This page outlines the General Data Protection Regime that applies in the UK. The General Data Protection Regulation (UK GDPR) has been tailored and incorporated into UK legislation by the Data Protection Act 2018.
The Data Protection Act 2018 ("the Act") applies to 'personal data', which is information which relates to individuals. It gives individuals the right to access their own personal data through subject access requests and contains rules which must be followed when personal data is processed.
The Act works in two ways:
- it provides individuals with rights, including the right to know what information is held about them and the right to access that information.
- it states that anyone who processes personal information must comply with the principles in the Act.
You should assume that any personal data relating to an identifiable living individual, held by the University, in any form, are covered by the Data Protection Act.
If you have access to personal data you must familiarise yourself with, and comply with, the following University resources:
- Data Protection Policy
- Data Protection guidance
- Data Security information
If you are going to be working remotely or using a mobile device please also see data security off-campus.
Data covered by the Act
The Data Protection Act covers the processing of all 'Personal Data'. This is data which constitutes information relating to a living individual, (a 'Data Subject') and from which (either on its own or together with other information held) the individual is identifiable, so data held purely in an anonymised form is not covered.
The Data Protection Act covers data held electronically and in hard copy, regardless of where data is held. It covers data held on and off campus, and on employees' or students' mobile devices, so long as it is held for University purposes, regardless of the ownership of the device on which it is stored.
'Processing' is widely defined and includes every possible form of action that can be taken in relation to data including:
- obtaining data
- recording data
- keeping data
- using data in any way
- sharing or disclosing data
- erasing and/or destroying data.
Lawful basis for processing personal data
The University must have a valid lawful basis in order to process personal data and, in most cases, will also need to be satisfied that it is ‘necessary’ to process personal data to achieve the relevant purpose.
There are only six potential lawful bases for processing personal data:
- Public task – this applies when the processing is necessary for the University to perform a task in the public interest or as part of its official functions.
- Legitimate interests - this applies when the processing is necessary for the legitimate interests of the University or a third party, (unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests).
- Contract – this applies when the processing is necessary for a contract the University has with the individual, (any processing of personal data under this category must be targeted and proportionate).
- Legal obligation – this applies when the processing is necessary for the University to comply with the law. This can relate to legal, regulatory and other compliance obligations, as well as matters such as the prevention or detection of crime.
- Vital interests – the processing is necessary to protect the vital interest of someone, normally this means to protect their life.
- Consent – the individual has freely given clear, informed consent for the University to process their personal data (this will always be for a specific purpose).
Additional conditions for special category data
Special Category Data (which used to be called 'Sensitive Personal Data') are personal data that is more sensitive and needs more protection. In order to lawfully process any such special category data, in addition to having a lawful basis for its processing, the University will need an additional condition for processing.
There are ten such potential additional conditions which permit Special Category Data to be processed. The most relevant in the context of the University are set out below:
- The individual has given explicit consent to processing for one or more specified purposes.
- Processing is necessary in relation to employment, social security and social protection law;
- Processing is necessary to protect the vital interests of a person, where they are physically or legally incapable of giving consent;
- Processing relates to personal data which is already in the public domain;
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- Processing is necessary for preventive or occupational medicine, for example, assessment the working capacity of an employee and providing health or social case.
Further information about the legal basis for processing personal data and the conditions for processing special categories of data can be found on the Information Commissioner’s Office’s website.
Six legal principles of Data Protection
The Data Protection Act sets out the six legal principles with which the University must comply whenever it processes personal data. These stipulate that the data must:
1 - Be processed fairly, lawfully and transparently
In order for us to process data 'fairly', we should:
- ensure that we have a lawful reason to obtain or process the data
- the Data Subject must never be deceived or misled - they must normally have a clear understanding of the reasons for which it is proposed that their data be used
- care needs to be taken to ensure that personal data is only ever obtained from a person who is legally authorised to supply it.
2 - Be processed only for specific, explicit and legitimate purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
The main issues raised by the principle are:
- all personal data which is processed by the University must be covered by our registration with the Information Commissioner. Most routine uses of personal data by staff will be covered by our registration. However, if you are processing any data (for example, maintaining a database or running a research project involving the use of personal data) and think it may involve us handling new personal data for the first time or using personal data for a new purpose, please email the Data Protection team at firstname.lastname@example.org for advice.
- personal data held for one purpose should not be used for another
- personal data must not be disclosed to any third person (other than those described in the University's registration in certain circumstances), so take great care when you receive a request for data from a third party (see guidance on disclosing data).
3 - Be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are held
To ensure compliance:
- you should not collect any personal data not strictly necessary for the specified purpose. If you are obtaining or holding any special category data take special care to properly consider its necessity
- records should also be unambiguous, accurate and professionally worded. Abbreviations should be widely agreed. Opinions should be clearly distinguishable from facts.
4 - Be accurate and, where necessary, be kept up to date
Personal data must not be inaccurate or misleading to any matter of fact. This applies to information from a third party. The source of information should always be included on records.
5 - Be kept for no longer than is necessary for the specified purpose
As the University needs to hold and process personal data for a variety of different legitimate reasons, it is not always possible to stipulate how long particular data should be retained.
The university has a set of policies on the retention and disposal of different types of records. For other types of data, it is often necessary to decide on a case-by-case basis when they should be destroyed.
6 - Be processed in a secure manner, taking appropriate security measures with regard to rights of accidental or unauthorised access to personal data, or accidental or unauthorised destruction, lose, use modification or disclosure of personal data
Access to personal data will only be granted to staff insofar as is necessary for legitimate operational purposes. The personal or private use of personal data held by the university is strictly forbidden.
All staff with access to personal data must be mindful that they play a role in ensuring that it is always kept securely. They must familiarize themselves with the University's Data Protection Policy and follow our guidance on data security.