Frequently Asked Questions
A: The GDPR defines personal data as: "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity." Examples of personal data could include, names, addresses, photos, video, ID numbers, DNA, IP addresses, job titles and so on.
A: The GDPR defines data processing as: "any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."
A: The GDPR requires us to "protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing"; a failure to do so is a data breach.
A: Sometimes. If you have any concerns about disposal, you should raise them.
A: No. We need to be able to tell people which condition of processing we are using, but consent is only one of the five available to us.
A: There are exemptions which we will be able to apply to ensure that we meet our legal obligations.
A: Yes, this should be included in the relevant privacy notice.
A: It depends on how the data is being gathered and provided to us. It is likely that the processes and access will need to be reviewed as part of a department's action plan.
A: They aren't mandatory, but it may help to have one in order to identify potential risks.
A: Secondary processing must be included in the privacy notice for the data. If you are processing data with the consent of the data subject then specific consent should be sought for any secondary processing.
A: Personal data in email is a very particular problem. Assets which incorporate an element of email use for processing personal data should be reported on the asset register for consideration.
A: Technical Security is managed by Exeter IT so the first thing to do is to make sure that the data is held on the managed estate.
A: Fully anonymised data is not personal data and can therefore be held for as long as necessary. Pseudonymised data, however, is personal data and should follow standard retention guidelines.
A: The University has a published retention schedule on the Information Governance website. It will be updated based on the outcome of the Information Audit.
A: It is likely that many older contracts will need to be updated with new wording even if the substance of the terms does not change. This is especially true where the Data Protection Act is specifically referenced or where data is shared with third parties.
A: It needs to cover everything you currently process, regardless of how old it is. Remember that processing includes simply storing.
A: Yes, after 25 May 2018 all processing of personal data will be covered by the GDPR.
A: The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.
The GDPR provides the following rights for individuals:
- The right to be informed – usually via Privacy notices
- The right of access – known as subject access requests (SAR)
- The right to rectification
- The right to erasure – also known as the right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object – includes profiling, direct marketing and processing for research
- Rights in relation to automated decision making and profiling.
These are not absolute rights and do not always apply. There continue to be a number of exemptions to all these rights to ensure, for example, that legal requirements can be met and that the public interest is protected.
A: Under the current DPA it is recommended that a Privacy Impact Assessment is carried out to ensure all projects / new systems are built with appropriate security measures and compliance with the DPA. Under the GDPR this will become a legal requirement, and for high-risk situations we will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
Carrying out an impact assessment at the start of a project ensures privacy by design, compliance with legislation, and that systems are built with security from the outset and risks are managed. This often results in better and cheaper solutions, as adding good security at a later date can be costly.
Further information and templates are available from the Information Governance team; if you are starting a new project or system that uses personal data, please get in touch.
FAQs relating to Consent
A: There are no plans at present, but this is something the University intends to investigate.
A: Yes, if it meets all the required criteria. It is very likely that this will require a recording to provide the evidence component.
A: If the existing consent is not GDPR compliant then yes. This will be the case if, for example, there is no evidence on file or opt-out was used.
A: All personal data about that individual which is being processed using their consent must be disposed of. Any data being processed using another condition is unaffected.
A: Consent under the GDPR has more specific requirements than under the DPA.
- Consent must be freely given, specific, informed and unambiguous.
- Consent requires some form of clear affirmative action. Opt-out or silence does not constitute consent.
- Consent must be demonstrable. Some form of record must be kept of how and when consent was given.
- Individuals have the right to withdraw consent at any time.
Where we already use consent under the DPA we will not need to obtain fresh consent, as long as it meets the standard required by the GDPR. Therefore, all current processing that relies on consent should be reviewed to ensure it meets the GDPR requirements.