General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing the current Data Protection Act. The new regulation, whilst not radically different from the existing law, does introduce a number of new elements and enhancements that we need to implement to ensure that we remain compliant.
We’ll be updating these pages and adding a range of guidance over the coming months so please check back for further information.
If you have any questions applying the principles, please contact a member of the Compliance and Casework team.
When the Data Protection Act was being developed over 20 years ago, many of the uses of personal data, and the platforms available, that we now take for granted either hadn’t even been thought of or weren’t as widely used as they are now. The way in which the Act was introduced also meant that there was no consistency across European Union member states. GDPR aims to tackle both of those issues.
The GDPR Steering Group, which is made up of representatives from across the University, is overseeing progress towards compliance across our Schools and Services. We’ve completed detailed inventories of personal data, capturing what we hold and how we’re using it, and are in the process of auditing those registers to identify any issues and areas of risk that we need to address.
Compliance with data protection law is not the sole responsibility of one department or senior individual. All of us need to understand our obligations and be mindful of how we treat personal data. To support this, every member of staff will be required to complete an updated online data protection training module, which will be rolled out over the next few months. In addition, some staff (approximately 600) will be required to attend a more in-depth, face-to-face training session. Managers have identified those colleagues, and Governance & Legal Services are contacting them with details of how to book a place at a session.
GDPR applies to personal data that the University processes. Just as is currently the case under the Data Protection Act, processing is any use of personal data throughout its life cycle, from collection, analysis, evaluation and storage, right through to destruction and how we deal with personal data that is no longer required.
The main objectives of GDPR are (i) to make sure that we use other people’s personal information properly and (ii) to give individuals more control over how their personal data is used. Their rights will be enhanced, enabling them to restrict and object to processing and, if they wish, to be forgotten by organisations with whom they no longer want to be associated.
We’ll still be able to collect and use personal data for our core purposes as a university, but we’ll have to be better at documenting how we comply with the law and make sure that our processes for recording data breaches and obtaining and recording consent from individuals are robust. We also need to be absolutely clear about why we’re holding someone’s personal data and what we’re doing with it.
GDPR is based on a set of principles, most of which are very similar to those under the current Data Protection Act. However, there are some significant differences, including:
- a new accountability principle which will mean that we must be able to show how we comply with the law;
- more stringent requirements around obtaining and recording individuals’ consent for using their personal data (where we’re relying on consent to use that personal data);
- strict timescales for reporting breaches to the Information Commissioner’s Office where a breach is a threat to the rights and freedoms of individuals;
- that we demonstrate that “data protection by design and default” is a core consideration when we’re planning and operating data processing systems and activities;
- more severe penalties for non-compliance including fines of up to €20 million or 4% of an organisation’s global turnover.
The Information Commissioner’s Office (ICO) is the statutory authority for the UK on matters relating to data protection. It has powers of investigation and enforcement, including the issuing of fines, and produces a range of guidance on best practice. The ICO website is the most reliable source of information about the implementation of GDPR: www.ico.org.uk.
The UK will still be a member of the EU when GDPR comes into force on 25 May so we do need to adopt the Regulation. Should we leave the EU in March 2019, we’ll be regarded as a third country, which means that we won’t automatically be considered by the EU to have “adequate” measures in relation to our data processing activities. It’s in our interests, then, to maintain the high standards set by GDPR to try and minimise any disruption to sharing personal data with EU member states post-Brexit.
