This is an introduction to data protection legislation and how it is interpreted and implemented at UCL to help all staff and students.
Data protection is the fair and proper use of information about people. It is part of the fundamental right to privacy and is also about individuals trusting that their personal data is safe and secure when handled by organisations. It is about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others.
Data protection is also about removing unnecessary barriers to trade and co-operation. It exists in part because of international treaties for common standards that enable the free flow of data across borders. The UK has been actively involved in developing these standards.
Data protection is essential to innovation. Good practice in data protection is vital to ensure public trust in, engagement with and support for innovative uses of data in both the public and private sectors.
The UK data protection legislation is set out in the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR) (which also forms part of UK law).
Difference between a regulation and a directive in law
A regulation is binding legislation that applies directly to all European Union (EU) member states. A directive sets out a legislative objective that all EU member states must achieve through their own national legislation. The GDPR is a regulation within EU law and it replaces a directive. However, the Regulation does allow Member States to legislate on data protection matters, e.g. where the processing of personal data is required to comply with a legal obligation, is carried out by a body with official authority, or relates to a public interest task.
The introduction of GDPR in May 2018 brought with it significantly increased penalties for non-compliance: twenty million Euros or four percent of worldwide turnover. Errors could result in UCL's ability to collect and interrogate research data being curtailed or stopped altogether. Not least, the reputation of UCL is at stake.
- Increased territorial scope (extraterritorial applicability)
- Data subject rights requests:
  - Your right to be informed if your personal data is being used.
  - Your right to get copies of your data.
  - Your right to get your data corrected.
  - Your right to get your data deleted.
  - Your right to limit how organisations use your data.
  - Your right to data portability.
  - Your right to object to the use of your data.
  - Your rights relating to decisions being made about you without human involvement (automation/profiling).
  - Your right to raise a concern with an organisation.
  - Your right to access information from a public body.
There are time limits for responding to data protection rights requests.
Since 1995 new technologies such as mobile devices, social media and pervasive use of the internet have fundamentally changed the way we use personal data. The previous 1995 EC Directive, upon which the Data Protection Act 1998 was based, proved to be inadequate in terms of protecting personal data. New legislation was required to meet the challenges that these new technologies posed.
- Complete the online training.
- Recognise a Subject Access Request (SAR) and know what to do with it.
- Know how to report a security data breach or loss of data.
- Know how to share personal data securely.
- Know how to store personal data securely.
- Know what to do when you are away from the office.
- Stay informed.
- Activities which fall outside the scope of EU law (e.g. activities concerning national security).
- Activities undertaken as part of a “purely personal or household activity”.
- Deceased persons.
- Non-persons (e.g., corporations).
- The data being processed is anonymous, i.e. it does not relate to an identified or identifiable individual, or has been rendered in such a manner that the data subject is not or no longer identifiable.
- The organisation processing the data is located outside of the European Economic Area (EEA) and is not processing any personal data originating from within the EEA.
Personal data is any information relating to an identified or identifiable living person (known as a ‘data subject’). The ‘identifiable’ element of this definition makes it broad: it covers direct identifiers such as names but also indirect identifiers such as an IP address or online tracking data. Further examples include contact details, health data and national insurance number.
The term ‘identifiable’ broadens the scope of ‘personal data’. In practice, it means that names are not necessarily required in order to identify an individual. Other factors may reveal information e.g. social, cultural, genetic, physical, an ID number, biometric data. Context may also reveal information about an individual.
Where a name is combined with other information, such as an address, a physical description or a job title, this is likely to clearly identify an individual.
Information that relates to an individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual.
Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual.
Pseudonymising personal data can reduce the risks to the data subjects and help you meet your data protection obligations. But it is effectively only a security measure. It does not change the status of the data as personal data.
Anonymised data is information which does not relate to an identified or identifiable natural person, or personal data that has been rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Special category personal data (sensitive)
This is personal data about an individual’s: race; ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where this is used for identification purposes); health data; sex life; or sexual orientation. It is data that is seen as being particularly sensitive and that needs to be processed with extra care and attention.
Special category: criminal records & DBS checks
These types of data warrant a higher degree of sensitivity when handling.
Special category: children and vulnerable adults
Vulnerable adults: individuals who, for whatever reason, may find it difficult to understand how their information is used.
Lawfulness, fairness and transparency. This means personal data should be processed lawfully, fairly and in a transparent manner in relation to the individual. The transparency and fairness provisions are usually met through privacy notices, which are explained in greater detail in the “Fair Processing?” FAQs below.
Purpose Limitation. This means personal data should only be collected for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes. You should specify the purpose in your privacy notice.
Data Minimisation. This means personal data should be limited to what is necessary in relation to the purpose for which they are being processed, e.g. if you are only sending a newsletter by email, you will probably only need an individual’s name and email address.
Accuracy. This means that you should take reasonable steps to keep personal data up to date and ensure that personal data that is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay.
Storage Limitation. This means personal data should be kept in a form which permits identification of data subjects for no longer than is necessary. You should decide how long it is necessary to retain information given the purposes for which it was collected, and securely delete information when it is no longer needed for those purposes.
Integrity and Confidentiality. This means personal data should be processed in a manner that ensures appropriate security of that personal data, such as protection against unauthorised processing, accidental loss, destruction or damage.
Accountability. This means that controllers shall be responsible for, and be able to demonstrate compliance with, the above six principles.
Processing is any action performed on personal data from the point of creation to destruction and everything in between (e.g. obtaining, disclosing, amending, storing, deleting).
It's important to know the key data protection terms, since they are used in policies, in privacy notices you write or receive, and when assessing risk with a data protection impact assessment (DPIA).
The first principle of the data protection legislation requires that you process all personal data lawfully, fairly and in a transparent manner. Fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them.
Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.
A controller is a legal person (i.e. the University), public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data. Controllers are responsible for most aspects of compliance with the GDPR even when engaging a processor to process personal data on their behalf.
Joint controllership arises where two or more controllers jointly determine the purposes and means of processing. Data protection legislation requires the joint controllers to enter into “an arrangement” that reflects their roles and relationships toward the data subjects. Whilst the word “arrangement” rather than contract is used, the reality is that this is likely to be done by way of a written data sharing agreement.
A processor is a legal person, public authority, agency or other body which processes personal data on behalf of the controller. Therefore, it is the controller who engages the processor. Examples include outsourced services such as organisations which conduct surveys on behalf of the university, cloud services or translation services.
Processors act only under the instructions of controllers. They must keep personal data secure from unauthorised access, loss or destruction. If a processor processes personal data other than in accordance with the controller’s instructions, it becomes a controller.
Controllers and processors have different responsibilities and obligations, so it is important to know which one you are so that you know what you are responsible for.
Both the controller and the processor can be investigated by the ICO and fined.
Both the controller and the processor can be sued by the data subject and both can be held liable for the full amount of the damages.
The relationship between controllers and processors.
Controllers are liable for compliance with data protection legislation and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the data protection legislation will be met and the rights of data subjects protected. A controller must only use a processor providing sufficient guarantees that it has appropriate technical and organisational measures in place in respect of data protection. This means that you should conduct a due diligence exercise on any prospective service providers who may be acting as a processor for you. Processing must be governed by a written contract. Processors must only act on the documented instructions of a controller. They will, however, have some direct responsibilities under data protection legislation and may be subject to fines or other sanctions if they don’t comply.
When you are processing personal data, you must establish your ‘lawful basis' to do so. Please be aware that under GDPR you need a lawful basis for processing each of the data categories i.e. 'a lawful basis' to process 'personal data' and a separate lawful basis to process 'special category' data (these can sometimes be the same lawful basis).
To find your lawful basis, please use the ICO lawful basis interactive guidance tool.
Declaring lawful basis for processing personal data
Privacy notices are the standard way to document the lawful basis for processing. You will also need to include other information in your privacy notice including the purposes for which you have obtained the personal data, the categories of recipient of that data (internal and external), the retention period, any overseas transfers and the individual’s rights.
Additional information needs to be provided when you receive personal data indirectly from a third party, e.g. the categories of personal data you hold and the source.
If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose.
However, the data protection legislation specifically says this does not apply to 'processing' based on consent. You need to either get fresh consent which specifically covers the new purpose, or find a different basis for the new purpose.
If you are processing special category personal data, you need to identify both a lawful basis for processing personal data and an additional lawful basis for special category condition as set out in Article 9 of the GDPR. You should document both your lawful bases for processing and your special category condition so that you can demonstrate compliance and accountability.
Those bases include:
- explicit consent;
- employment law;
- vital interests;
- information made public by the individual;
- legal claims;
- substantial public interest;
- preventative/occupational medical purposes;
- public health;
- research, provided there are safeguards and it is the public interest.
If you are processing data about criminal convictions, criminal offences or related security measures, you also need both a lawful basis for processing and a separate condition for processing criminal offence data; these conditions are set out in the data protection legislation and are similar to the bases above. You should document both your lawful basis for processing and your criminal offence data condition so that you can demonstrate compliance and accountability.
Follow best practices and our guidance to minimise security risks.
Data Protection Impact Assessment (DPIA)
A DPIA (also known as a privacy impact assessment or PIA) is an assessment that is undertaken to identify potential areas of non-compliance and minimise risk. The ICO has promoted the use of DPIAs as an integral part of taking a privacy-by-design approach (see below).
When to conduct an assessment.
You must complete a DPIA before you begin any type of processing that is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.
In particular, according to data protection legislation, you must do a DPIA if you plan to: use systematic and extensive profiling with significant effects; process special category or criminal offence data on a large scale; or systematically monitor publicly accessible places on a large scale.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Loss or theft of data or equipment on which data is stored, such as memory sticks and laptops; inappropriate access controls allowing unauthorised use, e.g. giving staff members access to all data; equipment failure; human error; hacking attacks; and inadvertent disclosure.
How to prevent
Complying with the requirements for privacy by design and default and conducting DPIAs where appropriate will help to prevent personal data breaches.
While privacy can be a separate consideration, it overlaps with data protection in the matter of data privacy. Due consideration must be given and explicitly communicated.
UCL is covered by its general privacy notices but in some cases, it is necessary to write local privacy notices.
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The current data protection legislation contains provisions to ensure privacy by design embeds data protection into new systems.
Under data protection legislation, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
UCL is required to implement appropriate technical and organisational measures to ensure data protection principles such as data minimisation are met.
Article 32 of the data protection legislation (GDPR) gives examples of "appropriate measures", as follows:
- Pseudonymisation, i.e. using personal data in a way that minimises the opportunity for identifying individuals, e.g. by using ID codes; encryption.
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
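The pseudonymisation definition earlier on this page and the "ID codes" measure in the Article 32 list above describe the same technique, so one worked example serves both. The Python below is an added illustration, not UCL code or an ICO tool: it pseudonymises a constructed extract by swapping direct identifiers for a keyed-hash ID code, shows that the identity is recoverable by whoever holds the lookup table (which is why the result is still personal data), and contrasts this with anonymised aggregate output that keeps no key and suppresses small groups. The records, key and thresholds are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets
from collections import Counter

# Constructed sample extract: fictitious people, not real data.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org",
     "postcode": "WC1E 6BT", "age": 34, "condition": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org",
     "postcode": "WC1E 7HB", "age": 38, "condition": "asthma"},
    {"name": "Cara Example", "email": "cara@example.org",
     "postcode": "N1 9GU", "age": 29, "condition": "migraine"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, key):
    """Replace direct identifiers with an ID code derived from a keyed hash
    (HMAC-SHA256 over the normalised email address).

    The same person always gets the same code, so records stay linkable
    across the data set, but the code cannot be reversed without the key.
    Returns (pseudonymised_records, lookup_table). The lookup table and the
    key must be stored separately from the data set under stricter access
    controls: whoever holds either can re-identify everyone.
    """
    pseudonymised, lookup = [], {}
    for rec in records:
        code = hmac.new(key, rec["email"].strip().lower().encode(),
                        hashlib.sha256).hexdigest()[:16]
        lookup[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        pseudonymised.append(
            {"id": code,
             **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return pseudonymised, lookup


def reidentify(pseudonymised_record, lookup):
    """Recover the identity behind a code. That this is possible at all is
    why pseudonymised data is still personal data under the legislation."""
    return lookup[pseudonymised_record["id"]]


def anonymise(records, k=2):
    """Produce aggregate counts with no key and no way back to individuals:
    drop the direct identifiers, generalise the quasi-identifiers
    (postcode -> outward code, age -> 10-year band) and suppress any group
    smaller than k, so a count of one cannot single someone out.
    """
    groups = Counter()
    for rec in records:
        outward = rec["postcode"].split()[0]
        decade = rec["age"] // 10 * 10
        band = f"{decade}-{decade + 9}"
        groups[(outward, band, rec["condition"])] += 1
    return {group: n for group, n in groups.items() if n >= k}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this out of the data set
    pseudo, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised record:", pseudo[0])
    print("re-identified via lookup table:", reidentify(pseudo[0], lookup))
    print("anonymised aggregate (k=2):", anonymise(RECORDS))
```

The two outputs differ in kind: the pseudonymised rows still describe one person each and remain personal data, while the aggregate retains only group counts and, with the small-group suppression applied, the single migraine record in N1 is dropped rather than published as a count of one.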
UCL must ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed. This relates to the amount of personal data collected, the extent of the processing, the retention period and who has access to it. In particular, personal data should not automatically be made accessible to an indefinite number of people without the individual’s intervention. By way of practical example: counselling records should be held on a separate part of the University system and accessible only to relevant members of the counselling team.
UCL must only process data to an extent that is necessary, and must only store data as long as necessary by referring to the records retention schedule.
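The storage limitation principle (in the principles list above and restated here) is easiest to honour when the retention schedule is checked routinely rather than remembered. The Python below is an added example, not UCL's own tooling and not its actual records retention schedule: the categories, periods, record references and dates are constructed. It sorts records into those due for secure deletion, those still within their retention period, and those that need a human decision because no period is defined for their category, which is the safe default instead of silently keeping or deleting them.

```python
from datetime import date, timedelta

# Constructed retention schedule: hypothetical categories and periods for
# illustration only, not UCL's actual records retention schedule.
RETENTION_SCHEDULE = {
    "unsuccessful_applicant_file": timedelta(days=365),   # 1 year after decision
    "staff_personnel_file": timedelta(days=6 * 365),      # 6 years after leaving
    "newsletter_mailing_list": timedelta(days=0),         # delete on unsubscribe
}

# Constructed records. "trigger_date" is the event the retention period runs
# from (decision made, employment ended, consent withdrawn).
RECORDS = [
    {"ref": "A-1", "category": "unsuccessful_applicant_file", "trigger_date": date(2022, 6, 1)},
    {"ref": "S-1", "category": "staff_personnel_file", "trigger_date": date(2023, 1, 15)},
    {"ref": "N-1", "category": "newsletter_mailing_list", "trigger_date": date(2024, 3, 2)},
    {"ref": "X-1", "category": "legacy_export", "trigger_date": date(2010, 1, 1)},
]


def review_retention(records, schedule, today):
    """Sort records into three buckets keyed "delete", "retain" and "review".

    A record is due for deletion once trigger_date + retention period has
    passed. A category absent from the schedule is neither deleted nor kept
    automatically: it is flagged for review so that someone decides its
    retention period and adds it to the schedule.
    """
    result = {"delete": [], "retain": [], "review": []}
    for rec in records:
        period = schedule.get(rec["category"])
        if period is None:
            result["review"].append(rec["ref"])
        elif rec["trigger_date"] + period <= today:
            result["delete"].append(rec["ref"])
        else:
            result["retain"].append(rec["ref"])
    return result


if __name__ == "__main__":
    outcome = review_retention(RECORDS, RETENTION_SCHEDULE, date.today())
    for bucket, refs in outcome.items():
        print(f"{bucket}: {', '.join(refs) or '-'}")
```

Running the check on a fixed date makes the buckets reproducible; in practice it would run on a schedule, with the "delete" bucket feeding a secure deletion step and the "review" bucket going to the records owner.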
What should you do now?
Regularly assess privacy compliance, by, for example, conducting regular data privacy impact assessments (DPIAs).
The practical steps that need to be taken will depend on the likelihood and severity of the risks to privacy, the state of the art and the costs of implementation.