Introduction to GDPR
Introduction to GDPR widget
Why has the law changed?
The EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 are new laws which have replaced the 1998 Data Protection Act. The reason for the new laws is to harmonize data privacy laws across the EU and give greater protection rights to individuals. Since the implementation of the previous data protection laws there have been technological advances which affect the way in which data can be used. These processing activities weren’t previously accounted for, however, under the new laws they are.
You can read more about the differences on the College’s GDPR page.
Do I have to comply with the new legislation?
Yes. Anybody who processes personal data, as the majority of us do in our day to day work, is responsible for complying with the new legislation. It is therefore important that you familiarise yourself with your responsibilities.
As a member of Imperial College London, you have consented to adhering to relevant policies as part of your contractual obligations, and this encompasses data protection responsibilities.
What are the consequences of non-compliance?
The main risks of non-compliance are lack of confidence from the public and organisation’s in the College. Individuals can also complain to the UK data protection regulator - the Information Commissioners Office - and non-adherence could lead to fines of up to €20 million or 4% of global turnover for the preceding year (whichever is greater).
Key concepts widget
What is personal data?
Simply put, personal data is any information relating to an individual which can be used to identify them. Examples include a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Pseudonomised data is also classified as personal data.
Personal data may also include ‘special categories’ of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances and subject to additional controls.
For full definitions, please see the College’s guidance on Processing personal data.
What is a data breach?
A data breach is a breach in security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. You should report a data breach as soon as you suspect one.
When is the College a data controller and when is it a data processor? What is the difference between the two?
A data controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. In contrast, a data processor is the natural or legal person, public authority, agency or any other body which processes personal data on behalf of a controller and only on the data controller’s instruction.
In respect of most of the personal data processed by the College, the College will be a controller in the majority of cases. However, there are some cases in which the College is a processor such as when processing data on the instructions from another organisation for a research project and when supplying a service to another organisation.
Data controllers have a greater number of responsibilities under the data protection laws than data processors.
What policies and procedures are relevant to me?
What is consent? How do I record it?
The GDPR sets a new, higher standard of consent for data processing. There are a number of requirements for consent – consent must be:
- Freely given (a performance of a contract must not be made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract)
- Able to be evidenced
- Able to be withdrawn
- Opt-in rather than opt-out
- Provided by an appropriate method
- Distinguishable from other matters
In order to assist the following tools and guidance are available:
What is a legitimate interest? How do I record it?
Under the GDPR, one of the six lawful bases for processing personal data is where legitimate interests apply. It is the most flexible basis for processing and could, in principle, apply to almost any type of processing for any reasonable purpose other than where the College is performing a task in the public interest or exercising any official authority vested in the College e.g. teaching and carrying out research in the public interest.
In order to record data processing under the legitimate interests basis, you must complete a Legitimate Interest Assessment Template [Word]. Guidance from the Information Commissioners Office regarding the Legitimate Interests legal basis is available here
Safeguarding measures widget
When is personal data anonymised?
Data is anonymised when it can no longer be attributed to an individual, this is usually accomplished by aggregation of data or by removal of all identifiers. Be aware however that pseudonomised data (for example changing personal identifiers to codes or figures) is still classed as personal data due to the likely presence of a related key.
The Information Commissioner's Office has produced Anonymisation guidance.
What is privacy by design and default?
Privacy by design and default are mandatory requirements to ensure data protection is built into processing activities. This is accomplished by ensuring we place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights by considering data protection and privacy issues upfront in everything we do.
In order to assist the following tools and guidance are available:
How can I keep data secure?
What training can I do?
TheCollege has developed an e-Learning training course which all staff are strongly encouraged to complete. For information on how to access the training, please visit the Training page.
Where can I find more information about the GDPR?
I have identified a data protection training need in my team/department. Who can help?
Privacy notices widget
When is a privacy notice necessary?
Data subjects must be provided certain minimum information, usually within a privacy notice, at the time when data is collected from them or within one month from when the personal data is received from a third party.
What existing privacy notices does the College have?
Current privacy notices for the College are as follows:
- Privacy Notice for staff and prospective staff [PDF]
- Privacy notice for students and prospective students [PDF]
- Privacy Notice for Events [PDF] relates to all College activities relating to event management (including Advancement events)
- Privacy Notice for Advancement Activities relating to alumni, friends and supporters’ personal data
- Privacy Notice for agency and contractors' staff relates to individuals engaged by third parties that contract with the College to provide services to the College.
There are also various local privacy notices such as a privacy notice for the Library.
If you are proposing to process any personal data, you must check if it is expressly covered by one of the existing privacy notices. If it is covered, clearly draw the attention of the data subject from whom personal data is being collected to the relevant notice at the point at which information is collected or within 1 month from when the information is provided to the College by a third party.
If I need a bespoke privacy notice, is there a template I can use as a starting point?
