Key definitions and changes
A privacy notice is a statement detailing what personal data someone collects about you, why they collect it and what they do with it. Transparency in the use of personal data has always been an important aspect of the Data Protection Act and it continues to be so with the GDPR. However, the GDPR now sets out a ‘checklist’ of the information that must be included within a privacy notice, as well as indicating how and when the privacy notice must be made available to the individual whose personal data is being collected.
St George’s will be providing more comprehensive guidance on how and when to draft a privacy notice in due course.
The Data Protection Act dictates that processing of personal data must be ‘lawful’ and must meet one of the criteria listed in the Act.
The same applies with the GDPR. So if you are processing personal data then you must meet one of the conditions laid out in the regulation, these being:
a) the data subject has given their consent to this processing
b) the processing is necessary for the performance of a contract with the data subject
c) the processing is necessary for compliance with a legal obligation
d) the processing is necessary in order to protect the vital interests of the data subject or another living individual
e) the processing is necessary for the performance of a task carried out in the public interest
f) the processing is necessary for the legitimate interests of the data controller.
The GDPR places an additional requirement that you must be able to demonstrate the lawful basis for all of your data processing activities, and that these lawful bases be made known to the individual whose personal data is being processed, ie via the relevant privacy notice.
The GDPR also stipulates that public authorities (including universities) may only rely on the final condition, ‘legitimate interests’, where the processing does not relate to one of our core tasks, ie education and research.
Consent should only really be relied on where no other option is available as consent can always be withdrawn by the individual.
Under the GDPR, the mechanisms used for obtaining consent must adhere to certain rules. For example, consent must be ‘explicit’, meaning it must be absolutely clear to the individual what it is they are consenting to; consent must involve an affirmative action, using opt-in (not opt-out) boxes and never pre-ticked boxes; and consent for different uses of personal data should be dealt with as separate indications of consent, not grouped together under a single tick box. It will be important to review your consent mechanisms every so often, and to keep records of when and how you change your consent forms.
You will also need to pay special attention to the type of language you use when obtaining consent from children. Any explanation of what you will be doing with children’s personal data must be phrased in a way that will be easily understandable to them. Where a child is below the relevant age of consent you will need to include parental (or guardian) consent. The GDPR sets the age of consent as 16, but the regulation provides scope for member states to lower this as far as 13. It is possible that the new Data Protection Bill will set the age of consent for data protection purposes in the UK as 13.
More detailed guidance on drafting a consent form under GDPR can be found on the ICO’s website.
A data protection impact assessment (DPIA) is a way of helping to identify and minimise the privacy risks associated with a project involving personal data. It also helps identify the best ways to ensure compliance with data protection obligations. A DPIA should be carried out at the start of a new project, before you actually start doing anything with personal data. It may also be necessary to do a DPIA when you make significant changes to existing systems, or when you want to change the way you will be using personal data you already have.
Under the Data Protection Act there is no obligation to do a DPIA. The GDPR makes it mandatory to carry out a DPIA in certain circumstances, when there is likely to be a ‘high risk’ to the individuals whose personal data is being processed, for example research projects involving the use of health-related data.
St George’s will be producing a policy on how and when to carry out a DPIA.
There will be a new duty to report a data breach, whether accidental or deliberate, within 72 hours of becoming aware of it.
The GDPR also sees a significant increase in the size of the fines that the ICO will be able to impose. Under the Data Protection Act, the maximum fine the ICO can levy is £500,000. Under the GDPR there are two tiers of fines, with the ICO having the power to impose fines of up to €10 million or 2% of global turnover (whichever is higher) or €20 million or 4% of global turnover (whichever is higher).
So every member of the university will need to make sure they are aware of their responsibilities to help prevent breaches, and also of the importance of reporting a breach as soon as they are aware that there has been one.
St George’s will be producing a policy on the process for reporting breaches.
Individuals have the right to request a copy of the personal data an organisation holds on them. The Data Protection Act allows 40 calendar days for complying with such requests. This is reduced to one month under the GDPR. The GDPR also removes the ability to charge an individual for providing them with a copy of their information.
The GDPR introduces some new rights for the individual, such as the right to erasure (also referred to as the right to be forgotten) and the right of data portability. The right to erasure allows an individual to request that their personal data be deleted, so long as there isn’t a compelling reason to continue processing it, eg that there isn’t a legal obligation for an organisation to retain the personal data. The right of data portability means that an individual has the right to request a copy of their personal data in a format that will allow them to reuse it, eg if they want to transfer their data to a different service provider or to use it for a completely different purpose.
Further clarification of what the ‘rights of the individual’ are can be found on the ICO website.