The General Data Protection Regulation (GDPR) GWENAN HINE H E A D O

The General Data Protection Regulation (GDPR) GWENAN HINE H E A D O F G OV E R N A N C E & C O M P L I A N C E

What is the GDPR At the end of 2015, the European Parliament and Council agreed a final draft of the General Data Protection Regulation which will apply in the UK from 25 May 2018. The GDPR lays down rules relating to the protection of fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data. It aims to improve consumer protection and general levels of privacy for individuals, includes mandatory reporting of data protection breaches and has an increased emphasis on gaining explicit consent to process information.

Data Protection Bill The UK will also replace its current Data Protection Act (1998) in the next few months, incorporating the GDPR requirements. The Data Protection Bill is currently going through the relevant parliamentary processes (it has gone through the House of Lords and is currently in the House of Commons on its 2 nd reading). The advice from the Information Commissioner’s Office is that many of the GDPR’s main concepts and principles are much the same as those in the current Act, and therefore if we are complying properly with the current law then most of our approach to compliance will remain valid under the GDPR and the new Bill, and will give us a starting point to build from. However, there are new elements and significant enhancements, so we will have to do some things for the first time and some things differently.

The GDPR - new and changed concepts from the Data Protection Act 1998 Transparency and consent issues – information to be provided to individuals, and permissions required from them Children and consent for online services Data – changes to the definitions of personal and sensitive data Breach notification Enhanced individual rights

The GDPR - new and changed concepts from the Data Protection Act 1998 Pseudoanonymisation This is a new definition which refers to the technique of processing personal data in such a way that it can no longer be attributed to a specific individual, without the use of additional information which must be kept separately and be subject to appropriate security to ensure non-attribution. Pseudoanonymised data is still a form of personal data but its use is encouraged (e.g. for extra security of the data, for historical / scientific research or for statistical purposes). Data Protection by design Under the GDPR, we have a general obligation to implement technical and organisational measures to show that we have considered and integrated data protection into our processing activities. We have to adopt “data protection by design” measures. This means that the requirements of data protection legislation must be considered at the very start of any project which involves the processing of personal data. We will need to consider how any new system, or any changes to current systems, will impact on the individuals whose data we will collect / or we already hold. e.g. are we changing how / where we store the data, are we sharing the data with third parties that we didn’t share with previously, are we processing the data differently from previously ?

Scope of the GDPR Any / all information relating to an identified or identifiable individual e.g. Information held in manual form or printed out Emails, databases, spreadsheets etc. Photographs on web sites, marketing photographs, ID Cards and Passes; CCTV images (both central CCTV system and any localised systems / webcams) Web pages Information which may be associated with online identifiers provided by devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers.

Definition of Personal Data The definition of personal data (personal information) is simplified in the GDPR: Any information relating to an identified, or identifiable natural person (the data subject). What does this mean in practice? All staff, students, research subjects, alumni, members of the public etc. where we hold their data – “identified” Also includes, for example, pseudo anonymous individuals where the University also holds the additional information to identify them - “identifiable”

Legitimate Grounds for Processing Personal Data Necessary for the performance of a contract with the data subject, or to take steps to prepare for a contract The University needs to enter into an employment contract with you to pay you in accordance with your contract, to ensure you are subject to it’s policies, regulations and rules and to administer your pension entitlements. These processes will involve the processing of your personal and special categories data. Necessary for compliance with a legal obligation This would be in relation to UK or EU law only and the action undertaken should be foreseeable to those subject to it. Common law obligations may also be sufficient. If we’re relying on a legal obligation to process we still need to draw this to the attention of the individuals. For example the University would need to process data e.g. to check an employee's entitlement to work in the UK, to deduct tax or to comply with health and safety laws. In our privacy notice, or data collection notice we need to make sure that we reference all the processing activities undertaken under a legal obligation. Remember using this ground for processing should be foreseeable to the individual.