The principles that form the basis for processing personal data are very similar under GDPR to those that we’re familiar with under the current Data Protection Act. The table below sets out how they differ:
| Principle | Data Protection Act principles | General Data Protection Regulation principles |
|---|---|---|
| 1. Lawfulness | Personal data shall be processed fairly and lawfully and according to conditions | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject |
| 2. Purpose | Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes |
| 3. Data minimisation | Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed |
| 4. Accuracy | Personal data shall be accurate and, where necessary, kept up to date | Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay |
| 5. Storage | Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes |
| 6. Access | Personal data shall be processed in accordance with the rights of data subjects | No equivalent principle. Access rights are addressed separately under GDPR (Chapter III) |
| 7. Security | Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures |
| 8. Overseas transfer | Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data | No equivalent principle under GDPR. Overseas transfers of personal data are addressed separately in Chapter IV |
| 9. Accountability | No equivalent principle under DPA | The controller shall be responsible for, and be able to demonstrate, compliance with the principles |
Individuals have the right to be informed about how their personal data is collected, stored and used. The easiest way to do this is to provide a privacy notice, at the point that you collect personal data, detailing this. The overarching Leeds Beckett University privacy notice sets this out for most situations, but there will be situations in which you may need to tell individuals in greater detail why you are collecting their personal data and what you are doing with it. This gives individuals choice and control over how their personal data is used and allows us to demonstrate that we are using personal data fairly and transparently. Where you have existing privacy notices in place, you need to review and update them using the guidance steps below. If you are already collecting personal data but are not telling individuals what you are doing with it, you should now put a privacy notice in place using the same steps, which are as follows:
- Create a data flow map – map out what data you are collecting, where this data is going and whether you are sharing any data with third parties. This will help you understand your data flows and therefore what you need to include in your privacy notice.
- Draft your privacy notice – the notice should be clear and transparent, giving information on the ways in which you will collect, store, use and share the data. You also need to tell individuals who to speak to if they have a query about the use of their personal data. Ensure you give a detailed explanation of how personal data will be used, beyond describing a generic purpose, i.e. you need to be specific. The areas you need to cover are:
  - Identity and contact information of the organisation collecting the data (Data Controller), and what data is collected and how, e.g. “The organisation responsible for looking after your personal data (Data Controller) is Leeds Beckett University. Leeds Beckett University will collect the following categories of personal data; [personal details, staff/student ID number, visual images, video, education details, student records, age, ethnicity, gender, disability] relating to [describe categories of data subject] obtained from [participating in the [survey] and give details].”
  - The purpose for processing (processing essentially means any use of the data), e.g. “We will process your personal data for the purposes of [give purpose]”.
  - The legal basis for processing, e.g. “We will process your personal data in accordance with the Data Protection Act 1998 (“DPA”) until 25 May 2018, thereafter in accordance with the General Data Protection Regulation (“GDPR”) or any successor legislation to the GDPR or the DPA. The legal basis under which processing of personal data may take place is [give legal basis for processing].” [Where the processing is based on legitimate interests, you must describe the interests pursued by the Data Controller or third party.]
  - The recipients of the information and whether you are sharing it with any third parties, e.g. “The recipients of the data collected are [state recipients]. The data will be shared with [describe any third parties you are sharing data with] for the purposes of [outline why you are sharing personal data with third parties] [and whether it will be anonymised]”.
  - Details of any transfers of the information to another country outside the EEA and the legal basis for doing so, e.g. “We are not permitted to transfer information overseas unless there is adequate protection in place. The data will be transferred outside of the EEA to [state countries] under the protection of [state adequate protections to be able to transfer personal data outside of the EEA]”.
  - How you will store data securely.
  - The period for which the data will be stored or, where this is not possible, the criteria used to determine that period.
  - The individual’s rights to the data, e.g. “As a person whose personal data we are processing, you have certain rights in respect of that personal data; you have the right:
    - To withdraw consent [if consent is the lawful basis for processing];
    - To access your personal data that we process;
    - To rectify inaccuracies in personal data that we hold about you if it is inaccurate or incomplete;
    - To request the deletion or removal of your personal data where there is no compelling reason for its continued processing;
    - To restrict the processing of your personal data in certain ways;
    - To obtain your personal data for reuse;
    - To object to certain processing of your personal data;
    - To complain to the Information Commissioner’s Office about the way in which we process your personal data.”
  - A reference to the institution’s data protection policy, e.g. “Leeds Beckett University’s data protection policy and privacy notice, which are updated from time to time, are publicly accessible at leedsbeckett.ac.uk/public-information/data-protection/.”
  - Where data is collected for a statutory or contractual requirement, whether the provision of data is voluntary or mandatory, as well as the consequences of failing to provide the data.
  - Whether the data collected will be used for automated decision making, including profiling, and the reasoning and consequences of such processing.
  - Any other pertinent information.
  - How to invoke individuals’ rights and the point of contact, e.g. “If you have a query please contact [name and person in the team responsible for data collection]”.