Yes, there are several templates and which one would be a suitable starting point will depend on the nature of the proposed processing.
- Privacy Notice Template [Word]: this is a generic long form template that can be used as a starting point for all types of processing
- Newsletter privacy notice template [Word]: this is a shorter form template suitable for use where personal data is being collected for email newsletters subscription and distribution purposes
- Medical Research Privacy Notice template [Word]: this is a template that is intended to comply with both the GDPR/DPA and with HRA requirements
- Non-medical research privacy notice template [Word]: this template is designed for other research (i.e. not medical/health research) that involves processing personal data
Once a new privacy notice is prepared, please forward the final draft you are happy with to the Data Protection Officer to sign it off.
Individual rights widget
Can I get a copy of my personal data?
Yes, you can. The legislation grants you the right to access your personal data held by Imperial College. These requests are known as subject access requests and in accordance with Section 45 of the Data Protection Act 2018, we will provide you (where applicable) with confirmation that we are processing your personal data, provide you with information pertaining to the processing of your personal data and provide you with a copy of the personal data we hold.
To find out more please visit our page on Subject Access Requests.
Can I get my information rectified?
Yes, if you believe the information held about you by Imperial College is incorrect please contact either the relevant team where the information is held or contact the Data Protection Officer and state clearly what you believe is inaccurate and or incomplete, explain how we should correct the information and, where available, provide evidence of the inaccuracy. The DPO can be contacted as follows:
Phone: +44 (0)20 7594 3502
Can I get my data deleted?
Yes, you can request that the College deletes your information and, in some circumstances (since there are conditions to the availability of this right), we will do so. This is known as the right to erasure. You may sometimes hear it called the ‘right to be forgotten’. To make such a request please contact the Data Protection Officer. His contact details are as follows:
Phone: +44 (0)20 7594 3502
What is a marketing communication?
Direct marketing covers the promotion of aims and ideals as well as the sale of products and services. This will include all types of communications including email, fax, telephone, post and texts.
Is a newsletter a marketing communication?
Very likely. Unless the content pertains to information required to be provided as a service communication, such as part of an agreed contract or activity. For the majority however, if they are used to advertise events, news, products, fundraising campaigns etc. then this would be classed as marketing.
What if a communication is both a service communication and a marketing communication?
If an email contains information classed as both marketing and service communications then they should be separated and sent individually to ensure data subject rights can be adhered to in cases where someone objects to receiving such correspondence plus the College remains able to contact them regarding service communications.
When can I send people marketing emails?
Generally, we can only contact individuals by email or text messages regarding marketing activities if the individual has given consent for the College to do so. This can be done via someone signing up to such communications, requesting information relating to College activities, completing a consent form and/or opting in as part of a separate process.
In order to assist the following tools and guidance are available:
Soft opt in / Legitimate interest
Whilst we can generally only send marketing texts or emails with specific consent, there is an exception to this rule for existing customers, known as the ‘soft opt-in’.
The ‘soft opt-in’ allows marketing texts or emails to be sent without express consent if:
- the details of the recipient have been obtained through the course of a sale/contract (or negotiations for a sale/contract) of a product or service to that person;
- the marketing relates to the College’s own similar products or services; and
- the individual was/is given an opportunity to refuse or opt out of the marketing, both when first providing their details to the College and in every subsequent correspondence.
Business to Business
Rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies e.g. limited liability partnerships, Scottish partnerships, and government bodies where an individual cannot be identified, for example firstname.lastname@example.org. The only requirement is that the College must identify itself as the sender and provide contact details.
In addition employees who have personal corporate email addresses, for example email@example.com) can also be contacted as representatives of their corporation, however, the individual employees will have a Right to Object and to stop any marketing being sent to that type of email address which, if received, must be adhered to.
The Right to Object
Whilst the above provides a brief overview of when marketing communications can be sent, the legislation gives individuals the right to object at any time to such processing with the Right to Object to marketing being absolute so you must stop processing if such a request is received and, whilst it may not be possible to stop immediately (in cases where mass communications are already in transit), a period not exceeding 28 days to comply is expected, if not sooner.
When can I phone people to market College services or for fundraising?
Organisations can make live unsolicited marketing calls, but must not call any number registered with the Telephone Preference Service (TPS) unless the subscriber (i.e. the person who gets the telephone bill) has specifically told them that they do not object to their calls via proactively opting in to such communications. In effect, TPS registration acts as a general opt-out of receiving any marketing calls except for those which the subscriber has specifically requested/allowed.
When making calls, the recipient must always be made aware of who is calling and from where, allow their number (or an alternative contact number) to be displayed to the person receiving the call, and provide a contact address or freephone number if asked.
When can I send letters to people that contain marketing communications?
