Data protection: top 5 tips for all University staff
This page provides an overview of the following data protection topics and links to sources of further information.
- Rights (including recognising and passing on rights requests)
- Personal data breaches (including reporting personal data breaches)
Legislation
Purpose of the legislation
Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers'). It is based around the notions of principles, rights and accountability obligations.
The law applies to organisations in all sectors, both public and private. It applies to all electronic records as well as many paper records. It doesn’t apply to anonymous information or to information about the deceased.
Current legislation
Since 1 January 2021, the principal legislation has been:
- The UK General Data Protection Regulation (the UK GDPR).
- The Data Protection Act 2018 (DPA 2018), which supplements the UK GDPR in specific ways.
The UK GDPR is almost identical to the EU-wide GDPR that applied from 25 May 2018 to 31 December 2020, with minor technical changes to allow its provisions to work within a UK-only context.
The EU GDPR itself replaced the Data Protection Act 1998 (DPA 1998) and the numerous Statutory Instruments issued pursuant to it.
There is also supplementary data protection legislation covering specific topics, such as direct marketing.
Regulation and offences
The legislation is regulated in the UK by the Information Commissioner's Office (ICO) as well as the courts, through which individuals can pursue civil claims for damages. The DPA 2018 delineates the regulatory powers of the ICO as well as introducing various criminal offences.
The University (like most UK data controllers) is required to pay an annual fee to the ICO and to be included in its register of fee payers (the University's register entry number is Z6641083). It should be stressed that the University of Cambridge - although a large, complex and devolved organisation that includes a major trading department (Cambridge University Press & Assessment) and various cultural attractions (including libraries, museums and a theatre) as well as 'standard' academic departments and administrative offices - is a single legal entity and so is a single data controller. Each of the 31 Colleges of the University, however, is a separate legal entity and data controller for the purposes of data protection legislation.
Proposed legislative changes
In October 2024, the Government introduced various data protection reforms as part of a wider Data (Use and Access) Bill which remains subject to Parliamentary debate. (This followed various attempts at reform by the previous Government, including a consultation exercise in late 2021 leading to the Data Protection and Digital Information Bill which was then withdrawn before being replaced by another Bill of the same name that did not complete its passage through Parliament.) The proposed changes in the Data (Use and Access) Bill - like those in the previous Bills - primarily are 'technical' and do not significantly alter the underlying legal framework of principles, rights and accountability obligations.
Principles
Data controllers processing personal data must follow the data protection principles.
There are six principles. Personal data must be processed following these principles so that the data are:
- Processed fairly, lawfully and transparently - and only if there is a valid 'legal basis' for doing so.
- Processed only for specified, explicit and legitimate purposes.
- Adequate, relevant and limited.
- Accurate (and rectified if inaccurate).
- Not kept for longer than necessary.
- Processed securely - to preserve the confidentiality, integrity and availability of the personal data.
Data controllers must also be able to demonstrate that they are following the principles.
Depending on the context, there are full or partial exemptions from the principles when processing personal data for specific purposes, including different types of academic research.
Privacy notices
An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used. The supply of this information - through documents variously known as 'privacy notices', 'data protection statements', 'data collection notices', 'privacy policies' and numerous other interchangeable terms - takes place in numerous targeted ways depending on the context of the interaction with the individual.
The University's core privacy notices are as follows:
- For those engaged with, or attending, undergraduate or postgraduate outreach, widening participation and student recruitment events and activities
- For research participants (this notice is used to supplement the specific information supplied via a participant information sheet or consent form, or equivalent documentation, issued by a particular research project)
- For third parties whose personal data is used for academic and research purposes
The University also has a wide variety of more specific privacy notices that are supplied when people engage with particular University websites, services, facilities, events or initiatives. Many of these more specific notices link to the general privacy notice, which provides certain statutory information that is the same in all such contexts.
Rights
Data subjects are given various rights, which are free to exercise:
- The right to be informed of how their personal data are being used - this right is usually fulfilled by the provision of 'privacy notices' as described above.
- The right of access to their personal data - accessing personal data in this way is usually known as making a 'subject access request'.
- The right to have their inaccurate personal data rectified.
- The right to have their personal data erased where appropriate - also known as the right to be forgotten or the right to deletion.
- The right to restrict the processing of their personal data pending its verification or correction.
- The right to receive copies of their personal data in a machine-readable and commonly-used format - known as the right to data portability.
- The right to object: to processing (including profiling) of their personal data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest.
- The right not to be subject to a significant decision based solely on automated decision-making using their personal data.
A response to a rights request normally needs to be sent within one month. However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions (for example, nearly all the rights may not apply if the personal data are being processed solely in an academic research context).
Recognising and passing on data protection rights requests
While the vast majority of data protection rights requests are submitted through the standard central procedure, staff should note that such requests can be submitted to anyone working within the University and do not need to mention data protection or cite any specific legislation. Many items of correspondence that technically are basic rights requests can and should be fulfilled in the normal course of business (e.g. 'please correct my home address'; 'please send me a copy of my exam timetable for this summer'). For anything else, or if you are unsure, the request may need to be handled formally and staff should contact the Information Compliance Office.
