data protection.
Students, research participants, staff, visitors to the University and other people whose data we hold and use should know what happens to their information. We need to explain what information we collect, why, how it will be used and protected, when it will be destroyed and with whom it will be shared.
The UK GDPR sets out a detailed specification for the privacy information we need to provide, and when we are required to inform people.
The term ‘privacy notice’ is used as a shorthand to describe this privacy information. In practice the University uses a blended approach, providing information to people at key interaction points, such as student registration, staff recruitment, research participation and website browsing. To meet UK GDPR requirements, there has to be greater co-ordination and publication of privacy information on the University website.
Is a privacy notice the same as a consent form?
No. The purpose of a privacy notice is to inform individuals about the way their personal information will be used. It does not need to be signed by the people affected. The purpose of a consent form is to gain the individual’s approval to collect and use their personal information. There are some details that would be included on both a privacy notice and a consent form, such as the purpose for processing data and any sharing arrangements. They do not fulfil the same function however.
Do I need to add privacy information to the forms I use to collect personal data?
Not at this stage. The University is taking a layered approach to providing privacy information. This means that mandatory information that is common across the University, such as the contact details of the Data Protection Officer and the range of individual rights, will be provided on the website.
It will be important to reference that overarching privacy information when we collect or receive personal data, and to provide any outstanding details that are not in the common privacy notice. Once we have established the approach to providing privacy information on the website, the next step will involve reviewing and aligning the forms we use to gather personal data.
Updates will be published here and circulated to key contacts.
Where can I find privacy information on the University website?
Privacy information is currently available on various webpages. These include information for:
- GDPR and Brexit
Does GDPR still apply now that the UK has left the EU?
The answer is Yes, as the GDPR has been written into UK law, and is known as UK GDPR. It sits alongside the Data Protection Act 2018.
The rights and obligations remain the same, as UK GDPR does not currently diverge from EU GDPR.
On 28 June 2021, the European Commission confirmed the adequacy of the UK’s data protection arrangements (other than for immigration control) for a period of four years. This means that transfer of personal data to the UK from the EU can continue without additional safeguards being put into place.
The approval is conditional on the UK maintaining equivalent standards to EU GDPR and following the judgements of European courts.
As the UK Government has deemed countries within the EU to have adequate data protection arrangements, the transfer of personal data to the EU does not require additional safeguards to be put into place.
Please contact the Information Governance team at firstname.lastname@example.org if you have any questions.
- Supplier Assessment
The University must ensure personal data is protected by our suppliers and that our information is given the appropriate level of security. Third parties that process information on our behalf must be vetted and accountable to the University under a contract.
Whenever you are considering entering into a contract with a new supplier which will involve personal data or information that requires an assessment as to the security risk, then you need to undertake a Supplier Cyber and Data Assessment. This will include where the new supplier will be acting as a Processor for our data, and also where they may act as a Controller of the data and are using the data for their own purposes.
There are two processes for undertaking an assessment, either Standard or Enhanced assessments. Which one you undertake is entirely dependent on the total value of the contract.
Standard: Contracts with a total value (exc. VAT) of £10,000 or under must be assessed using the University’s Standard Cyber and Data Assessment.
Enhanced: Contracts with a total value of over £10,000 must follow the Enhanced process, which is the Scottish Government's Scottish Cyber Assessment tool.
This process requires the purchaser within the University to complete part 1 of the assessment. This involves providing the contact details of the relevant person to be contacted if there are any questions, what service is being purchased, what University activities will be supported by the purchase and also what University data is involved. A step-by-step guide on how to complete the assessment can be found on Toolkit.
This involves using the Scottish Cyber Security Procurement Support Tool. Firstly you need to download this from the Scottish Government website, and register to use it. Then you can work through the questions that you want the supplier to answer. A step-by-step guide on how to complete the assessment can be found on Toolkit.
Although different forms are completed for each process, they both involve the purchaser having some input on what is included in the form and sending onto the proposed supplier(s) for the completion of the remaining sections. Depending on what stage you are undertaking this process, you may only send the form to one supplier, or there could be multiple.
