- What is personal data?
- What is special category data?
- What are the data protection principles?
- What is processing?
- What is a lawful/legal basis for processing?
- What is consent?
- What is a privacy notice?
- Can I make a request for my own personal information?
- How long does it take to process a SAR and is there a fee payable?
- What rights do individuals have under data protection legislation?
- What is a data controller?
- What is a data processor?
‘Personal data’ is information which relates to an identified or identifiable individual.
This definition means that a wide range of identifiers can constitute personal data: including name; identification number; and location data or online identifier.
This reflects changing technology and the way organisations collect information about people.
Special category data is personal data which is more sensitive, and so needs additional protection. This is data relating to:
- ethnic origin;
- trade union membership;
- genetic data;
- biometric data (where used for ID purposes);
- sex life; or
- sexual orientation
Please note, whilst data relating to criminal conviction/offences is not classified as ‘special category data’, it is subject to similar restrictions and additional protection. Additional care should be taken whenever you are processing data which falls into any of the above categories.
The GDPR sets out six key principles. In brief, these are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
In addition, the University must be able to demonstrate its compliance with the principles. This is referred to as the accountability principle.
See the ICO website to read the principles in full.
Whenever you ‘process’ personal data you must do so in accordance with the legislation. Processing essentially covers anything you do with personal data from collection/receipt through to destruction/deletion. It is important to note that processing also covers storing data, even if you are not actively using it.
Data protection legislation applies to both paper and electronic records.
You must be able to meet a lawful basis for processing personal data and an additional lawful basis for processing special category data.
See ICO guidance on the lawful bases for processing for more information.
Staff can also read our internal data protection guidance on Sharepoint for further information.
Consent is just one of the lawful bases you can rely on when processing personal data. An individual has the right to withdraw consent and you must make it as easy to withdraw consent as it is to provide it.
It must be clear to individuals what they are providing consent for. If you are asking individuals to consent to more than one thing via a single form the consent must be granular, setting out each processing activity separately.
You must be able to evidence how consent was obtained, e.g. by keeping a record of it and have a mechanism in place to stop processing if consent is withdrawn or the individual indicates they wish to be removed from a mailing list.
Consent must be:
- explicit, specific and granular (separate consent for separate things);
- based on a positive opt-in; and
- unbundled from other terms and conditions.
NB: pre-ticked boxes, silence or inactivity do not constitute valid consent.
See the ICO guidance on consent for more detailed information.
Individuals have the right to be informed about the collection and use of their personal data, including: what you will use it for; how long you’ll keep it; and who it will be shared with.
The University has some central privacy notices which cover core activities in relation to the processing of personal data.
Staff can read our internal guidance on privacy notices on Sharepoint, for further information and templates.
You have the right to request confirmation that your data is being processed and access to your personal data. This is known as a subject access request (SAR). For information on how to exercise this right see our page on accessing your information.
A response must be provided within one month of receipt. We can extend this by a further two months where requests are complex or we have received a number of requests from the individual. The response must be provided free of charge. However, we can charge a ‘reasonable fee’ for the administrative costs of complying with a request which is manifestly unfounded or excessive or if the request is for a further copy of data, following a request.
Individuals have the following rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
A controller determines the purpose and means of processing personal data. The University is a data controller. University staff processing personal data in the line of their work are doing so on behalf of the University and are not separate data controllers.
A data processor is a third party who processes personal data on behalf of the data controller (the University). Typically, the following would be examples of data processors:
- market research companies
- cloud storage providers
- payroll companies