GDPR Online training: Update and Refresh
21 October 2020
It has been two and a half years since the GDPR and Data Protection Act (2018) were introduced to the UK – UCL staff should now refresh and update their training, writes Fiona Ryland, UCL's Chief Operating Officer.
It has been two and half years since the General Data Protection Regulation (GDPR) and the Data Protection Act (2018) were introduced in the UK. Since the introduction of this legislation, UCL has made a number of key efforts and changes to ensure our compliance with the law, including the provision of all staff training on data protection. When we rolled out the all staff training in October 2018, we achieved a rate of 100% completion of the training which has put UCL on a very good footing in meeting its compliance responsibilities. It is now time for all staff to undertake a refresher course to ensure we are all up to date on the principles of data protection.
The UCL GDPR Programme has developed a staff refresher course, which consists of a series of questions on data protection, for which you are required to achieve a pass mark of 70%. An accessible version is also available for those that require one.
We need to be able to demonstrate that all staff are continuing the training in data protection, therefore, successful completion of this training will be a mandatory requirement for all part-time and full-time staff, as well as UCL Honorary role holders and PhD students, who have completed the full GDPR online training in the past two years. This training is available now – please go to this page and select the refresher training course. There are additional training courses for Researchers and Students which you may wish to explore further. Once you have completed the training, this will be logged in your MyLearning platform.
Unfortunately, we are not able to accept information compliance training from other institutions.
‘Schrems II’ – Privacy Shield
Data protection is a constantly evolving area and there have been two important recent developments which I would like to update you on. The European Court of Justice has invalidated the EU - U.S. Privacy Shield, the mechanism that allowed the transfer of personal data between the two regions, stating that personal data protection and its judicial protection in the U.S. is not in keeping with requirements of EU law. The impact of this decision is significant for any contractual relationships including research and operational contracts where personal data is transferred to the US under Privacy Shield. For any new contracts which will include the transfer personal data to the US please contact the Data Protection Officer (email@example.com) for further assistance. A guidance note has been produced for staff.
Age appropriate design: a code of practice for online services:
The Information Commissioners Office (ICO) has identified that one in five UK internet users are children, but they are using an internet that was not designed for them. For all the benefits the digital economy can offer children, the ICO is concerned that it is not currently creating a safe space for children to learn, explore and play. The Age appropriate design code came into force on 2 September 2020, to address this concern, with a 12-month implementation period; organisations are therefore required to achieve compliance by 2 September 2021.
The Code applies to ‘information society services’ likely to be accessed by children in the UK. In simple terms, that means many apps, online games, connected toys and devices, search engines, social media platforms and websites that offer goods, news or education services. It is not limited to services specifically directed at children.
The Code is a set of 15 flexible standards – they do not ban or specifically prescribe – that provides built-in protection to allow children to explore, learn and play online by ensuring that the best interests of the child are the primary consideration when designing and developing online services.
The key requirements the ICO highlights with the code are:
- Settings must be “high privacy” by default (unless there’s a compelling reason not to);
- only the minimum amount of personal data should be collected and retained;
- children’s data should not usually be shared;
- geolocation services should be switched off by default; and
- nudge techniques should not be used to encourage children to provide unnecessary personal data, weaken or turn off their privacy settings.
The UCL GDPR Programme and the DPO will be preparing guidance notes to assist the university in meeting compliance on this matter, and further updates will be announced as these are launched in the coming months.
I ask that you please begin to raise these matters at your management meetings and/or departmental meetings to help raise awareness of the training. It is crucial that our staff are adequately managing to keep up to date in data protection and information governance.
If you have any queries about the training please contact the GDPR programme using firstname.lastname@example.org
Chief Operating Officer