The Privacy and Electronic Communications Regulation (PECR) does not cover marketing by mail, however, if mail is being sent to named individuals then it must still comply with the DPA and the GDPR and have a legal basis identified for the processing to occur. Furthermore, if we know the name of the person being contacted, we cannot avoid our obligations by simply addressing the mail to ‘the occupier’, as we will still be processing an individual’s personal data behind the scenes meaning they have a right to be made aware of this.
Where can I find out more?
For more information regarding Marketing under GDPR please visit the College's Marketing pages and utilise the Direct Marketing Checklist below. There is also guidance available from the Information Commissioner's Office.
Sharing personal data
Sharing personal data widget
When is a data processing agreement mandatory?
A data processing agreement is mandatory where a controller wishes to appoint a processor to process personal data on behalf of the controller. In such circumstances, both the controller and the processor are responsible to ensure that such an agreement is put into place.
Therefore, this scenario will be relevant in numerous cases in the case of the College – for example, where the College gives access to College systems holding personal data to an IT services provider, where the College uses a third party platform to do newsletter mailings, where the College commissions a third party (e.g. a consultant) to analyse some personal data on the College’s behalf, where the College outsources invoicing functions to a third party platform provider.
As a controller the College must only use processors that guarantee compliance with the GDPR and the College is obliged to appoint such processors in the form of a binding agreement in writing – typically, this takes the form of a data processing agreement, but it can also take the form of data processing clauses or a data processing addendum inserted into the agreement for services with the processor.
Are data processing agreements and data sharing agreements the same thing?
Many people use the titles ‘data processing agreement’ and ‘data sharing agreement’ interchangeably. However, data protection specialists refer to ‘data sharing agreements’ where personal data is being shared between two or more data controllers i.e. no party is processing the data on the instructions of the other, each party is using the data as determined by it.
Data sharing agreements are not mandatory but are a good practice to put into place so that it is beyond doubt what each party’s responsibilities and obligations are, what security measures will be in place when the data is shared, who the relevant contacts are at each organisations etc.
There may be instances where the parties sharing personal data are each a controller for most of the data and a processor for some of the data of the other party. In this scenario, a data processing agreement will be necessary to put in place.
What provisions are mandatory for data processing agreements?
Data Processing Agreements must say that the processor must:
- Only act on the controller’s documented instructions;
- Impose confidentiality obligations on all personnel who process the relevant data;
- Abide by the rules regarding appointment of sub-processors and the rules about transfers of personal data outside the EEA;
- Implement measures to assist the controller in complying with the rights of data subjects;
- Assist the controller in obtaining approval from data protection authorities (the ICO in the UK) where required;
- At the controller’s election, either return or destroy the personal data at the end of the relationship (except as required by EU or member state law);
- Ensure the security of the personal data it processes;
- Provide the controller with all information necessary to demonstrate compliance with the GDPR and allow for and contribute to audits (including inspections) conducted by the controller or another auditor mandated by the controller;
- Assist the controller in ensuring compliance with the controller’s security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and, when necessary, consultation with the data protection authorities, taking into account the nature of processing and the information available to the processor;
- Inform the controller if an instruction from the controller infringes EU data protection law.
Data Processing Agreements must also contain the following details (which will be specific to each individual case):
- The name and contact details of the processor and the controller and, where applicable, of their data protection officers;
- The subject matter, nature and purpose, or purposes, of the data processing;
- The duration of the processing;
- The types of personal data to be processed and categories of data subjects;
- Where possible, a general description of the technical and organisational security measures protecting the personal data.
Indemnities, caps of liability in the event of breach of data processing obligations and mandatory insurance may also be found in some Data Processing Agreements but they are optional.
- The Data Processing Agreement [Word] template is available for use where the College (Data Controller) is sharing personal data with a supplier (Data Processor) within the EEA.
- The Data sharing agreement [Word] template is available for use where the College (Data Controller) is sharing personal data with another party (also Data Controller) within the EEA.
Please contact the Data Protection Officer or legal team for advice on how to arrange and document the transfer. For more information please see the following
Transfers of personal data, or access to personal data from, outside the European Economic Area
Am I allowed to use service providers who will have access to personal data owned by the College outside the European Economic Area?
Yes, data can be transferred to countries outside of the EEA when the following occurs:
- If data is transferred to a country with an Adequacy Decision from the EU Commission
- When standard EU model clauses are signed by the recipient
- If, to the US, the recipient has self-certified under the EU-US Privacy Shield (or the recipient signs the standard EU model clauses)
- When binding corporate rules are in place (rarely encountered in practice by the College)
- Explicit consent is given from the data subject – but this is not an option where the College is exercising public functions
- It is necessary for the performance of a contract – but this is not an option where the College is exercising its public functions or has simply chosen to structure its activities in that manner
If data sharing to a country outside of the EEA is deemed necessary, please contact the Data Protection Officer or legal team for advice on how to arrange and document the transfer. For more information please see the following: