General Data Protection Regulation (GDPR)
We’ll be updating these pages and adding a range of guidance over the coming months so please check back for further information.
If you have any questions about applying the principles, please contact a member of the Compliance and Casework team.
Compliance with data protection law is not the sole responsibility of one department or senior individual. All of us need to understand our obligations and be mindful of how we treat personal data. To support this, every member of staff will be required to complete an updated online data protection training module, which will be rolled out over the next few months. In addition, some staff (approximately 600) will be required to attend a more in-depth, face-to-face training session. Managers have identified those colleagues, and Governance & Legal Services are contacting them with details of how to book a place at a session.
The main objectives of GDPR are (i) to make sure that we use other people’s personal information properly and (ii) to give individuals more control over how their personal data is used. Their rights will be enhanced, enabling them to restrict and object to processing and, if they wish, to be forgotten by organisations with whom they no longer want to be associated.
We’ll still be able to collect and use personal data for our core purposes as a university, but we’ll have to be better at documenting how we comply with the law and make sure that our processes for recording data breaches and obtaining and recording consent from individuals are robust. We also need to be absolutely clear about why we’re holding someone’s personal data and what we’re doing with it.
GDPR is based on a set of principles, most of which are very similar to those under the current Data Protection Act. However, there are some significant differences, including:
• a new accountability principle which will mean that we must be able to show how we comply with the law;
• more stringent requirements around obtaining and recording individuals’ consent for using their personal data (where we’re relying on consent to use that personal data);
• strict timescales for reporting breaches to the Information Commissioner’s Office where a breach is a threat to the rights and freedoms of individuals;
• that we demonstrate that “data protection by design and default” is a core consideration when we’re planning and operating data processing systems and activities;
• more severe penalties for non-compliance, including fines of up to €20 million or 4% of an organisation’s global turnover.
The Information Commissioner’s Office (ICO) is the statutory authority for the UK on matters relating to data protection. It has powers of investigation and enforcement, including the issuing of fines, and produces a range of guidance on best practice. The ICO website is the most reliable source of information about the implementation of GDPR: www.ico.org.uk
The principles that form the basis for processing personal data are very similar under GDPR to those that we’re familiar with under the current Data Protection Act. The table below sets out how they differ:
| Principle | Data Protection Act principles | General Data Protection Regulation principles |
|---|---|---|
| 1. Lawfulness | Personal data shall be processed fairly and lawfully and according to conditions | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject |
| 2. Purpose | Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes |
| 3. Data minimisation | Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed |
| 4. Accuracy | Personal data shall be accurate and, where necessary, kept up to date | Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay |
| 5. Storage | Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes |
| 6. Access | Personal data shall be processed in accordance with the rights of data subjects | No equivalent principle. Access rights are addressed separately under GDPR (Chapter III) |
| 7. Security | Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures |
| 8. Overseas transfer | Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data | No equivalent principle under GDPR. Overseas transfers of personal data are addressed separately in Chapter IV |
| 9. Accountability | No equivalent principle under DPA | Controller shall be responsible for, and be able to demonstrate, compliance with the principles |
Individuals have the right to be informed about how their personal data is collected, stored and used. The easiest way to do this is to provide a privacy notice, at the point that you collect personal data, which sets this out. The overarching Leeds Beckett University privacy notice covers most situations, but there will be situations in which you may need to tell individuals in greater detail why you are collecting their personal data and what you are doing with it. This gives individuals choice and control over how their personal data is used and allows us to demonstrate that we are using personal data fairly and transparently. Where you have existing privacy notices in place, you need to review and update them using the guidance steps below. If you are already collecting personal data but are not telling individuals what you are doing with it, you should now put a privacy notice in place using the same guidance steps, which are as follows:
1. Create a data flow map – map out what data you are collecting, where this data is going and if you are sharing any data with third parties. This will help you understand your data flows and therefore what you need to include in your privacy notice.
2. Draft your privacy notice - the notice should be clear and transparent, giving information on the ways in which you will collect, store, use and share the data. You also need to tell individuals who to speak to if they have a query about the use of their personal data. Give a detailed explanation of how personal data will be used rather than describing a generic purpose, i.e. you need to be specific. The areas you need to cover are:
• Identity and contact information of the company collecting the data (Data Controller) and what and how data is collected e.g. “The organisation responsible for looking after your personal data (Data Controller) is Leeds Beckett University. Leeds Beckett University will collect the following categories of personal data; [personal details, staff/student ID number, visual images, video, education details, student records, age, ethnicity, gender, disability] relating to [describe categories of data subject] obtained from [participating in the [survey] and give details].”