Legitimate Grounds for Processing Personal Data Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent This condition is very tightly drafted, and can only be relied upon when there is no other available grounds for processing the data, e.g. for medical emergencies. A ground for processing necessary for humanitarian purposes as well (e.g. disaster responses). Necessary for the performance of a task carried out in the public interest or as a consequence of an official authority vested in the institution (“the public task”) Only where the task is laid out in UK or EU law to which the University is subject. Necessary for the purposes of legitimate interests pursued by the University If you are relying on this you need to document your assessment of why the processing is legitimate. Have you considered the rights and freedoms of data subjects?

The public task We can rely on this lawful basis if we need to process personal data: ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or to perform a specific task in the public interest that is set out in law. We don’t need a specific statutory power to process personal data, but our underlying task, function or power must have a clear basis in law; The processing must be necessary. If we could reasonably perform our tasks or exercise our powers in a less intrusive way, this lawful basis does not apply. Universities are likely to be classified as public authorities, so the public task basis is likely to apply to much of our processing, depending on the detail of our constitution and legal powers. For example, we might rely on public task for processing student personal data for teaching and research purposes; but we may need to rely on a mixture of legitimate interests and consent for alumni relations and fundraising purposes. The university needs to consider its basis carefully – we have to document our decision to help demonstrate compliance if required. We should be able to specify the relevant task, function or power, and identify its statutory or common law basis.

What is a legitimate interest basis for the University? The legitimate interest basis for processing would be most appropriate where the University is using individuals’ data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. For example in relation to members of staff the University would rely on the fact that it had legitimate interest in processing personal data before, during and after the end of the employment relationship to: run recruitment and promotion processes; maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights; operate and keep a record of disciplinary and grievance processes; plan for career development, and for succession planning and workforce management purposes; operate and keep a record of absence and absence management procedures, to allow effective workforce management; obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities and to meet its obligations under health and safety law; operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to ensure the University complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled; ensure effective general HR and business administration; provide references on request for current or former employees; and respond to and defend against legal claims.

Legitimate Grounds for Processing Personal Data Consent Consent is only one of the legitimate grounds for processing personal data under the GDPR. It should only be used where an individual is offered a genuine choice to either accept or decline what is being offered without suffering any detriment. It would not be appropriate to rely on consent if, for example, the individual had no choice but to use the service or to accept the terms. e.g. access to free wifi only if the user consents to receiving marketing materials would be unacceptable as the two things are unrelated. GDPR has a narrower view of what constitutes consent than current legislation. Consent must be a freely given, specified, informed and unambiguous indication of an individual’s wishes. There must be some form of clear affirmative action – a “positive opt in”. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Implied consent will no longer be an option. Consent must be as easily revoked as it is given, and therefore clear processes should be in place for individuals to withdraw consent. Blanket consent for a number of processing activities is now unlikely to be valid, there needs to be consent processes for each separate element of data processing

Legitimate Grounds for Processing Personal Data Things to do now if you are relying on consent to process data: Identify where you are relying on consent to process personal data / special categories data: Review how you collect the consent (information sheets, data collection notices, forms etc.) Make sure you are collecting a freely given, specified, informed and unambiguous indication of an individual’s wishes (what are you telling them?); Can you offer individuals the opportunity to consent to certain areas of the processing and utilise a “positive opt in” – e.g. a tick box process? This could be useful for research projects. Consider how individuals can revoke their consent? Is it clear from your documentation / website? It needs to be as clear as the process you utilised to collect the consent, and individuals should be able to notify you through the same medium. What do you do with consent already collected?

Special categories of personal data Special Categories of Data (previously known as “sensitive personal data”) are broadly unchanged from those listed in the current Data Protection Act. Under the GDPR they are: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; data concerning health or sex life and sexual orientation; genetic data (new); and biometric data where processed to uniquely identify a person (new).

Grounds for Processing Special Categories of Data Explicit Consent The same stringent consent threshold is required as with personal data – freely given, specific, informed and unambiguous indication of an individual’s wishes. Necessary for obligations under employment, social security or social protection law, or a collective agreement - This is a wider definition than within current legislation and is allowed in so far as it is justified by UK or EU law, or by collective agreement. Providing there are appropriate safeguards for the rights and interests of the individual. Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent This condition is very tightly drafted, and can only be relied upon when there is no other available grounds for processing the data, e.g. for medical emergencies Data made public by the data subject Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity - This is a wider definition than within current legislation

Grounds for Processing Special Categories of Data Necessary for reasons of substantial public interest Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care This provision provides a formal legal justification for regulatory uses of healthcare data in the health and pharmaceutical sectors, and by providing for the sharing of health data with providers of social care Necessary for reasons of public interest in the area of public health Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes This is a new condition under the GDPR and provides that special categories data can be processed for the purposes of archiving, research and statistics. Pseudoanonymisation procedures would very likely need to be considered if we were relying on using this ground for processing.

