Introduction
From 25 May 2018, the current legislation in the UK (Data Protection Act 1998) will be replaced by the EU General Data Protection Regulation (GDPR).
Data protection legislation sets out rules and standards for the use and handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’) by organisations (‘data controllers’).
The law applies to organisations in all sectors, both public and private. It applies to all electronic records and to paper records held in a structured filing system. It doesn’t apply to anonymous information or to information about the deceased.
All of the legislation is built around three notions: principles, rights and accountability obligations. In the UK it is enforced by the Information Commissioner’s Office (ICO) and by the courts.
Whether you are a staff member or a student, you have rights and responsibilities in relation to Data Protection and you should be aware of them.
Your role in Data Protection
As employees of the University, we all have a responsibility to inform ourselves of the upcoming changes to the law. There are several places you can go to learn more about GDPR and what it means for you.
- Through an online course
- On the current data protection guidance page of the University, where there are also links to sources of additional guidance provided by other parts of the University
- In the short Data Protection Quick Guide leaflet
- Find out more about data protection and research on the research guidance page
- If you have a data protection query please contact the Department of Engineering Data Protection Contact dpa-enquiries@eng.cam.ac.uk
The University and Data Protection
The University’s Information Compliance Office maintains a web site covering information on Data Protection, Freedom of Information, and guidance on Records Management related to both Acts.
Engineering Department and GDPR
GDPR is substantially more prescriptive than the Data Protection Act in describing how organisations should implement the principles and uphold the rights of individuals – and how they should demonstrate that they are doing so. In preparation, we have a GDPR Working Group reviewing policies and procedures to ensure these will comply with the new law. The Working Group is chaired by Philip Guildford and comprises administrators from across the Department who are responsible for, and/or regularly work with, personal data.
In order to assist with the implementation of GDPR, the Department has a Data Protection Contact who is responsible for Data Protection in the Department. Currently this is Derek Matthews dpa-enquiries@eng.cam.ac.uk.
The Data Protection Contact’s role is to:
- Assist the University Data Protection Officer in responding to Subject Access Requests by locating the relevant data held in the Department.
- Raise awareness of data protection and its implications for staff and students
- Advise and help members of staff
- Support the Department with good data protection practices.
What are the new prescriptive requirements?
In short, there are changes to the following:
- The existing data protection principles have been reinforced and an accountability principle has been introduced.
- The legal bases under which organisations can use an individual’s personal data have been subtly changed, and the conditions under which an individual’s consent can be valid are more stringent.
- Much more detailed information needs to be supplied to individuals about how their personal data is used (via what are usually termed ‘privacy notices’).
- Individuals can exercise their rights for free. The GDPR both boosts existing rights (e.g. the right to access the personal data or the right to have inaccurate data corrected) and introduces new ones (e.g. the right to be forgotten).
- Organisations are required to promote a culture of ‘privacy by design and default’ through measures such as Data Protection Impact Assessments, security assessments, the maintenance of registers setting out how personal data is used, and mandatory terms in legal agreements with other organisations with whom data is shared.
- Certain types of personal data breach must be notified to the ICO within 72 hours of the organisation becoming aware of them, and, where the breach is likely to result in a high risk to individuals, to the affected individuals as well.
The changes will have a wide-ranging impact on how all organisations, including the University, can hold and use information about living identifiable individuals.
Privacy Notices
An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used by the organisation. The supply of this information – through documents variously known as ‘privacy notices’, ‘data protection statements’, ‘data collection notices’, ‘privacy policies’ and numerous other interchangeable terms – takes place in numerous targeted ways depending on the context of the interaction with the individual. The University’s core privacy notices – each titled ‘How we use your personal information (for …)’ – are available from the menu on the Data Protection page. If the core notices do not meet your needs and you need to create a local privacy notice, you should follow the procedures and guidance available and, if necessary, seek advice from the Department’s Data Protection Contact dpa-enquiries@eng.cam.ac.uk. Below is an example of a privacy notice for an event.
Rights and Subject Access Requests
Under data protection legislation an individual has the right, subject to certain exemptions, to access the personal information that an organisation holds about them. Accessing personal data in this way is known as making a ‘subject access request’. Members of staff may occasionally receive requests from Data Subjects for access to documents and/or data. Staff receiving such requests should follow the procedures and guidance available and, if necessary, seek advice from the Department’s Data Protection Contact dpa-enquiries@eng.cam.ac.uk.
Individuals have other rights under the Data Protection Act 1998, such as the right to prevent data processing which is likely to cause substantial and unwarranted damage or distress, the right to prevent processing for the purpose of direct marketing, and the right to correct inaccurate personal data. These existing rights are enhanced and supplemented in the GDPR.
Accountability obligations
Data protection legislation imposes certain responsibilities on all those who process personal data at the University, whether members of staff holding, using, sharing or destroying personal data in their teaching, research or administration, or students accessing and recording personal data in their studies or other activities. The responsibilities apply to the handling of all personal data, but are strengthened when using more sensitive types of information about individuals.
These obligations include holding and using data in a secure manner, making sure that data is handled in line with what individuals have been told in the privacy notices, having appropriate arrangements in place for the access to (and sharing of) data, and making sure that data is accurate and retained for a suitable period.
Under the GDPR, greater emphasis is placed on an organisation’s accountability for its data protection compliance. Certain record-keeping and policy/procedural requirements become mandatory in some circumstances. An example is the requirement to compile and maintain documentation or registers about all the personal data that you hold. Key departmental assets have been added to the University Information Asset Register in preparation for GDPR.
Data breaches
One of the most important accountability obligations concerns personal data breaches – that is, any breach of security in which personal data held by the University is lost, stolen, accidentally destroyed or altered, accessed without authorisation, inadvertently disclosed to an external party, or accidentally published. If a personal data breach occurs, or is suspected, it should be reported immediately to the Data Protection Contact dpa-enquiries@eng.cam.ac.uk, who should then inform:
- The Information Compliance Office and/or
- If the breach is IT-related in any way, University Information Services
Remedial work can then be done to contain the breach. On occasion, we need to report breaches to relevant external authorities, including the ICO, within a short timeframe (72 hours of becoming aware of the breach, in the case of the ICO), so prompt internal reporting matters.
Retention Schedules
Efficient management of the Department’s records and information is necessary to support its core functions, to comply with its legal and regulatory obligations, and to contribute to the effective management of its activities.
The Information Compliance Office has issued a Statement of Records Management Practice and Master Records Retention Schedule. The Statement sets out the University’s framework for the management of its records. The Schedule provides recommendations to University Institutions on minimum retention periods for various classes of records, including an indication of those records that are or might be suitable for permanent preservation within the University Archives at the University Library. We are strongly encouraged to follow these recommendations which have been formulated in the context of existing University policies and guidelines, national legislation and sector-wide best practice standards.
Statement of Records Management Practice and Master Records Retention Schedule
Cyber Security and GDPR
Make sure your procedures for the management of personal data are secure, and bear in mind some key points of advice.
Take the online training modules Stay Safe Online provided by UIS