Information Governance and Security
Principles for Processing
Data Protection legislation generally doesn't lay down strict 'do's and don'ts' for what you can do with people's data. Instead it lays down broad principles to which every organisation handling personal data must adhere, and it requires those organisations to be able to demonstrate that they have given each principle due consideration.
The GDPR builds on principles very similar to those in the Data Protection Act 1998. It is important therefore that everyone who deals with personal data within the University (the SIRO, Information Asset Owners, Information Asset Managers/Administrators) has a broad appreciation of these general principles:
1. Process Lawfully, Fairly and Transparently
The processing mustn’t be in breach of any other laws. This could be for example:
- a breach of the Human Rights Act 1998, which for example protects an individual's right to privacy in certain circumstances; or
- a breach of the Privacy and Electronic Communications Regulations (PECR), which restrict direct marketing by electronic means, for example; or
- a breach of the common law duty of confidentiality, i.e. where the information was given to us on the understanding that it would be kept confidential.
The processing must also be lawful in accordance with Articles 6 and 9 of the GDPR, which set out the lawful bases on which personal data may be processed.
Under Article 6 these bases include 'consent', 'performance of a contract' and 'legitimate interests', amongst others. If we are dealing with Special Category (Sensitive) Personal Data, Article 9 adds a separate set of conditions, one of which must be met in addition to an Article 6 basis. We must know, record and communicate which basis and condition(s) we are relying on to process the data.
See the detailed guidance on Conditions for Processing (link at the bottom of this page).
See the detailed guidance on Consent (link at the bottom of this page).
We must process people's personal data fairly, i.e. above board, honestly and in a morally sound way. A good check is to ask yourself honestly: if it were your data, would you think we had acted fairly?
In order to conform to the transparency requirements, we need to ensure that we have made the Data Subject aware of who we are, what we are doing with their information (the purpose), and how we are managing the data. This is one of the most important principles to get right as people are much more likely to be upset if they find out about something we are doing with their data which they knew nothing about.
It is also worth noting that Data Subjects have a separate right to be informed about how their data is processed.
The normal way we would look to comply with both the principle and the data subjects right is by what is commonly called a Privacy Notice or Fair Processing Notice. This could be included as part of a data collection form for instance, or as a separate document in hard copy and/or available on the website.
The GDPR specifies what a Privacy Notice must contain and when it must be given to a Data Subject (Article 13 where the data is collected from the individual, Article 14 where it is obtained from elsewhere). One of the most important considerations is that it is written clearly (in plain, non-legal language), concisely and in a way suited to the intended audience.
It is also important to note that we need to be able to evidence that the Data Subject actually received the privacy notice information; simply having it somewhere on the website is not sufficient.
We need to put ourselves in the shoes of the Data Subject: would we be satisfied that we knew what was going on with our data?
It is also worth mentioning that Transparency requirements are often a core part of many best practice guides and industry Codes of Practice, for example:
- The Fundraising Regulator's Code of Fundraising Practice https://www.fundraisingregulator.org.uk/sites/default/files/2018-09/code-of-fundraising-practice-v1.10.pdf
- The Surveillance Camera Code of Practice https://www.gov.uk/government/publications/surveillance-camera-code-of-practice
- The Direct Marketing Commission's DMA Code http://www.dmcommission.com/the-dma-code/
2. Process data only for the specified purpose
The GDPR states that Personal Data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
This is known as the 'Purpose limitation' principle.
So you need to decide on the purpose for which you are using (processing) the data, be transparent about it as above, and then only process the data in accordance with that original purpose. Do not go off and do something completely new (or different) with the data.
Defining the purpose can be a balancing act between being too specific (which leaves no room for closely related, compatible uses) and being too general (which is not 'specified' or 'explicit' at all).
There are specific exceptions where you may be able to use data for purposes not originally specified (and there are some exemptions applying to research which may be helpful to the University). However, please refer to the DPO before proceeding.
3. Process the minimum amount of data required for the purpose
The Personal Data you collect and use should be limited to what is 'necessary' for you to fulfil the purpose specified above, i.e. don't collect or keep more data than you need.
This is known as the ‘Data Minimisation’ principle.
It is often tempting to try and collect extra data ‘just in case’ or because it would be nice to know. Be careful! – we must be able to justify all the data with respect to the Purpose.
Also be aware of information we receive unsolicited, whether from the Data Subject or from a third party. If we don't actually need it for the purposes we have defined, it is not a defence to say 'well, we were given the information so we thought we'd better keep it'.
4. The Personal Data you use for the purpose should be accurate
The GDPR requires (not unreasonably) that the Personal Data you use (process) should be accurate, and where necessary* kept up to date.
* If you don't need a particular data item to be up to date then this doesn't apply. But if, for example, you are using postal addresses to communicate with people, then when you are advised of a change of address you should ensure that all instances of that address are updated.
Questions to consider for each data set:
- How can you ensure that the data you collect is accurate? When data is input (either manually or by automatic transfer), how is it cross-checked to minimise errors?
- How can you make it as easy as possible for Data Subjects to inform you of changes (e.g. address changes)? Consider specific forms and contacts, or whether a 'self-service' facility could be made available.
- How do you ensure all instances of the data are kept up to date? If you change an address (for example) in one system, how is it updated in all other systems (electronic or manual)? The Asset Register should help you identify all the other registered homes for copies of the core data.
- Do you have a process to audit the data in question regularly to check its accuracy?
5. You should only keep the Personal Data for as long as is necessary for the purpose
This is the 'Storage limitation' principle, which we implement through a Retention Schedule.
For each set of Personal Data we should determine how long we need to keep that data and/or how much of the data we need keep.
The criteria used to define each retention period may be a legal requirement to keep the data for a set length of time, or we may wish to keep the data for the period within which a civil claim could still be issued (usually 6 years from the date of the incident).
Otherwise we can choose any reasonable period, as long as we can justify it.
We must keep a record of this retention period (and have adequate procedures to ensure we comply with it), and we must tell the Data Subjects what it is as part of the Transparency requirements above.
The retention period should be recorded on the asset register.
What if I anonymise the data?
If desirable, we could keep anonymised data for longer than this period (perhaps indefinitely if required).
REMEMBER: Data Protection requirements only apply to Personal Data, and Personal Data is data which relates to identified or identifiable living individuals. If you reliably anonymise the data it ceases to be Personal Data, so Data Protection laws (i.e. the GDPR and the DPA) no longer apply to it.
BE AWARE though that anonymisation is more than just removing obvious identifiers like names, and it is sometimes quite difficult to achieve. Attributes that are harmless on their own (date of birth, postcode, sex, job title) can be unique in combination, and anyone holding another list with the same attributes and names can link the two and re-identify people. Pseudonymised data, where a key or code stands in for the name but the link can be restored, is still Personal Data.
See Anonymisation / Pseudonymisation for further details
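To make the point above concrete, here is an added worked example (it is not part of the University's guidance and not code from the original page). It uses a small constructed, fictional data set and shows that dropping the name column alone leaves every row unique on the remaining attributes, so a linkage against a second constructed list (think of an electoral register or staff directory) recovers names and their associated outcomes. It then applies one possible generalisation step and re-measures. The column names, the choice of quasi-identifiers and the generalisation rules are all assumptions made for this illustration.

```python
"""
Added example (not part of the original guidance): why removing names does not
anonymise a data set, measured with k-anonymity over quasi-identifiers.
All records are constructed and fictional.
"""
from collections import Counter

# Constructed "internal" data set. Each attribute is innocuous alone, but
# their combination (the quasi-identifiers) is rare enough to pick people out.
RECORDS = [
    {"name": "A. Example", "dob": "1987-03-14", "postcode": "ST5 5BG", "sex": "F", "outcome": "pass"},
    {"name": "B. Example", "dob": "1987-11-02", "postcode": "ST5 5BG", "sex": "F", "outcome": "fail"},
    {"name": "C. Example", "dob": "1991-06-30", "postcode": "ST5 2AA", "sex": "M", "outcome": "pass"},
    {"name": "D. Example", "dob": "1991-01-09", "postcode": "ST5 2AB", "sex": "M", "outcome": "pass"},
    {"name": "E. Example", "dob": "1987-07-21", "postcode": "ST5 5BH", "sex": "F", "outcome": "fail"},
    {"name": "F. Example", "dob": "1991-09-15", "postcode": "ST5 2AA", "sex": "M", "outcome": "fail"},
]

# Constructed "public" list: identities plus the same quasi-identifiers, no outcomes.
PUBLIC_LIST = [
    {"name": "A. Example", "dob": "1987-03-14", "postcode": "ST5 5BG", "sex": "F"},
    {"name": "C. Example", "dob": "1991-06-30", "postcode": "ST5 2AA", "sex": "M"},
]

# Assumed quasi-identifier columns for this example.
QUASI_IDENTIFIERS = ("dob", "postcode", "sex")


def strip_direct_identifiers(records, drop=("name",)):
    """The naive 'anonymisation': remove only the obvious identifier columns."""
    return [{k: v for k, v in r.items() if k not in drop} for r in records]


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest group size when rows are grouped by their quasi-identifiers.
    k == 1 means at least one row is unique and so re-identifiable by anyone
    who can link those attributes to a name."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def link_attack(anonymised, public, quasi=QUASI_IDENTIFIERS):
    """Re-identify 'anonymised' rows by joining them to a public list on the
    quasi-identifiers. Returns {name: outcome} for each public identity that
    matches exactly one anonymised row."""
    index = {}
    for row in anonymised:
        index.setdefault(tuple(row[q] for q in quasi), []).append(row)
    found = {}
    for person in public:
        matches = index.get(tuple(person[q] for q in quasi), [])
        if len(matches) == 1:
            found[person["name"]] = matches[0]["outcome"]
    return found


def generalise(record):
    """One possible generalisation step (an assumption for this example):
    keep only the birth year and the postcode's outward half, e.g. 'ST5'."""
    g = dict(record)
    g["dob"] = record["dob"][:4]
    g["postcode"] = record["postcode"].split()[0]
    return g


if __name__ == "__main__":
    naive = strip_direct_identifiers(RECORDS)
    print("k after removing names only:", k_anonymity(naive))
    print("re-identified by linkage:", link_attack(naive, PUBLIC_LIST))

    coarse = [generalise(r) for r in naive]
    print("k after generalisation:", k_anonymity(coarse))
    print("re-identified by linkage:",
          link_attack(coarse, [generalise(p) for p in PUBLIC_LIST]))
```

Run as a script: with names removed every row is still unique (k = 1) and both people on the public list are matched to their outcome; after generalising the birth date to a year and the postcode to its outward half, each combination is shared by three rows (k = 3) and the linkage returns nothing. A higher k is necessary but not sufficient: if every row in a group shared the same outcome, the outcome would still be disclosed for anyone known to be in that group, which is why anonymisation needs a proper assessment rather than a single column-dropping step.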
6. Personal Data should be processed securely
This is the 'Integrity and confidentiality' principle. A breach of security is the root cause of many data protection problems.
Data must be processed (captured, stored, transferred, used, etc.) in such a way as to prevent it being processed by anyone not authorised to do so, or processed unlawfully. We must also protect the data against accidental or intentional loss, destruction or damage.
We should get into the habit of distinguishing data at rest (i.e. stored) from data in transit.
For example, a set of data sitting in a filing cabinet in an office carries one level of risk, but if I send a photocopy of that data to a colleague via the internal post, that process carries a different risk and needs its own assessment.
All data sets should be classified so as to identify the correct baseline level of security provision. This identifies the risk level of the data 'at rest'. It is also important that individual processing activities are risk assessed, so as to identify what reasonable risk mitigation should be put in place to keep the data secure while it is being processed or moved (data in transit).
We should also take great care that our day-to-day handling of personal data is secure. This means, for example:
- adequately protecting personal data when transferring it (e.g. encrypting files before sending them);
- securely deleting personal information when it is no longer needed;
- storing data securely (is information left on desks? are network folders adequately restricted? are Google Drive files and documents shared only with the right people? is access to systems properly controlled?);
- protecting vital systems with good password habits and an awareness of external threats such as phishing attacks;
- completing the Information Security online training module;
- carrying out risk assessments on (at least) your key information assets;
- being aware of all the Information Security guidance and requirements detailed on the Information Security webpages: https://www.keele.ac.uk/it/informationsecurity/
The '7th' principle - Accountability
Accountability is often referred to as the 7th principle, although the GDPR lists it separately from the other six (in Article 5(2) rather than Article 5(1)).
The GDPR states that "The controller shall be responsible for, and be able to demonstrate compliance with" the other principles.
The accountability principle requires us to take responsibility for what we do with personal data and how we comply with the other principles.
We must have appropriate measures and records in place to be able to demonstrate our compliance.
Please see Accountability for more info.
Conditions for Processing
Detailed guidance on how to decide on the correct 'Condition for Processing' under GDPR
Data Subject Consent
Detailed guidance on how to obtain and record consent to process personal data under GDPR