DP guidance

The GDPR in a nutshell.

Introduction

Within the UK, several pieces of data protection legislation interact. These include:

  • The Data Protection Act 2018
  • The UK General Data Protection Regulation (GDPR)
  • The Privacy and Electronic Communications Regulations
  • The Data (Use and Access) Act 2015

This legislation is important for a number of reasons, including:

1. it is wide-ranging, and affects almost every organisation based in the UK, as well as every organisation that does business in the UK, even if based outside the UK;

2. it substantially increases the maximum penalties for non-compliance to the greater of £17.5 million or 4% of an organisation’s worldwide turnover;

3. it raises the bar for compliance by requiring greater openness and transparency about how organisations process personal data and by imposing tighter limits on the use of personal data; it also gives individuals more powerful rights with respect to their personal data;

4. it aligns with its European counterparts and supports the UK's status as an adequate country with which to share data.

The GDPR contains elements from the previous legislation (i.e. the Data Protection Act 1998), for example the Data Protection Principles of good practice and the data subject's right to access his or her personal data and to have it corrected where inaccurate. However, the GDPR imposes additional requirements.

The GDPR continues to impose stringent requirements with which the university, as an organisation holding personal data, must comply. All processing of personal data must be fair and lawful, accurate and up-to-date, and the data must be adequate, relevant, not excessive and be held for no longer than is necessary. It is mandatory that appropriate technical and procedural measures are taken to cover the security of personal information. This relates, among other things, to prevention of unauthorised or unlawful processing or disclosure of data, as well as accidental loss or destruction of, or damage to, personal data. Special conditions apply to sending personal data outside the UK, including transmitting it via the Internet.

Data held in manual or paper form (as part of a relevant filing system) is covered by the GDPR and therefore processing must comply with the GDPR.

Imperial's Data Protection Policy and Codes of Practice detail the rights and responsibilities of staff, students and other authorised individuals who process information on behalf of the College. If you have any further queries, please contact your departmental/divisional Data Protection Co-ordinator or the Data Protection Officer.

Security

Proper security measures must be applied for all methods of holding or displaying personal data and appropriate measures taken to prevent loss, destruction or corruption of data. The following general advice is given:

  • Computers that can access personal data should not be left unattended while logged on, and the screen should always be cleared of personal data after use.
  • Staff who have contact with personal data must take care that it is kept away from people not entitled to see it.
  • Printouts should be stored securely when not in use and shredded when no longer required.
  • Passwords should be changed regularly and not disclosed to unauthorised persons. Staff who process personal data locally should ensure that USB flash drives containing personal data are securely encrypted, removed from their machine and stored securely when not in use, and erased and reformatted when no longer required, and that personal data held on permanent hard disks has adequate protection, e.g. password-controlled access.
  • Care should be taken to ensure the security of personal data, in either electronic or paper format, when the data is removed from the university, e.g. for the purpose of working at home or for an external meeting.
  • Staff and students should consult the ICT “Be Secure” webpages for more detailed information on how electronic data can be protected and processed securely.