Data Protection

This Code of Practice is in place to make sure everyone understands the way in which data protection applies to their roles within the University. It also makes sure we meet the requirements set out in Article 24(2) of the GDPR which requires the University, as a data controller, must have in place an appropriate data protection policy to make sure we meet our obligations under the legislation.

Download Code of Practice (pdf)

A number of wide-ranging changes will be introduced by the GDPR, which will have a direct effect on how the University processes data. The consequences of breaching the GDPR will be significant, with potential fines of up to 20 million euros; it is therefore crucial that all employees of the University are aware of their obligations under the Regulations.

The key changes under the GDPR can be categorised as follows:

Transparency and accountability

The University will be required not just to comply with the GDPR but also to provide evidence to demonstrate our compliance. There will be an emphasis on being accountable and transparent about how data is collected, for what purpose and how it will be used.

Record keeping

To support this drive for greater accountability and transparency, we must also keep more comprehensive records on our data processing activities. These records should include:

1. The purpose of the processing;
2. The categories of data subjects (i.e. whose data we are processing);
3. The type of personal data that we are processing;
4. Who this personal data will be shared with;
5. The time limits that the data will be stored for;
6. Any technical or organisational security measures that have been put in place to safeguard the data.

Privacy by design

Under the GDPR, privacy and data protection must be considered at the outset of any project and in many cases, a Privacy Impact Assessment (PIA) must be carried out. The purpose of a PIA is to identify what data processing will be involved in the project and to assess, mitigate or minimise any privacy risks associated with this.

The rights of employees

The rights currently enjoyed by employees under the Data Protection Act will continue and will be enhanced under the GDPR. These new rights will include:

1. The right to be informed – the University must inform individuals of the data we collect and the purposes of processing it;
2. The right of access – individuals have the right to access the information that we hold about them by making a SAR. This right will be enhanced under the GDPR;
3. The right to be forgotten – in some circumstances an individual will have the right to request that their data be deleted when no longer needed;
4. The right to data portability – individuals have the right to re-use their data for other purposes by requesting that it be transferred across departments or to another organisation. This may take place where an individual changes job and asks us to transfer their personal data to their new employer;
5. The right to rectification – where the data held about an individual is inaccurate or incomplete, they can request that this is rectified.

Subject Access Requests (SARs)

A SAR is a written request by an individual to access personal information that an organisation holds about them.

The time limit for responding to a SAR will be reduced from 40 days to one month under the GDPR. It will also no longer be possible to charge the £10 fee currently permitted under the Data Protection Act.

Data breach notification

Strict notification requirements will be introduced under the GDPR for when organisations become aware of potential data breaches. After becoming aware of a potential data breach, organisations will have 72 hours in which to notify the Information Commissioner’s Officer. This requirement will exist where the data breach relates to personal data that is likely to result in a risk to the rights or freedoms of the data subject.

Appointment of a Data Protection Officer

It will become a legal requirement for many organisations, including the University, to appoint a Data Protection Officer under the GDPR. The function of the Data Protection Officer will be to ensure data protection compliance across the organisation and to act as a point of contact for data subjects and data protection authorities.

For further information, visit the ICO’s website or contact the University’s Legal Services team by emailing dataprotection@uws.ac.uk.

Under the GDPR, data should only be processed if there is a lawful basis for doing so. The GDPR sets out six legal bases for processing data:

1. Contractual necessity – It is necessary to process someone’s personal data to perform a contract that you have with them.
2. Legal obligation – UK or EU law requires you to process an individual’s personal data.
3. To protect life – You must process someone's personal data to save a life.
4. Official function – The processing is carried out in an official function vested in the data controller or in the public interest.
5. Legitimate interest – (private companies only) – There is a genuine and legitimate basis for processing an individual's personal data.
6. Consent – the individual has given you consent to process their personal data.

Should I rely on consent as a lawful basis for processing personal data?

Consent continues to be a lawful basis for processing an individual’s personal data under the GDPR but can we still rely upon it? Consent under the GDPR must be “freely given, specific, informed and unambiguous indication of the individual’s wishes”. This is a much higher bar than under the previous data protection regime.

The issue is further complicated by the ability of individual’s to withdraw their consent to their data being processed under the GDPR. In practice, this could cause difficulties if we are relying solely upon an individual’s consent to process their data and it is therefore advisable to explore other legal bases for processing an individuals’ data.

For further information, visit the ICO’s website or contact the University’s Legal Services team by emailing dataprotection@uws.ac.uk.

The GDPR is underpinned by the following data protection principles:

1. Lawfulness, fairness and transparency – personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
2. Purpose limitation – personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. Data minimisation – personal data shall be adequate, relevant and limited to what is necessary for the purposes for which they are processed
4. Accuracy – personal data shall be accurate and where necessary, kept up to date
5. Storage limitation – personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed
6. Integrity and confidentiality – personal data shall be processed in a way that ensures appropriate security of the personal data , including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate organisational or technical measures
7. Accountability – the data controller shall be responsible for, and be able to demonstrate compliance with the GDPR

For further information, visit the ICO’s website or contact the University’s Legal Services team by emailing dataprotection@uws.uk.

A SAR is a request for personal information that your organisation may hold about you.

The purpose of a SAR is to make you aware of and allow you to verify the lawfulness of processing of your personal data. If your personal information is being processed you are entitled to access the following information:

• The reasons why your data is being processed
• The description of your personal date
• Anyone who has received or will receive their personal data
• Details of the origin of your date if it was not collected from you

No; a request for information is free unless the request is 'manifestly unfounded or excessive'. We can charge a fee if the same information is requested more than once.

We will acknowledge your request and check all the documents provided allow us to legally collect and release your data. We will request the relevant departments to provide the data requested. We will try to do this and respond to you as quickly as possible.

For students requests we will look in the following key areas for your information; Admissions, Registry, Student Services, Finance and Library. If you are requesting information from any other areas please give us the details of where to look.

Yes, there is guidance for students, staff and the public available via this webpage (the Data Protection section) on our website.

This guides you how to request information held about you or make a request on behalf of another person. As SARs must be in writing there is a form to complete and a mandate to complete if you are allowing another person to obtain information about you.

We will write to you to acknowledge receipt of your request within 5 working days. We will check that your ID documentation submitted, the form and any other information provided is sufficient to allow us to locate and release the date to you. If so we will try to get the information to you as soon as possible and in any event no later than one calendar month from when we have received your valid request.

Yes; you can speak to the Data Protection Officer on 0141 848 3577 or email dataprotection@uws.ac.uk

The requester should write and tell us the reasons why they are not happy with the response and we will review how your case was handled. We will respond to you within 5 working days.

If you are still not satisfied with the response you may seek advice from the Information Commissioner's Office.