The new General Data Protection Regulation (GDPR) came into force on Friday 25 May 2018.
These regulations will apply to you and your work
If you access, use, or store personal information about living people (GDPR calls this ‘processing personal information’), you will need to understand the GDPR and how to comply with it.
If any staff you line manage (or students you teach) process this kind of data, you will all need to understand the GDPR. The regulations will also apply to mailing lists that you use to send information about College activities to individuals.
What do you mean by personal data?
- Information about or relating to a living person
- Identifiable (on its own or in combination with other information)
- Please see FoM GDPR definitions for more information.
Examples of data categories
- Clinical observation cohorts
- Population cohorts for epidemiology studies
- Tissue donors
- Clinical trial datasets
- Consent to participate in research (either electronic or hard copy)
- Participants’ personal details used for reimbursement
- Questionnaires, surveys and tests
Admin or HR data
- CVs of job applicants (could be held on laptops, PCs, emails, shared drives, paper copies, etc.)
- Information about staff performance, reviews, disciplinary hearings
- Finance FTE reports
- Expense forms
- Names and contact details used for course marketing purposes
- Students' data that could be used to help with their welfare, occupational health (e.g. GP letters)
- Students' data used for examination assessment
- Supervisory reviews of students' activities
- Student CVs
Patient data (non-research)
- Emails, patient notes, records regarding Trust clinical activities
- Data stored about Trust patients on your Imperial machine (PC, iPad, laptop, Mac)
- Remember that processing of data for patient management purposes is not permitted on the College network and equipment
Key questions around GDPR
What is the Faculty of Medicine doing about GDPR?
A FoM GDPR working group, chaired by Professor Richard Reynolds, has been established to create an implementation action plan for the Faculty. The group is working closely with College legal services and ICT to align the College policies and the Faculty’s practical guidance.
View a timeline of priority actions that the Faculty is working on - FoM GDPR timeline of activities (pdf)
What can I do now?
- COMPLETE the College's Data Protection E-learning training module
- REVIEW Managing your data - good practice guide for GDPR (pdf)
- ATTEND other relevant training courses available from the College
- REVIEW this instruction from the College on existing mailing lists
- READ the information on health and social care research data if you are involved in research in this area
- CONSIDER whether you have any activities that might need their own privacy notices
Who can help me if I have questions?
The Faculty is working on a Faculty Code of Practice, which will detail roles and responsibilities within FoM.
In the interim, for any questions around GDPR in the Faculty, please contact firstname.lastname@example.org.