General Data Protection Regulation - FAQ

It is any information relating to an identified or identifiable living person (known as a ‘data subject’).

Example of personal data include contact details, health data, national insurance number etc.

Names are not necessarily required in order to identify an individual; simply because you do not know the name of an individual does not mean that you cannot identify them. Similarly, a name by itself may not always be personal data, particularly if that name is particularly common e.g. John Smith. Factors other than a person’s name may reveal information about them e.g. social, cultural, genetic, physical, an ID number, biometric data.  Context may also reveal information about an individual. Where a name is combined with other information, such as an address, a physical description or a job title, this is likely to clearly identify one individual.

If you learn something about an individual from text, it is personal data regulated by the GDPR.

This was called "sensitive" personal data under the DPA. Stricter conditions apply to the processing (use) of this data. It is information relating to:

• racial or ethnic origin;
• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• genetic data;
• biometric data for the purposes of uniquely identifying a person;
• data concerning health; or
• data concerning a natural person's sex life or sexual orientation.

Processing is anything that can be done to personal data from its creation to its destruction and everything in between (e.g. obtaining, disclosing, amending, storing, deleting) whether or not by automated means. 

The first principle of the GDPR requires that you process all personal data lawfully, fairly and in a transparent manner. Processing is only lawful if you have a lawful basis as prescribed by the GDPR and you must be able to show that a lawful basis applies.

The requirement to have a lawful basis in order to process personal data is not new. The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences. You now need to review your existing processing, identify the most appropriate lawful basis, and check that it applies.

You can choose a new lawful basis if you find that your old condition for processing is no longer appropriate under the GDPR, or decide that a different basis is more appropriate. 

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.  Consent must be unambiguous and it means genuine choice and control.  Because consent can be withdrawn at any time, you should only rely on consent if no other basis applies.
   
   
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract, e.g. monitoring academic performance is necessary to perform the tuition contract with students.
   
   
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations), e.g. providing information when requested to do so by regulatory bodies, disclosing information in response to a court order.
   
   
4. Vital interests: the processing is necessary to protect someone’s life.
   
   
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. 
   
   
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks. You can rely on it for private tasks e.g. marketing.)

This means it must be a targeted and proportionate way of achieving the purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means.

This depends on your specific purposes and the context of the processing. You should consider which lawful basis best fits the circumstances. You might consider that more than one basis applies, in which case you should identify and document all of them from the start.

For example, the University might rely on a mixture of legitimate interests and consent for alumni relations and fundraising purposes.

The University is required to issue privacy notices to individuals, which identify, amongst other information, the lawful basis for processing. You will also need to include other information in your privacy notice including the purposes for which you have obtained the personal data, the categories of recipient of that data (internal and external), the retention period, any overseas transfers and the individual’s rights.  Additional information needs to be provided when you receive personal data indirectly form a third party, e.g. the categories of personal data you hold and the source.

If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose.

However, the GDPR specifically says this does not apply to processing based on consent. You need to either get fresh consent which specifically covers the new purpose, or find a different basis for the new purpose.

If you are processing special category data, you need to identify both a lawful basis for processing and an additional special category condition for processing set out in the GDPR. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.

Those bases include:

• explicit consent,
• employment law,
• vital interests,
• information made public by the individual,
• legal claims,
• substantial public interest,
• preventative/occupational medical purposes,
• public health,
• research, provided there are safeguards and it is the public interest

 

A Controller is the natural or legal person (i.e. the University), public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.

Where two or more controllers jointly determine the purposes and means of processing. The GDPR requires the joint controllers to enter into “an arrangement” that reflects their roles and relationships toward the data subjects. Whilst the word “arrangement” rather than contract is used, the reality is that this is likely to be done by way of a written data sharing agreement. Examples of joint controllers are the University and the Students’ Union, and the University and research students.

A Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. Therefore, it is the Controller who engages the Processor. Examples include outsourced services such as organisations which conduct surveys of behalf the University, cloud services or translation services.

Controllers and Processors have different responsibilities and obligations, so it is important to know which one you are so that you know what you are responsible for.

Controllers are responsible for most aspects of compliance with the GDPR even when engaging a Processor to process personal data on their behalf.

Processors act only under the instructions of Controllers. They must keep personal data secure from unauthorised access, loss or destruction. If a Processor processes personal data, other than in accordance with the Controller’s instructions, they become a Controller.

Both the Controller and the Processor can be investigated by the ICO and fined.

Both the Controller and the Processor can be sued by the data subject and both can be held liable for the full amount of the damages.

Controllers are liable for compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. A Controller must only use a Processor providing sufficient guarantees that it has appropriate technical and organisational measure in place in respect of data protection. This means that you should conduct a due diligence exercise on any prospective service providers who may be acting as a Processor for you.

Processing must be governed by a written contract.

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

Contracts must set out as a minimum:

• the subject matter and duration of the processing;
• the nature and purpose of the processing;
• the type of personal data and categories of data subject; and
• the obligations and rights of the controller.