It is suggested that this process is done as early as is possible, to ensure there is adequate time for completion and also consideration of the responses provided by the supplier(s).
The responses will include the security afforded to the data, where the data will be stored, whether any sub-processors will be used and where they are based as well as the level of encryption provided and whether they would co-operate with us in the event of an incident or request.
This is not just a box-ticking exercise: real consideration is given to the answers provided. There can be occasions where more information is sought to ensure adequate assurances have been provided, and also occasions where suppliers are deemed unsuitable, which can mean a new supplier must be sought. Any final decisions on this would be taken by a relevant senior manager, such as a Head of School or a Director, based on the level of risk the University would be exposed to and what the appetite is.
Where the supplier is to act as a processor, i.e. they will be asked to undertake specific tasks and to use the data provided to them in a specific way, they will not have permission to use it for any other purpose. The specifics will be enshrined in a contract and the minimum terms of such a written contract are detailed under GDPR.
Separate guidance is provided on data sharing arrangements, which are subject to different requirements.
How do I know if an arrangement involves data sharing or data processing?
It is not always simple to decide whether an external organisation is a data sharing partner or a data processor. This will depend on how far the organisation determines what personal data will be collected, and how the data will be used. The Information Commissioner has produced guidance on this topic. Advice is also available from the Data Protection Officer.
How do I carry out a due diligence check on a potential supplier?
You should ask your supplier(s) to complete either the Standard or the Enhanced assessment. The completed assessment should be sent to email@example.com and it will then be allocated to the Information Security and Governance Teams for assessment, along with any draft data processing contract or agreement with the supplier that covers data protection or information security. The Data Protection Officer and IT Security Manager will respond with any risks you need to consider before signing the contract or sending data to the supplier.
What must be included in a data processing contract?
A data processing contract has two main sets of requirements:
- The particular processing arrangement. This includes what personal data is being processed, who the data subjects are, why and how the data will be processed and for how long.
- The obligations on the data processor. These include requirements to respect confidentiality, ensure security and assist the data controller to comply with data protection legislation. The GDPR sets out a detailed specification for these terms.
Further information is provided in the Information Commissioner’s guidance on contracts.
Contract templates are available from Procurement.
The Information Governance Team can also assist with the assessment of data processing contracts.
For any other question you may have, please contact either the Information Governance Team at firstname.lastname@example.org or the Information Security Manager, Gary Fisher email@example.com
- Transferring Data Abroad
International transfers of personal data require additional conditions to be in place.
Data protection legislation sets high standards for handling personal data in the UK and European Union. UK GDPR and EU GDPR seek to guarantee citizens have a similar level of protection if their data is transferred out of the UK and the EU by specifying additional conditions for international data transfers.
Personal data can move freely to and from countries whose data protection regimes are considered ‘adequate’ by the UK Government. These countries should meet requirements such as complying with the data protection principles, listing international transfers in privacy information provided to individuals, and ensuring data sharing or data processing arrangements are documented adequately.
Transfers to countries with no decision of adequacy can take place in two circumstances. Either there must be an agreement in place that meets specific standards, or one of a number of exemptions must apply. The operation of the exemptions is complex. Some exemptions, including consent, are not available to the University for international transfers for core teaching and research purposes.
If you think you may have cause to transfer personal data to a country which is not classed as ‘adequate’ you should read our International Data Transfer Framework Toolkit guide which can be found within the Guides section of the Information Governance Toolkit resource. This is a complex area, and you are not expected to undertake all of the requirements on your own. Please contact the Information Governance Team at firstname.lastname@example.org for guidance and assistance.
The Information Commissioner also has guidance on international transfers.
Which countries have been designated as ‘adequate’ for international transfers?
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, South Korea, Spain, Sweden, Iceland, Liechtenstein, Norway, Gibraltar, Japan and EU Institutions. Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. Commercial organisations in Canada.
For any other queries, please contact the Information Governance Team at email@example.com
- Academic Research and Data Protection
Academic research is subject to data protection legislation, but its importance is recognised in several exemptions.
