Data Protection Statement and Policy
On 25 May 2018, the General Data Protection Regulation (GDPR) and Data Protection Act 2018 replaced the Data Protection Act 1998 (DPA) as the law governing the processing of personal data.
The new regulation gave individuals more control and rights over the processing of their personal data. In addition, it introduced more accountability for data controllers like the University to demonstrate compliance with data protection law. At the University, we prepared for some time to ensure our systems and processes are compliant with GDPR.
Some of the highlights in GDPR are as follows:
All personal data must be processed lawfully, fairly and transparently. It must be collected for a specific and lawful purpose, limited to what is necessary to fulfil the purpose, kept accurate, kept for no longer than is necessary, and processed in a secure way. The University must be able to demonstrate compliance with these principles.
Data subjects (e.g. staff members and students) must be provided with detailed information (usually through privacy notices) including an explanation as to the purpose and legal basis for processing.
Data subjects have increased rights in relation to the processing of their personal data. Some apply only in certain circumstances.
The rights include:
- the right of access to their personal data (e.g. via a subject access request, free of charge, to be dealt with within one month of the request)
- the right to rectification of inaccurate personal data
- the right to data portability (i.e. personal data made available in a portable format in order to move it from one controller to another)
- the right to erasure (i.e. deletion of personal data)
- the right to object to processing
- the right to restrict processing and
- rights in relation to automated decision-making, including profiling.
Greater safeguards exist when processing 'special category' personal data. This includes data relating to health, religion, race, sexual orientation, genetics and biometrics.
The University must ensure data protection 'by design' and 'by default', which means it must ensure there are appropriate technical and organisational controls in place to process personal data securely.
It must also ensure that major projects and developments are subject, where appropriate, to Data Protection Impact Assessments (DPIAs).
Safeguards must be in place if personal data is to be transferred outside of the EEA.
The University must notify the regulator, the ICO, of any data protection breach no later than 72 hours after becoming aware of it, unless the breach does not pose a risk to the rights and freedoms of the individuals concerned.
The fines that can be imposed for data protection breaches have increased to, in some cases, up to 4% of annual turnover or €20 million (whichever is greater).