The General Data Protection Regulation (GDPR) came into force in the UK on the 25th of May 2018 and replaced the Data Protection Act 1998.
The purpose of the GDPR is to harmonise data protection laws across Europe and to take account of advances in technology. The UK Government has confirmed that it will adopt the GDPR despite the vote to leave the European Union.
Member states are entitled to introduce legislation setting out how the GDPR will apply in their country. The UK Government have introduced the Data Protection Bill to achieve this. This GDPR and the Data Protection Bill must be read side by side to fully understand our obligations.
This Code of Practice is in place to make sure everyone understands the way in which data protection applies to their roles within the University. It also makes sure we meet the requirements set out in Article 24(2) of the GDPR which requires the University, as a data controller, must have in place an appropriate data protection policy to make sure we meet our obligations under the legislation.
A number of wide-ranging changes will be introduced by the GDPR, which will have a direct effect on how the University processes data. The consequences of breaching the GDPR will be significant, with potential fines of up to 20 million euros; it is therefore crucial that all employees of the University are aware of their obligations under the Regulations.
The key changes under the GDPR can be categorised as follows:
The University will be required not just to comply with the GDPR but also to provide evidence to demonstrate our compliance. There will be an emphasis on being accountable and transparent about how data is collected, for what purpose and how it will be used.
To support this drive for greater accountability and transparency, we must also keep more comprehensive records on our data processing activities. These records should include:
Under the GDPR, privacy and data protection must be considered at the outset of any project and in many cases, a Privacy Impact Assessment (PIA) must be carried out. The purpose of a PIA is to identify what data processing will be involved in the project and to assess, mitigate or minimise any privacy risks associated with this.
The rights currently enjoyed by employees under the Data Protection Act will continue and will be enhanced under the GDPR. These new rights will include:
A SAR is a written request by an individual to access personal information that an organisation holds about them.
The time limit for responding to a SAR will be reduced from 40 days to one month under the GDPR. It will also no longer be possible to charge the £10 fee currently permitted under the Data Protection Act.
Strict notification requirements will be introduced under the GDPR for when organisations become aware of potential data breaches. After becoming aware of a potential data breach, organisations will have 72 hours in which to notify the Information Commissioner’s Officer. This requirement will exist where the data breach relates to personal data that is likely to result in a risk to the rights or freedoms of the data subject.
It will become a legal requirement for many organisations, including the University, to appoint a Data Protection Officer under the GDPR. The function of the Data Protection Officer will be to ensure data protection compliance across the organisation and to act as a point of contact for data subjects and data protection authorities.
Under the GDPR, data should only be processed if there is a lawful basis for doing so. The GDPR sets out six legal bases for processing data:
Consent continues to be a lawful basis for processing an individual’s personal data under the GDPR but can we still rely upon it? Consent under the GDPR must be “freely given, specific, informed and unambiguous indication of the individual’s wishes”. This is a much higher bar than under the current data protection regime.
The issue is further complicated by the ability of individual’s to withdraw their consent to their data being processed under the GDPR. In practice, this could cause difficulties if we are relying solely upon an individual’s consent to process their data and it is therefore advisable to explore other legal bases for processing an individuals’ data.
The GDPR is underpinned by the following data protection principles:
The General Data Protection Regulations (GDPR) grant individuals new rights in relation to their personal data and strengthen some existing rights already available under the Data Protection Act.
The purpose of this guidance is to help you to understand your rights under the GDPR and to inform you of how to make requests in relation to your personal data to UWS.
The University will not respond to any requests from third party SAR platforms.
If you wish to make a request to obtain information held by us about you, please read this guidance note and then complete the Subject Access Request form.
When making a request for information held about you, you must:
You must provide 2 documents to show proof of your identity, one from each of the lists below:-
Proof of your ID – 1 document required:
Proof of address – 1 document required:
If you would prefer to send us copies of your documentation, please provide us with ‘certified’ copies. A professional person or someone well respected within your community, such as a solicitor, social worker, doctor, teacher or police officer (they must not be related to you or your partner), can certify documents by doing all of the following on each copy of the documents to be certified:Other forms of ID may be acceptable. At least one form of identification should contain the same signature that is on your application form or letter and one with a photograph. Please note we cannot release your data to you unless satisfactory proof of identification is provided.
Once we receive your request, we will acknowledge your request and try to respond as quickly as possible. In any event, you will receive all the information that has been located and can be released to you within one calendar month and an explanation for any information that cannot be provided at that time.
Upon receipt of a request, we must provide:
We must respond to Subject Access Requests within one calendar month from receiving the request.
The following sections identifies some of the most commonly asked questions and corresponding answers in relation to Data Subject Access Requests that individuals have asked in the past.
A SAR is a request for personal information that your organisation may hold about you.
The purpose of a SAR is to make you aware of and allow you to verify the lawfulness of processing of your personal data. If your personal information is being processed you are entitled to access the following information:
No, a request for information is free unless the request is ‘manifestly unfounded or excessive’. We can charge a fee if the same information is requested more than once.
We will acknowledge your request and check all the documents provided allow us to legally collect and release your data. We will request the relevant departments to provide the data requested. We will try to do this and respond to you as quickly as possible.
For students requests we will look in the following key areas for your information; Admissions, Registry, Student Services, Finance and Library. If you are requesting information from any other areas please give us the details of where to look.
Yes, there is guidance for students, staff and the public available via the Data Protection section on our website.
This guides you how to request information held about you or make a request on behalf of another person. As SARs must be in writing there is a form to complete and a mandate to complete if you are allowing another person to obtain information about you.
We will write to you to acknowledge receipt of your request within 5 working days. We will check that your ID documentation submitted, the form and any other information provided is sufficient to allow us to locate and release the date to you. If so we will try to get the information to you as soon as possible and in any event no later than one calendar month from when we have received your valid request.
The requester should write and tell us the reasons why they are not happy with the response and we will review how your case was handled. We will respond to you within 5 working days.
If you are still not satisfied with the response you may seek advice from the Scottish Information Commissioner.