The UK GDPR recognises the value of the contribution research makes to knowledge-based policy, to the quality of life of people and the efficiency of social services. The legislation provides a new, explicit legal basis for processing special category data (sensitive personal data) for research as long as safeguards are in place and allows EU member states to specify many of the exemptions that apply to the use of data for research purposes. The safeguards and exemptions that apply to organisations in the UK are within the Data Protection Act 2018.
The UK GDPR places an emphasis on the legal basis for processing personal data. The legal basis determines the rights that individuals can exercise over the way their data is processed. It is important therefore that the legal basis is stated correctly in privacy information given to participants.
Consent is one of the legal bases for processing personal data, but it is not the normal justification for processing personal data for research in the University. Instead, research is part of the University’s core task, and that is the legal basis: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” This does not affect any ethical requirements to ensure that participation in research is voluntary and that participants are informed about the use of their information.
A useful explanation on consent and the legal basis for processing personal data is available in the UK GDPR resources on the NHS Research Health Authority's website.
Safeguards are required when undertaking research with personal data. They include only processing the personal data that’s necessary (data minimisation), anonymising or pseudonymising where possible and ensuring that any processing of special category data does not cause substantial damage or distress or make impactful decisions for individuals. The research also must be deemed to be in the public interest.
Personal data should be held securely with an appropriate level of protection. More detail can be found on the Toolkit guidance.
Can I approach members of the public using electronic means (phone, text, email, social media messages) to ask them to be part of my research?
The Information Commissioner (ICO) has updated their guidance on how Public Authorities can recruit participants (Direct marketing and the public sector | ICO). It has now been specified more clearly that when research is being undertaken as part of an authority’s public task then any electronic communications with potential participants about this research are not classed as direct marketing. As undertaking research is one of the University’s public tasks, this applies to academic research undertaken by University staff. This key change means that it is now possible to make contact with potential participants without their prior consent. Previously, it was only possible to make contact with business addresses without prior consent.
This is a helpful change, which provides more flexibility and options for researchers in how they can engage with potential participants. However, it must still be considered that this might not always be your best option for recruiting participants, as there remains a difficulty in providing them with privacy information which would inform an expectation that unsolicited contact could be made by academic researchers. Depending on the nature of the research, it may not be ideal to approach individuals where no prior relationship or expectation exists; however, it is now permissible in light of the new ICO guidance.
Where you do decide to recruit by making unsolicited electronic contact with individuals, it is important to ensure that you provide them with privacy information soon thereafter, to ensure they are fully informed and aware of the rights they have in respect of their own personal data. Usually a link to our Research Participants Privacy Notice is provided in your participant information sheet, which would achieve this.
Do I need to complete a Data Protection Impact Assessment (DPIA)?
Whenever you are considering undertaking research, you need to think about whether a DPIA should be undertaken. This should be built into your considerations on every occasion. It may be that it is ultimately not required, but working through the procedure will ensure the correct decision is made.
Under UK GDPR, it is compulsory to carry out a DPIA where the processing of personal data is likely to pose a ‘high risk’ to the rights and freedoms of individuals. Where there is no available mitigation, the matter must be referred to the ICO. More detail is available here and in the GDPR for research Toolkit guide.
Do I need to update my consent forms and participant information sheets for GDPR?
Not at this stage. As the legal grounds for conducting research are based on the University’s public task, rather than individual participant consent, forms you use routinely to gather consent do not need to be revised to take account of GDPR.
Participant information sheets (PIS) will form part of the University’s layered approach to providing privacy information to research participants. It is important that PIS align with the overall University approach, and signpost overarching privacy information provided on the University website. Template PIS are under development as part of the University review of ethical approval procedures.
Further guidance will be published here when available.
How can I ensure personal data is being processed fairly and transparently?
The rights of research participants should be respected, and their personal data only used in line with their expectations. Transparency and fairness are intrinsically linked and therefore, personal data should not be used in ways unexpected by the data subject.
