Frequently asked questions: the General Data Protection Regulation (the GDPR)
These frequently asked questions FAQs have been produced in response to the information we believe it is helpful for staff and students to know, and in response to questions already asked. These FAQs will be added to as and when more information becomes available, or when more questions are asked.
In 2012, the European Commission proposed reforms to European Union data protection laws “to make Europe fit for the digital age”; new technologies and globalisation have had a profound way on how peoples’ personal data are collected, analysed, disseminated, and used. In addition, EU data protection law had become fragmented; each member state had implemented and enforced the EU Data Protection Directive differently. The result is the GDPR; this places the individual at the heart of EU data protection legislation, providing in some instances more control over how their personal data are used by organisations.
The GDPR sets out legislative requirements, which are reinforced by supervisory authorities and the courts to protect the personal data of all EU citizens. GDPR applies to all organisations, companies, public authorities who process, i.e. make use of the personal details of EU citizens residing in the EU. GDPR will apply to entities outside of the EU who process EU citizen data, regardless of whether or not they themselves are located in an EU member state. This means that GDPR will apply post Brexit as the University will invariably have students and staff who are citizens of an EU member state.
While GDPR has direct effect across all EU member states, the said Regulation gives member states limited opportunities to make provisions for how it applies in their country e.g. application of a range of exemptions in how GDPR is applied, which fall out of EU law. One element of the Data Protection Act 2018 is to make provision for those variations. It is therefore important the GDPR and the Data Protection Act 2018 are read in conjunction.
The UK Information Commissioner (the supervisory authority for data protection legislation) provides the following definition*:
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised - e.g. key-coded - can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
*Available online: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/, accessed 06 May 2018.
GDPR provides the following rights to individuals:
- To be informed, i.e. when personal data is collected from individuals they must be fully and transparently informed, in writing, about how that data will be used. The University has a range of privacy notices, which explain in detail how student and staff personal data are used;
- Access to personal data, i.e. this is commonly referred to as a subject access request. This right, in addition to providing people with a copy of their personal data, is intended allow individuals to verify if their personal data are being used lawfully;
- To have inaccurate personal data corrected, or completed if it is incomplete;
- The right to erasure/right to be forgotten, i.e. to have personal data removed in certain circumstances; and
- To place restrictions on how an organisation makes use of personal data, for a limited time. For example, if the accuracy of personal data is being contested, then an individual can request that no use is made of the personal data under question, until matters are investigated further and resolved.
If you wish to exercise any of your rights, or more questions, please contact email@example.com.
Article 17 of the GDPR provides individuals with a qualified right to have their personal data [permanently] erased/removed from the information systems/records that a data controller maintains. The right to erasure is also known as the right to be forgotten. The right to erasure is relatively new and arises from the wishes of individuals to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.”
Individuals can exercise this right in writing or verbally; the organisation receiving the request will have one month to respond. The right is not absolute; there are a number of circumstances when the right of erasure will not be available.
The right to erasure is available when:
- The personal data is no longer necessary for the purpose which it was originally collected or used for;
- Consent was the lawful basis for holding the data, and the individual withdraws their consent, (N.B. the University as a public authority can only rely on consent as a lawful basis to make use of personal data as a last resort, where there are no other appropriate legal basis for processing personal data);
- Legitimate interests was the lawful basis for making use of personal data, and an objection to the use of the associated personal data was made and that objection was accepted;
- Personal data is being used for the purposes of direct marketing, and an objection is made;
- It has been determined that personal data has been processed unlawfully, i.e. the lawful element of the first data protection principle has been breached; and
- There is a legal obligation to destroy personal data, e.g. as required by legislation or when ordered to do so by a court.
The right of erasure is not available:
- When retention of the personal data is required to exercise the right of freedom of expression and information;
- Where the personal data are required for compliance with a legal obligation, e.g. some finance records may have to be retained by the University to comply with tax legislation;
- When the personal data are required for the performance of a task carried out in the public interest or in the exercise of official authority. The Universities (Scotland) Acts 1858, 1889 and 1966 confer on the University authority to conduct a range of public tasks, including regulating and administering all aspects of teaching, research and discipline of the University; and to administer and manage the whole revenue and property of the University;
- When retention of the personal data is required for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; and
- When retention of the personal data is required for the establishment, exercise or defence of legal claims.
The University, as part of its normal business, collects a large amount of personal data, from staff and students. The University has developed a new set of Privacy Notices, on the website and other places, to provide detailed information on what data we collect and how we use it. In addition, we are strengthening our internal processes and policies to help us become complaint with the GDPR requirements.
