Data protection law regulates how colleges, universities and other learning providers collect and use information about students, staff and others. It also provides individuals with the right to see information that is held about them.
What you can do
Comply with the law
The law (currently the Data Protection Act 1998) is designed to encourage those who process personal information to foster a privacy-aware culture and to have accountable practices in place.
Your institution must:
- Process personal data fairly and lawfully, in accordance with the rights of students, staff and third parties
- Use appropriate measures to keep it secure
- Only transfer it outside the European Economic Area (EEA) to a country that provides adequate protection
Provide privacy information
A lawful basis is always required for processing individuals' personal data, and giving individuals accessible information about how their personal data will be used is a key element of fair processing. This is most commonly done by means of a privacy notice; the Information Commissioner's Office (ICO) has detailed guidance on what privacy notices should contain.
Have an effective policy in place
A data protection policy ensures clarity about how your institution collects, uses and protects personal data. It should also inform and reassure students, staff and anyone else whose data is being used.
Any policy will be tailored to the institution's needs, but the key elements of an informative and effective policy include:
- Examples of best practice
- Definitions of terms used
- Clarity with regard to roles and responsibilities
- Data subjects' rights
- Commitments in terms of access, security, portability
- Privacy statement
- Links to related policies
- Complaints procedures
- Reviewing processes and practices
International transfers of data
Each institution must ensure that an adequate level of protection for the rights and freedoms of data subjects is in place when personal data is transferred to a country or territory outside the EEA. The ICO has produced guidance on transferring data internationally.
For international transfers of data to the United States (US), a number of different mechanisms are available, such as standard contractual clauses, binding corporate rules and the Privacy Shield [1]. If the Privacy Shield is to be used, the receiving US company must first have self-certified to the Privacy Shield framework with the US Department of Commerce. Read more on the Privacy Shield website.
New data protection law, the General Data Protection Regulation (GDPR), comes into force on 25 May 2018. All organisations that collect and handle the personal data of EU residents will be required to comply with the GDPR.
What implications will the GDPR have for colleges and universities?
The biggest change is that institutions will be held far more accountable for the data they process. As well as keeping records of what personal data exists within the organisation, the GDPR requires a documented understanding of why the information is held, how it is collected, when it will be deleted or anonymised, and who may gain access to it.
What you can do now
Prepare for the GDPR by following the ICO guidance "GDPR: 12 steps to take now", which says:
“Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are new elements and significant enhancements, so you will have to do some things for the first time and some things differently.”
Keep up to date with the GDPR by reading Jisc’s regulatory developments blog.
- Read our blog on how universities and colleges should be preparing for new data regulations
- Read our specific guidance on security, mobile devices and data protection and on data protection and research data
- Take a look at our consultancy service, offering expert, targeted support and practical assistance to help you to transform your university or college through digital technologies
- Join the data protection JiscMail mailing list
[1] Commenced 1 August 2016 and replaced Safe Harbour.