- Tell people - what personal information you have about them, how and why you use it, what gives you the right to use it, whether they can object to how you are using it.
- Keep records of what you do with personal information, why you do it and how you tell people about it.
- Make sure your records include - where it is stored, who has access to it, how it is kept safe, how long you keep it.
What do I need to do?
- Prepare for some changes - there will be a new Data Protection Act in 2018.
- It will implement the EU General Data Protection Regulation (GDPR), which updates the rules about any use (or 'processing', as it is called in the rules) of personal data. The GDPR rules apply from 25 May 2018.
  - Here is some general information: http://preview.bath.ac.uk/corporate-information/important-changes-to-data-protection-rules-and-procedures/
  - Here are FAQs prepared by the Information Commissioner's Office for universities: https://ico.org.uk/for-organisations/education/education-gdpr-faqs/
- Be aware and keep a record of personal data that you hold, have access to, or use -
- what is it
- where did it come from
- why are you holding or using it
- what is the lawful basis for holding or using it
- who are you passing it on to
- is it secure
- are you complying with all the data protection principles in the way you deal with it? (See the note at the end of this page for details of the principles.)

Record the details of personal data that you process by completing the attached record sheet (ask the Data Protection Team in the Legal Office for an electronic copy) and store it safely and securely within your department so that it is available for any required audit or request from the Information Commissioner's Office.
- Privacy notices - what do you tell people about how you are using their data? Review the privacy notices that you use - they may need to be revised. Please check revised versions with the Legal Office. Information about how to write good privacy notices is available. Review your privacy notices and revise them if necessary.
- What would you tell people if they asked for their personal data to be corrected, deleted or given to them in a commonly used format? Guidelines are available on the ICO website. Check with the Data Protection Team in the Legal Office what the University processes are for complying with the individual rights specified in the GDPR.
- Subject access request - are you aware of the procedure? Here is the link for the University procedure.
- Lawful basis for processing data - you should include this on your record of processing completed under paragraph 2 above. The lawful basis for processing may not be the same for all the data you process. Include information about the lawful basis for your processing on your record sheet.
- Consent - if you ask people for consent to collect and use their data, what consent form do you use and does it comply with the new requirements for consent? Where consent is the lawful basis for processing identified under 6. above, review your consent forms and revise them if necessary.
- Children - do you hold or use data of children under 16? If so, be aware of the rules governing information provided to data subjects, and of parental consent requirements. Be aware of the new rules about processing children's data.
- Data breaches - do you know what a data breach is and what to do if there is a data breach? Here is a link to the University procedure. Review the procedures for dealing with any data security breach.
- Data protection by design and Data Protection Impact Assessments (DPIA) - ensure data privacy features and technologies are designed into any new project. A DPIA is required for any new high-risk project involving processing personal data, to identify data protection risks and minimise them as much as possible (see the ICO guidance and the University data security policy). There is a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. Complete a formal Data Protection Impact Assessment for any new project involving personal data processing.
- Data Protection Officer - our Data Protection Officer is David Jolly, the Senior Legal Adviser.
- International considerations - do you transfer personal data outside the EEA, including use of cloud services that may be hosted outside the EEA? If so, what agreement do you have in place with the recipient of the data? Obtain approval from IT Security for use of any cloud-based storage and for any transfer of data outside the EEA.
DATA PROTECTION PRINCIPLES
The Data Protection principles in the GDPR are similar to the existing Data Protection principles in the Data Protection Act 1998. Here is a link to the principles specified in the GDPR.