Please note that the information provided on this page is being updated regularly to reflect changes to data protection legislation arising from the introduction of the General Data Protection Regulation. It is accordingly skeletal in places and, at times, links to standalone guidance documents issued as part of the University's GDPR preparations.  Over time the content of those documents will be adapted and added to this page in a consistent format.
  1. What is data protection legislation?
  2. Legal bases for processing personal data
  3. Legal bases for processing special category (sensitive) personal data
  4. Privacy notices
  5. Rights
  6. Data quality
  7. Data protection by design
  8. Data Protection Impact Assessments
  9. Data sharing and using data processors
  10. Records of data processing
  11. Security and data breaches
  12. Direct marketing
  13. Research
  14. References
  15. Disclosure requests

 


1. What is data protection legislation?

Basic information about data protection legislation - principally the General Data Protection Regulation (GDPR) as supplemented by the Data Protection Act 2018 (DPA 2018) - is supplied in the legislation section of the data protection overview page.

Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers'). The law applies to organisations in all sectors, both public and private.  It applies to all electronic records as well as many paper records.

Data protection legislation doesn't apply to anonymous information or to information about the deceased.  The law is binary with regard to anonymised information - if it is not possible to link the information back to a living individual (whether using solely the information to hand or after coupling it with other information held by the data controller or in the public domain) then the legislation does not apply at all.  In reality, of course, anonymisation is a grey scale: removing names and obvious identifiers does not by itself make a dataset anonymous if the remaining attributes, taken together or combined with other available data, still single out individuals.  The test of anonymisation in binding UK case law is whether the risk of re-identification is 'reasonably likely', taking into account the normal (non-criminal) tools and public sources available to a motivated person who is trying to re-identify the individuals from the anonymised information in question.

Data protection legislation is based around the notions of principles, individual rights and the accountability obligations of organisations.

 


2. Legal bases for processing personal data

The first data protection principle states that personal data must be processed fairly, lawfully and transparently - and only if there is a valid 'legal basis' for doing so.  The legal bases are set out in Article 6 of the GDPR.  Identifying the right legal basis matters because:

  • It affects some of the rights that data subjects have with regard to their personal data.

  • Those data subjects have to be told up-front about the legal basis or bases being relied upon.

There are six possible legal bases:

  • Article 6(1)(a): with the consent of the data subject.  Consent must be freely given, specific, informed, demonstrable and easily revocable. This is a very high standard and, as such, this legal basis should be relied upon sparingly and usually only when the data processing relates to an ancillary function (e.g. the sending of direct marketing) that can be stopped without causing knock-on problems.  Consent is not an appropriate legal basis for any core processing (e.g. of student or staff data for the purposes of administering studies or employment).  When offering online-only services to children under the age of 13 and relying on consent as the legal basis, parental consent is required - but this will apply very rarely in a University context.

  • Article 6(1)(b): the processing is necessary to operate a contractual relationship with a data subject, or to prepare for such a contractual relationship at the initiation of the data subject.  This legal basis applies to much student and staff data processing - it's necessary to fulfil the student or employment contract in the sense of delivering teaching, marking exams, administering HR processes, paying staff, and so on.

  • Article 6(1)(c): the processing is necessary to comply with a legal obligation.  This legal basis applies to the University's compliance with statutory obligations (e.g. with regard to the administration of income tax).

  • Article 6(1)(d): the processing is necessary to protect the vital (life or death) interests of the data subject.  This legal basis applies rarely and usually in specific circumstances (e.g. a medical emergency).

  • Article 6(1)(e): where allowed for under law, the processing is necessary 'for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller'.  Processing under this legal basis relates primarily to personal data processed in pursuit of the core statutory public functions of an organisation - so, for the University, some of our student outreach activities, our teaching and most of our research fall under this basis.

  • Article 6(1)(f): the processing is necessary to pursue the legitimate interests of the data controller, where those are not overridden by the data subject’s own interests.  This legal basis is not available 'to processing carried out by public authorities in the performance of their tasks'.  The University is defined as a UK public authority for GDPR purposes, but only insofar as the data processing relates to our core statutory public functions as allowed for under law.  So this legal basis does apply to data processing in the context of many subsidiary functions of the University, such as alumni and supporter relations, routine business correspondence, IT security, and so on.

 


3. Legal bases for processing special category (sensitive) personal data

The GDPR defines certain types of personal data as more sensitive than others.  These are known as special category personal data and relate to personal data about:

  • Racial or ethnic origin.

  • Political opinions.

  • Religious or philosophical beliefs.

  • Trade Union membership.

  • Genetic data.

  • Biometric data.

  • Health data.

  • Sex life or sexual orientation.

Personal data about (alleged or proven) criminal convictions and offences are not technically defined as special category personal data but are afforded similar protections.

The processing of special category personal data requires an additional legal basis to be identified, on top of the Article 6 basis described above.  There are numerous such legal bases, set out both in Article 9 of the GDPR and in Schedule 1 to the DPA 2018. Some of the more relevant of these are as follows:

  • Article 9(2)(a): with the explicit consent of the data subject.

  • Article 9(2)(c): the processing is necessary to protect the vital (life or death) interests of the data subject.

  • Article 9(2)(g): the processing is necessary for reasons of substantial public interest.  The various permissible reasons are set out in Schedule 1 to the DPA 2018, and include matters such as equalities monitoring, the prevention and detection of crime or fraud, the provision of counselling, the safeguarding of children and vulnerable individuals, and the progression of legal claims and judicial proceedings.  Many of these necessarily have to take place without the data subject's explicit consent.  Data controllers have to implement certain safeguards if relying on these reasons.

  • Article 9(2)(h): the processing is necessary for medical purposes (including occupational health).

  • Article 9(2)(j): the processing is necessary for research purposes under certain safeguards.

As well as equalities monitoring, academic research and the provision of welfare and support services to staff and students, many of the occasions when special category personal data might need to be processed by the University will relate to requests about individuals from third parties, such as the police.

 


4. Privacy notices

Whichever legal basis is being relied upon, data subjects need to be informed about how their personal data will be processed.  This is done through statements that usually are known as privacy notices.  This information normally has to be supplied at the time of collecting the data, though there are different timeframes where the personal data have not been collected directly from the data subject; in some such circumstances, the requirement to supply a privacy notice is waived.  In accordance with the second data protection principle (purpose limitation), data collected for stated purpose(s) can only legitimately be processed for those purpose(s) - and not for others of which the data subject has not been informed (e.g. information collected on job application forms should be used for the recruitment process, and not to send the applicants general information about forthcoming University events).

The University has a number of core privacy notices aimed at different types of data subject: pre-applicants (whether undergraduate or graduate), applicants, students, alumni and supporters, and job applicants and staff.  These are supplied to individuals at the relevant time as part of centrally managed processes (e.g. application or registration).

The University also has a general privacy notice, which can be used by Institutions, offices and services to supplement the specific information that they will need to supply locally with regard to any particular event, initiative, service or function that they run.  Guidance on writing such 'local privacy notices' is available, as is similar guidance on writing 'local privacy policies' in connection with websites and guidance on CCTV signage (in section 6.4 of the GDPR Toolkit).

The University also has a generic privacy notice aimed at research participants, the use of which is described in the research exemptions page of this guidance.

 


5. Rights

The GDPR gives individuals various rights with regard to their personal data.  A response to a rights request needs to be sent within one month.  However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions.  The most important thing for staff to note is that such requests can be submitted to anyone working within the University.  Many items of correspondence that technically are basic rights requests can be fulfilled in the normal course of business and of course should continue to be so (e.g. 'please correct my home address'; 'please send me a copy of my exam timetable for this summer').  For anything else, or if you are unsure, the request may need to be handled formally and staff should contact the Information Compliance Office.

Upon receipt of a formal request (whether directly or forwarded from another part of the University), the Information Compliance Office:

  • Will send an acknowledgement to the requester, seek proof of their identity where required, and advise them of the statutory deadline.

  • Will handle all internal processes by coordinating searches (and/or other activities e.g. making investigations as to the accuracy of personal data or the technicalities of data deletion) with those staff in University Institutions who may have direct access to the personal data in question.

  • Will liaise with any third parties, apply any relevant exemptions, and make any necessary redactions, before replying directly to the requester.

 


6. Data quality

The third, fourth and fifth data protection principles (data minimisation, accuracy, and storage limitation) are relevant in this regard: personal data should be adequate, relevant and limited to what is necessary; accurate and, where necessary, kept up to date; and kept in identifiable form for no longer than necessary.

The requirement to not hold data for longer than necessary does not mean that all data need to be destroyed. Suitably weeded staff and student records (or other historically valuable records) can be transferred to the University Archives, where they can be managed in a way which conforms to the requirements of data protection legislation.  Guidance on records management and retention is published separately.

 


7. Data protection by design

The concept of 'data protection by design' means embedding data protection considerations at an early stage of any new process, project or procedure. It most obviously applies if you are initiating an IT project, such as the implementation of a new system or database, which will involve the processing of personal data, especially special category (sensitive) personal data.  On occasion, adopting a data protection by design approach will reveal the need for a full Data Protection Impact Assessment to assess and document the risks to data subjects and the mitigation measures you might implement.

The following questions should assist staff in taking a data protection by design approach to any new process, project or procedure.

  • Make a note of all the personal data you plan to collect or use.  Are you collecting/using some of the personal data only because you have done so in the past?  Are you collecting/using more than you really need?

  • What does the University’s standard privacy notice say you will do with these data subjects' personal data?  Are your proposed uses included there?  If not, would people be surprised that you were using their personal data in those ways, and how do you plan to tell them about those uses?

  • Are you clear on what legal basis your proposed data processing takes place?  If you will be relying on the consent of the data subjects (which may be unlikely), how will you collect their consent?  How will you record it?  How easy would it be for you to stop processing if they withdrew their consent?  How could/would you delete their personal data if you needed to?

  • How do you plan to check that the personal data you are collecting/using remains up-to-date and accurate?  Could there be an opportunity for people to check or update their own personal data?

  • What physical security measures do you plan, to make sure the personal data are not copied, lost or stolen?  What technical security measures do you plan?  How will you know they are effective?

  • Who will you share the personal data with?  Is the way you plan to share personal information secure?  Will people know that you share their personal data in this way (check the privacy notice again)?  Will you have a written agreement with the organisation you are sharing the personal data with?

  • How long will you need to use the personal data for?  What will you do after that point - delete it, anonymise it, archive it?

 


8. Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is legally required where (proposed) data processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular where there is planned large-scale profiling, or large-scale processing of special category data, or systematic monitoring of public areas.  In short, a DPIA takes the form of a document, completed following consultation with relevant stakeholders including the Data Protection Officer and, where appropriate, a sample of the data subjects themselves, that:

  • Describes the nature, scope, context and purposes of the (proposed) processing.

  • Assesses the necessity and proportionality of the (proposed) processing.

  • Identifies and assesses risks to individuals.

  • Identifies any additional measures to mitigate those risks.

If a completed DPIA reveals that the risks to data subjects cannot be adequately mitigated, the ICO must be consulted for a formal opinion before the processing starts.

The University has developed a standard DPIA template.  The template explains when a DPIA is needed, who should complete it, and what should be done with it.

 


9. Data sharing and using data processors

Guidance on data sharing and using data processors - including the use of contracts and transfers outside the EEA - is published separately.  The below section on disclosure requests also refers.

 


10. Records of data processing

The GDPR requires large data controllers to maintain records of all the personal data processed across the organisation.  The University primarily fulfils this requirement through its Information Asset Register, about which guidance is published separately.

 


11. Security and data breaches

The sixth data protection principle states that personal data should be processed securely to preserve their confidentiality, integrity and availability.  This principle is explicitly risk-based, meaning that different types of security measure are appropriate for different types of personal data.  A database of medical research data with identifiable participants clearly needs stronger technical (e.g. anti-malware protections and access controls) and organisational (e.g. internal policies about usage) protections than a list of staff members in an academic department.

Examples of security measures include:

  • Anti-virus and anti-malware software, regularly patched and updated.

  • The encryption or password protection of files and folders - whether 'at rest' (i.e. on a University system) or 'in transit' (i.e. when carried on a mobile device or sent by email or other means).  Note that a document 'password' only protects the data where the application actually encrypts the file with it; a password that merely restricts editing or printing is not a security measure.

  • Access controls - these form an important aspect of 'data protection by default' and can be both:

    • Technical - i.e. a system or shared drive/filestore is set up so that only certain staff can see and/or use it or parts of it.

    • Organisational - i.e. within reason, staff may be able to see more personal data than they strictly need in order to perform their duties, for example through their access to a shared office drive, but there are policy controls stating that they should not try to read or use it - including the University's main Data Protection Policy as well as specific access control forms for systems and drives.  Organisational controls are weaker than technical ones, so technical restriction should be preferred wherever it is practicable.

  • Backups and business continuity/emergency management plans.

  • The testing of technical protections (vulnerability scanning and penetration testing) - often known as 'friendly probing'.

  • Pseudonymisation - this means removing the 'key' to a dataset and storing it separately and securely: although the individual data subjects could still be identified if the key is matched back to the pseudonymised dataset, that dataset can be used more freely (this is a common technique in many research disciplines).  Note that a pseudonymised dataset remains personal data for as long as the key exists; pseudonymisation is a security measure, not anonymisation.

  • Physical security controls - such as card-accessed buildings, locked rooms, locked filing cabinets.

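The pseudonymisation measure described above, shown as an added worked example in Python (this is illustrative code written for this page, not a University tool or part of the original guidance).  It assumes a list of dict records with three direct identifier fields (name, email, student_id), which is an assumption for the example; the sample records are constructed and do not describe real people.  The working dataset keeps a random pseudonym so records about the same person can still be linked, while the key table that maps pseudonyms back to identities is returned separately so that it can be stored elsewhere with stronger access controls.

```python
"""Pseudonymisation by separating the re-identification key from the dataset.

Added example for this page; the field names and sample rows are constructed.
"""
import secrets

# Fields that directly identify a person. Assumption for this example: a real
# dataset needs its own list, decided when the data are classified.
DIRECT_IDENTIFIERS = ("name", "email", "student_id")

# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "ae@example.ac.uk", "student_id": "S001",
     "condition": "asthma", "visit_year": 2023},
    {"name": "B. Example", "email": "be@example.ac.uk", "student_id": "S002",
     "condition": "migraine", "visit_year": 2023},
    {"name": "A. Example", "email": "ae@example.ac.uk", "student_id": "S001",
     "condition": "asthma", "visit_year": 2024},
]


def pseudonymise(records, identifiers=DIRECT_IDENTIFIERS):
    """Return (working_dataset, key_table).

    working_dataset: the records with every direct identifier removed and a
    random 'pid' added. The same identity always gets the same pid, so records
    can still be linked within the dataset.
    key_table: pid -> the removed identifier values. This is the 'key' that
    must be stored separately and more securely than the working dataset.
    """
    key_table = {}
    pid_for_identity = {}
    working = []
    for rec in records:
        identity = tuple(rec.get(f) for f in identifiers)
        pid = pid_for_identity.get(identity)
        if pid is None:
            # 128-bit random token: not derivable from the identity, so the
            # only way back to a person is through the key table.
            pid = secrets.token_hex(16)
            pid_for_identity[identity] = pid
            key_table[pid] = {f: rec[f] for f in identifiers if f in rec}
        stripped = {k: v for k, v in rec.items() if k not in identifiers}
        stripped["pid"] = pid
        working.append(stripped)
    return working, key_table


def reidentify(working, key_table):
    """Join the working dataset back to the key table (needs the key)."""
    restored = []
    for rec in working:
        ids = key_table[rec["pid"]]
        restored.append({**ids, **{k: v for k, v in rec.items() if k != "pid"}})
    return restored


def leaks_identifiers(working, originals, identifiers=DIRECT_IDENTIFIERS):
    """True if any identifier field, or any identifier value taken from the
    original records, survives anywhere in the working dataset (e.g. an email
    address copied into a free-text field)."""
    known_values = {str(rec[f]) for rec in originals for f in identifiers if f in rec}
    for rec in working:
        if any(f in rec for f in identifiers):
            return True
        if any(str(v) in known_values for v in rec.values()):
            return True
    return False


if __name__ == "__main__":
    dataset, key = pseudonymise(SAMPLE_RECORDS)
    print("working dataset (share/analyse):", dataset)
    print("key table (store separately):", key)
    print("identifiers leaked:", leaks_identifiers(dataset, SAMPLE_RECORDS))
    print("re-identified:", reidentify(dataset, key) == SAMPLE_RECORDS)
```

Two points the code makes concrete.  First, the working dataset on its own carries nothing that names a person, but it is still personal data: anyone holding the key table can run reidentify, so access to the key must be restricted and logged just as for the original data.  Second, the leaks_identifiers check is worth running before a pseudonymised extract is released, because identifiers often survive in fields nobody thought to strip.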
Further guidance on information security is available from UIS.

If security is breached and personal data is lost, stolen, inadvertently disclosed to an external party, or accidentally published, staff should report it internally as soon as possible.  Some types of data breach have to be reported to the ICO within 72 hours of the University becoming aware of them, which is why prompt internal reporting matters.

 


12. Direct marketing

Direct marketing is defined as the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.  This is a broad definition that is not restricted to commercial organisations offering goods for sale.  The term direct marketing also applies to communications addressed to individuals that promote an organisation's aims and ideals, including advertising events, offering benefits or appealing for funds and support.

The term direct marketing does not apply to:

  • Normal postal or email correspondence and phone calls.

  • Postal or email correspondence that is not directed at individuals (e.g. advertising brochures sent for the attention of an organisation, without a named recipient, or 'business-to-business' marketing emails sent to generic organisational addresses).

  • Purely informational or 'housekeeping' communications (e.g. newsletters that really are limited to news items or factual emails about the downtimes for an online service).

  • Communications sent directly in relation to a particular product or event that an individual has requested/signed up for (including any follow-up surveys, which class instead as market research). 

  • On the whole, internal communications, by email and other means, advising current staff and students of University/departmental information, news, opportunities and events.

Many communications sent to alumni and supporters do class as direct marketing, as do various mailing lists maintained both centrally and by departments to advertise events, activities or initiatives to members of the public (including, for example, attendees at public events or academics at other universities).  Note that initial communications directed to particular individuals inviting them to join such mailing lists themselves can class as direct marketing.  Furthermore, post or emails sent by 'political' societies or other campaigning groups to particular individuals promoting or soliciting support for their views will normally class as direct marketing from those societies/groups.  Data subjects have the right to object to the receipt of direct marketing - this is an absolute right and opt-outs must be respected.

Separate but related legislation, called the Privacy and Electronic Communications Regulations 2003 (as amended, PECR), furthermore states that:

  • Direct marketing by email (or text) should normally only take place with the individual recipient's prior consent.  The exception (which will apply rarely in a University context) is known as the 'soft opt-in' - this applies when an individual has bought a product or service, and supplied their email address, and was given but did not take the opportunity to opt out of marketing messages; it only applies to the future marketing of similar products or services.

  • Before direct marketing by phone, numbers should first be screened against the Telephone Preference Service unless the individual recipients have already consented.

  • There should be a clear unsubscribe opportunity in each email, text or phone communication.

PECR consents to direct electronic marketing need to be to a GDPR standard (i.e. freely given, specific, informed, demonstrable and easily revocable).  A template form of words for the collection of new direct electronic marketing consents is provided in section 3.5 of the GDPR Toolkit.

If you are considering refreshing consents for any existing email lists, which are likely to be those aimed at alumni or members of the public, check:

  • Whether you really are sending direct marketing emails in the first place - if you're not, there's no need for consent.

  • Whether you hold adequate consent already - if people actively signed up to your list in the first place, or took another positive action to indicate their desire to receive the emails, the standard of consent is likely to be adequate and there's no need to refresh it.  In a small number of cases, you may also be able to rely on the 'soft opt-in' as described above.

  • If you conclude you do need to refresh your consents, you will need to ask people to opt-in to the continued receipt of the emails.  If you do not hear back, you cannot contact them again by email (though you can by post).  So make sure you really do need to take this approach before you embark upon it.

 


13. Research

Guidance on the research exemptions, explaining how and where the standard data protection provisions do and don't apply in an academic research context, is published separately.

 


14. References

Providing references about staff or students clearly involves the processing of their personal data.  Detailed guidance on providing references is available from the HR Division - although this page refers to staff and employees, the guidance there applies equally to the provision of references about students.

The following specific data protection issues should be borne in mind when providing references:

  • Data subjects may request copies of references about them.  The DPA 2018 contains a wide-ranging exemption from disclosing these under the right of subject access.  Under previous legislation (the Data Protection Act 1998), handling an access request for a reference involved balancing the referee's desire for confidentiality against the rights of the data subject and it was accepted that the data subject would be able to access their reference from the recipient organisation in most circumstances.  The new legislative regime ostensibly removes the requirement to consider the rights of the data subject and it may become commonplace for copies of references to be withheld.  This said, referees are advised to write their references on the assumption that the data subject may one day see a copy.

  • References should be accurate, up to date and evidence-based.  They should distinguish between statements of fact and statements of opinion.

  • Referees should avoid including any special category personal data in their reference (e.g. about sickness absence) without the explicit consent of the data subject.

  • A copy should be retained of any reference provided - ideally on the data subject's departmental personnel/student file, though it is recognised that copies will often be kept by individual referees.  In general, copies of references should not normally be retained for more than 6 years after the departure of the data subject from the University.  However, if a new reference request is received in relation to the data subject within that 6-year period, it is acceptable to keep a copy of that new reference for a further six years, and so on.

  • There may be variations to the above norms in the case of references given in relation to individuals working towards or in regulated professions (e.g. medicine).

 


15. Disclosure requests

Many staff will receive requests from third party organisations to disclose information comprising the personal data of students, employees, alumni and so on.  Many such disclosures - whether in relation to single individuals or groups/cohorts - are part of the normal functioning of the University.

If a disclosure request is received that is outside the course of normal University business, the key points to consider are as follows:

  • Is urgent disclosure required to protect the vital (life-or-death) interests of the data subject?  If so, it is permissible to disclose.

  • Is there a pre-existing process that, while not forming part of your own role, represents a formal/standard route for the information (which may include personal data) to be requested or accessed?  If so, it should be followed.  Examples include:

  • If the disclosure is not urgent and a pre-existing process for handling the enquiry does not exist, has the data subject been told that such a disclosure of their personal data might be made, whether as part of the University's core privacy notices or otherwise?  If not, as a rule of thumb, you should consider contacting the data subject in advance to seek their consent to the disclosure or at least forewarn them of it.

However:

  • Some disclosures are required by law without necessarily informing the data subject or seeking their consent (e.g. if the third party has a court order or statutory authority to compel the provision of information).

  • Some disclosures are discretionary but permitted by law without necessarily informing the data subject or seeking their consent (e.g. requests from the police, other law enforcement agencies or taxation authorities).

Staff are strongly advised to seek help with any unusual disclosure request - especially one involving a court order or from the police - from the Information Compliance Office.  They will liaise as necessary with the Legal Services Office and other relevant offices to ensure the request is dealt with appropriately and legally.