Data protection law regulates how colleges, universities and other learning providers collect and use information about students, staff and others. It also provides individuals with the right to access information that is held about them.
Data protection is part of the fundamental right to privacy and concerns the fair and proper use of information about people. Those who handle personal data must treat people fairly and openly.
What the law says
UK data protection law is set out in the Data Protection Act 2018 (DPA 2018), along with the General Data Protection Regulation (GDPR) (EU) 2016/679 (which also forms part of UK law).
This legislation requires accountability and transparency from all those who collect and handle any information relating to an identifiable individual (personal data).
The legislation sets out key principles which lie at the heart of the data protection regime. In brief, personal data must be:
- Processed lawfully, fairly and transparently
- Collected only for specified purposes
- Limited to what is necessary for those purposes
- Kept accurate
- Held for no longer than is necessary
- Retained securely
What you need to do
Comply with the principles
Compliance with the spirit of these key principles is a fundamental building block for good data protection practice and the institution must have appropriate measures and records in place to be able to demonstrate compliance. Failure to comply with the principles can leave an institution open to substantial fines.
Provide privacy information
Students, staff and others have the right to be informed about the collection and use of their personal data. This is a key transparency requirement.
Individuals must be given privacy information that tells them the purposes for which their personal data is processed, how long it will be retained, and who it will be shared with. The information you provide must be concise, transparent, intelligible and easily accessible, and it must use clear and plain language.
Process personal data lawfully
The law prohibits the processing of personal data unless the data controller is able to identify an appropriate legal basis for that processing.
Article 6(1) of the GDPR sets out six lawful bases for processing. At least one of these must apply whenever your institution is processing personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks)
Universities and colleges are classified as public authorities, so the public task basis is likely to apply to much of their processing. In addition, consent or legitimate interests will be appropriate in some circumstances.
Keep records of processing activities
A key element of accountability is maintaining records of your processing activities. This can help you to ensure (and demonstrate) your compliance and is likely to improve data governance and increase business efficiency.
Article 30(1) of the GDPR specifies areas where records must be maintained including the reasons for processing personal data, data sharing and retention. An institution may be required to make the records available to the ICO on request.
Check the conditions for transferring data internationally
Personal data may only be transferred outside of the European Economic Area (the EEA) with adequate safeguards. Detailed information on international transfers of personal data is available on the ICO website.
Brexit transition period
Now that the UK has left the EU, there is a transition period to allow time to negotiate a new relationship with the EU. During this transition period, which runs until the end of December 2020, the GDPR continues to apply in the UK and it is business as usual for data protection.
At the end of the transition period the intention is that the GDPR will be brought into UK law as the ‘UK GDPR’, and there may be further developments about how particular issues, such as UK-EU transfers, are dealt with.
What you can do now
- Ensure that staff at your institution are familiar with and adhering to the ICO Guide to Data Protection
- Use our practical resources and advice to help you understand and apply GDPR legislation
- Follow the Jisc community blog for updates on GDPR and other regulatory developments