Data protection law regulates how colleges, universities and other learning providers collect and use information about students, staff and others. It also provides individuals with the right to access information that is held about them.
What the law says
Data protection law in the UK was updated on 25 May 2018 by the General Data Protection Regulation (GDPR) (EU) 2016/679 and demands increased accountability and transparency from all those that collect and handle any information relating to an identifiable individual (personal data).
Article 5 of the GDPR sets out key principles which lie at the heart of the general data protection regime. In brief, personal data must be:
- Processed lawfully, fairly and transparently
- Collected only for specified purposes
- Limited to what is necessary for those purposes
- Kept accurate
- Held for no longer than is necessary
- Retained securely
What you need to do
Comply with the principles
Compliance with the spirit of these key principles is a fundamental building block for good data protection practice and the institution must have appropriate measures and records in place to be able to demonstrate compliance. Failure to comply with the principles can leave an institution open to substantial fines.
Provide privacy information
Students, staff and others have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
Individuals must be given privacy information that tells them the purposes for processing their personal data, the retention periods for that personal data, and who it will be shared with. The information provided must be concise, transparent, intelligible and easily accessible, and it must use clear and plain language.
Process personal data lawfully
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever your institution is processing personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks)
Universities and colleges are classified as public authorities, so the public task basis is likely to apply to much of their processing. In addition, consent or legitimate interests will be appropriate in some circumstances.
Keep records of processing activities
Article 30(1) of the GDPR contains explicit provisions about documenting processing activities. Maintaining records on processing purposes, data sharing and retention is essential and an institution may be required to make the records available to the ICO on request.
Check the conditions for transferring data internationally
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR. Further detail on international transfers of personal data is available on the ICO website.
What you can do now
- Ensure that staff at your institution are familiar with and adhering to the ICO Guide to the General Data Protection Regulation (GDPR)
- Use our practical resources and advice to help you understand and apply GDPR legislation
- Follow the community blog for updates on GDPR and other regulatory developments