General Data Protection Regulation
What is it?
New European Union legislation which will replace the Data Protection Act from 25 May 2018. After the UK leaves the European Union we will still need to comply with this regulation, which is being carried into UK law through a new Data Protection Act (currently a Bill before Parliament).
How is it different from the Data Protection Act?
The basic principles for looking after personal data are the same, but the standards to adhere to are stricter. The maximum penalty for non-compliance is increasing from £500,000 to €20,000,000 (or 4% of annual worldwide turnover, whichever is higher).
What should I do?
- Continue to meet our obligations by complying with the Data Protection Act (see below).
- Follow good practice guidance published by the Information Commissioner.
- See the University's updated information-for-staff webpage.
Where can I find out more?
The Data Protection Act 1998
The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect the privacy of their personal details.
The legislation itself is complex and, in places, hard to understand. However, it is underpinned by a set of eight straightforward principles.
As well as data processed electronically, the Act covers manual information held in a ‘relevant filing system’, i.e. records organised in a structured way so that information about a particular individual is readily accessible. It is good practice to assume that all manual/paper records of personal data are covered. Manual/paper records must be kept securely.
The Eight Data Protection Principles
The Act requires that the following eight principles apply to all personal data collected, held and stored:
1 Processed fairly
Personal data shall be processed fairly and lawfully.
In practice, this means that you must:
- have legitimate grounds for collecting and using the personal data,
- not use the data in ways that have unjustified adverse effects on the individuals concerned,
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data,
- handle people’s personal data only in ways they would reasonably expect,
- make sure you do not do anything unlawful with the data.