An Introduction to the General Data Protection Regulation

Presentation transcript:


General Data Protection Regulation
- Single set of rules for all EU nations
- Supersedes the Data Protection Act 1998
- Applies to international organisations that offer goods or services to, or monitor, EU citizens
- Sits with the newly passed UK Data Protection Act
- Requires Data Protection by Design & Default and documented accountability

Think about it…
- Are you familiar with the previous Data Protection Act 1998?
- Do you know anything already about the GDPR?
- What are your expectations from this training?

Data protection principles
1. Personal data shall be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data.
2. Accountability principle: the controller shall be responsible for, and be able to demonstrate compliance with, the above.

Think about it…
- How might you demonstrate accountability with the principles?
- What procedures does your team, Service, School, Institute, or College have in place to comply with any of the principles?

Personal data
Any information relating to a natural person who can be identified, directly or indirectly, by that information, such as:
- Name
- Identification number
- Location data
- Online identifier
- Pseudonymised data
- Factors specific to physical, physiological, genetic, mental, economic, cultural or social identity

Special categories of personal data
Personal data relating to:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic or biometric data processed for the purpose of identification
- health
- sex life or sexual orientation

Think about it…
- Can you identify the different types of personal data and special categories of personal data that you work with or store?
- Include the data processed by your team, Service, School, Institute, or College.

What is processing?
Any operation or set of operations performed on personal data or on sets of personal data, including:
- collection, recording, receipt
- storage, backup, filing, retention
- display, scanning, review
- deletion, destruction
- editing, updating, modification
- copying, transmission, transfer, release
- loss, mislaying, misdirection

When can you process personal data?

Personal data:
- Consent
- Necessary for performance of a contract
- Necessary for compliance with a legal obligation
- Protect vital interests of the individual
- Necessary for performance of a task in the public interest
- Necessary for the purposes of legitimate interests

Special categories of personal data:
- Explicit consent
- Required to comply with employment, social security, or social protection legislation
- Protect vital interests of the individual
- In connection with legal proceedings and the administration of justice
- Information already made public by the data subject
- Necessary for medical reasons or public interest in relation to public health
- Necessary for archiving, scientific or historical research, or statistical purposes

Speaker notes: What are you telling students on your first interactions? What sort of agreement is presented to them, and what are they “signing” up for? Is it a contract for service? Is it legitimate interests?

Think about it…
- Based on the personal data you previously identified, what are your legal bases for processing those different types of data?

Conditions for consent
- Implied consent is unacceptable for processing
- Demonstrable by a statement or clear affirmative action
- Freely given, specific, informed, unambiguous
- Consent must be obtained for every processing scenario
- Consent can be withdrawn at any time

New and expanded rights
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction
- Right to data portability
- Right to object
- Right to prevent automated processing, including profiling

Speaker notes: Talk about profiling, because of the work Planning does? All rights issues must be shared with any organisation we’ve shared with, e.g. rectifications must be relayed to HESA.

New and expanded rights
- Data subjects must be aware of their rights
- Responses must be provided within one calendar month
- Systems and procedures must be in place to adhere to rights
- Documentation of adherence is required
- If a right is exercised, we must notify any third party we’ve shared the relevant data with

Think about it…
- If someone exercised any one of their rights, how would you or your team go about providing a response?
- Do you know how to find and access the data?
- Can you erase it, correct it, or restrict it?

Privacy notices under GDPR
- Presented to the data subject whenever new processing is undertaken
- Consider a layered approach to notification
- Must explain: the personal data being processed, the purpose of processing, intended retention, subject rights, source of the data, conditions of processing, intended sharing or international transfer, and the existence of automated decision making, including profiling

Speaker notes: Layered approach – just-in-time notices, Uni calendar, etc.

Think about it…
University staff have a number of responsibilities that help the University to uphold and demonstrate compliance with the GDPR. The next few slides detail how we can meet these responsibilities.

Your responsibilities: Data Protection by Design
- Maintain documentation and implement measures to demonstrate compliance with the principles
- Internal audits, reviews, training
- Document processing activities to ensure transparency
- Employ data minimisation and pseudonymisation
- Do you need the data?

Your responsibilities: Data Protection by Design
Data Protection Impact Assessments
- Description of the intended processing and its purposes
- Risk assessment and detail of risk avoidance measures
- Required when using new technologies, profiling, surveilling, or processing special categories of personal data, or whenever processing is likely to result in risk to the rights and freedoms of individuals

Your responsibilities: data sharing agreements
- A contract laying out multiple parties’ commitments to personal data
- Required for sharing personal data with processors or any other third parties outwith the University
- Ensures compliance with GDPR principles and international or third party transfer requirements
- Ensures you are working with a GDPR-compliant processor
- Drafted by the Contracts team within Finance

Your responsibilities: data security
- Appropriate and secure storage for paper and electronic records
- Encrypt data on laptops, tablets, memory sticks, etc.
- Authorised access only; no password sharing
- Double-check your correspondence addresses and attachments
- Do not share information with 3rd parties without data sharing agreements
- Destroy records appropriately and securely
- Be aware of your cloud usage

Think about it…
- How do you meet the requirements of these various responsibilities?
- Do you know all of the personal data that you process?
- Can you conduct an information audit within your work area or with your team?
- Are you embarking on any projects or purchasing any products that may require a DPIA?
- Do you share data with any third parties, and if so, do you have appropriate agreements or contracts in place?
- How can you demonstrate and ensure appropriate data security?

All exemptions must be determined and exercised by the DP & FOI Office.
- Crime – we can share personal data in order to aid the prevention or detection of crime or the apprehension and prosecution of offenders. Any requests from law enforcement should be handled by the DP Office.
- Research and statistics – if you’re using personal data for research or statistical purposes, you may be exempt from access, rectification, restriction and objection rights.
- Exam scripts – personal data recorded by candidates during an exam are not subject to the right of access or privacy notice requirements.
- Confidential references – personal data in references created or given by GU are not subject to the right of access or privacy notice requirements.

Personal data breaches
- A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
- Breaches must be reported immediately to the DP & FOI Office, and to the ICO within 72 hours
- Sanctions vary depending on the severity and extent of the breach and the organisation’s response
- Max fines = €20 million or 4% of annual worldwide turnover

Speaker notes: Read slide. Common breaches include sending an email to the wrong individuals or including email addresses in the “TO:” line rather than the “BCC:”, sharing a spreadsheet with personal data on it, or losing a mobile device (such as a memory stick or laptop). As we said, get in touch with our office ASAP in the event of any data breach. If you do accidentally send an email to the wrong recipients, also get in touch with IT Services immediately – they may be able to recall the message before it is opened and/or read. We want to stress here the importance of urgency in breach responses. Responding promptly to a breach enables us to limit damage, to contain the breach and its impact, and it puts us in better stead with the Information Commissioner if they are notified or investigate. Additionally, the incoming General Data Protection Regulation mandates timescales for breach reporting – but you’ll hear more about that later in the presentation. So, the bottom line to remember is that as soon as you are made aware of a breach (or commit one yourself), notify our office and we will get the ball rolling.

Get in touch: https://www.gla.ac.uk/myglasgow/dpfoioffice/
Email: dp@glasgow.ac.uk
Phone: 0141 330 3111