
Information Compliance


This page provides an overview of the following data protection topics and links to sources of further information.


Legislation

Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers').

The law applies to organisations in all sectors, both public and private.  It applies to all electronic records as well as many paper records. It doesn’t apply to anonymous information or to information about the deceased.

Until 24 May 2018, the legislation in the UK is the Data Protection Act 1998 (DPA 1998).  From 25 May 2018, this will be replaced by the EU General Data Protection Regulation (GDPR), coupled with a new Data Protection Act that supplements the GDPR in specific ways and which is currently being debated by the UK Parliament. All of the legislation is based around the notions of principles, rights and accountability obligations. The legislation is regulated in the UK by the Information Commissioner's Office (ICO) as well as the courts.

Under the DPA 1998, the University maintains a data protection registration (also known as a notification) with the ICO. This outlines, in very general terms, the personal data being processed by the University. The University's register entry number is Z6641083 and may be found by searching the Information Commissioner's public register.  (The registration system will cease when the GDPR applies.)  Each of the 31 Colleges of the University is a separate legal entity and data controller for the purposes of data protection legislation.


Principles

Data controllers processing personal data must follow - and be able to demonstrate that they are following - the data protection principles.

Under the GDPR, there are six principles.  Personal data must be processed following these principles so that the data are:

  1. Processed fairly, lawfully and transparently - and only if there is a valid 'legal basis' for doing so

  2. Processed only for specified, explicit and legitimate purposes

  3. Adequate, relevant and limited

  4. Accurate (and rectified if inaccurate)

  5. Not kept for longer than necessary

  6. Processed securely - to preserve the confidentiality, integrity and availability of the personal data

Under the DPA 1998 there were eight principles but two of these (about the rights of data subjects and transfers of personal data outside the European Economic Area) are covered in different ways in the GDPR.  Depending on the context, there are full or partial exemptions from the principles when processing personal data for specific purposes, including academic research.


Privacy notices

An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used. The supply of this information - through documents variously known as 'privacy notices', 'data protection statements', 'data collection notices', 'privacy policies' and numerous other interchangeable terms - takes place in numerous targeted ways depending on the context of the interaction with the individual. The University's core privacy notices - each titled 'How we use your personal information (for ...)' - are available from the menu on this page.


Rights

Under the GDPR, data subjects are given various rights:

  • The right to be informed of how their personal data are being used - this right is usually fulfilled by the provision of 'privacy notices' as described above

  • The right of access to their personal data - accessing personal data in this way is usually known as making a 'subject access request'

  • The right to have their inaccurate personal data rectified

  • The right to have their personal data erased where appropriate - known as the right to be forgotten

  • The right to restrict the processing of their personal data pending its verification or correction

  • The right to receive copies of their personal data in a machine-readable and commonly-used format - known as the right to data portability

  • The right to object: to processing (including profiling) of their personal data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest

  • The right not to be subject to a decision based solely on automated decision-making using their personal data

A response to a rights request needs to be sent within one month. However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions (for example, nearly all the rights do not apply if the personal data are being processed solely in an academic research context). These rights build upon and strengthen rights given to data subjects under the DPA 1998.


Accountability obligations

Data protection legislation imposes certain accountability obligations on all data controllers. Under the GDPR, the main obligations for large data controllers include:

  • Implementing policies, procedures, processes and training to promote 'data protection by design and by default'

  • Where necessary, carrying out systematic Data Protection Impact Assessments (DPIAs) on 'high risk' processing activities

  • Having appropriate contracts in place when sharing personal data - especially when outsourcing functions that involve the processing of personal data and/or transferring the personal data outside the EEA

  • Maintaining records of the data processing that is carried out across the organisation

  • Documenting and reporting personal data breaches both to the ICO and the affected data subjects

  • Where necessary, appointing an independent Data Protection Officer to advise on and monitor compliance


Data breaches

One of the most important accountability obligations concerns personal data breaches - that is, incidents in which personal data held by the University are lost, stolen, inadvertently disclosed to an external party, or accidentally published. If a personal data breach occurs, it should be reported immediately to appropriate staff within your University Institution (e.g. senior administrative or IT staff), who should then inform:

Remedial work can then be done so that the breach can be contained. On occasion, we need to report breaches to relevant external authorities, including the ICO, within a short timeframe.


Policy

The University's Data Protection Policy was approved by the University Council at its meeting on 19 March 2018.


Guidance and training

More detailed guidance for University staff on data protection is published:

Data protection training for University staff is available: