Overview of the GDPR
The General Data Protection Regulation (GDPR) came into force in the UK on the 25th of May 2018 and replaced the Data Protection Act 1998.
The purpose of the GDPR is to harmonise data protection laws across Europe and to take account of advances in technology. The UK Government has confirmed that it will adopt the GDPR despite the vote to leave the European Union.
Member states are entitled to introduce legislation setting out how the GDPR will apply in their country. The UK Government has introduced the Data Protection Bill to achieve this. The GDPR and the Data Protection Bill must be read side by side to fully understand our obligations.
Data Protection Code of Practice
This Code of Practice is in place to make sure everyone understands the way in which data protection applies to their roles within the University. It also makes sure we meet the requirements set out in Article 24(2) of the GDPR, which requires that the University, as a data controller, has in place an appropriate data protection policy to make sure we meet our obligations under the legislation.
A number of wide-ranging changes will be introduced by the GDPR, which will have a direct effect on how the University processes data. The consequences of breaching the GDPR will be significant, with potential fines of up to 20 million euros; it is therefore crucial that all employees of the University are aware of their obligations under the Regulations.
The key changes under the GDPR can be categorised as follows:
1/ Transparency and accountability
The University will be required not just to comply with the GDPR but also to provide evidence to demonstrate our compliance. There will be an emphasis on being accountable and transparent about how data is collected, for what purpose and how it will be used.
2/ Record keeping
To support this drive for greater accountability and transparency, we must also keep more comprehensive records on our data processing activities. These records should include:
- The purpose of the processing;
- The categories of data subjects (i.e. whose data we are processing);
- The type of personal data that we are processing;
- Who this personal data will be shared with;
- The time limits that the data will be stored for;
- Any technical or organisational security measures that have been put in place to safeguard the data.
3/ Privacy by design
Under the GDPR, privacy and data protection must be considered at the outset of any project and in many cases, a Privacy Impact Assessment (PIA) must be carried out. The purpose of a PIA is to identify what data processing will be involved in the project and to assess, mitigate or minimise any privacy risks associated with this.
4/ The rights of employees
The rights currently enjoyed by employees under the Data Protection Act will continue and will be enhanced under the GDPR. These new rights will include:
- The right to be informed – the University must inform individuals of the data we collect and the purposes of processing it;
- The right of access – individuals have the right to access the information that we hold about them by making a Subject Access Request (SAR). This right will be enhanced under the GDPR;
- The right to be forgotten – in some circumstances an individual will have the right to request that their data be deleted when no longer needed;
- The right to data portability – individuals have the right to re-use their data for other purposes by requesting that it be transferred across departments or to another organisation. This may take place where an individual changes job and asks us to transfer their personal data to their new employer;
- The right to rectification – where the data held about an individual is inaccurate or incomplete, they can request that this is rectified.
5/ Subject Access Requests (SARs)
A SAR is a written request by an individual to access personal information that an organisation holds about them.
The time limit for responding to a SAR will be reduced from 40 days to one month under the GDPR. It will also no longer be possible to charge the £10 fee currently permitted under the Data Protection Act.
6/ Data breach notification
Strict notification requirements will be introduced under the GDPR for when organisations become aware of potential data breaches. After becoming aware of a potential data breach, organisations will have 72 hours in which to notify the Information Commissioner’s Office. This requirement will exist where the data breach relates to personal data and is likely to result in a risk to the rights or freedoms of the data subject.
7/ Appointment of a Data Protection Officer
It will become a legal requirement for many organisations, including the University, to appoint a Data Protection Officer under the GDPR. The function of the Data Protection Officer will be to ensure data protection compliance across the organisation and to act as a point of contact for data subjects and data protection authorities.
Under the GDPR, data should only be processed if there is a lawful basis for doing so. The GDPR sets out six legal bases for processing data:
- Contractual necessity – It is necessary to process someone’s personal data to perform a contract that you have with them.
- Legal obligation – UK or EU law requires you to process an individual’s personal data.
- To protect life – You must process someone’s personal data to save a life.
- Official function – The processing is carried out in an official function vested in the data controller or in the public interest.
- Legitimate interest (private companies only) – There is a genuine and legitimate basis for processing an individual’s personal data.
- Consent – the individual has given you consent to process their personal data.
Should I rely on consent as a lawful basis for processing personal data?
Consent continues to be a lawful basis for processing an individual’s personal data under the GDPR, but can we still rely upon it? Consent under the GDPR must be a “freely given, specific, informed and unambiguous indication of the individual’s wishes”. This is a much higher bar than under the current data protection regime.
The issue is further complicated by the ability of individuals to withdraw their consent to their data being processed under the GDPR. In practice, this could cause difficulties if we are relying solely upon an individual’s consent to process their data, and it is therefore advisable to explore other legal bases for processing an individual’s data.
The GDPR is underpinned by the following data protection principles:
- Lawfulness, fairness and transparency – personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
- Purpose limitation – personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Data minimisation – personal data shall be adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- Accuracy – personal data shall be accurate and where necessary, kept up to date;
- Storage limitation – personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
- Integrity and confidentiality – personal data shall be processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate organisational or technical measures;
- Accountability – the data controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.
The General Data Protection Regulation (GDPR) grants individuals new rights in relation to their personal data and strengthens some existing rights already available under the Data Protection Act.
The purpose of this guidance is to help you to understand your rights under the GDPR and to inform you of how to make requests in relation to your personal data to UWS.
The University will not respond to any requests from third-party SAR platforms.
Subject Access Requests
Guidance for Individuals requesting data held about them
If you wish to make a request to obtain information held by us about you, please read this guidance note and then complete the Subject Access Request form.
When making a request for information held about you, you must:
- Make the request in writing
- Supply proof of who you are (see acceptable ID documents below)
- Provide as much detail as possible regarding the information you wish to access (who holds the information, where it is held if known, any specific details about the information required)
You do not need to tell us why you wish to access the information.
You must provide 2 documents to show proof of your identity, one from each of the lists below:
Proof of your ID – 1 document required:
- Full or provisional driving licence
- Birth Certificate
Proof of address – 1 document required:
- Electricity or gas bill
- Council tax bill
- Bank statement
- P45 or P60
Other forms of ID may be acceptable. At least one form of identification should contain the same signature that is on your application form or letter, and one should contain a photograph. Please note we cannot release your data to you unless satisfactory proof of identification is provided.
If you would prefer to send us copies of your documentation, please provide us with ‘certified’ copies. A professional person or someone well respected within your community, such as a solicitor, social worker, doctor, teacher or police officer (they must not be related to you or your partner), can certify documents by doing all of the following on each copy of the documents to be certified:
- writing ‘certified to be a true copy of the original seen by me’ on the document;
- signing and dating with their name printed underneath the signature;
- adding in their occupation, address and telephone number.
Once we receive your request, we will acknowledge your request and try to respond as quickly as possible. In any event, you will receive all the information that has been located and can be released to you within one calendar month and an explanation for any information that cannot be provided at that time.
Upon receipt of a request, we must provide:
- information on whether or not the personal data are processed (processed means collecting, using, disclosing, retaining or disposing of personal data)
- a description of the data, purposes and who was given that data
- a copy of the data and, if necessary, an explanation of any codes/jargon contained within the data.
We must respond to Subject Access Requests within one calendar month from receiving the request.
Frequently Asked Questions
The following sections set out some of the questions individuals have most commonly asked in the past in relation to Data Subject Access Requests, together with the corresponding answers.
What is a Subject Access Request (SAR)?
A SAR is a request for the personal information that an organisation may hold about you.
What is the purpose of a SAR?
The purpose of a SAR is to make you aware of and allow you to verify the lawfulness of processing of your personal data. If your personal information is being processed you are entitled to access the following information:
- The reasons why your data is being processed
- The description of your personal data
- Anyone who has received or will receive your personal data
- Details of the origin of your data if it was not collected from you
Is there a charge for requesting information?
No, a request for information is free unless the request is ‘manifestly unfounded or excessive’. We can charge a fee if the same information is requested more than once.
How will my request be dealt with?
We will acknowledge your request and check that all the documents provided allow us to legally collect and release your data. We will then ask the relevant departments to provide the data requested. We will try to do this and respond to you as quickly as possible.
For student requests we will look in the following key areas for your information: Admissions, Registry, Student Services, Finance and Library. If you are requesting information from any other areas, please give us the details of where to look.
Is there guidance to help a requester?
Yes, there is guidance for students, staff and the public available via the Data Protection section on our website.
This guides you on how to request information held about you or how to make a request on behalf of another person. As SARs must be in writing, there is a form to complete, and a mandate to complete if you are allowing another person to obtain information about you.
When will you get back to me about my request?
We will write to you to acknowledge receipt of your request within 5 working days. We will check that the ID documentation submitted, the form and any other information provided are sufficient to allow us to locate and release the data to you. If so, we will try to get the information to you as soon as possible and in any event no later than one calendar month from when we received your valid request.
Can I speak to someone about my request?
What if I am not happy with the response?
If you are not happy with the response, please write to us setting out the reasons why, and we will review how your case was handled. We will respond to you within 5 working days.
If you are still not satisfied with the response you may seek advice from the Scottish Information Commissioner.