Criminal Convictions and Offences Data in relation to criminal convictions and offences are not categorised as “sensitive” under the GDPR, which they were under the Data Protection Act 1998 However, they have not lost their sensitivity and the GDPR states that this type of data can only be processed under the control of an official authority or where the processing is authorised by UK or EU law, which provides appropriate safeguards. There will be a specific section within the Data Protection Bill relating to law enforcement which will deal with processing for the prevention, detection, investigation, or prosecution of criminal offences or the execution of criminal penalties.

Data Protection Principles 1. Data processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency') The inclusion of the principle of transparency is a new provision within the GDPR. 2. Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes The current DPA 1998 has similar restrictions on the processing of data. The GDPR provisions include processing for public interest and/or scientific purposes, widening the scope for further processing. Archiving, scientific / historical research or statistical purposes would not been seen as incompatible with this purpose. However there would be a need to consider pseudo anonymising the data. 3. Data processed is adequate, relevant and limited to what is necessary Current DPA 1998 uses the term excessive, the GDPR requirements take the opposite view and only permits processing of data that is necessary. 4. Data is accurate and, where necessary, kept up to date There are new rights for individuals in the GDPR e.g. data erasure, data correction etc. which will impact on this principle

Data Protection Principles 5. Data should not to be kept longer than is necessary for the purpose The GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for archiving purposes in the public interest and/or scientific purposes, and in addition for statistical or historical purposes. 6. Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction Accountability The University is responsible for demonstrating that we comply with the six principles

Data processed lawfully, fairly and in a transparent manner Lawfulness What are your grounds for processing both personal data and special categories data? There are no grounds for “it may be useful”. Remember consent is only one of the grounds you can rely on there may be others that are relevant. If you are relying on consent ensure the quality of this consent – does it meet the new requirements? Fairness If you are relying on consent it must be a freely given, specified, informed and unambiguous indication of an individual’s wishes. Ensure there is a form of clear affirmative action – a “positive opt in”. What information are you giving individuals in order for them to make the choice. Transparency The University’s privacy notice will be updated, however consider whether you need your own privacy notice for specific processing activities. Make sure that any notices you use are comprehensive and clear, written in plain language, in an easily accessible format. Where is the information located? Can the individual reasonably be expected to locate the privacy notice, and to make an informed decision to grant consent (where necessary)? Are you informing the individual why you are collecting the data, and what grounds you are relying on? (i.e. if you are not relying on consent what are you relying on, make this clear) Make a decision up front on issues such as archiving so that you can inform the individuals how long you will be keeping their data for.

Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes Purpose Limitation Decide what your basis is for collecting the personal information / special categories information and make this known to the individuals concerned e.g. in any T&Cs, on your website, in any literature. Make sure you consider whether you need to draft your own privacy policy for the processing, or whether you link to the University policy. Have a clear data collection statement which is explicit with regard to use of the data. This is essential in order to ensure specified, informed and unambiguous consent. Make sure you include the retention period for the data. The GDPR also sets out rules on factors to be taken into account to asses whether a new processing purposes fits with the purpose originally communicated to the individual: - Is there any link between the original and proposed new purpose? - The context in which the data was collected - The nature of the data (is it special category or criminal offence data) - The possible consequence of the new processing - The existence of safeguards such as pseudoanonymisation / encryption Processing for archival purposes in the public interest, for scientific and historical research purpose or statistical purposes should be considered compatible with the original purpose.

