Data protection is part of the fundamental right to privacy and concerns the fair and proper use of information about people. Those who handle personal data must treat people fairly and openly.
What the law says
UK data protection law is set out in the Data Protection Act 2018 (DPA 2018), along with the General Data Protection Regulation (GDPR) (EU) 2016/679 (which also forms part of UK law).
This legislation requires accountability and transparency from all those who collect and handle any information relating to an identifiable individual (personal data).
The legislation sets out key principles which lie at the heart of the data protection regime. In brief, personal data must be:
- Processed lawfully, fairly and transparently
- Collected only for specified purposes
- Limited to what is necessary for those purposes
- Kept accurate
- Held for no longer than is necessary
- Retained securely
What you need to do
Comply with the principles
Compliance with the spirit of these key principles is a fundamental building block for good data protection practice and the institution must have appropriate measures and records in place to be able to demonstrate compliance. Failure to comply with the principles can leave an institution open to substantial fines.
Provide privacy information
Students, staff and others have the right to be informed about the collection and use of their personal data. This is a key transparency requirement.
Individuals must be given privacy information that tells them the purposes for processing their personal data, the retention periods for that personal data, and who it will be shared with. The information you provide must be concise, transparent, intelligible and easily accessible, and it must use clear and plain language.
Process personal data lawfully
The law prohibits the processing of personal data unless the data controller is able to identify an appropriate legal basis for that processing.
Article 6(1) of the GDPR sets out six lawful bases for processing. At least one of these must apply whenever your institution is processing personal data:
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply if you are a public authority processing data to perform your official tasks)
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose
Universities and colleges are classified as public authorities, so the public task basis is likely to apply to much of their processing. In addition, consent or legitimate interests will be appropriate in some circumstances.
Keep records of processing activities
A key element of accountability is maintaining records of your processing activities. This can help you to ensure (and demonstrate) your compliance and is likely to improve data governance and increase business efficiency.
Article 30(1) of the GDPR specifies areas where records must be maintained including the reasons for processing personal data, data sharing and retention. An institution may be required to make the records available to the ICO on request.
The UK has left the EU – what has changed?
The UK has completed a trade deal with the EU and the GDPR (now retitled the “UK GDPR”) has been retained in UK law. EU data protection law has been converted into UK domestic law, with some minor technical amendments to ensure it is operable in the UK. In practice there is little change to the core data protection principles, rights and obligations now found in the UK GDPR. The DPA 2018, which supplements and tailors the UK GDPR, continues to apply.
Check the conditions for transferring data internationally
On 1 January 2021, the UK became a third country for the purposes of international data transfers under the EU GDPR. Personal data may only be transferred overseas with adequate safeguards. There is currently no change to the way that personal data is sent to the EU/EEA and other countries deemed adequate by the EU.
Receiving personal data from the EU/EEA
The EU-UK Trade and Cooperation Agreement also contains a bridging mechanism that allows the continued free flow of personal data from the EU/EEA to the UK after the transition period. This lasts for up to six months, which gives the EU Commission time to consider making an adequacy decision. An EU adequacy decision for the UK would allow the ongoing free flow of data from the EEA to the UK. If no EU adequacy decision is made for the UK, new, as yet undecided, procedures will be needed.
For up-to-date information on international data transfers now that the UK has left the EU, see the UK government guidance.
On 16 July 2020 the Court of Justice of the European Union (CJEU or ECJ) upheld Standard Contractual Clauses as a valid tool for the international transfer of personal data where they (together with appropriate additional measures) provide protection “essentially equivalent” to that in the EU. Find out more on the ICO website.
What you can do now
- Ensure that staff at your institution are familiar with and adhering to the ICO Guide to Data Protection
- Use our practical resources and advice to help you understand and apply GDPR legislation
- Follow the Jisc involve blog for updates on GDPR and other regulatory developments