To ensure this is the case, information must be provided to participants. It should be concise and easy to understand. More information on this can be found in the Data Protection for Research Toolkit guide. In addition, a link should also be provided to the University’s overarching privacy notice on the website:
Data obtained direct from participants
When you are collecting personal data from the individuals concerned, you need to be clear, open and transparent with those individuals. You must set out what you intend to do with their data. Specifically:
- The purpose for which the personal data will be used. This might include use of the personal data in future research studies.
- Any organisations or recipients outside the University to whom you intend to disclose the personal data. (NB: this does not apply if sharing or publishing anonymised data.)
- The safeguards that will apply to any international data sharing arrangements. See checklist point 5 and contact the Information Governance team if this applies to your project.
- Information about any automated decision-making that will affect participants. Contact the Information Governance team for assistance if this applies to your project.
- How long the personal data will be kept. This may be the storage period until the data is deleted, or a review period after which the research value of the data will be assessed.
This information must be provided at the time you collect information from the participants. It can be provided within your correspondence/communications with participants.
Data obtained from a third party
Research projects do not always collect personal data directly from the individual participants. Where this is the case, you still need to provide the individual participants with the information, as detailed above, together with the following additional information:
- The categories of personal data to be processed;
- the source of the personal data, and whether it came from public sources.
This needs to be provided within one month.
You do not need to provide the prescribed information if the participants already have it or to do so would involve a disproportionate effort or prevent or seriously impair the achievement of the research objectives. Even where this applies, you still must make the information publicly available.
Participants’ personal data rights
Data protection legislation provides individuals with the following data subject rights:
- The right of transparency.
- The right of access to their personal data.
- The right to rectification of their personal data, i.e. correction of inaccurate data.
- The right to restriction of processing, i.e. to limit the way in which their personal data is used.
- The right to portability, i.e. to have their personal data transmitted to a different organisation.
- The right to object to their personal data being processed.
- The right not to be subject to a decision based on automated processing of their personal data.
- The right to erasure of their personal data, otherwise known as the right to be forgotten.
Individuals can exercise these rights verbally or in writing. The legislation recognises that it may not be appropriate to uphold these rights for personal data used in research, but this is not a blanket exemption. The University can restrict some of these rights if granting them would prevent or seriously impair the outcome of the research purpose. Each case must be judged on its own terms.
Try to ensure you can recognise any requests where participants are exercising their rights and refer formal requests to the Information Governance team. They will ensure any exemptions are applied appropriately and that the response meets statutory requirements.
Can an individual request that their data is removed from a research dataset under the right to be forgotten?
The right to erasure of personal data, known as the right to be forgotten, only applies to data processed in certain circumstances. It is unlikely that these circumstances will apply to personal data processed for research purposes.
The circumstances are:
- the data are no longer required for the purposes for which they were collected
- the legal basis for processing data was consent, and there is no other available legal basis
- the data subject has objected, and there are no legitimate grounds for continuing to process the data
- the data were processed unlawfully
- it is a legal obligation to erase the data
- the data was collected in relation to the offer of information society services
Even where one of the above conditions applies, there is a UK GDPR exemption where erasing the personal data would render impossible or seriously impair achieving the objectives of the research.
What are the requirements for sharing research data?
There are no specific exemptions from data sharing and data processing requirements for research purposes. If the information you are transferring to a third party is personally identifiable information, data protection requirements still apply. You need to consider whether you are transferring the data to another controller or a data processor, and then put in place any necessary documentation. If the data is being transferred abroad, additional safeguards may also be required depending on the destination country.
Data protection legislation requires that any external organisations engaged to process personal data on behalf of the University are capable of processing the data securely, and that their processing operations are governed by a written contract.
‘Processing’ activities that could be subject to this requirement include collection of personal data by a third party, outsourcing analysis or transcription of personal data, or engaging a supplier to store data.
The UK GDPR is prescriptive of what such a written agreement must say. Where you are engaging a third party, you should seek advice from the Information Governance Team on 01224 273175 or firstname.lastname@example.org
- Using Data for Marketing and Contact Lists
Are you involved in direct marketing? Either by contacting potential students to engage with and encourage them to study here, or by contacting potential research participants?
