Introduction to GDPR

Key concepts


What is personal data?

Simply put, personal data is any information relating to an individual which can be used to identify them. Examples include a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Pseudonymised data is also classified as personal data.

Personal data may also include ‘special categories’ of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances and subject to additional controls.

For full definitions, please see the College’s guidance on Processing personal data.

What is a data breach?

A data breach is a breach in security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. You should report a data breach as soon as you suspect one.

When is the College a data controller and when is it a data processor? What is the difference between the two?

A data controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. In contrast, a data processor is the natural or legal person, public authority, agency or any other body which processes personal data on behalf of a controller and only on the data controller’s instruction.

The College is a controller for most of the personal data it processes. However, there are some cases in which the College is a processor, such as when processing data on the instructions of another organisation for a research project or when supplying a service to another organisation.

Data controllers have a greater number of responsibilities under the data protection laws than data processors.

What policies and procedures are relevant to me?

The College has a number of policies and procedures which all staff are required to comply with. The key policies and procedures which relate to data protection are listed below:

What is consent? How do I record it?

The GDPR sets a new, higher standard of consent for data processing. There are a number of requirements for consent – consent must be:

  • Specific
  • Informed
  • Freely given (a performance of a contract must not be made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract)
  • Able to be evidenced
  • Able to be withdrawn
  • Opt-in rather than opt-out
  • Provided by an appropriate method
  • Distinguishable from other matters

To assist, the following tools and guidance are available:

Processing Personal Data

Consent checklist [Word]

What is a legitimate interest? How do I record it?

Under the GDPR, one of the six lawful bases for processing personal data is where legitimate interests apply. It is the most flexible basis for processing and could, in principle, apply to almost any type of processing for any reasonable purpose other than where the College is performing a task in the public interest or exercising any official authority vested in the College, e.g. teaching and carrying out research in the public interest.

In order to record data processing under the legitimate interests basis, you must complete a Legitimate Interest Assessment Template [Word]. Guidance from the Information Commissioner's Office regarding the legitimate interests legal basis is available here.

Who is the College's DPO?

Robert Scott is the College’s Data Protection Officer. His contact details are as follows:

Email: robert.scott@imperial.ac.uk or dpo@imperial.ac.uk

Phone: +44 (0)20 7594 3502

Find other useful contacts.

Safeguarding measures


When is personal data anonymised?

Data is anonymised when it can no longer be attributed to an individual. This is usually accomplished by aggregating the data or by removing all identifiers. Be aware, however, that pseudonymised data (for example, where personal identifiers have been replaced by codes or figures) is still classed as personal data, because a key linking the codes back to individuals is likely to exist.

The Information Commissioner's Office has produced Anonymisation guidance.
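The distinction drawn above, between pseudonymisation (which leaves personal data in scope) and anonymisation by aggregation or identifier removal, is illustrated by the following added example. It is not part of the College's guidance or tooling; the records, the key, the department names and the minimum group size of 3 are all constructed for the demonstration, and the keyed-hash approach to generating codes is one common technique, not the only one.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictitious people, not real data subjects).
RECORDS = [
    {"name": "A. Example", "email": "a.example@example.org", "dept": "Physics", "age": 34},
    {"name": "B. Example", "email": "b.example@example.org", "dept": "Physics", "age": 41},
    {"name": "C. Example", "email": "c.example@example.org", "dept": "Physics", "age": 29},
    {"name": "D. Example", "email": "d.example@example.org", "dept": "Chemistry", "age": 52},
    {"name": "E. Example", "email": "e.example@example.org", "dept": "Chemistry", "age": 38},
]


def pseudonymise(records, key):
    """Replace direct identifiers (name, email) with a keyed code.

    Returns the pseudonymised rows together with the lookup table that maps
    each code back to the original identifier. The existence of that table
    (the 'related key') is exactly why the output is still personal data.
    """
    lookup = {}
    rows = []
    for r in records:
        # HMAC-SHA256 keyed with a secret so the code cannot be recomputed
        # from the email alone; truncated purely for readability.
        code = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[code] = r["email"]
        rows.append({"subject": code, "dept": r["dept"], "age": r["age"]})
    return rows, lookup


def reidentify(pseudo_rows, lookup):
    """Whoever holds the lookup table can trivially reverse the pseudonymisation."""
    return [lookup[row["subject"]] for row in pseudo_rows]


def anonymise_by_aggregation(records, min_group=3):
    """Drop every identifier and keep only counts per department.

    Groups smaller than min_group are suppressed, since a count of one or two
    could still single out an individual. There is no key to reverse this.
    """
    counts = Counter(r["dept"] for r in records)
    return {dept: n for dept, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: a secret held under access control
    rows, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised:", rows)
    print("re-identified with the key:", reidentify(rows, lookup))
    print("aggregated (no key exists):", anonymise_by_aggregation(RECORDS))
```

The point the example makes is operational: a dataset that looks free of names and emails is still personal data as long as someone can get at the mapping (or the HMAC key), so the mapping must be protected and the dataset handled under the data protection rules. Only the aggregated output, where identifiers and the key have both gone and small groups are suppressed, is outside that scope.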

What is privacy by design and default?

Privacy by design and default are mandatory requirements to ensure data protection is built into processing activities. This is accomplished by putting in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights, and by considering data protection and privacy issues upfront in everything we do.

To assist, the following tools and guidance are available:

How can I keep data secure?

If you are looking at how best to keep digital data secure, the College provides guidance and solutions as follows:

Be Secure (ICT Security)

For more information please contact the ICT helpdesk.

How can I share information securely?

Depending on whether data is being shared internally or externally, the College provides guidance and solutions.

For more information please contact the ICT helpdesk.

Training


What training can I do?

The College has developed an e-Learning training course which all staff are strongly encouraged to complete. For information on how to access the training, please visit the Training page.

All staff should also complete the Information Security Awareness training, the Records Management e-Learning course and the Freedom of Information e-Learning course.

Where can I find more information about the GDPR?

The College’s Data Protection web pages have comprehensive information about GDPR, so you should familiarise yourself with them.

To explore external resources recommended by the College, please visit our external guidance pages.

I have identified a data protection training need in my team/department. Who can help?

The Data Protection Officer is able to run dedicated training sessions which are specific to the needs of a team or department. Please contact Robert Scott to discuss further:

Email: robert.scott@imperial.ac.uk or dpo@imperial.ac.uk

Phone: +44 (0)20 7594 3502

Privacy notices


When is a privacy notice necessary?

Data subjects must be provided certain minimum information, usually within a privacy notice, at the time when data is collected from them or within one month from when the personal data is received from a third party.

What existing privacy notices does the College have?

Current privacy notices for the College are as follows:

There are also various local privacy notices, such as a privacy notice for the Library.

If you are proposing to process any personal data, you must check if it is expressly covered by one of the existing privacy notices. If it is covered, clearly draw the attention of the data subject from whom personal data is being collected to the relevant notice at the point at which information is collected or within 1 month from when the information is provided to the College by a third party.

If I need a bespoke privacy notice, is there a template I can use as a starting point?

Yes, there are several templates; which one is a suitable starting point will depend on the nature of the proposed processing.

Once a new privacy notice is prepared, please forward the final draft you are happy with to the Data Protection Officer to sign it off.