Accountability obligations
Data protection legislation imposes certain accountability obligations on all data controllers. The main obligations for large data controllers include:
- Implementing policies, procedures, processes and training to promote data protection by design and by default.
- Where necessary, carrying out systematic Data Protection Impact Assessments (DPIAs) on 'high risk' processing activities.
- Having appropriate contracts in place when sharing personal data - especially when outsourcing functions that involve the processing of personal data and/or transferring the personal data outside the UK.
- Maintaining records of the data processing activities that are carried out across the organisation.
- Deploying appropriate technical and organisational measures to keep personal data secure depending on the level of risk.
- Documenting and handling personal data breaches, and reporting them as necessary to the ICO and the affected data subjects.
- Where necessary, appointing an independent Data Protection Officer to advise on and monitor compliance - the University has outsourced this statutory DPO function.
Personal data breaches
One of the University's most important accountability obligations under data protection legislation concerns personal data breaches - that is, personal data held by the University is lost, stolen, inadvertently disclosed to an external party, or accidentally published. Some typical examples of a personal data breach are:
- Sending an email or letter containing personal data to the wrong recipient.
- Accidentally disclosing personal email addresses (e.g. by using cc instead of bcc or a mailing list management system).
- Inadvertently publishing University records containing personal data, or login credentials allowing access to them, on the internet.
- Losing an unsecured laptop or other personal device storing University records containing personal data.
- Having a University website, email account or drive hacked, with personal data stolen or 'locked down' by the hacker.
Personal data breaches may arise from IT security incidents, but not all IT security incidents are personal data breaches, and vice versa. Some types of personal data breach have to be reported to the ICO and the affected data subjects within short timeframes, so recognising and reporting them internally is crucial.
With many staff now working remotely (at least in part), and more University activity taking place online, there are escalated information security and data handling risks that have the potential to lead to IT security incidents and/or personal data breaches. Staff should familiarise themselves with the University guidance on this topic.
Reporting personal data breaches
If an actual or potential personal data breach occurs, this should be reported urgently as follows:
Separately, or in addition, if an IT security incident occurs, this should be reported urgently using the procedures outlined on the UIS Incident Reporting webpage. Please do not delay and please do not worry about reporting to the wrong place - the specialist staff who receive reports will liaise and coordinate as necessary to ensure that the personal data breach and/or the IT security incident are handled under the correct procedures.
Policy
The University's Data Protection Policy was first approved by the University Council in March 2018. Minor revisions were implemented in March 2023 and the policy was re-approved by the Council. Section 3.6 outlines the responsibilities of individual members of University staff.
The Policy explains how it relates to associated information governance and information security policies and procedures. Links to further policies are included on the main guidance page of this website.
Guidance and training
Guidance
More detailed guidance for University staff on data protection is published:
- In the short Data Protection Quick Guide leaflet.
- On the guidance pages of this website, where there are also links to sources of additional guidance provided by other parts of the University.
- In the Annual Compliance Checklist, which sets out a number of practical 'housekeeping' actions to be completed on an annual basis by individual University departments to help ensure their ongoing compliance with data protection law.
- On the standalone GDPR preparations page of this website, which is retained for reference though relevant content has been integrated into the rest of this website.
Training
Data protection training for University staff is available:
- Through an online course. Departmental Administrators (and equivalents) can monitor completions within their Institution via University Training Booking System (UTBS) logs. All staff using personal data in some way in their role are expected, as a baseline, to complete this online course as part of their induction and thereafter once every two years. Supplementary expectations about data protection training in different areas of the University are set by Heads of Department (and equivalents). While the online course primarily is aimed at staff, it is also suitable for students needing or wishing to complete basic data protection training.
- Through a face-to-face course that is run regularly throughout the year. This can be used to supplement the online course for those staff for whom data protection knowledge is a more important part of their role.
- On request to the Information Compliance Office, through bespoke training sessions, presentations or briefings for different groups of staff, both academic and non-academic, across all parts of the University.
- Through specific training courses or activities managed and run locally by individual departments or offices (for example, there is specific training on data protection for users of Amicus, the University's central alumni relations and fundraising system). Departmental Administrators (or equivalents) should be able to advise on any such courses or activities.
Data protection and Brexit
As explained in the Legislation section of this webpage, from 1 January 2021 (i.e. the end of the Brexit transition period), all the substantive provisions of the EU-wide GDPR about principles, rights and accountability obligations continue to apply in the UK through the UK GDPR (as supplemented by the DPA 2018).
On 28 June 2021, the UK was granted a data protection 'adequacy decision' from the European Commission, meaning that personal data transfers from EEA-based organisations to UK-based organisations can continue without any additional safeguards or revised contractual mechanisms. (This formal decision followed 'bridging' provisions in the December 2020 EU-UK Trade and Cooperation Agreement that had the same effect for the first six months of 2021.)
Wider information on this topic has been published by the ICO.
Complaints
If you have a complaint about the way your personal data has been handled by the University, please contact the Information Compliance Office explaining the nature of your concerns. The Information Compliance Office will consider your complaint, where necessary in consultation with the Data Protection Officer, and normally will reply within one month (the timeframe recommended by the ICO). You also have the right of complaint to the ICO.