Quick guide

A practical introduction to data protection

Last updated:

Data protection law regulates how colleges, universities and other learning providers collect and use information about students, staff and others. It also provides individuals with the right to access information held about them.

Data protection is part of the fundamental right to privacy and concerns the fair and proper use of information about people. Those who handle personal data must treat people fairly and openly.

What the law says

UK data protection law is set out in the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (GDPR) (EU) 2016/679.

Key principles

The legislation sets out key principles which govern how personal data should be handled and processed. They are designed to ensure that individuals have control over their personal information and that institutions responsibly manage and protect it. The principles are:

  • Lawfulness, fairness, and transparency - personal data must be processed lawfully, fairly, and in a transparent manner. Individuals should be informed about how their data are being used.
  • Purpose limitation - personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data minimisation - institutions should only collect and process personal data that are necessary for the purposes for which they were collected. Data should be adequate, relevant, and limited to what is necessary.
  • Accuracy - personal data should be accurate and, where necessary, kept up to date. Institutions should take reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • Storage limitation - personal data should not be kept in a form that allows identification of individuals for longer than is necessary for the purposes for which it was collected.
  • Integrity and confidentiality - personal data should be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  • Accountability - institutions are responsible for complying with the data protection principles and must be able to demonstrate compliance. This includes implementing appropriate measures and maintaining records of processing activities.

What you need to do

Compliance with the spirit of these key principles is a fundamental building block for good data protection practice and institutions must have appropriate measures and records in place to be able to demonstrate compliance.

Failure to comply with the principles can leave an institution open to regulatory investigation resulting in enforcement actions ranging from warnings to substantial fines.

Key takeaways

Provide privacy information

Be transparent. Not only is transparency a key data protection principle which enables the exercise of individuals’ rights but by being open and honest about what you’re doing with their data, their confidence in you as an institution will increase. It’s also likely to have a positive effect upon potential customers and other business organisations.

Have a privacy notice or policy readily available on your website or where it will be seen and read. This notice is best written with the help of the record of processing activities, so that nothing is missed and it is easy to understand. A privacy notice shouldn’t be written in legalese; it should be easy to understand by the persons who will be reading it: your customers. Consider their needs and adjust your privacy notice accordingly, which may mean delivering it through a recording, using braille or in a gamified format.

No one wants to be faced with innumerable options on cookie banners; keep it simple. Give the user ‘accept all’ or ‘decline all’ options and stay away from nudge behaviour (encouraging the user to select one option over another). Again, clearly explain what cookies you’d like to drop and why. Letting the user know what the cookies do and why gives them greater control and creates trust.

Process personal data lawfully

An easy way to keep track of the data you are processing, including why you're storing it, where it is stored, how it is collected and with whom it is shared, is by keeping your record of processing activities up to date. Not only does this help show accountability (and is available when requested by the ICO), but it's also a really practical record to make sure you have recorded all the processes which handle personal data and the lawful basis for each of them.

It's worth noting that just because personal data are available online, it doesn’t mean that they can be scraped, collected, stored and then used. Such activities will need to be recorded and have a lawful basis too.

There are six lawful bases for processing. At least one of these must apply whenever your institution is processing personal data:

  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks).
  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

Don’t forget to include your rationale for selecting one of the six bases.

Protect the data

This covers a whole range of areas as the security principle is woven into data protection.

An institution is required to process data securely through ‘appropriate technical and organisational measures’, so these measures will be tailored to the institution and the data it processes.

There are lots of elements to consider: policies and risk analysis as well as physical and technical measures. These measures need to be integrated into business practices from inception onwards to make sure that data protection is considered at the start of everything an institution does. This is more commonly known as ‘data protection by design and by default’.

The same considerations will flow down to suppliers too, who also must have certain contractual obligations in place.

This leads on to personal data breach procedures and to ensuring that everyone within an institution has data protection training, so that they are able not only to recognise a personal data breach but also to know how and to whom to report it.

Inadequate information security leaves your services, systems and customers at risk, which may cause real harm and distress to them.

This guide is made available under Creative Commons License (CC BY-NC-ND).