The General Data Protection Regulation (GDPR) came into force on Friday 25 May 2018.
The Data Protection regulations apply to you and your work
If you access, use, or store personal information about living people (GDPR calls this 'processing personal information'), you will need to understand the GDPR and how to comply with it.
If any staff you line manage (or students you teach) process this kind of data, you will all need to understand the GDPR. The regulations will also apply to mailing lists that you use to send information about College activities to individuals.
What do you mean by personal data?
- Information about or relating to a living person
- Identifiable (on its own or in combination with other information)
- Please see FoM GDPR definitions (SharePoint) for more information.
Examples of data categories
- Clinical observation cohorts
- Population cohorts for epidemiology studies
- Tissue donors
- Clinical trial datasets
- Consent to participate in research (either electronic or hard copy)
- Participants’ personal details used for reimbursement
- Questionnaires, surveys and tests
Admin or HR data
- CVs of job applicants (could be held on laptops, PCs, emails, shared drives, paper copies, etc.)
- Information about staff performance, reviews, disciplinary hearings
- Finance FTE reports
- Expense forms
- Names and contact details used for course marketing purposes
- Students' data that could be used to help with their welfare or occupational health (e.g. GP letters)
- Students' data used for examination assessment
- Supervisory reviews of students' activities
- Student CVs
Patient data (non-research)
- Emails, patient notes, records regarding Trust clinical activities
- Data stored about Trust patients on your Imperial machine (PC, iPad, laptop, Mac)
- Remember that processing of data for patient management purposes is not permitted on the College network and equipment
Key questions around GDPR
What is the Faculty of Medicine doing about GDPR?
A FoM GDPR working group, chaired by Professor Richard Reynolds, was established to create an implementation action plan for the Faculty. The group worked closely with College legal services and ICT to align the College policies and the Faculty’s practical guidance.
As a result, the Faculty has a dedicated FoM Information Governance SharePoint site that provides practical guidance for Faculty-specific activities.
The Faculty established the Information Governance & Strategy Committee to take forward the IG enhancement programme. The SharePoint site will be continuously updated as a result of their work.
What can I do now?
- FoM GDPR Definitions
- Managing your data – good practice guide
- How to manage personal data at the Faculty of Medicine – core roles and responsibilities and Faculty-specific mechanisms to facilitate implementation
- How to manage personal data for research purposes - key principles and practical guidance for handling of health and social care data when conducting research activities
- Data Asset Registration Tool (DART) - completing a DART registration satisfies two legal requirements defined under GDPR:
  - it creates a Data Protection Impact Assessment (DPIA), which can be downloaded as a PDF, as defined under Article 35 of the UK GDPR
  - it populates the College's Records of Processing Activity (RoPA) and ensures personal data is being recorded and managed in an effective manner
  - link: Data Asset Registration Tool (DART)
Who can help me if I have questions?
The Faculty Information Governance SharePoint site is designed to help you navigate through data protection legislation.
FAQ - frequently asked questions regarding personal data processing.
The Faculty Information Governance and Strategy Committee has published guidance for risk management in sharing and publishing genomic data (college logon required)
For any GDPR related questions not already covered, please contact firstname.lastname@example.org.