General Data Protection Regulation (GDPR)
The new GDPR comes into effect on 25 May 2018. It will replace the current Directive and apply directly in all EU member states without the need for national legislation. Implementation will require comprehensive changes to the way in which organisations, like UCL, collect, use and transfer personal data.
Organisations will need to adopt policies and procedures to ensure that they comply with the new regulation. This page provides information about the data protection reforms and what might happen next.
Please revisit this page as further information is posted.
- The Impact of Brexit
The result of the EU referendum and the UK’s decision to leave the EU will have an impact on the GDPR in the UK. Whilst the final position is not yet clear, the consensus of opinion is that the GDPR’s provisions will ultimately apply to the UK in one form or another. For example, if the UK remains a member of the Single Market/EEA the GDPR will continue to apply. If the UK leaves the Single Market it appears likely that the UK Government will adopt the GDPR’s provisions into national law in order to allow straightforward transfers of personal data between EU member states and the UK. The timing of the GDPR coming into effect also makes it possible that the new regulation will apply to the UK before any change of UK status.
Key points at a glance
- Consent must be unambiguous, freely given, specific and informed for each purpose for which the data is being processed, especially where the purposes evolve over time
- Consent must be ‘explicit’ for the processing of sensitive data, renamed special category data under GDPR. Explicit consent will require a clear, positive statement of agreement from the data subject, e.g. a signed consent form.
- Consent must be obtained for each separate processing activity
- Data subjects will have the right to withdraw their consent at any time
- ‘Explicit’ consent is one of the limited derogations available for transferring personal data outside the European Economic Area (EEA) where no adequacy decision or other safeguard applies
Consent within research
The GDPR will broadly replicate the current Data Protection Act 1998 (DPA). However, all researchers will need to consider the different types of processing they carry out as part of their research to ensure compliance.
Researchers can still rely on consent as a legal basis to process personal data for their research, but a data subject must be given an easy way to withdraw it. Consent must still be ‘explicit’ for the processing of sensitive data, renamed special category data under GDPR, and a data controller will need to be able to demonstrate that such consent has been given.
UCL will continue to be a Data Controller under the GDPR for all personal data processed for UCL-led research. In most circumstances students are responsible for ensuring that their research involving living, identifiable individuals complies with the requirements of the DPA and, from May 2018, the GDPR.
As with the DPA, the GDPR will require data controllers to have a lawful basis for processing personal data. If researchers are to rely on the consent of the data subject, they must be able to demonstrate that it was unambiguous, freely given, specific and informed for each purpose for which the data is being processed. The consent can be given in writing (including electronically) or as an oral statement. The GDPR (Recital 32) provides some clarity:
This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.
Silence, pre-ticked boxes or inactivity should therefore not constitute consent.
It is important to ensure that consent is obtained for each separate processing activity. Consent will not be valid if several purposes have been unnecessarily bundled together so that an individual has to accept all of them or none of them.
For example, retention of contact details to invite participants to take part in future research is a distinct processing activity from the initial research, and therefore separate consent must be obtained. Likewise, use at a conference of images of participants collected as part of a research study is also a separate processing activity, and individuals should not have to consent to this just to take part in the study.
Under the GDPR data subjects will have the right to withdraw their consent at any time. Mechanisms should therefore be in place to ensure that the process is both simple and effective. They should also be informed of this right prior to giving their consent.
How long does consent last?
The GDPR is not specific about how long consent should last. However, any consent is likely to degrade over time; how long it lasts will depend on the context in which it was originally given. Some research activities also develop over time, and it will remain important to ensure that personal data is not processed for purposes that go beyond the consent obtained, so consent should be kept under review. There must be a clear affirmation of consent: it cannot be inferred from a failure to object to further uses beyond what was originally specified. It is unlikely to be compliant to claim that a one-off consent remains valid several years after it was obtained if the research is continuing. Consideration should therefore be given to how consent can be revisited.
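The consent rules above (one consent per processing purpose, no bundling, a positive act rather than silence, explicit consent for special category data, withdrawal at any time, and consent that is revisited rather than relied on indefinitely) can be enforced in a research data system as a small ledger. The following is an added example written for this page, not UCL code and not part of the regulation: the class and function names are hypothetical, the participant records are constructed sample data, and the 365-day review period is an assumed local policy, since the GDPR itself sets no fixed lifetime for consent.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


# Hypothetical consent ledger: one record per (subject, purpose), never a bundle.
@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    given_at: datetime
    explicit: bool                       # clear written/signed statement (needed for special category data)
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Records and checks consent per processing purpose.

    review_after is an ASSUMED local policy, not a GDPR figure: consent older than
    this is flagged for review rather than silently relied upon.
    """

    def __init__(self, review_after: timedelta = timedelta(days=365)):
        self.review_after = review_after
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def record(self, subject_id: str, purpose: str, given_at: datetime,
               affirmative: bool, explicit: bool = False) -> ConsentRecord:
        # Silence, inactivity or a pre-ticked box is not consent: the caller must
        # assert that the subject performed a positive act for THIS purpose.
        if not affirmative:
            raise ValueError(f"{purpose}: consent requires an affirmative act by the data subject")
        rec = ConsentRecord(subject_id, purpose, given_at, explicit)
        self._records[(subject_id, purpose)] = rec
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> None:
        # Withdrawal is per purpose and takes effect from `at`; earlier processing stays lawful.
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            raise KeyError(f"no consent on file for {subject_id}/{purpose}")
        rec.withdrawn_at = at

    def check(self, subject_id: str, purpose: str, at: datetime,
              special_category: bool = False) -> tuple[bool, str]:
        """Return (allowed, reason) for processing `purpose` about `subject_id` at time `at`."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return False, "no consent recorded for this purpose"
        if at < rec.given_at:
            return False, "processing predates consent"
        if rec.withdrawn_at is not None and at >= rec.withdrawn_at:
            return False, "consent withdrawn"
        if special_category and not rec.explicit:
            return False, "explicit consent required for special category data"
        if at - rec.given_at > self.review_after:
            return False, "consent older than review period; revisit with the data subject"
        return True, "ok"


# Constructed sample data (not real participants).
T0 = datetime(2018, 6, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)


def build_example_ledger() -> ConsentLedger:
    """P1 signed a consent form for the study itself (explicit) but was never asked
    about being re-contacted for future research; P2 ticked an online box (not explicit)."""
    ledger = ConsentLedger()
    ledger.record("P1", "study_participation", T0, affirmative=True, explicit=True)
    ledger.record("P2", "study_participation", T0, affirmative=True, explicit=False)
    return ledger


if __name__ == "__main__":
    ledger = build_example_ledger()
    print(ledger.check("P1", "study_participation", T0 + 7 * DAY, special_category=True))
    print(ledger.check("P1", "future_recontact", T0 + 7 * DAY))     # never consented: refused
    print(ledger.check("P2", "study_participation", T0 + 7 * DAY, special_category=True))
    ledger.withdraw("P1", "study_participation", T0 + 30 * DAY)
    print(ledger.check("P1", "study_participation", T0 + 31 * DAY, special_category=True))
    print(ledger.check("P2", "study_participation", T0 + 400 * DAY))  # stale: flagged for review
```

Because the ledger is keyed by purpose, the "future re-contact" case from the paragraph above is refused automatically even though the participant is in the study, and a withdrawal only blocks processing from the withdrawal time onwards. The stale-consent branch returns a refusal with a reason so the calling system has to surface it to the researcher rather than carry on.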
The GDPR largely preserves the current DPA position on overseas transfers of personal data: for example, transfers of personal data outside the EEA remain prohibited unless certain conditions are met (such as an adequacy decision).
Researchers should review their intended flows of personal data outside of the EEA and consider what mechanisms they have in place to comply with the GDPR. For example, does the intended transfer involve a country which has an adequacy decision (deemed by the European Commission to offer adequate protection), or, if the recipient is based in the USA, an organisation which has joined the EU-US Privacy Shield?
If you are intending to transfer personal data outside the EEA and the country has not been deemed to offer an adequate level of protection you will need to ensure that the transfer meets one of the other requirements of the GDPR, such as by use of standard contractual clauses or binding corporate rules (BCRs). Derogations (exemptions) are also permitted under limited additional circumstances. Explicit consent is one such derogation. If you know at the outset of your research that you intend to transfer personal data to another country you should inform data subjects of this and where necessary seek consent.
- Privacy Notice
The GDPR will place accountability obligations on data controllers to demonstrate compliance with the new regulation. This will introduce greater protection for individuals and give them more control over how their personal information is held, stored, used and shared.
To meet the enhanced privacy requirements, data controllers must be open and transparent about how they process a data subject’s personal information.
A privacy notice is a statement, or document, that discloses the ways in which an organisation will obtain, record, hold, alter, retrieve, destroy or disclose, personal information.
UCL undertakes a wide range of processing, this is reflected in our existing privacy notices for students and alumni. In future there will be an updated alumni/supporter privacy notice covering the Office of the Vice Provost Development’s (OVPD) processing, a revised student notice detailing the overarching central uses of student personal data across UCL and a new staff privacy notice covering the uses of personal data for employment purposes. However, these won't cover all processing activities across UCL and those collecting and using personal data at the local level in departments and faculties will need to provide privacy notices of their own as will researchers processing personal data as part of a study.
The categories identified below should provide a useful platform from which to build a privacy notice that complies with the GDPR:
- details of the purpose and legal basis of the processing of the personal data;
- categories of personal data processed;
- details of how their personal information is to be used;
- information about security of their data;
- information about cookies used by a website;
- details of the recipients of the personal data;
- details of any transfers of personal data outside of the European Economic Area;
- right to complain;
- the period of time the personal data will be stored;
- individual rights – including how to make a subject access request and object to direct marketing.
The Information Commissioner’s Office (ICO) has published a revised Privacy Notices Code of Practice to assist organisations in preparing a clear and effective privacy notice.
- Data Holdings Survey
The current Data Protection Act 1998 (DPA) will be replaced by the General Data Protection Regulation (GDPR) from May 2018. While the GDPR will broadly replicate the DPA, it will require data controllers, like UCL, to document the legal basis for their collection and use (processing) of personal data and to ensure this is communicated to the individuals whose personal data is being processed, the data subjects.
The GDPR (Article 4(1)) defines personal data as any information relating to an identified or identifiable living individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer’s IP address.
The GDPR defines special category data (previously known as sensitive personal data) as: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; data concerning health or sex life and sexual orientation; genetic data; biometric data where processed to uniquely identify a person.
Information that does not fall within the definition of "personal data" is not subject to data protection law.
Some of the key changes in the GDPR are listed below:
- Change to the definition of consent – it must be ‘unambiguous’, so no opt-outs or pre-ticked boxes. This has implications for the sending of marketing such as newsletters to alumni. Consent must also be obtained for each distinct use of an individual’s data (you can no longer package multiple uses together) and must be easy to withdraw
- Privacy notices must be provided and must contain specific information, including details of retention periods and the legal basis for processing
- Personal data breaches must be reported to the Information Commissioner within 72 hours of the controller becoming aware of them, unless the breach is unlikely to result in a risk to individuals
- Data Protection Impact Assessments (risk assessments) must be completed for all new high risk processing e.g. anything with sensitive data such as health related information that identifies living people
- Personal data assets must be recorded
- Profiling and automated decision-making are restricted, e.g. Learning Analytics. Individuals must be told about profiling, and a decision based solely on automated processing that significantly affects them generally requires their explicit consent or another exception provided by the Regulation. This refers to use of so-called ‘big data’ and using information to predict behaviours
- International transfers – Even tougher to send personal data to countries outside the EEA unless specific safeguards are in place
- The time limit for responding to a request for access to an individual’s personal data changes from 40 days to one month (with an extension possible in some specific cases)
- Data processors (companies or individuals processing personal data on behalf of a data controller) will be directly liable for their actions, i.e. capable of being fined as well as the data controller. Contracts should reflect these new responsibilities.
- New accountability principle. Data controllers are required to document how they are compliant with the Regulation. Part of this requires the creation of a register of personal data assets held, showing what personal data is collected, how it is used, how it is secured, whether it is shared and how long it is retained.
The 2017 Data Holdings Survey will help UCL meet the new accountability requirements of the GDPR. In time we shall be working together with the Information Security Group to create more comprehensive asset registers of both personal data and business sensitive data and at that time the data holdings survey will be subsumed into that.
UCL intends to continue to undertake a similar survey each year, although the content is likely to change with the establishment of new data protection laws.
This year's survey is online which will hopefully make it easier to complete and enable us to analyse the returns and run reports.
We require one submission from each department. This is to avoid multiple responses, which would prevent the collation of the wider asset register we are required to have under the new regulation.
We have received a number of queries relating to the survey. Whilst these kinds of issues will be remedied as far as possible, we will also use this feedback to improve our future surveys.
Aims for the future
We welcome expressions of interest from departments to be involved in future pilot programmes, and suggestions for themes. Please contact us by email firstname.lastname@example.org
- Further information
The Information Commissioner’s Office (ICO) has published a number of useful guides to help organisations understand the new framework, which may or may not be implemented in the UK as a result of a post-Brexit UK/EU relationship. If it is decided that the UK is to remain part of the EEA then the GDPR would still apply and still have an impact on UK-based organisations.