In the UK, an individual’s personal data is protected by law under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The GDPR framework offers greater protection for the personal data of individuals and tougher punishments for non-compliance than previous data protection regulation.
The University is currently working to ensure all Schools and departments understand their responsibilities under GDPR. Please remember that GDPR builds upon the existing data protection measures that staff and information processes and systems should already be compliant with.
For more information please see our GDPR FAQs and the privacy pages.
The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018. The change provides organisations with an opportunity to review how they handle personal data, encouraging transparency in processes.
The University has formed a task group chaired by Andrew Hartley, Director of Legal and Information Governance and the University of Salford Data Protection Officer. The task group will oversee the way in which GDPR requirements are implemented. Work completed to date includes:
Your task group representative will be able to help you with any initial questions. Please speak to them in the first instance.
We are all responsible for the safe use of personal data. It is your responsibility to check that your work is in line with guidance issued by the ICO, the Legal and Information Governance team and local procedures. There is an e-learning toolkit available to staff. If, once you’ve completed this training, you think you need additional training, please email firstname.lastname@example.org. There is work underway within most areas of the University. Check with your GDPR Task Group representative to see what is going on in your area.
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
We will still keep this regulation once the UK leaves the EU for two reasons:
The main changes in the GDPR are:
The good news is that most of the data processed by the university falls within our public task, or form part of our obligations under contract with the student. Consent needs to be managed carefully. The GDPR requires consent to be ‘specific, explicit, informed and freely given’. In order for the consent to be ‘specific’, the request for consent must be distinguishable from any other parts of a form.
Similarly, for the consent to be ‘explicit’ the individual must sign/agree to the request to provide the information separately from any other part of the form. For example, where a student agrees to be part of a research project, they agree/sign once to agree to be part of the research and then sign/agree a second time to the actual data processing that is involved. This consent must be retained for as long as the data to which it refers is held.
Having, and making available a fair processing notice (see FAQ 7) means that when a person consents to their data being processed, their consent is informed by the information provided in the fair processing notice.
The final element of consent, that it is ‘freely given’, may be the hardest to achieve. If there is any element of the processing of the personal data that cannot be started, or continue without the individual’s consent to it, then the consent cannot be freely given and it will be necessary to find another legal basis for the data processing.
Under the GDPR data breach notification is now compulsory whereas it was voluntary under the DPA 1998. The ICO will issue guidelines for when it is necessary to report a breach (similar to those in existence under the DPA, but the GDPR requires that the data controller shall report a data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
This depends. If consent has been used as the legal basis for processing, then an individual has the right to withdraw consent at any time, and the information must be deleted. However, for other legal bases of processing, the right to erasure is not an absolute right and a test needs to be applied to see if the information should be retained. In each case or request, a log should be kept of the request, the decision, and any documents to support the justification for the decision.
We should certainly think about how much data we record and whether we need all of it to complete our activities, but if it is necessary and we have adhered to all the GDPR recommendations you should not stop recording it or remove it from documents or systems
There are many things you can do to look after data effectively, listed below are some best practice approaches which we will update regularly.
Always carry in hand luggage when travelling & use a privacy screen when in a public place
Computers at Work:
Lock your screen whenever you are away from your desk
These should be a mixture of upper & lower case, numbers and symbols. If you use a PIN make it longer than the standard 4 digits. And never use a password that you use elsewhere
When sending to third parties you should encrypt the file and use secure data transfer systems
If you have to send data to another person within your organisation you don’t have to encrypt but you should password protect and then send the password in a separate email
These should be carried with you at all times and PIN/Facial recognition protected
Operate a clear desk policy – not only will it make you more organised it will ensure that all paper files are secured at all times
We should digitalise files wherever possible; making it easier to store and search, but if you have to keep a hard-copy this should be under lock and key.
|GDPR||General Data Protection Regulation|
|DPIA||Data Protection Impact Assessment|
|SAR||Subject Access Request|