If so, then you need to be aware of the Privacy & Electronic Communications Regulations (PECR) 2003.
This is the legislation which governs how you can conduct direct marketing. It covers marketing by electronic means, including marketing calls, texts, video messages, emails, internet messaging and faxes.
The Information Commissioner has issued guidance on obtaining and recording consent.
There are specific rules about the use of personal data for marketing purposes.
When sending direct marketing messages by email or text, and for making marketing telephone calls you must follow specific rules. These are set out in PECR. UK GDPR sets a high standard for the consent required to send marketing messages electronically.
You need specific consent to send direct marketing communications. The best way to obtain valid consent is to ask that people tick opt-in boxes confirming they are happy to receive marketing communication from you as part of your initial interaction.
See the Information Commissioner's Direct Marketing guidance for more details.
Can I use personal data held by the University to send marketing messages?
Yes, as long as you comply with the Data Protection Principles and PECR. In practice this means:
- making sure the marketing activity is included in the University’s privacy notices (see the Providing Privacy tab above)
- only using contact details obtained by the University for related purposes
- making sure the personal data is accurate and up-to-date
- giving individuals the right to prevent direct marketing, usually by providing an opt out.
Do I need consent from the individual before sending marketing messages?
Consent is required before sending unsolicited direct marketing texts, emails or faxes, or for making calls to a number registered with the Telephone Preference Service (TPS). The University must keep a clear record of what an individual has consented to receive, and when and how consent was obtained. Providing an opt-out box is not sufficient evidence to demonstrate consent.
Frequently asked questions (FAQs)
When is a communication ‘direct marketing’?
“The communication (by whatever means) of advertising or marketing material which is directed to particular individuals.”
This covers all advertising or promotional material, including that promoting the aims or ideals of not-for-profit organisations.
The marketing must be directed to particular individuals and as all electronic messages are directed to someone (whether it is calls, faxes, texts or emails) they all fall within this definition.
When is it just a communication?
Routine customer service messages that the sender has a legal obligation to send, or that the customer would be at a disadvantage if they did not receive, and which are not marketing emails, are classed as service messages.
What is the difference between direct and indirect marketing?
Indirect marketing is a communication which is not intended for a specific individual and may not be specifically addressed and could be ‘To the Occupier’ or have no addressee at all. As a specific individual is not being targeted, this is not classed as direct marketing.
When do you not need specific consent and can act based on a previous provision of consent (soft opt-in)?
If an individual purchased something from you recently, gave you their details, and did not opt out of marketing messages, they are likely happy to receive marketing messages from you about similar products or services even if they haven’t specifically consented. However, you must give them a clear chance to opt out – both when you first collected their details, and in every message you send. This means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts. This does not apply to non-commercial promotions (charity fundraising or political campaigning).
What should your consent form say?
Your form should achieve consent which is fully informed and freely given. To achieve this, you must allow the individual real choice and allow them to opt-in by ticking a box or some other way of showing an affirmative action, but also ensure that there is no detriment from refusing to provide consent.
Your consent form should be granular and specific, with detail of what the individual is consenting to. If you need consent for another, unrelated matter, this should be on a separate form. We must also tell the individual that they can withdraw consent and how to do so.
You must also retain a record of the consent, so that you have an audit trail.
How often should you refresh consent previously gained?
This depends on the relationship, the processing and whether the purposes have changed. If there have been no changes, it is likely to be acceptable to leave a longer gap in between refreshing consent (such as annually). However, if there has been a change to the processing, the purposes or relationship, then this should act as your prompt to refresh consent.
Does the relationship between the sender matter?
Yes - there are different rules for marketing to companies than exist for marketing to individuals. In general, the rules for marketing to companies are not as strict.
What are the rules on Business to Business Marketing?
You can email or text any company or Government body.
The rules on consent, the soft opt-in and the right to opt-out do not apply for companies and Government bodies. However, the Information Commissioner (ICO) recommends that where companies have asked not to be contacted, this should be respected.
Many employees have personal corporate email addresses, which they can be identified from - they have the right to individually object to receiving marketing emails.