- If you are relying on consent as the legal basis for processing, you should ask individuals to positively opt in, giving sufficient information at the end of the privacy notice. If your privacy notice covers more than one purpose, you should provide positive opt-ins for each purpose. NB: if you are collecting any ‘special’ categories of personal data (e.g. race, ethnic origin, trade union membership, health information, religious beliefs, political opinions, biometric data, genetic data, sexual orientation, sex life information etc.) you will need to obtain explicit consent via a positive opt-in unless you can rely on another legal basis for processing this type of personal data.
- Consider a “layered” approach to providing privacy notice information. A layered approach can be useful as it allows you to provide the key privacy information immediately and have more detailed information available elsewhere for those who want it. You might do this if there is not enough space to provide all of the detail or if you need to explain a particularly complicated information system to people. It should consist of a short notice containing the key information, such as who you are, what information you are collecting, why you need it and the way you will use it. What else goes into which layer will depend on the type of processing that you undertake. It may contain links that expand each section to its full version, or a single link to a second, longer notice which provides more detailed information.
- If you would like your draft privacy notice to be checked, please send it to firstname.lastname@example.org
- For further information on privacy notices, see the ICO’s website.
If the University is entering into an agreement with an external organisation or business and, as part of the work involved in the agreement, it’s necessary to share personal data about our students or staff with them, we should always put a Data Processing Agreement in place with that third party. A Data Processing Agreement sets out what we’re allowing them to do with the personal data that we transfer to them and helps to provide assurance that it’s going to be kept safe and secure.
There are two ways we can do this:
- If the data sharing is incidental to the main purpose of the agreement, we can insert data processing clauses which are sufficient for the scope and extent of the processing and are GDPR compliant; or
- If the purpose of the agreement is to share personal data, put a separate Data Processing Agreement in place.
If you’re already sharing personal data with a third party, we need to check that the data protection clauses are GDPR compliant. If they aren’t, we may need to vary the contract with the provider so that they are. Please see the ‘Contract’ section of this webpage for further information on how to do this.
Please contact email@example.com if you have any queries about an existing or new Data Processing Agreement. We’ll be happy to provide support and guidance.
When we’re planning new systems that will contain personal data, or we’re intending to use personal data in a very different way, it may be necessary to carry out a Data Protection Impact Assessment (DPIA). DPIAs help organisations to identify the risks associated with a project and what the effect will be on individuals.
Under GDPR, if a project poses a high level of risk to the rights and freedoms of individuals, a DPIA must be completed. The ICO has a screening checklist to help us determine whether a project requires a DPIA.
It’s good practice to build DPIAs into the planning stages of new projects that involve the use of personal data. They help us to ensure that privacy issues are addressed early, any risks identified and appropriate measures put in place to protect the data and the rights of individuals. Carrying out a DPIA also helps the University to meet its wider accountability obligations under GDPR as it provides evidence that we’ve considered the implications of a project and have taken steps to address them.
For some high risk activities that involve personal data, a DPIA is mandatory. These include:
- Systematic and extensive profiling that has significant effects on individuals
- Large scale use of sensitive data
- Monitoring of a publicly accessible area on a large scale
- The use of new technologies or the novel application of existing technologies
- Decisions about an individual’s access to a product, service, opportunity or benefit where those decisions are based in any way on automated decision making (including profiling) or involve the processing of special category data
- Large scale profiling of individuals
- Any processing of biometric data
- Any processing of genetic data (except by health professionals for the provision of health care to the data subject)
- Data matching, which is combining, comparing or matching personal data obtained from multiple sources
- Invisible processing, where personal data has not been obtained directly from the data subject
- Tracking an individual’s location or behaviour, including online
- Targeting children or other vulnerable individuals
- Where the physical health or safety of individuals could be at risk in the event of a data breach.
If you’re embarking on a project that involves any of these activities, please contact Governance & Legal Services at firstname.lastname@example.org. We can provide guidance on the process and a checklist for conducting a DPIA.