Data processed is adequate, relevant and limited to what is necessary Data minimisation Only collect and use what you actually need in order to carry out the purpose, and importantly, only what is compatible with the reasons and purposes which the individuals were informed of, or the purposes for which you are legally entitled to hold the information.* *Always refer back to your privacy notice / data collection notice Importantly don’t collect (or hold) any data “in case it might come in handy”

Data is accurate and, where necessary, kept up to date Accuracy Make sure that any personal data, or special categories data, collected is recorded accurately. Every reasonable step must be taken to ensure that any data found to be inaccurate is erased or rectified without delay, and in any event within a month of receiving a request from the individual. The individual needs to notify us of any change in their data. However we should also check periodically to make sure the data is still up to date.

Data should not to be kept longer than is necessary for the purpose Storage Limitation We cannot hold data which permits identification of individuals any longer than is necessary for the purpose notified to the individual in our privacy notice / data collection notice etc. Data can be held for longer as long as this is for the purpose of archiving, or for scientific or historical research, or for statistical purposes. Remember that when you have archived the data, or if you are using it for scientific /historical research or for statistical purposes it still comes under the principle requiring appropriate technical and organisational measures to be in place. Consider pseudoanonymisation at this stage. Once the purpose for holding the data is no longer valid or the assigned retention date has passed you should not continue to hold the information (see also principle 6) We have a legal responsibility to make sure that the information is held securely, and that it is securely disposed of at the end of the retention period

Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction Integrity and confidentiality This principle applies to both personal and special categories data which must be kept secure. The data must be processed in a manner that ensures appropriate security, including protection against unlawful processing, accidental loss, destruction or damage. The information must only be available to those with a right to see it. Matters to consider: Transferring information from one section / function / department to another, or transferring externally – it’s often essential to do this – but consider what information actually needs to be transferred, to whom and how is it possible to ensure the confidentiality and the security of the information. Remember even if we are transferring data it is still our responsibility to ensure its safety. Information is disclosed to members of staff in order for them to carry out their specific roles. This information should not under any circumstances be disclosed or handed over to anyone other than those with a need to see it. Staff must be careful with memory sticks, laptops and other portable media – use encryption / passwords etc. Consult the University’s Information Security Policy.

Information Security Paper records Appropriate storage for paper / manual records would include: Locked metal cabinets with keys limited to authorised staff only; Locked drawer in a desk (or other storage area) with keys limited to authorised staff only; Locked room accessed by key or coded lock where access to the key/code is limited to authorised staff only. Does your School / Department have a clear desk policy? If not are there any risks to having paperwork out on the desk overnight / at weekends? Appropriate disposal for paper / manual records would either be: Secure disposal via an accredited confidential waste disposal company Or Shredding (best practice would suggest use of a cross-cut shredder)

Information Security Electronic records and Database Systems Never disclose your password Ensure your password is robust – change it regularly Always log off, or lock a workstation before leaving it When working on confidential work and / or on work involving personal data make sure no one else can read your screen Protect equipment from physical theft (especially laptops and memory sticks) Store all data on the University network so that it is backed up regularly Remember to back up and secure work mobile devices (laptop / phone) as well When sending emails internally or externally it is essential to check that the appropriate recipient has been selected, before sending the message Be careful with attachments – check they are the right ones before pressing “send”. Before forwarding attachments at all check that the information is not available to the recipient by other secure means e.g. “One Drive” Particular care is required when forwarding emails, in particular ones with attachments so that information is only sent to people with a real ‘need to know’.

Accountability The University is responsible for and should be able to demonstrate compliance with the six principles. What does this mean in practice? 1. Adherence to approved policies and codes – how can we measure this? 2. Robust “paper trails” of decisions relating to data processing. Good records management is essential. 3. Staff Training – ensure all staff know about data protection legislation and encourage attendance 4. Where appropriate use Privacy Impact Assessments which is an assessment carried out to identify and minimise non-compliance risks, especially on “high risk” processing (e.g. substantial processing of special categories data) 5. Audits of compliance though internal / external auditors 6. Use of Data Protection by Design measures (e.g. use of pseudoanonymisation) 7. Regular reports to the Compliance Task Group