- Lawful Basis
The lawful basis for processing data must be cited in the corporate-level record of processing activities and provided as privacy information. Many of the University’s core activities are undertaken in pursuit of our public tasks or for statutory purposes, rather than on consent.
What are the lawful bases for processing?
These are set out in Article 6 of UK GDPR. At least one must apply whenever processing personal data:
(a) Consent: the individual has given clear consent for the processing of their personal data for a specified purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because you need to take steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law.
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for a task in the public interest or for official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for our or a third party's legitimate interests, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This lawful basis cannot apply for a public authority using data to perform their public tasks).
More information on each of the lawful bases can be found on the Information Commissioner's website at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
When you are processing a special category of personal data, you must also find an additional lawful basis for such processing: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/
Consent must be a freely given, specific, informed and unambiguous indication of a person’s wishes. It must be opt-in rather than opt-out and a simple means of withdrawal of consent must be provided. It is not good enough to rely on implicit consent.
The standard for consent under GDPR is high, but for much of the University’s processing of personal data, consent isn’t the lawful basis for processing. So, where there is an option other than consent, this should be considered.
Where you do need to rely on consent, this requires a positive opt-in and we should never use pre-ticked boxes or any other method of default consent.
Where explicit consent is required, a very clear and specific statement of consent is needed. Explicit consent is only required when the information being processed is special category data, which requires further protections. The information which is classed as special category data is: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Please be aware that Consent as a lawful basis is different to ethical consent, which is still required for research purposes.
Key things to remember when you are processing information based on consent:
- The consent statement should be separate to other terms and conditions, so that it is not hidden with other information.
- We specify why we want the data and what we’re going to do with it.
- We are specific and granular and get separate consent for separate things. A non-specific blanket consent is not good enough.
- The statement must be clear and easy to understand.
- Make it clear that people can withdraw consent and how to do so.
- When you receive consent, you must keep a copy of this, including when the consent was given, by whom, how this was provided, what they were told and what to expect.
- Be sure to review consent and refresh it if anything changes.
- Consent is not appropriate as a precondition of a service.
- As a public authority and an employer, we need to be careful to show that consent is freely given. We should only rely on consent when we must.
When is it appropriate for consent to be used as your lawful basis for processing personal data?
Consent is appropriate if you can offer people real choice and control over how you use people's data. If genuine choice cannot be offered, then consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading.
If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.
Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident that they can demonstrate it is freely given.
Consent must be a freely given, specific, informed and unambiguous indication of a person’s wishes. It must be opt-in rather than opt-out and a simple means of withdrawal of consent must be provided.
When data processing is based on consent, such as for some student support services or for electronic direct marketing, the quality must meet this standard. Please see the Using data for marketing tab below for more information.
If you have any questions about using consent as your lawful basis for processing information, please contact the Information Governance Team on 01224 27(3175) or at email@example.com
- Data Protection Offences
There are a number of offences which exist under data protection legislation. They cover different aspects of processing personal data and they are described below:
Section 170 of the Act relates to occasions where an individual knowingly or recklessly obtains, discloses, procures, sells or offers for sale, personal data without the consent of the data controller. The Controller is the person/organisation who decides on the purposes for processing personal data.
An additional provision makes it an offence to knowingly or recklessly retain personal data (which may have been lawfully obtained) without the consent of the controller.
Section 173 relates to the processing of requests from individuals for their personal data, and makes it a criminal offence for organisations to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure.
Section 171 criminalises the re-identification of personal data that has been ‘de-identified’ to remove/conceal personal data.
What these offences mean on a practical, day-to-day basis is that you should only process personal data for a work purpose, and if you are inclined or asked to do so for any other reason, you should stop and take advice from your line manager or the Information Governance Team.
Data protection legislation can allow proceedings against individuals, body corporates and those associated with them. Courts may impose unlimited fines.
