Processing personal data
"Any information relating to an identified or identifiable natural person i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person."
Information which falls within this definition is always subject to the GDPR.
Sensitive personal data
"Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data."
This is a special category of personal data subject to additional protections due it its sensitive nature.
For the purposes of providing some student and staff support services (for example, providing reasonable adjustments for disabilities or counselling services), to comply with some legal obligations or due to the type of research activities carried out at the College, this type of data is relevant to us.
As defined by the GDPR, this is a very wide concept. It essentially means anything that is done to, or with, personal data including simply collecting, storing and deleting it.
"The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. The College will be a controller in respect of most of the personal data it processes."
"A natural or legal person, public authority, agency or any other body which processes personal data on behalf of a controller. "
Can I process personal data?
Under the GDPR, you are allowed to process personal data only when you have a lawful basis, of which there are six. These are:
When processing is necessary for the entry into, or performance of, a contract with the data subjects (or at their request prior to the entry into a contract).
Compliance with legal obligations
When processing is necessary for compliance with a legal obligation under EU law or the laws of a Member State.
When processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the College. This includes teaching and research in the public interest.
Legitimate interest (unless a public authority)
When processing is necessary for the purposes of legitimate interests pursued by the College except whether overridden by the interests, fundamental rights or freedoms of the affected data subjects which require protection. This does not apply to processing carried out by public authorities such as our teaching activities or research in the public interest.
When processing is necessary to protect the ‘vital interests’ of the data subject or of another natural person.
When processing has been consented to by the data subject. Please see below for clarification on what consent means.
This is relatively unchanged from the previous law, but consent should now be considered last as a higher standard of consent is required under the GDPR. The ICO has produced an interactive guidance tool which you can use to assess whether you are able to process personal data.
Consent needs to be:
- Freely given (a performance of a contract must not be made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract)
- Able to be evidenced
- Able to be withdrawn
- Opt-in rather than opt-out
- Provided by an appropriate method
- Distinguishable from other matters
Can I process sensitive personal data?
You can process sensitive personal data when, in addition to having fulfilled one of the previously given lawful bases for processing, one of the following conditions is also satisfied:
The processing is necessary for the establishment, exercise or defence of legal claims, or for courts acting in their judicial capacity.
Employment or social security laws
The processing is necessary in the context of employment law, or laws relating to social security and social protection.
Substantial public interest
The processing is necessary for reasons of substantial public interest, and occurs on the basis of a law that is, inter alia, proportionate to the aim pursued and protects the rights of data subjects.
The processing is necessary to protect vital interests of the data subject (or another person) where the data subject is incapable of giving consent.
Medical diagnosis and treatment
The processing is necessary for the purpose of medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services.
Charity or not for profit bodies with respect to their own members
The processing is in the course of the legitimate activities of a charity or not-for-profit body, with respect to its own members, former members, or persons with whom it has regular contact in connection with its purposes.
The processing is necessary for reasons of public interest in the area of public health (e.g., ensuring the safety of medicinal products).
Data manifestly made public by the data subject
The processing relates to personal data which have been manifestly made public by the data subject.
Archiving in the public interest, for historical, scientific, research or statistical purposes
The processing is necessary for archiving purposes in the public interest, for historical, scientific, research or statistical purposes, subject to appropriate safeguards.
The processing is carried out with the explicit consent of the data subject
What do I need to tell people about their data?
You should provide data subjects with information about their rights and your responsibilities regarding the processing of their personal data. This will typically be in the form of a privacy notice and must be in a concise, transparent, intelligible and easily accessible form. Any information provided to children must be especially plain and clear.
This should be done at the time the data are obtained or at a minimum, within a reasonable time (not exceeding one month) after collecting the data.
If you wish to process personal data (including to collect it for the first time from individuals), you should check whether the proposed processing is already covered under one of the College-wide privacy notices.
If it is: you should provide a link to that policy at the point of collection.
If it is not and you are proposing to collect data for the first time: you should use the Privacy Notice Template [Word] and prepare a standalone privacy notice. This should be displayed at the point of data collection. You can contact the Data Protection Officer if you require assistance.
If it is not and you are proposing to use data already collected for a purpose that data subjects were not told about when they gave their data (the further processing of data): you should contact the Data Protection Officer. You and the Data Protection Officer will need to consider if such further processing is compatible with the original purpose and is therefore lawful. We will also have to consider if data subjects ought to be informed again of the proposed further processing of their data. If so, this will involve giving them the required information in the Privacy Notice Template [Word]. The communication method may be post or email, but will depend on what is most likely to be received and read.