• The purpose for processing (processing essentially means any use of the data), e.g. “We will process your personal data for the purposes of [give purpose]”.
• The legal basis for processing, e.g. “We will process your personal data in accordance with the Data Protection Act 1998 (“DPA”) until 25 May 2018, and thereafter in accordance with the General Data Protection Regulation (“GDPR”) or any successor legislation to the GDPR or the DPA. The legal basis under which processing of personal data may take place is [give legal basis for processing].” [Where the processing is based on legitimate interests, you must describe the interests pursued by the Data Controller or third party.]
• The recipients of the information and if you are sharing with any third parties e.g. “The recipients of the data collected are [state recipients]. The data will be shared with [describe any third parties you are sharing data with] for the purposes of [outline why you are sharing personal data with third parties] [and whether it will be anonymised]”.
• Details of any transfers of the information to another country outside of the EEA and the legal basis for doing so, e.g. “We are not permitted to transfer information overseas unless there is adequate protection in place. The data will be transferred outside of the EEA to [state countries] under the protection of [state adequate protections to be able to transfer personal data outside of the EEA]”.
• How you will store data securely.
• The period for which the data will be stored or, where this is not possible, the criteria used to determine that period.
• The individual’s rights in respect of the data, e.g. “As a person whose personal data we are processing, you have certain rights in respect of that personal data; you have the right:
o To withdraw consent [if consent is the lawful basis for processing];
o To access your personal data that we process;
o To have personal data that we hold about you rectified if it is inaccurate or incomplete;
o To request the deletion or removal of your personal data where there is no compelling reason for its continued processing;
o To restrict the processing of your personal data in certain ways;
o To obtain your personal data for reuse;
o To object to certain processing of your personal data;
o To complain to the Information Commissioner’s Office about the way in which we process your personal data.
• Refer to the institution’s data protection policy, e.g. “Leeds Beckett University’s data protection policy and privacy notice, which are updated from time to time, are publicly accessible at http://www.leedsbeckett.ac.uk/public-information/data-protection/”.
• Where data is collected for a statutory or contractual requirement, detail if the provision of data is voluntary or mandatory as well as the consequences of failing to provide the data.
• Whether the data collected will be used for automated decision making, including profiling, and the reasoning and consequences of such processing.
• Any other pertinent information.
• How individuals can exercise their rights, and a point of contact, e.g. “For more information on any of the above, your rights, or if you have a query, please contact [name and person in team responsible for data collection]”.
3. If you are relying on consent as the legal basis for processing, you should ask individuals to positively opt in, giving sufficient information at the end of the privacy notice. If your privacy notice covers more than one purpose, you should provide a positive opt-in for each purpose. NB: if you are collecting any ‘special’ categories of personal data (e.g. race, ethnic origin, trade union membership, health information, religious beliefs, political opinions, biometric data, genetic data, sexual orientation, sex life information, etc.) you will need to obtain explicit consent via a positive opt-in unless you can rely on another legal basis for processing this type of personal data.
4. Consider a “layered” approach to providing privacy notice information. A layered approach can be useful as it allows you to provide the key privacy information immediately and have more detailed information available elsewhere for those that want it. You might do this if there is not enough space to provide all of the detail or if you need to explain a particularly complicated information system to people. It should consist of a short notice containing the key information, such as who you are, what information you are collecting, why you need it and the way you will use it. What else goes into which layer will depend on the type of processing that you undertake. It may contain links that expand each section to its full version, or a single link to a second, longer notice which provides more detailed information.
5. If you would like your draft privacy notice to be checked, please send it to email@example.com
6. For further information on privacy notices check out the ICO’s website at: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
If the University is entering into an agreement with an external organisation or business and, as part of the work involved in the agreement, it’s necessary to share personal data about our students or staff with them, we should always put a Data Processing Agreement in place with that third party. A Data Processing Agreement sets out what we’re allowing them to do with the personal data that we transfer to them, and helps to provide assurance that it’s going to be kept safe and secure.
There are two ways we can do this:
1) If the data sharing is incidental to the main purpose of the agreement, we can insert data processing clauses which are sufficient for the scope and extent of the processing and are GDPR compliant; or
2) If the purpose of the agreement is to share personal data, put a separate Data Processing Agreement in place.
If you’re already sharing personal data with a third party, we need to check that the data protection clauses in the existing contract are GDPR compliant. If they aren’t, we may need to vary the contract with the provider so that they are. Please see the ‘Contract’ section of this webpage for further information on how to do this.
Please contact firstname.lastname@example.org if you have any queries about an existing or new Data Processing Agreement. We’ll be happy to provide support and guidance.