University privacy notices are available online.
As the University determines how the personal data of students and staff are to be collected and used, it falls within the scope of what the legislation refers to as a data controller. A data controller is responsible for upholding all of the data protection principles, of which there are 6. Where 1 or more of the principles are breached then the legislation by extension will also have been breached. The Regulator may take action against a data controller for a breach of the legislation and the University in turn may then determine whether any policy or procedures have been breached by an individual(s).
Research projects that involve the collection and use of personal data currently receive ethical approval via either a School ethics committee or, on occasion, the University Teaching and Research Ethics Committee (“UTREC”). The ethical approval process considers how people are informed as to how their personal data will be used during research, how consent is secured and that the minimum personal data are collected to support research etc. School and UTREC ethical approval processes have been revised slightly to streamline and bring together related University and data privacy requirements.
In many respects GDPR will not have any significant impact on research activities; the data protection principles essentially remain the same and these are and have always been aligned with ethical approval considerations.
Going forward, where research data are to be made available to a third party, who is undertaking work for the University that requires access to personal data gathered and created during research, e.g. where personal data are to be stored in the Cloud, then the University must first undertake some due-diligence, i.e. can that party be trusted to work with personal data? GDPR requires that a data processor contract is in place between the University and a third party processor, while that was the case with the DPA, GDPR requires that specific contractual provisions are put in place.
There are 4 simple steps to be followed, when communicating with people in a private i.e. non-business capacity:
- Provide people with a privacy notice, i.e. tell people why you are collecting their personal data and what you are going to do with it. Keep a record of how you informed people as to how their personal data will be used,. A sample privacy notice for research contacts is available from the University Website. As research is one of the University’s public tasks, consent will not be required to contact people about research activities, however, you should inform people that public task is the legal basis for making use of personal data to support research;
- Keep a record of the privacy notice, as this will confirm what people were told about how their data was going to be used;
- When contacting people, always give them a reminder that they have the right to be removed from the contacts list/database, and that you will not contact them again, until such times as they may decide otherwise; and
- When reaching out to people, please check that you are only talking to people who have not asked to be removed from a mailing list.
When a research project concludes, you should consider whether you can retain the contact details which have been collected; especially where these were collected for a specific project.
When communicating with people in a business capacity i.e. because a person works at another organisation, then (for the moment) consent is not required. However, they should have the opportunity to opt-out of receiving emails/communications where the purpose and content of an email is for marketing. If communications are business to business and these do not involve marketing e.g. they concern the administration of a project, a joint research grant application, then no opt-out is necessary.
Any new procurement process for new products and services that involve Personally Identifiable Information will have to complete a Privacy Impact Assessment process to ensure that it is compliant with the GDPR.
Yes, presently all new staff are asked to complete information security training (an online module) within their probation period; beyond that there are specific training sessions made available to staff in Units. The University has accepted a recommendation from the Internal Auditor (KPMG, November 2017) that all staff will receive basic privacy and information security awareness training. The manner in which this will be delivered is currently being planned by OSDS, HR Services, IT Services and the Information Assurance and Governance function.
Specific data privacy and information security training requirements will also be identified by colleagues in the Research and Innovation Services, and the manner and mode of delivery has still to be determined.
Training will be relevant: focused on job role and responsibilities, and to take account of changes in technology, risk and the law this is likely to be repeated up to every 3 years.
A Privacy Impact Assessment (PIA) is a tool to help the University look at any new system, process or software to make sure that it does not present a risk to an individual’s personal information. PIAs have been undertaken by the University as part of the Senate Efficiency Review programme, since 2015/16. PIAs are being extended, to all new projects and work that make use of personal data. This is a proactive and pragmatic way to address privacy and GDPR requirements, in many instances this will reduce cost and risk to the University where privacy requirements to be implemented are identified and addressed through the natural course of project planning.
The University Information Assurance and Governance function provides advice and support in all manner of information governance and assurance legislation, which includes data protection. Data protection legislation is principles led: meaning that in most instances it is the case of what steps may need to be taken to secure a solution/answer to a problem, as opposed to saying no the law does not allow for that. They can be contacted at firstname.lastname@example.org.
As part of the transparency element of the legislation, privacy notices must openly and fully set out how personal data are used; the GDPR sets out the areas that privacy notices must address, when explaining how personal data are used.
