- Tell people what personal information you have about them, how and why you use it, what gives you the right to use it, and whether they can object to how you are using it.
- Keep records of what you do with personal information, why you do it and how you tell people about it.
- Make sure your records include where it is stored, who has access to it, how it is kept safe, and how long you keep it.
What do I need to do?
1. Be aware of the changes - a new Data Protection Act was passed in 2018. It implements the EU General Data Protection Regulation (GDPR), which updates the rules about any use (or 'processing', as it is called in the rules) of personal data. The GDPR rules apply from 25 May 2018. Here is some general information: /corporate-information/important-changes-to-data-protection-rules-and-procedures/ Here are FAQs prepared by the Information Commissioner's Office for universities: https://ico.org.uk/for-organisations/education/education-gdpr-faqs/
2. Be aware of, and keep a record of, the personal data that you hold, have access to, or use:
   - what are the data?
   - where did they come from?
   - why are you holding or using them?
   - what is the lawful basis for holding or using them?
   - who are you passing them on to?
   - are they secure?
   - are you complying with all the data protection principles in the way you deal with the data? (See the note at the end of this page for details of the principles.)
   Record the details of the personal data that you process by completing a record sheet - ask the Data Protection Team in the Legal Office for an electronic template sheet - and store it safely and securely within your department so that it is available for any required audit or request from the Information Commissioner's Office.
3. Privacy notices - what do you tell people about how you are using their data? Review the privacy notices that you use and revise them if necessary; they may need to be changed. Please check revised versions with the Legal Office. Information is available on the ICO website about how to write good privacy notices.
4. What would you tell people if they asked for their personal data to be corrected, deleted or given to them in a commonly used format? Guidelines are available on the ICO website. Check with the Data Protection Team in the Legal Office what the University's processes are for complying with the individual rights specified in the GDPR.
5. Subject access requests - are you aware of the procedure? Here is the link for the University procedure.
6. Lawful basis for processing data - you should include this on your record of processing completed under paragraph 2 above. The lawful basis for processing may not be the same for all the data you process, so include the lawful basis for each of your processing activities on your record sheet.
7. Consent - if you ask people for consent to collect and use their data, what consent form do you use, and does it comply with the new requirements for consent? Where consent is the lawful basis for processing identified under paragraph 6 above, review your consent forms and revise them if necessary.
8. Children - do you hold or use data of children under 16? If so, be aware of the new rules about processing children's data, including the rules governing information provided to data subjects and the parental consent requirements.
9. Data breaches - do you know what a data breach is and what to do if there is one? Here is a link to the University Procedure. Review the procedures for dealing with any data security breach.
10. Data Protection by design and Data Protection Impact Assessments (DPIAs) - ensure that data privacy features and technologies are designed into any new project. There is a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. A DPIA is required for any new high-risk project involving the processing of personal data, to identify data protection risks and minimise them as much as possible: complete a formal Data Protection Impact Assessment for any new project involving personal data processing. See the ICO guidance and the University data security policy.
11. Data Protection Officer - the University's Data Protection Officer is David Jolly, the Senior Legal Adviser.
12. International considerations - do you transfer personal data outside the EEA, including by using cloud services that may be hosted outside the EEA? If so, what agreement do you have in place with the recipient of the data? Obtain approval from IT Security for the use of any cloud-based storage and for any transfer of data outside the EEA.
DATA PROTECTION PRINCIPLES
The Data Protection principles in the GDPR are similar to the old Data Protection principles in the Data Protection Act 1998. Here is a link to the principles specified in the GDPR.