If a decision is taken not to carry out a DPIA when a high risk activity is proposed, this must be documented. In the event of a complaint to the ICO or a data breach related to the project, we must be able to demonstrate that we considered the risks associated with the activity and record the reasons why we concluded that a DPIA was not necessary.
| Question | Answer |
|---|---|
| Does personal data include data in archives of my email? | The legal definition of personal data is: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. So, if you’re holding information in your email archive that includes any of the above, you’re holding personal data. |
| I have personal data in a number of archive files – do I have to check them all? | You need to review what you’re retaining and consider whether you should still be keeping it. If you haven’t accessed it for some time, do you really need it? Can you access it via centrally held files? |
| What about old emails where I have sent a colleague a copy of student results for moderation purposes? | If there’s no reason to hold onto it, you should delete it. This kind of information will still be accessible centrally if you need to get to it at a later date, so there shouldn’t be a need for you to keep it yourself. |
| What should I do with emails from 5 years ago about a student's support contract? | You’d need to have a valid reason for storing information about old Reasonable Adjustment Plans locally. Presumably the student has long since left. Disability Advice will maintain records centrally and that’s the safest place for them. Obviously, if you have a current student with a RAP, you’ll need it to refer to for the duration of their study. RAPs contain “special category personal data” which we must handle particularly carefully because of its sensitive nature. |
| I keep past student references as I am often asked for a number of references for the same student. Is this okay? Is there a limit to the amount of time I am allowed to keep data for? | It isn’t good practice to retain information “just in case” because it might come in handy. You need to think about whether you really need to hang onto it. For references, details of a student’s marks, their award etc. will be held centrally, so consider whether it would be better to access that rather than hold onto a lot of personal data about a lot of students about whom you may never be asked for a reference. Retention must be for a legitimate reason and be proportionate. In terms of how long to keep personal data, see the records retention schedule for guidance: http://www.leedsbeckett.ac.uk/records-retention/ |
| Do feedback sheets to students count? Should I get rid of them? | Feedback sheets will contain personal data – comments on a student’s work constitute personal data. See the records retention schedule (http://www.leedsbeckett.ac.uk/records-retention/) for guidance on how long to keep them. They’ll be held centrally on the student’s file for a standard period in accordance with the schedule. |
| Can I keep lists of past students? How am I allowed to use these lists? | Information about students is held centrally and there shouldn’t be any need to retain lists locally. What are you intending to do with those lists? Is it something that the former students have been notified about and given consent to? The External Relations team holds records of former students and applies best practice in its communications with them. It would be advisable to check with them that they have records of the students that you have lists of and allow communications with them to be channelled by them. You could potentially be contacting individuals who have expressed a wish not to be contacted and that may constitute a breach of data protection law. |
| I have pictures of students on residential. Can I keep them? | Photographs are personal data, so you need to consider how you got hold of them and what you’re intending to do with them. Is it something that the students have been notified about and given consent to? Corporate Communications hold a database of images and have an up to date consent form for use when they’re taking photographs and videos. |
| I think there might be some records of students on Google drive web. It isn't on my work PC so it doesn't count if it is kept in the cloud – does it? | Yes it does. The University is the Data Controller for that student data and, therefore, has responsibility for it wherever it’s held. Platforms that are supported by the University will comply with our legal requirements. You should check what the position is in relation to platforms that the University may not support. |
| What about student details kept on MyBeckett? Does this include things like their presentation schedules? | This is personal data, but you have a legitimate reason for putting information like this on MyBeckett as it’s part of the delivery of the course and is limited to those who need to access it, so it’s fine. |
| I keep my work data on my own backup hard disk – surely this doesn't count as it isn't the university's hard disk? | If it’s the personal data of staff or students it should be held in accordance with the University’s requirements. The University is the Data Controller and is, therefore, responsible for it. You must ensure that adequate safeguards are in place to protect it from loss, damage and unauthorised access. The IT Security policies provide guidance on this issue and you should familiarise yourself with them. |
| I have data on a series of memory sticks at home. What is the situation? | If it’s personal data relating to students or staff, you need to identify what it is and consider why you’re holding it at home. If you can’t access it in any other way, via the VLE for example, you need to make sure that you have adequate measures in place to protect it. See the IT Security policies for more details. |
| A former member of staff shared documents online with other colleagues but has since left the university. The documents are still available to those with whom they were shared, but they do not have the ability to delete them as they are not the owner of the documents. What should I do? | You should seek advice from IT Services. We need to know what’s in those documents and, if it’s personal data, whether it’s secure and/or should be removed. Holding personal data on old microsites, websites or external networks that we no longer use, maintain or control increases the risk of cyber attacks and personal data breaches. |