Corporate Governance

The General Data Protection Regulation

‌The Legislation

The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. The GDPR, which has many similarities to the Data Protection Act 1998 which it replaced, is designed to improve transparency in data processing and to protect the rights and freedoms of individuals, in particular their right to privacy with respect to the processing of their personal data. The GDPR is technologically neutral and therefore applies to personal and special category data in whichever form it is held, for example, in electronic or paper documents.

The following sections include information on some of the changes in the GDPR:

For the full text of the General Data Protection Regulation, go to the following link.

Definitions used in the GDPR

Personal Data

Personal data is any information that can identify a living person either by itself e.g. a person's name, or when linked with other information e.g. an address plus a name, and includes unique reference numbers, location data and online identifiers.

Special Category Data

The GDPR defines some personal data as special category data. Special category data must be processed more securely with respect to the purposes for which it is collected and who will have access to that information, than other data collected.

Special category data is defined in the legislation as data referring to:

  1. the racial or ethnic origin of the data subject,
  2. his/her political opinions,
  3. his/her religious or philosophical beliefs,
  4. membership of a trade union,
  5. genetic or biometric data for the purpose of uniquely identifying an individual
  6. his/her health,
  7. his/her sexual life or sexual orientation,
  8. criminal convictions and offences.

Processing

'Processing' is the inclusive term given to the collection, recording, organisation, use, storage, adaptation or alteration, retrieval, disclosure, restriction and ultimate destruction of any personal data.

Data Subject

A data subject is the individual to whom the information relates.

Data Controller

The data controller is the organisation that processes the personal data.

Data Processor

A data processor is a third party that processes personal data on behalf of the data controller, but responsibility for that processing remains with the data controller.

Subject Access Request

Anyone can make a request to find out what information is held about them.  This is known as a Subject Access Request.

 

The Principles relating to processing

Anyone processing personal data must take into account of 6 principles when processing personal data to ensure the data is handled properly.

The 6 principles are that:

  1. Personal data shall be processed lawfully, fairly and in a transparent manner;
  2. Personal data shall only be processed for the purposes for which it was collected and not for any other purpose(s);
  3. Personal data shall be adequate, relevant and limited to what is necessary for the purpose for which it is processed;
  4. Personal data shall be accurate and, where necessary, kept up to date;
  5. Personal data shall not be kept in a manner that identifies an individual for longer than is necessary for the purposes for which it is processed;
  6. Personal data shall be processed in a way that ensures appropriate security of the data, including taking appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The Rights of the Data Subject

In addition to the data principles, a data subject - that is the individual to whom the information relates - has several rights in relation to the processing of their personal data, as outlined below; these are subject to a number of exceptions and may not always apply in all circumstances:

There is the right of access to personal data (a Subject Access Request), where the individual is entitled:

  1. To be told if a data controller is processing any information about that individual,
  2. If that is the case, to be given a description of that information, why it is being kept and to whom it may be disclosed,
  3. To have that information given to them as well as details about how that information was received, and
  4. Where the processing is carried out automatically for the purpose of evaluating matters relevant to that person, to have the logic involved in the decision taking explained.

An individual has the right to rectification of any inaccurate personal data concerning him or her, including the completion of incomplete personal data.

An individual has the right to erasure of personal data supplied to a data controller in certain circumstances.

An individual has the right to restrict processing where the accuracy of the data is contested, where the processing is unlawful, where the personal data is no longer needed by the data controller or where theindividual is contesting the grounds on which the processing is taking place. 

An individual has the right to data portability, that is, to receive the data they have provided to the data controller, in a machine-readable format, as well as to have that data transmitted to another controller.

An individual has the right to object to processing carried out on the grounds of public or legitimate interests, or where the processing relates to direct marketing or where the processing is in relation to automated decision-taking. The individual can ask the data controller to ensure that no decision that could significantly affect the individual is based solely on processing by automatic means.

Finally, an individual has the right to receive compensation for damage caused by processing which infringes the GDPR. An individual who suffers damage as a result of failure by the data controller to comply with the GDPR is entitled to compensation, and in cases where a court decides that personal data is inaccurate, the court can order the data controller to block, rectify, erase or destroy any personal data that is inaccurate, including any expression of opinion.

When are we allowed to process personal data?

The GDPR requires a legal basis for the processing of data, examples of this are shown below:

  • Consent of the data subject
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary to protect the vital interests of a data subject or another person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

The GDPR expressly states that a public authority (which the University is) cannot claim that the data processing is in the 'legitimate interests' of the data controller (in this case, the University) as a legal basis for processing (Article 6.1.f of the GDPR).  However, section 7(2) of the Data Protection Act 2018 states that an organisation is "...only a 'public authority' ... when performing a task carried out in the public interest or in the exercise of official authority vested in it."  Therefore, it is possible that the University may be able to use the legal basis that is within the Unversity's legitimate interests to process personal data in situations which are not part of the core work of the University, that is, the direct educationof students and employment of staff.  Please contact the University's Data Protection Officer on information-matters@port.ac.uk for further information.

There are additional requirements when processing sensitive personal data.

What is Privacy by Design?

Privacy by Design is the concept of only processing the personal data that you need to in order to complete a task.  When you are setting up a new system, think about the work you need to do and the data you need for it.  For example, do you need to collect a full date of birth when all you need to know is the year in which an individual was born? And even then, if you only actually need to know whether a person is a mature student, can you give a definition of what we consider a mature student to be and then ask the individual to tick a Yes/No box?  Whatever you decide, make sure you record your decision so that others can understand why we collect what we collect.

Another way of ensuring privacy by design is by carrying out a Privacy Impact Assessment to ensure all projects / new systems are built with appropriate security measures and data protection compliance.  Carrying out an impact assessment at the start of a project ensures not only privacy by design, but also compliance with the data protection legislation and that systems are built with security from the outset and risks are managed.  This often results in better and cheaper solutions as adding in good security at a later date can be costly.

The importance of dealing with data breaches under the GDPR

The GDPR introduces a duty on all organisations to report certain types of data breach to the relevant supervisory authority - in the UK the Information Commissiner's Office (ICO) - and in some cases to the individuals affected by the data breach.  A personal data breach is a security incident which results in the loss, alteration, compromise, unauthorised disclosure of, or access to, personal data held by the University.  The breach may be accidental or deliberate, regardless of the format in which the data is held.  This means that a breach is more than just losing personal data.  A notifiable breach has to be reported to the ICO within 72 hours of the University becoming aware of it as well as, when appropriate, notification to the data subject within the same tight timescale.  Fines have increased and the maximum fines can be up to 20 million Euros or a 4% global turnover for a breac, depending on a number of factors.  Failure to report a breach can also result in fines.  The University requires all incidents and breaches to be reported so we can assess and reduce the risks and where possible prevent incidents from becoming breaches.  Further details on identifying and notifying a data security breach can be found in the Data Breach Notification policy.