The University is responsible for protecting personal data from accidental loss; which may include the theft of personal data, or the accidental transmission of personal data to a third party, who has no right to see such data, e.g. sending an email to the wrong person.
A data breach may have arisen where personal data are exposed to any entity or individual who is not authorised by the University, or through law, to have access to those data.
During Office hours, please call or email the IT Service desk. Out of hours, please call the IT Services Out of Hours Service (01334) 462780.
Details of how to contact the IT Service Desk are available from: https://www.st-andrews.ac.uk/itservicedesk/.
Personal data contained within emails does fall within the scope of current and future data protection legislation. Please remember that the information within emails will in many instances be personal data, and as a result requires a degree of management; as all of the data protection principles and many of the rights of individuals will apply, notably the right of subject access. As a reminder, personal data should be accurate, relevant and factually correct.
The University Information Classification Policy and the accompanying implementation guide provide guidance on how to work safely with personal data. If you have not previously read these, you may find them useful.
It is important to consider where and how personal data are being stored; equipment and services provided by IT Services are considered to be safe, for example laptops and other devices are encrypted and antivirus and malware software will be installed. Buying IT kit from ‘the high street’ is risky, as those devices will not be protected.
Storing personal data on personal devices introduces elements of privacy risk, as the University cannot protect those data. It is important that personal data are stored on the University network; secure and flexible access to those data can be made by using the University Virtual Private Network service. Additionally, some personal data can be stored in the Microsoft Office 365 service, which the University has a subscription to. The University does not have a subscription to other Cloud services such as Dropbox, and personal data should not be stored there.
21. I keep getting emails from companies, charities and other organisations asking me to update my consent; otherwise they cannot keep in touch with me. Do I need to do the same with the people I want to keep in touch with about?
The short answer is no; in terms of legality and practicality.
In most instances the ‘can we keep in touch emails’ ask people for their consent to receive future emails. There are specific regulations governing the use of personal details for direct marketing i.e. the Privacy and Electronic Communications Regulations 2003 (“the PECR”). PECR requires that before you send a marketing email, you must first have a person’s consent. In most instances reaching out to people will fall into the definition of direct marketing. Thus if you need to send an email asking for someone consent to keep in touch, then you probably do not have consent to send that request by email.
Most of these ‘can we stay in touch emails?’ are structured along the lines of ‘we need your permission, otherwise we cannot continue to communicate with you.’ Where a null response is made that then equates to no consent i.e. a refusal; response rates to such campaigns are very low circa 10 – 20%, subsequently, by default, people who have sought consent on this basis will have backed themselves into a corner.
If you have managed your mailing/contact lists as per the points set out, at FAQ 11, above, then you will have consent and can continue to reach out to people as normal. If you find that you need consent to keep in touch, you can ask people by post; as PECR only applies to electronic communications. If you have any questions or concerns please email email@example.com.
Special categories of personal data are defined as:
“Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.”
Previous data protection laws referred to sensitive personal data, the inclusion of genetic and biometric data to uniquely identify individuals is new.
Additional details on special category personal data are available from the Information Commissioner’s Office website.
23. When can I make use of Blind Carbon Copy “bcc” to distribute the same email to several recipients?
The ‘bcc’ field is often used to send a single email to multiple recipients. To reduce the risk of a personal data breach, the following steps must now be implemented with immediate effect by Schools and Units, prior to sending a single email to multiple recipients:
- Consider the content of the message.
If the message contains details that could allow inferences about highly sensitive elements of a person’s life to be made e.g. a medical condition, details of their sex life, religious or other beliefs, then an email must be sent individually to each person. For example, if people have signed up to a wellbeing session to help deal with anxiety then use of ‘bcc’ to alert attendees to a change of venue would be a high risk.
Bcc can be used, without any of the safeguards noted herein, to send a single message to several people where there is no need to hide email addresses and the message does not intrude on privacy i.e. the communication does not reveal anything about a person’s life that requires protection. For example, an email to students and staff announcing that a School Office will close early. Use of Bcc in that instance can be helpful as of a person replies, their response is then directed to the sender of the email, alone.
- If use of ‘bcc’ is judged to be appropriate, e.g. a message requesting that conference delegates arrange for an invoice to be settled, such emails must be sent of batches of less than 50 addresses.
- A ‘four eyes’ peer review system must be in place i.e. 2 people (one of whom may be the author) should supervise and check that all of the safeguards, as described herein are in place before any ‘bulk’ emails are sent. A record of the checks undertaken should be made and retained.