In the UK, an individual’s personal data is protected by law under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The GDPR framework offers greater protection for the personal data of individuals and tougher punishments for non-compliance than previous data protection regulation.
The University is currently working to ensure all Schools and departments understand their responsibilities under GDPR. Please remember that GDPR builds upon the existing data protection measures with which staff, information processes and systems should already be compliant.
For more information please see our GDPR FAQs and the privacy pages.
The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018. The change provides organisations with an opportunity to review how they handle personal data, encouraging transparency in processes.
The University has formed a task group chaired by Andrew Hartley, Director of Legal and Information Governance and the University of Salford Data Protection Officer. The task group will oversee the way in which GDPR requirements are implemented. Work completed to date includes:
Your task group representative will be able to help you with any initial questions. Please speak to them in the first instance.
We are all responsible for the safe use of personal data. It is your responsibility to check that your work is in line with guidance issued by the ICO, the Legal and Information Governance team and local procedures. There is an e-learning toolkit available to staff. If, once you’ve completed this training, you think you need additional training, please email firstname.lastname@example.org. There is work underway within most areas of the University. Check with your GDPR Task Group representative to see what is going on in your area.
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
We will still keep this regulation once the UK leaves the EU for two reasons:
The main changes in the GDPR are:
The good news is that most of the data processed by the University falls within our public task, or forms part of our obligations under contract with the student. Consent needs to be managed carefully. The GDPR requires consent to be ‘specific, explicit, informed and freely given’. In order for the consent to be ‘specific’, the request for consent must be distinguishable from any other parts of a form.
Similarly, for the consent to be ‘explicit’ the individual must sign/agree to the request to provide the information separately from any other part of the form. For example, where a student agrees to be part of a research project, they sign/agree once to take part in the research and then sign/agree a second time to the actual data processing that is involved. This consent must be retained for as long as the data to which it refers is held.
Having, and making available, a fair processing notice (see FAQ 7) means that when a person consents to their data being processed, their consent is informed by the information provided in the fair processing notice.
The final element of consent, that it is ‘freely given’, may be the hardest to achieve. If there is any element of the processing of the personal data that cannot be started, or continue without the individual’s consent to it, then the consent cannot be freely given and it will be necessary to find another legal basis for the data processing.
Under the GDPR data breach notification is now compulsory, whereas it was voluntary under the DPA 1998. The ICO will issue guidelines for when it is necessary to report a breach (similar to those in existence under the DPA 1998), but the GDPR requires that the data controller shall report a data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
This depends. If consent has been used as the legal basis for processing, then an individual has the right to withdraw consent at any time, and the information must be deleted. However, for other legal bases of processing, the right to erasure is not an absolute right and a test needs to be applied to see if the information should be retained. In each case or request, a log should be kept of the request, the decision, and any documents to support the justification for the decision.
We should certainly think about how much data we record and whether we need all of it to complete our activities, but if it is necessary and we have adhered to all the GDPR recommendations you should not stop recording it or remove it from documents or systems.
There are many things you can do to look after data effectively. Listed below are some best practice approaches, which we will update regularly.
Always carry in hand luggage when travelling & use a privacy screen when in a public place
Computers at Work:
Lock your screen whenever you are away from your desk
These should be a mixture of upper & lower case, numbers and symbols. If you use a PIN make it longer than the standard 4 digits. And never use a password that you use elsewhere
When sending to third parties you should encrypt the file and use secure data transfer systems
If you have to send data to another person within your organisation you don’t have to encrypt, but you should password protect the file and then send the password in a separate email.
These should be carried with you at all times and be PIN/facial recognition protected.
Operate a clear desk policy – not only will it make you more organised, it will ensure that all paper files are secured at all times.
We should digitalise files wherever possible, making them easier to store and search, but if you have to keep a hard copy this should be under lock and key.
| GDPR | General Data Protection Regulation |
| DPIA | Data Protection Impact Assessment |
| SAR | Subject Access Request |
The Freedom of Information Act 2000 came into force in 2005 and its purpose is to promote transparency and accountability by allowing individuals the right to access “recorded” information held by public organisations.
In accordance with the Act the University has made available a Publication Scheme. This document details the types of information the University routinely publishes and how to access it.
A considerable amount of information can also be found on the University webpages. Please consult the University webpages and the University Publication Scheme for information you require.
If you are unable to locate the information you require, you may submit a formal request for information. Please submit your request in writing to email@example.com, stating your name, address and information you require.
Alternatively if you wish to submit your request by post, please send to:
Information Governance Officer
Legal and Governance Directorate
Maxwell 6th floor
University of Salford
Access to information and IT systems is essential for the University to function competitively in the higher education environment. Information Security is the corporate framework of culture, policies, organisational structure and operating environments used to ensure confidentiality, integrity and availability of our information.
The Senior Information Security Officer, based with the Legal & Governance Directorate, works together with all University departments and Schools to develop policy, advice and guidance on information security issues – whether new information systems, projects to share information with external partners, or major revisions to existing information systems and procedures that hold personal information, i.e. confidential information.
This can be achieved by implementing controls in:
Responsibility of Estates with each resident School and department
Personnel and training security
Responsibility of Human Resources
Responsibility of Senior Information Security Officer and Business Owners
Responsibility of Digital IT and System Owners (outside DIT)
All these measures must be implemented in tandem rather than being a one-off, as you can see in the diagram below.
The University needs to know about incidents involving:
The Information Governance Team are part of a co-ordinated team across Legal & Governance and Digital IT called the IT Security Emergency Response Team (ITSERT) who respond to and manage investigations into data breaches and security incidents.
Please report any data breaches or security incidents to the Digital IT Service Desk on 0161 295 2444. The Service Desk will refer the case to the relevant teams.
You should always report your concerns because misuse could damage the University network, be illegal or have a negative impact on the University's reputation. All of these can have a negative effect on your studies or job with the University. By reporting your concerns, you are providing the best opportunity to prevent any recurrence and to limit damage to the University and its data subjects as quickly as possible.
Under the forthcoming General Data Protection Regulation there will be a strict time limit for the University to notify the Information Commissioner about serious personal data breaches – we can only meet the time frame if you tell us about the incident or breach immediately!
Records management is the process by which the University manages all the elements of records whether externally or internally generated and in any format or media type, from their inception/receipt, all the way through to their disposal. Good records management:
All staff can help implement good records management by:
Additional guidance is available from the Information Governance Team.