Definitions - What is...?

What's the GDPR?

  • GDPR  stands for the General Data Protection Regulations;
  • It replaces Data Protection Act 1998;
  • It will be effective from 25th May 2018;
  • It will happen regardless of Brexit;
  • Like the DPA, it governs how we should deal with peoples ‘Personal Data’ (see ‘What’s Personal Data?’ below) so that we respect and protect their privacy rights;
  • It applies to both Controllers and Processors (see ‘What are Controllers and Processors?’ below);
  • Because it is an EU ‘Regulation’ it is split into parts called ‘Articles’ (the law itself) and ‘Recitals’ (explanatory note within the body of GDPR). So you may see or hear references to, for example ‘Article 6’ or ‘Art. 6’ – this is just referencing the relevant section of the law. You can see a guide to the GDPR at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
  • GDPR is supplemented by a UK act of parliament (Data Protection Act 2018). This provides for areas where the GDPR allows national governments to decide on particular areas (known as derogations).

What is PECR?

PECR stands for the Privacy and Electronic Communications Regulations. They give people specific privacy rights in relation to electronic communications. There are specific rules on:

  • marketing calls, emails, texts and faxes;
  • cookies (and similar technologies);
  • keeping communications services secure; and
  • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

The ICO has some specific guidance on PECR at : https://ico.org.uk/for-organisations/guide-to-pecr/

See section on Direct Marketing for further details.

What’s the ICO?

The ICO is the Information Commissioner’s Office. It is the UK’s independent body set up to uphold information rights. The GDPR refers to the ‘Supervisory Authority’ and for the UK this will be the ICO.

The ICO covers legislation in the GDPR, the Data Protection Act (the 1998 Act and the expected 2018 Act), Freedom of Information Act, and Environmental Information Regulations, Privacy and Electronic Communications Regulations (PECR) and others.

The ICO will deal with complaints from the public and where necessary take action against organisations which may include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller – and this can be up to €20million under the GDPR (previously a maximum of £500k under the Data Protection Act 1998)

The ICO website has lots of useful information and guides for both organisations and the general public. Where applicable references and links to specific ICO guidance will be provided and should be read in conjunction with the information here.

See www.ico.org.uk for more information.

What’s Personal Data?

Personal Data means any information relating to an identified or identifiable natural person (living, human being).

For many situations it will be fairly obvious whether something is personal data or not. However there may be borderline situations where we may have identifiable data but we need to consider whether or not the data ‘relates’ to them. This can often come up where we are dealing with identifiable individuals but in a business to business scenario. For example if we are dealing with a Josephine Bloggs from a limited company, Acme Widgets Ltd, are we processing Josephine’s personal data?

The ICO has produced a useful guide to assessing what is personal data

https://ico.org.uk/media/for-organisations/documents/1549/determining_what_is_personal_data_quick_reference_guide.pdf

This guide starts off with the two main questions:

  • Can a living individual be identified from the data, or, from the data and other information in your possession, or likely to come into your possession?
  • Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?

There are then further questions to clarify the issue of ‘relates to’.

If you are in any doubt whether you are dealing with personal data, please refer to the ICO guidance above and/or contact the Universities Data Protection Officer for further advice.

It is also possible that the data you are intending to process may not be suitably identifiable or you could make non-identifiable (so that data protection legislation does not apply).

Who is the Data Subject?

The Data Subject is a living, human being who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an id number, location data, an online identifier (e.g. IP address, cookie identifiers etc), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

The Data Subject should be in the EU (either resident or otherwise physically in the EU – e.g. on holiday, studying etc).

What’s Special Category (Sensitive) Personal Data?

  • Racial / ethnic origin
  • Political opinions
  • Religious / Philosophical beliefs
  • Trade Union membership
  • Genetic or biometric data
  • Health
  • Sex life / sexual orientation

Criminal offences / convictions not now included but separated out and similar extra safeguards put in place at Article 10 (and as part of the proposed Data Protection Act 2018)

What are Controllers and Processors?

Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.

Processors act on behalf of, and only on the instructions of, the relevant controller.

  • Obligations under the GDPR will vary depending on whether the organisation is a controller, joint controller or processor.
  • The ICO has the power to take action against controllers and processors under the GDPR.
  • Individuals can bring claims for compensation and damages against both controllers and processors.
  • You should take the time to assess, and document, the status of each organisation you work with in respect of all the personal data and processing activities you carry out.
  • Whether you are a controller or processor for a given process depends on a number of issues. The key question is – who determines the purposes for which the data are processed and the means of processing?
  • Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.

Controller Checkilist:

☐ We decided to collect or process the personal data.

☐ We decided what the purpose or outcome of the processing was to be.

☐ We decided what personal data should be collected.

☐ We decided which individuals to collect personal data about.

☐ We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.

☐ We are processing the personal data as a result of a contract between us and the data subject.

☐ The data subjects are our employees.

☐ We make decisions about the individuals concerned as part of or as a result of the processing.

☐ We exercise professional judgement in the processing of the personal data.

☐ We have a direct relationship with the data subjects.

☐ We have complete autonomy as to how the personal data is processed.

☐ We have appointed the processors to process the personal data on our behalf.

Joint Controller Checklist:

☐ We have a common objective with others regarding the processing.

☐ We are processing the personal data for the same purpose as another controller.

☐ We are using the same set of personal data (eg one database) for this processing as another controller.

☐ We have designed this process with another controller.

☐ We have common information management rules with another controller.

Processor Checklist:

☐ We are following instructions from someone else regarding the processing of personal data.

☐ We were given the personal data by a customer or similar third party, or told what data to collect.

☐ We do not decide to collect personal data from individuals.

☐ We do not decide what personal data should be collected from individuals.

☐ We do not decide the lawful basis for the use of that data.

☐ We do not decide what purpose or purposes the data will be used for.

☐ We do not decide whether to disclose the data, or to whom.

☐ We do not decide how long to retain the data.

☐ We may make some decisions on how data is processed, but implement these decisions under a contract with someone else.

☐ We are not interested in the end result of the processing.

 

The University is a Data Controller for all the personal data it processes about its students, employees, visitors, partners, applicants, customers, alumni and so on. The University will also likely to be using other organisations as data processors – where they are processing personal data on our behalf and we are providing the precise instruction on how they do this.

It is possible that the University may be acting as a processor for another controller for specific activities.

Note: It will always be the University who is the controller for all processing activities throughout the organisation. A Keele department, school, unit, faculty or person is not the data controller within the meaning of the GDPR.

The concept of Controllers and Processor most often needs to be considered when looking at data sharing / transfer scenarios. In these circumstances it is important to understand which organisations are acting as controllers and which (if any) as processors.

 

see the ICO website for more information

What is Processing?

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.