Contracts must also include as a minimum the following terms, requiring the processor to:

• only act on the written instructions of the controller;
• ensure that people processing the data are subject to a duty of confidence;
• take appropriate measures to ensure the security of processing;
• only engage sub-processors with the prior consent of the controller and under a written contract;
• assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
• assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
• delete or return all personal data to the controller as requested at the end of the contract; and
• submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

In the future, standard contract clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However at the moment no standard clauses have been drafted.

So what?

Any contracts in place with Processors on 25 May 2018 will need to meet the new GDPR requirements.

What should you do now?

You should therefore check your existing contracts with Processors to make sure they contain all the required elements. If they do not, you should get new contracts drafted and signed. You should review all template contracts you use.

Personal data is considered to be transferred internationally when:

• It is physically transferred across a border; or
• It is accessed across borders.

Transfers of personal data are not restricted within the EU.

Transfers to other countries are prohibited unless such country provides “an adequate level of data protection” as determined by the European Commission or unless certain other conditions are fulfilled.

The list is constantly being updated, but currently contains the following:

Andorra
Argentina
Canada
Faroe Islands
Guernsey
Israel
Isle of Man
Jersey
New Zealand
Switzerland
Uruguay

US - if the company is signed up to Privacy Shield - you can go on privacyshield.gov to check this.

Contractual safeguards:

• Use of EU-approved Model Contracts between the Data Exporter and Data Importer
• Binding Corporate Rules
• Codes of Conduct and Certification – an external Controller or Processor may commit to a scheme approved at EU level.

If none of these options applies, you can transfer the personal data if:

• you have the individual’s explicit consent;
• the transfer is a necessary to enter into or perform a contract perform with the individual (e.g to provide a mandatory overseas placement);
• the transfer is a necessary to enter into or perform a contract perform with another person/organisation for the benefit the individual (e.g. when the University takes out local insurance for students on overseas field trips); or
• the transfer is necessary for legal proceedings/advice.

(This is not exhaustive).

What should you do now?

Consider whether any of your arrangements necessitate the international transfer of personal data. If so:

• Is that country considered adequate?
• If not, is there a contractual safeguard is in place?
• If not, can you rely on consent, contractual necessity etc.?

This should also be set out in your privacy notice.

DPIAs (also known as privacy impact assessments or PIAs) is an assessment that is undertaken to identify potential areas of non-compliance and minimise risk.

The ICO has promoted the use of DPIAs as an integral part of taking a privacy-by-design approach (see separate FAQ).

You must carry out a DPIA when:

• using new technologies; and
• the processing is likely to result in a high risk to the rights and freedoms of individuals.

Some data-analytics technologies which monitor students’ access to learning resources in tandem with their academic performance may qualify for a DPIA.

• A description of the processing activity and the purposes, including, where applicable, the legitimate interests pursued by the University.
• An assessment of the necessity and proportionality of the processing in relation to the purpose.
• An assessment of the risks to individuals.
• The measures in place to address risk, including security and to demonstrate that you comply.
• The formal advice of the DPO.

The way a DPIA is conducted will depend on the proposed processing activity.

If unmitigated risk is identified, the University must notify the ICO.

Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. 

The University is required to implement appropriate technical and organisational measures to ensure data protection principles such as data minimisation are met.

Article 32 of the GDPR gives examples of "appropriate measures", as follows:

• Pseudonymisation, i.e using personal data in a way that minimises the opportunity for identifying individual e.g. by using ID codes;
• Encryption;
• The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing and evaluation the effectiveness of technical and organisational measures for ensuring the security of processing.

The University must ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed. It relates to the amount of personal data collected, the extent of the processing, the retention period and who has access to it. In particular, personal data should not automatically be made accessible to an indefinite number of people without the individual’s intervention. By way of practical example: counselling records should be held on separate part of the University system and accessible only to relevant members of the counselling team.

The University must only process data to an extent that is necessary, and must only store data as long as necessary.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Some examples include:

• loss or theft of data or equipment on which data is stored, such as memory sticks and laptops;
• inappropriate access controls allowing unauthorised use, i.e. giving staff members access to all data;
• equipment failure;
• human error;
• hacking attacks; and
• inadvertent disclosure.

Complying with the requirements for privacy by design and default and conducting DPIAs where appropriate will help to prevent personal data breaches.

There is an obligation to notify the appropriate Supervisory Authority, where feasible, within 72 hours unless the breach is unlikely to result in risk to individuals.

There is a requirement to notify individuals if the breach is likely to result in a high risk to them.

Therefore, please notify the University’s Data Protection Team as soon as you become aware of a data breach, no matter how small.

You need to consider GDPR when negotiating any contracts which involve the sharing of personal data between the parties.

If the contract will still be in force following 25 May 2018, you need to think about GDPR now. Otherwise, you will need to re-negotiate the data protection provisions following that date as you may be in breach.

The type of clauses that you will need to add to the contract will depend on the relationship between the contracting parties.

They could be:

• Controller to Controller
• Controller to Processor
• Processor to Sub-Processor

As we mentioned in the FAQs “Controller vs Processor”, the GDPR requires very specific provisions to be included in a written contract between a Controller and a Processor.

Contact the Data Protection Team for guidance.

An Information Asset Register or IAR is a record of all of the personal data stores that the University holds, as well as key stores of non-personal data.