Content
Personal data
Special category personal data
Determining the lawful basis for processing
What to do if you find that you have retained personal data which you no longer require?
Under the UK GDPR, personal data is defined as any information relating to an identified or identifiable natural person (referred to as a "data subject"). This means that personal data includes any information that can directly or indirectly identify an individual. Examples of identifiers include:
- Name
- Identification number
- Location data
- Online identifier
- Physical, physiological, genetic, mental, economic, cultural, or social identity factors
In essence, if the information can be used to identify a person, either on its own or when combined with other data, it is considered personal data.
Special category personal data
The special categories specifically include health, trade union membership, ethnic origin, religious / philosophical belief, sexual orientation, genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences is not included in the special categories, but similar extra safeguards apply to its processing.
Under the UK GDPR, special category personal data refers to data that is more sensitive and requires extra protection. This includes information that reveals:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (when used for identification purposes)
- Health data
- Data concerning a person's sex life
- Data concerning a person's sexual orientation
Processing this type of data requires both a lawful basis under Article 6 and a separate condition under Article 9 of the UK GDPR.
Determining the lawful basis for processing
Under the UK GDPR, you must have a lawful basis to process personal data. There are six lawful bases for processing, as outlined in Article 6 of the UK GDPR.
- Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
- Contractual Necessity: Processing is necessary for the performance of a contract with the individual or to take steps at their request before entering into a contract.
- Legal Obligation: Processing is necessary for compliance with a legal obligation to which the data controller is subject.
- Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person.
- Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Universities are classed as public authorities, so much of the processing UCL undertakes uses "public task" as its lawful basis in order to help operate the university. Please see this link for further guidance.
What to do if you find that you have retained personal data which you no longer require?
If you find that you have retained personal data which you no longer require, it's important to follow the UK GDPR guidelines to ensure proper handling and deletion. Here are the steps you should take:
- Review UCL Data Retention Schedule: This outlines how long different types of data should be kept and the process for securely deleting data that is no longer needed.
- Identify the Data: Determine which personal data is no longer necessary for the purposes for which it was collected. This includes data that has exceeded its retention period or is no longer relevant.
- Secure Deletion: Delete the data securely to prevent unauthorised access. This may involve:
  - Permanently deleting electronic records from all systems and backups.
  - Shredding physical documents containing personal data.
- Document the Process: Keep records of the data deletion process, including what data was deleted, when, and by whom. This helps demonstrate compliance with the UK GDPR.
- Inform Relevant Parties: If the data was shared with third parties, inform them of the deletion and ensure they also delete the data.
- Regular Audits: Conduct regular audits of your data to ensure that you are not retaining unnecessary personal data and that your deletion processes are effective.
By following these steps, you can ensure that you handle personal data responsibly and in compliance with the UK GDPR.