School of Physics and Astronomy – computing

The Data Protection Act

Even if you read nothing else, please read the sections on ‘Our advice’ and possibly ‘DPA intuitions’, below.

There is significantly more detail below than anyone would be expected to care about – no-one should have to digest the DPA in order to get on with their work. However, I believe the following notes are consistent with a small number of key points of information, and intuitions, that we should all develop.

The text below refers to the UK Data Protection Act (DPA), but is consistent with both that and the GDPR (see below), which will replace it next year.

Our advice

There is more information at the University's Freedom of Information office, including the University's DP/FOI guidance.

Ask us questions!

DPA intuitions

We can sustain an analogy with the good practices of handling radioactive materials, which are also backed by legislation. We don’t need to have read that legislation to know, for example, that all radioactive materials are deemed to be hazards in principle, whether or not we would regard them as a practically worrying danger; that sources would not be left lying around in a lab or corridor; and that both staff and students would be supported in acquiring the right intuitions and practices.

As with radioactivity, so with data:

As with broader HSE regulations, the threshold for legitimising a particular practice isn't necessarily high; one does, however, have to demonstrate that one has recognised the hazard and taken broadly appropriate action in response.

GDPR intuitions

Do you really have to keep this personal data at all? How have you documented your response to the hazard to which you've exposed your staff's or students' data? Wouldn't it be better to find a way of not storing that data?

Our School

We don't have a massive problem in this department.

But we do have to respect a number of obligations, on academic and administrative staff, and on PG students who do any demonstrating.

For further details, see:

We have assembled a collection of illustrative scenarios which are intended to illuminate ways in which the DPA is applied. These have been discussed in general terms with the University's DP office.

Definitions

The Data Protection Act 1998 requires that any personal data which you manage must be handled appropriately.

The Act, in s.1(1), includes the following definition:

“personal data” means data which relate to a living individual who can be identified—

  1. from those data, or
  2. from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

This is a very broad definition. It would include, for example, a list of marks associated with matriculation numbers, since these relate to individuals. Note that the data need not be in any way sensitive before it is classified as ‘personal data’.

The act goes on to identify a separate category of ‘sensitive personal data’, which includes eight types of information (DPA s.2):

There are additional constraints on how one may process ‘sensitive personal data’, and more severe penalties for disclosing it.

All personal data must be processed in accordance with the Data Protection Principles (DPA Sch. 1). It must be:

  1. fairly and lawfully processed;
  2. processed for limited purposes;
  3. adequate, relevant and not excessive;
  4. accurate;
  5. not kept for longer than is necessary;
  6. processed in line with users’ rights;
  7. secure; and
  8. not transferred outwith the EEA.

The last point is important – it precludes putting any personal data on a cloud service, such as Dropbox, which is stored outside the EEA.

The category influences what processing is permitted:

| personal data | sensitive personal data |
|---|---|
| Implicit or explicit consent | Explicit consent |
| Protect vital interests of individual | Protect vital interests of individual |
| Necessary for performance of contract | Required by employment legislation |
| Legal obligation | In connection with legal proceedings |
| To carry out public functions | Information already made public by individual |
| In the legitimate interests of data controller | Medical reasons |
| | Necessary for ethnic monitoring |

Scenario

Suppose:

An undergraduate student emails a postgraduate lab demonstrator explaining that their lab report is late because they'd recently come out as gay to their very religious parents, and that they are as a result being medically treated for stress.

This email would be classed as ‘sensitive personal information’ under at least three headings simultaneously. This and other scenarios are discussed in a separate list.

Regulations – UK – DPA

UK Information Commissioner: fines up to £500,000, and prison for deliberate breaches.

Regulations – EU – GDPR

The EU's General Data Protection Regulation will come into force on 25 May 2018.

The GDPR harmonises data protection legislation across the EU, and will be more robust than the current UK DPA. It has the same conceptual basis, while adjusting many definitions.

DP and privacy implications will have to be taken more seriously than they are now in all ‘business systems’, and the repercussions for breaches will be more severe. The regulation defines a ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (Article 3, definition 9, of the current draft regulation), and suggests ‘administrative fines up to 20 000 000 EUR, or in case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.’ (Article 79, paragraph 3).

The global context, including the pervasive growth of online services such as Google and Facebook in the last decade, and the revelations by the previous Lord Rector, mean that there is very widespread awareness of data protection issues in the UK and across Europe. There is unlikely to be much sympathy or clemency for a University inadvertently releasing personal data.

Brexit: the GDPR will become UK law, superseding the DPA, on 25 May 2018 (i.e. before the Brexit date). Even presuming Brexit goes ahead, the UK will be obliged for commercial reasons to implement DP legislation which is ‘compatible’ with the GDPR (i.e. it'll effectively be the GDPR).

Breaches

These include

Report breaches promptly (to us or to dp@gla.ac.uk). Reporting breaches is a legal obligation, and displaces liability from you.

Though they are separate concepts, there is an overlap in concerns between Data Protection legislation and the Freedom of Information Act.

Links