The other offences which exist are perhaps either less likely to occur or relate specifically to the staff of the Information Commissioner's Office (ICO), but are listed below for information:
Section 184 of the Act relates to Subject Access Requests. It is designed to prevent organisations from using such requests as background checks. It is an offence to require relevant records as a requirement for employment or a contract for the provision of services. Organisations are expected to run the necessary background checks without compelling people to obtain and disclose their personal data.
Section 144 relates to the provision of false statements in response to an information notice (a demand from the ICO to produce information within a certain timeframe).
Section 148 (2) (a) makes it an offence for a person to destroy or otherwise dispose of, conceal, block or falsify all or part of the information, document, equipment or material in the circumstances of being served with an information notice. Section 148 (2) (b) makes it an offence to cause or permit the actions set out in the previous subsection.
Para 15 of Schedule 15 relates to obstructing a warrant or making a false statement in response to a request for information connected to a warrant.
Section 119 criminalises the obstruction of the ICO’s inspection of European information systems.
Section 132 criminalises an action by a former or current ICO member of staff to unlawfully disclose data obtained during the course of their duties.
If you have any questions about any of the offences listed above, please make contact with the Information Governance Team at firstname.lastname@example.org or call 01224 27(3175)
- Record of Processing Activities
Description of processing:
The following is a broad description of the way we process personal data. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any relevant privacy notices or contact us to ask what information is held about you.
Reasons/purposes for processing information:
We process personal information to enable us to provide education and support services to our students and staff; advertising and promoting the university and the services we offer; publication of the university magazine and alumni relations, undertaking research and fundraising; managing our accounts and records and providing commercial activities to our clients. We also process personal information for the use of CCTV systems to monitor and collect visual images for the purposes of security and the prevention and detection of crime.
Type/classes of information processed
We process information relevant to the above reasons/purposes. This may include:
- personal details
- family details
- lifestyle and social circumstances
- education details and student records
- education and employment details
- financial details
- disciplinary and attendance records
- vetting checks;
- goods or services provided
- visual images, personal appearance and behaviour
- information held in order to publish university publications
We also process sensitive classes of information that may include:
- racial or ethnic origin
- trade union membership
- religious or other similar beliefs
- physical or mental health details
- sexual life
We also process details of criminal offences and alleged offences, criminal proceedings, outcomes and sentences.
Who the information is processed about:
- contracted personnel
- professional advisers and consultants
- business contacts
- donors and friends of the University
- authors, publishers and other creators
- persons who may be the subject of enquiry
- third parties participating in course work
- health, welfare and social organisations
- friends of the University
- individuals captured by CCTV images
Who the information may be shared with:
We sometimes need to share the personal information we process with the individual themself and also with other organisations. Where this is necessary we are required to comply with all aspects of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.
Where necessary or required we share information with:
- family, associates and representatives of the person whose personal data we are processing
- current, past or prospective employers
- healthcare, social and welfare organisations
- educators and examining bodies
- suppliers and service providers
- student union
- financial organisations
- debt collection and tracing agencies
- police forces, security organisations
- courts and tribunals
- prison and probation services
- legal representatives
- local and central government
- consultants and professional advisers
- trade union and staff associations
- survey and research organisations
- press and the media
- voluntary and charitable organisations
Personal information is also processed in order to undertake research involving volunteers and NHS patients. For this reason the information processed may include name, contact details, family details, lifestyle and social circumstances, financial details, goods and services. The sensitive types of information may include physical or mental health details, racial or ethnic origin and religious or other beliefs. This information is about survey respondents. Where necessary or required this information may be shared with customers and clients, agents, service providers, survey and research organisations.
It may sometimes be necessary to transfer personal information overseas. When this is needed, information may be transferred to countries or territories around the world. Any transfers made will be in full compliance with all aspects of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
- Use of Messaging Apps
For guidance on use of messaging apps, such as WhatsApp or WeChat, please see our guidance document below (staff and student access only).
- Information Champions
All Schools and Directorates have an Information Champion, and their role is to work with the Information Governance and Information Security teams to help ensure that the University handles its data securely and lawfully.
As the legislative frameworks around information handling become ever more complex, and the threats to the digital working environment ever more real, there is a need to make sure that knowledge about these issues is spread across the University.