GDPR: Individual Rights The right to be informed (privacy notice / data collection notice) The right of access (subject access request) The right to rectification (if data is inaccurate or incomplete) We must respond to a request for rectification of data within a month, if rectification isn’t possible the individual must receive an explanation as to why that is The right to erasure (previously known as the right to be forgotten) This does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances: Where the personal data is no longer necessary for the purpose for which it was originally collected/processed Where the individual withdraws consent, or objects to the processing and there is no overriding legitimate interest for continuing the processing. Where the data is being processed on the basis of the University’s legitimate interest, the individual objects, and the University cannot demonstrate that there are overriding legitimate grounds for the processing If the information has been shared with others it is the University’s responsibility to inform them of the individuals request for data erasure. The right to erasure does not apply For the exercise of the right of freedom of expression and information; For compliance with a UK or EU legal obligation For the performance of a public interest task or exercise of official authority For public health reasons For archival, research or statistical purposes If required for to establish, exercise or defend legal claims

GDPR: Individual Rights The right to restrict processing Where an individual contests the accuracy of the personal data, where an individual has objected to the processing and the organisation is considering their legal reason for processing, where processing is unlawful and the individual opposes erasure and requests restriction instead, where the organisation no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim. The University can store the data, but cannot process it any further unless the individual consents or the processing is necessary to establish e.g. a legal claim, to protect another person The right to data portability The University must respond within a month. Allows individuals to move, copy or transfer personal data in order to obtain and reuse for their own purposes across different services. Information must be provided in a structured, commonly used, machine readable form. The right to data portability does not apply to paper only records. The right to object to direct marketing : this is an absolute right To processing for scientific / historical research / statistical purposes : there must be grounds which specifically relate to the individuals situation To processing for legitimate interests / public interest : important that the University is able to justify why we are relying on these grounds for processing Rights in relation to automated decision making and profiling Establishes safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. We must identify whether any processing operations constitute automated decision making and consider whether appropriate procedures are needed to deal with the requirements of the GDPR.

The right to be informed The GDPR requires us to be transparent and to provide accessible information to individuals about how we use their information. The usual way in which to provide this information is through the use of a “privacy notice”. The term “privacy notice” is used to describe all the different ways in which an organisation can provide privacy information to individuals – on the web, in any literature etc. The privacy notice needs to be comprehensive. The starting point of a privacy notice should be: Who is “Bangor University”; and if it is a specific notice, then it should also include who is the school / department; What is the University going to do with individuals’ information – the purpose for collecting it Who will it be shared with – important to include everything; Details of any transfers outside the EU (as we are an international University this may be relevant); The retention period for the data (consult the records retention schedule); The individuals right to access the data and to rectify, erase and restrict its use; The Complaints process (including to the Information Commissioner’s Office) Whether there’s a statutory or contractual requirement to provide the data and the consequences of not providing it; If there is any automated decision making; What is the source of the data (including if it is from a third party source who they are). The Privacy Notice must be provided at the point in which the individual hands over the data. We can’t assume because someone engages with one service that they would be happy for their data to be transferred to another service. If the data isn’t obtained directly from the individual, the University should provide the Privacy Notice to the individual within a month of receiving the data

The right of access Individuals have the right to be told whether the University is processing their personal data, and to receive a copy of that data. The individual also has the right to be provided with supplemental information about the processing (purpose of processing, categories of data processed, recipients, retention period, their right to erasure / rectification, the source of the data) In order to make a request to see / obtain a copy of the information an individual should make a request in writing. Within the University the request should be made to [email protected] or by post to Lynette Hunter in Corporate Services. There is no charge for making the request, and the request must be dealt without delay, and at the latest within one month of receipt of the request. Matters to consider - Can we make data more accessible to individuals so they can see the information themselves without needing to use the right of access procedure. - Are we making students aware that they can see and amend data within MyBangor? - Can we deal with a request for portability of data – which data can be easily exported in structured, machine readable formats?

