The Data Protection Act
Even if you read nothing else, please read the sections on ‘Our advice’ and possibly ‘DPA intuitions’, below.
There is significantly more detail below than anyone would be expected to care about – no-one should have to digest the DPA in order to get on with their work. However, I believe the following notes are consistent with a small number of key points of information, and intuitions that we should all develop.
The text below refers to the UK Data Protection Act (DPA), but is consistent with both that and the GDPR (see below) which will replace it next year.
Our advice
- Laptops, and other mobile devices, must be full-disk encrypted (instructions) if they have any personal data on them.
- ‘Other mobile devices’ includes smartphones and USB sticks, and portable backup drives. These first two points are consistent with University policy on information security, and policy on laptop encryption in particular.
- We can escrow keys (in case you accidentally lock yourself out), but won't insist.
- Use the University's OneDrive service (staff are allocated 1TB or so).
- Any servers with personal data: talk to us now.
- Any data breach: talk to us. Immediately.
There is more information at the University's Freedom of Information office, including the University's DP/FOI guidance.
Ask us questions!
DPA intuitions
We can sustain an analogy with the good practices of handling radioactive materials, which are also backed by legislation. We don’t need to have read that legislation to know, for example, that all radioactive materials are deemed to be hazards in principle, whether or not we would regard them as a practically worrying danger; that sources would not be left lying around in a lab or corridor; and that both staff and students would be supported in acquiring the right intuitions and practices.
As with radioactivity, so with data:
- There exists the (legally defined) concept of ‘personal data’, with a possibly surprisingly wide scope; a subset of that is ‘sensitive personal data’. You should be able to recognise these when you see them.
- The transfer or processing of personal data from one person or system to another should always be a conscious act at some level. The DPA is not there to stop such transfers if they have a legitimate purpose within the organisation, but that purpose must be identifiable and stated.
- It follows that losing any personal data – which necessarily was not done on purpose – is Bad.
- A purpose can have a time limit.
- Yes, handling personal data is a low-grade hassle – making this processing non-casual is, I think, part of the point of the DPA. Ideally you’d limit your, and your computer’s, exposure to it as much as feasible: this is the direct analogue of the radiation protection world’s ALARA – ‘as low as reasonably achievable’.
- If you regard (sensitive) personal data as a bit of mildly radioactive crud that’s got on to your computer, you probably won’t go far wrong in your behaviour thereafter.
As with broader HSE regulations, the threshold for legitimising a particular practice isn't necessarily high; one does, however, have to demonstrate that one has recognised the hazard and taken broadly appropriate action in response.
GDPR intuitions
Do you really have to keep this personal data at all? How have you documented your response to the hazard to which you've exposed your staff's or students' data? Wouldn't it be better to find a way of not storing that data?
Our School
We don't have a massive problem in this department.
- ‘Data protection’ refers only to personal data
- ...but it refers to data on paper as well as on disk.
- We process very little research personal data
- ...but a lot of administrative personal data
- ...and some ‘sensitive personal data’.
But we do have to respect a number of obligations, on academic and administrative staff, and on PG students who do any demonstrating.
For further details, see:
- presentation to research and teaching staff forum on 2017 June 29 (2016 June 17 is older, but with marginally more detail);
- University calendar Sect. 3, ‘Personal Data’. This represents students’ consent to the University holding and processing various types of personal data.
We have assembled a collection of illustrative scenarios which are intended to illuminate ways in which the DPA is applied. These have been discussed in general terms with the University's DP office.
Definitions
The Data Protection Act 1998 requires that any personal data which you manage must be handled appropriately.
The Act, in s.1(1), includes the following definition:
“personal data” means data which relate to a living individual who can be identified—
- from those data, or
- from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
This is a very broad definition. It would include, for example, a list of marks associated with matriculation numbers, since these relate to individuals. Note that the data need not be in any way sensitive before it is classified as ‘personal data’.
The act goes on to identify a separate category of ‘sensitive personal data’, which includes eight types of information (DPA s.2):
- ethnicity,
- political opinions,
- religious beliefs,
- trade union membership,
- physical or mental health,
- sexual life,
- criminal offences (alleged or proven), or
- court proceedings.
There are additional constraints on how one may process ‘sensitive personal data’, and more severe penalties for disclosing it.
All personal data must be processed in accordance with the Data Protection Principles (DPA Sch. 1). It must be:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate;
- not kept for longer than is necessary;
- processed in line with users’ rights;
- secure; and
- not transferred outwith the EEA.
The last point is important – it precludes putting any personal data on a cloud service, such as Dropbox, which is stored outside the EEA.
The category influences what processing is permitted:

| personal data | sensitive personal data |
|---|---|
| Implicit or explicit consent | Explicit consent |
| Protect vital interests of individual | |
| Necessary for performance of contract | Required by employment legislation |
| Legal obligation | In connection with legal proceedings |
| To carry out public functions | Information already made public by individual |
| In the legitimate interests of data controller | Medical reasons |
| | Necessary for ethnic monitoring |
Scenario
Suppose:
An undergraduate student emails a postgraduate lab demonstrator explaining that their lab report is late because they'd recently come out as gay to their very religious parents, and that they are as a result being medically treated for stress.
This email would be classed as ‘sensitive personal information’ under at least three headings simultaneously. This and other scenarios are discussed in a separate list.
Regulations – UK – DPA
UK Information Commissioner: fines up to £500,000, and prison for deliberate breaches.
Regulations – EU – GDPR
The EU's General Data Protection Regulation will come into force on 25 May 2018.
The GDPR harmonises data protection legislation across the EU, and will be more robust than the current UK DPA. It has the same conceptual basis, while adjusting many definitions.
DP and privacy implications will have to be taken more seriously than they are now in all ‘business systems’, and the repercussions for breaches will be more severe. The regulation defines a ‘personal data breach’ as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (Article 3, definition 9, of the current draft regulation) and suggests ‘administrative fines up to 20 000 000 EUR, or in case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.’ (Article 79, paragraph 3).
The global context, including the pervasive growth of online services such as Google and Facebook in the last decade, and the revelations by the previous Lord Rector, mean that there is very widespread awareness of data protection issues in the UK and across Europe. There is unlikely to be much sympathy or clemency for a University inadvertently releasing personal data.
Brexit: the GDPR will become UK law, superseding the DPA, on 25 May 2018 (i.e., before the Brexit date). Even presuming Brexit goes ahead, the UK will be obliged for commercial reasons to implement DP legislation which is ‘compatible’ with the GDPR (i.e., it'll effectively be the GDPR).
Breaches
These include
- email going astray
- loss of portable disks, USB sticks, CDs, laptops
- unauthorised access to servers, email, or anything
- sharing with third parties (any); discuss first
Report breaches promptly (to us or to dp@gla.ac.uk). Reporting breaches is a legal obligation, and displaces liability from you.
Though they are separate concepts, there is an overlap in concerns between Data Protection legislation and the Freedom of Information Act.
Links
- GU DP/FOI office: foi@gla.ac.uk, dp@gla.ac.uk, x2523 and x3111
- Scottish Information Commissioner
- Information Commissioner’s Office ICO