Champions will provide advice to colleagues and to their Head of School / Director and will signpost staff with more complex issues to the Information Governance or Information Security teams. They will also highlight emerging or recurring issues on which guidance and direction is required.
Below is the list of Information Champions
| School/Directorate | Champion | Contact details |
| --- | --- | --- |
| Biological Sciences | Mel McCann | email@example.com 01224 273603 |
| Business School | Thereza Raquel DeAguiar | Thereza.firstname.lastname@example.org 01224 274357 |
| Divinity, History, Philosophy | Kate A Smith | email@example.com 01224 273158 |
| Education | Sharon Smith | Sharon.firstname.lastname@example.org 01224 274526 |
| Engineering | Alireza Bagheri Sabbagh | Alireza.email@example.com 01224 274289 |
| | Zaib McNeilly | firstname.lastname@example.org 01224 274289 |
| Geosciences | Nick Schofield | email@example.com 01224 272096 |
| Languages, Literature Music | Euan Crabb | firstname.lastname@example.org |
| Law | Rossana Ducato | email@example.com |
| Medical Service & Nutrition | Janice Forsyth | Janice.firstname.lastname@example.org 01224 437505/438133 |
| Natural & Computing Sciences | Markus Upmeier | |
| Psychology | Mauro Manassi | email@example.com 01224 272240 |
| Social Sciences | Dimitrios Anagnostakis | Dimitrios.firstname.lastname@example.org 01224 272735 |
| Academic & Student Services | Lisa Hall | email@example.com 01224 272324 |
| Alumni Relations | Chloe Bruce | firstname.lastname@example.org 01224 274571 |
| Development Trust | Frieda Strachan | email@example.com |
| Digital & Information Services | Joanna Adams | firstname.lastname@example.org |
| Estates & Facilities | Kris Glodek | email@example.com 01224 272177 |
| Finance | Martin Phillips | firstname.lastname@example.org 01224 274057 |
| Marketing & Student Recruitment | Nicol Mellis | email@example.com 01224 273870 |
| People | Andrew Mackie | firstname.lastname@example.org 01224 272107 |
| Planning | Linda Murdoch | email@example.com 01224 272109 |
| Research & Innovation | Vacant | |
Information from which no individual can be identified.
Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a person, which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.
Any freely-given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of his or her personal data.
Criminal offence data
Personal data relating to criminal convictions and offences, or related security measures
see Personal data breach
Data concerning health
Personal data related to the physical or mental health of a person, including the provision of health services, which reveal information about his or her health status.
A person, public authority or body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A person, public authority or body which processes personal data on behalf of the data controller.
The disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation.
Data sharing agreement
A document that sets out a common set of rules to be adopted by organisations involved in a data sharing operation.
The identified or identifiable living individual to whom personal data relates.
The communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
The Data Protection Act 1998. Superseded by the UK GDPR and the DPA 2018.
The Data Protection Act 2018
Data protection impact assessment
Data Protection Officer
Any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.
The UK General Data Protection Regulation.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Personal data relating to the inherited or acquired genetic characteristics of a person which give unique information about the physiology or the health of that person and which result, in particular, from an analysis of a biological sample from the person in question.
Information Commissioner’s Office. The regulator for data protection legislation in the United Kingdom. www.ico.org.uk
A person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Information society services
A service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. See Directive (EU) 2015/1535 for an indicative list of services excluded from this definition.
The Privacy & Electronic Communications (EC Directive) Regulations 2003 - 2016
Any information relating to an identified or identifiable living person.
Personal data breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Any operation which is performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to that person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement.
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable person.
An organisation in Scotland as defined by the Freedom of Information (Scotland) Act 2002.
Sensitive personal data
Personal data consisting of information relating to the data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or sexual life; offences committed or allegedly committed by the data subject, or proceedings for any offence.
Replaced under GDPR by ‘Special categories of personal data’.
Special categories of personal data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data or biometric data when processed to identify a person; or data concerning a person’s health, sex life or sexual orientation.
Telephone Preference Service