Children’s Personal Data in the digital environment The GDPR contains new provisions intended to enhance the protection of children’s personal data in the digital environment. In the GDPR children are identified as those who require specific protection under the regulations. Will the rules in relation to children affect you? Proposals in relation to online services would mean children aged 13 years old or above would be able to consent to their data being processed. For children under 13 years old their parents or guardians would need to consent. Withdrawing consent will also be simplified for children. Privacy notices for children Where services are offered directly to a child, organisations must ensure that the relevant privacy notice is written in a clear, plain way that a child will understand. Children’s personal data for all other circumstances For all other data protection issues, children can make their own decisions if they have capacity or Gillick competency: ".whether or not a child is capable of giving the necessary consent will depend on the child’s maturity and understanding and the nature of the consent required. The child must be capable of making a reasonable assessment of the advantages so the consent, if given, can be properly and fairly described as true consent”

Transfer of data outside the European Union Transfers of personal data outside the EU continue to be regulated and restricted in certain circumstances. The University can transfer data outside the European Union where the receiving organisation has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. Examples of adequate safeguards would be: a legally binding agreement between public authorities or bodies; binding corporate rules (agreements governing transfers made between organisations within in a corporate group); standard data protection clauses in the form of template transfer clauses adopted by the Commission; standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission; compliance with an approved code of conduct approved by a supervisory authority; certification under an approved certification mechanism as provided for in the GDPR; contractual clauses agreed authorised by the competent supervisory authority; or provisions inserted in to administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.

Transfer of data outside the European Union Any current data protection clauses which are put into contracts will need to be updated to ensure they remain compliant with the GDPR requirements and new data protection legislation. To do now: review and map key international data flows, consider what data transfer mechanisms you have in place and whether these will continue to be appropriate, review contract clauses to ensure the requirements remain compliant

Personal or Special Categories Data Breach The GDPR will introduce a duty on all organisations to report certain types of data breach to the Information Commissioner’s Office (ICO), and in most cases also to the individuals affected. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data / special categories data. The University will have to notify the ICO where the breach is likely to result in a risk to the rights and freedoms of individuals, and must do so within 72 hours. Failing to notify a breach when required to do so can result in a fine, in addition there will be a significant fine for the breach itself up to 10 million Euros or 2 per cent of an organisation’s global turnover. The University will be expected to keep an Internal Breach Register noting all personal / special categories data breaches

When should we notify the ICO? We should notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. The individuals themselves will also need to be notified in most cases. Whether to notify or not has to be assessed by the University on a case by case basis, and all staff will be made aware of the University’s internal breach reporting procedures. Issues to consider when assessing Would the breach have a significant detrimental effect on the individuals affected – e.g. result in discrimination, damage to reputation, financial loss, loss of confidentiality, identify theft or any other significant disadvantage? The ICO guidance states they would expect the following information to be shared: The nature of the personal data breach including, where possible the categories and approximate number of individuals concerned; and the categories and approximate number of personal data records concerned; The name and contact details of the data protection officer or other contact point where more information can be obtained; A description of the likely consequences of the personal data breach; and A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

Staff Responsibilities Staff (including volunteers working at the University, external members of committees and contractors) have a responsibility to ensure that personal and special categories data: is kept on a need to know basis, treated sensitively and disposed of securely; is not disclosed, orally or in writing, intentionally, or accidentally, to any unauthorised member of staff or external third party If you need to share personal or special categories data with another member of staff, or with an external third party, make sure that you have satisfied yourself that they have the right to know the information, and if they have that you have made them aware of the need for confidentiality. Don’t hesitate to ask questions e.g. “why do you need it”, “what powers do you have to request it”? Compliance with data protection legislation is both a personal and an organisational responsibility

Final thoughts . Things to do now 1. Raise awareness of the changes with your colleagues, encourage them to attend training 2. Consider what information you hold, and identify your lawful basis for processing the information 3. Look at your Privacy Notices, and include all the required information 4. Are you set up to be able to deal with the changes to individuals’ rights? 5. Make sure you know who handles subject access requests 6. Do you rely on consent to process information, and if so how will you ensure you comply with the more stringent requirements? Think about what needs doing both for current information and for the future 7. Do children use your services? Consider what information needs to be provided to them 8. Familiarise yourself with the University’s data breach procedure 9. Data Protection by Design – build this into your processes especially with new technology projects

Further information? Gwenan Hine Lynette Hunter Head of Governance and Compliance Compliance & Records Assistant [email protected] Ext: 2413 [email protected] Ext: 8530