Data Protection under the General Data Protection Regulation (GDPR)

The law around data protection is changing. The GDPR will apply in the UK from 25th May 2018 and will replace the current Data Protection Act (DPA). The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

The GDPR has many similarities to the DPA but technology has changed since 1998, and the GDPR reflects this to protect everyone’s privacy and personal data in today’s digital world.

The University will need to do some things differently in the way we collect, use and manage personal data and all staff will need to ensure compliance. Work is underway to prepare for the changes and these pages will continue to be updated to provide further advice and guidance.

Personal data

Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are broadly the same as those in the DPA, but there are some minor changes.

For example, the special categories specifically include genetic and biometric data, where processed to uniquely identify an individual.

Processing sensitive personal data has additional requirements which must be adhered to.

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

The principles are similar to those in the DPA, with added detail at certain points and a new accountability requirement. The GDPR does not have principles relating to individuals’ rights or overseas transfers of personal data - these are specifically addressed in separate articles.


The principles in Article 5 of the GDPR require that personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to individuals;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


Article 5(2) requires that:

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

All processing of personal data under the GDPR needs to have a legal basis, often referred to as the “conditions for processing” under the DPA.

It is important that we determine the legal basis for processing, as under the GDPR this has an effect on individuals’ rights. For example, if we rely on consent, individuals will generally have stronger rights, such as having their data deleted.

Processing Conditions

  • Consent of the data subject
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary to protect the vital interests of a data subject or another person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

There is a further condition, but this is not available to processing carried out by public authorities in the performance of their tasks. Therefore any personal data processed by the University under the DPA Legitimate Interest condition will need to be reviewed.

  • Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Sensitive personal data

There are additional requirements when processing sensitive personal data.

Consent under the GDPR has more specific requirements than the DPA.

  • Consent must be freely given, specific, informed and unambiguous
  • Consent requires some form of clear affirmative action. An opt-out or silence does not constitute consent
  • Consent must be demonstrable. Some form of record must be kept of how and when consent was given.
  • Individuals have the right to withdraw consent at any time.

Where we already use consent under the DPA we will not need to obtain fresh consent, as long as it meets the standard required by the GDPR. Therefore all current processing that uses consent should be reviewed to ensure it meets the GDPR requirements.

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.

The GDPR provides the following rights for individuals:

  1. The right to be informed – usually via Privacy notices
  2. The right of access – known as subject access requests (SAR)
  3. The right to rectification
  4. The right to erasure – also known as the right to be forgotten
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object – includes profiling, direct marketing and processing for research
  8. Rights in relation to automated decision making and profiling.


These are not absolute rights and do not always apply. There continue to be a number of exemptions to all these rights to ensure, for example, that legal requirements can be met and to protect the public interest.

Under the current DPA it is recommended that a Privacy Impact Assessment is carried out to ensure all projects and new systems are built with appropriate security measures and compliance with the DPA. Under the GDPR this will become a legal requirement, and for high-risk situations we will be required to consult with the ICO to seek its opinion as to whether the processing operation complies with the GDPR.

Carrying out an impact assessment at the start of a project ensures privacy by design and compliance with legislation, and that systems are built with security from the outset and risks are managed. This often results in better and cheaper solutions, as adding in good security at a later date can be costly.

Further information and templates are available from the Information Governance team; if you are starting a new project or system that uses personal data, please get in touch.

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

A breach that is likely to result in a risk to the rights and freedoms of individuals will need to be reported to the ICO and individuals notified directly.

A notifiable breach has to be reported to the ICO within 72 hours of the University becoming aware of it and, when appropriate, the data subjects must be notified within the same tight timescale.

Fines have increased, and the maximum fine can be up to 20 million Euros or 4% of global turnover for a breach, depending on a number of factors. Failure to report a breach can also result in fines.

The University requires all incidents and breaches to be reported so we can assess and reduce the risks and where possible prevent incidents from becoming breaches.

For further information please see the Reporting a data breach / incident page.