For advice on data protection or if you have concerns about disclosing any information, contact the Information Governance Office who are responsible for University-wide compliance with the data protection law.
Data Protection Basics
The UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 regulate the processing of personal data relating to identified or identifiable natural persons. They set out the requirements for handling personal data and give individuals rights. The aim of data protection law is to balance the rights of individuals to privacy with the legitimate interests of organisations to process personal data. The law applies equally to electronic and physical data.
We all have a duty of care regarding personal data. Good questions to ask yourself are:
- Am I treating someone else’s personal data in the way that I would want mine to be treated?
- Would someone be surprised to learn that I hold their personal data and the purpose for which I am processing it?
Key points to remember
- Individuals have the right to ask to see any information the University holds about them. We have one month to respond. If someone asks to see information that you hold about them, contact the Information Governance Office as soon as possible.
- The University must tell individuals what we do with information regarding them, including to whom it is disclosed.
- Data must be kept securely. Personal data must be kept on secure University network storage and not on PC hard drives or any kind of portable storage device (e.g. laptop, usb storage, removable hard drives) unless the file or device is encrypted.
- If you pass personal data outside of the University, follow University policies and procedures, particularly if personal information is to be published on the internet, or if contractors are allowed access to systems, or if personal data is to be shared with government agencies or other third-parties.
- Personal data should be kept in line with the University’s Records Retention Schedule.
Support and advice
The University has identified Information Governance Guardians (IGG) across all units, areas and schools. IGGs are responsible for overseeing data protection compliance in their areas, for providing a local point of contact for data protection issues, for identifying local training needs and arranging for them to be met, and for disseminating advice and guidance from the Information Governance Office. The Information Governance Office is responsible for providing policies, procedures, guidance and advice and for training staff where required.
The University’s Data Protection Officer is responsible for overseeing the University’s compliance with the data protection law.
The UK General Data Protection Regulation and Data Protection Act 2018
The UK General Data Protection Regulation works in two ways. Firstly, it sets out six principles governing the use of personal data which the University must comply with, unless an exemption applies.
Anyone who processes personal information must comply with the six principles which stipulate that:
1. personal data is processed lawfully, fairly and in a transparent manner. This includes the provision of appropriate information to individuals upon collection of their data by the University. The University must also comply with one of the conditions for processing set out in the Act whenever it collects or uses personal data. These criteria are:
- consent of the data subject
- contractual necessity
- legal obligations of the University
- vital interests of the data subject
- tasks carried out in the public interest
- legitimate interests of the University or a third party
2. personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. personal data is adequate, relevant and limited to what is necessary
4. personal data is accurate and kept up to date
5. personal data is kept in a form which permits identification of data subjects for no longer than is necessary
6. personal data is processed in a manner that ensures appropriate security of the personal data
The second area covered by the UK GDPR provides individuals with important rights, including the right to find out what personal information the University holds about them.
It is also important to note the term processing, which is a generic term used in the legislation to describe any action taken in relation to personal data and includes obtaining, recording, holding, adapting, retrieving, altering, disclosing or destroying.
Measures must also be applied to ensure that special category data (formerly known as sensitive personal data) is handled appropriately by the University. Special category data is information relating to an individual’s:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- health data
- sexual life or sexual orientation
Special category data can only be processed by the University if it meets one of several conditions in addition to the conditions to processing set out above. These conditions include:
- consent of the data subject
- compliance with employment/social security/social protection law obligations
- processing is necessary to protect the vital interests of the data subject
- the data has manifestly been made public by the data subject
- processing is necessary for reasons of substantial public interest
- processing is necessary for reasons of public interest in the area of public health
The University's Data Protection Policy provides further detail.
Rights of the data subject
According to the UK General Data Protection Regulation, data subjects have the following rights:
To access their personal data
This allows individuals to find out what information is held about them by the University.
Right to be informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR.
Right to rectification
The UK GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
Right to erasure
The UK GDPR introduces the right to erasure. This is also known as the ‘the right to be forgotten’. This is not an absolute right and it will only apply in certain circumstances.
Right to restrict processing
Individuals also have a right to request the restriction or suppression of their personal data. As with the right to be forgotten, this is not an absolute right and will only apply in certain circumstances.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. The right of portability only applies to information an individual has provided to the University.
Right to object
The UK GDPR gives individuals a right to object to the following:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
There are special exemptions that apply to the processing of some personal data. This means that a data controller may process personal data without the consent of the data subject, for instance, for the purposes of national security. Refer requests such as these to the Information Governance Office for advice.
Processing general personal data
Personal data is being processed throughout the University all the time by a significant proportion of University staff and in some cases students. This includes administrative, academic and pastoral data for students, staff data, research participants’ data and information on contractors and visitors.
At the beginning of an individual's relationship with the University, they should be made aware of the need and intention to process their personal data and also informed of the purposes for that processing. Consent should be obtained where necessary for data to be processed.
Once information is in the possession of the University, staff must process it in accordance with the data protection principles, paying particular attention to security, accuracy, length of time held and the purpose for which it was originally obtained.
Consent is normally required from individuals to enable the University to process their data fairly and lawfully. However, the UK General Data Protection Regulation does allow the processing of personal data without consent for the following purposes:
- For the performance of a contract;
- For compliance with any legal obligation to which the University is subject;
- To protect the vital interests of the data subject or of another natural person;
- For the performance of a task carried out in the public interest; and
- For the purposes of the legitimate interests pursued by the controller or by a third party.
Personal data must never be kept on laptops or portable storage (such as USB drives) unless the device or the file has been encrypted.
Processing special category data
The UK General Data Protection Regulation (GDPR) provides a separate definition for 'special category personal data'. This includes information concerning an individual’s ethnicity, sexual orientation, gender identity (specifically whether gender identity is the same as the gender originally assigned at birth), religious beliefs or health data. Other special category information includes information about past criminal convictions.
As with general personal information, there are a number of conditions that enable the processing of special category personal data without consent. However, if consent is used as a way to process such data, this should be rare at the University, it is important to note that the GDPR requires specific requirements to ensure validity of consent. Circumstances that enable special category data to be processed lawfully, other than consent, include:
- compliance with employment legislation;
- protecting the vital interests of an individual where consent cannot be given (such as a life threatening medical emergency);
- where the data has manifestly been made public by the data subject;
- where it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; and
- where it is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
Special category information must be protected with a higher level of security. It is recommended that special category records are kept separately in a locked drawer or filing cabinet. Special category personal data must never be kept on laptops or portable storage (such as USB drives) unless the device or the file has been encrypted.
Records of Processing Activities
The General Data Protection Regulation requires the University to maintain a record of processing activities.
For each activity, we must list:
- The purposes of the processing;
- A description of the categories of data subjects e.g. ‘students’ and of the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed e.g. ‘the data subjects themselves’, including recipients in third countries or international organisations;
- Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
- Where possible, the envisaged time limits for erasure of the different categories of data;
- Where possible, a general description of the technical and organisational security measures the data is subject to.
Inform us of anything not covered
It is important that the University's record of processing activities is kept up to date. If you are going to be using personal data for a purpose not already recorded please let the University's Data Protection Officer know by sending an email to the Information Governance Office.
If you are carrying out any processing of personal data and are unsure as to whether or not it is recorded please contact the Information Governance Office.
Definitions of terms used in the General Data Protection Regulation
Who is the Controller?
The Controller is the public authority, agency or other body, in our case The University of Manchester, which, alone or jointly with others, determines the purposes and means of the processing of personal data.
What are Processors?
A Processor is anyone who is not an employee of the University but who processes personal data on the University’s behalf.
Examples include couriers, cleaning contractors, recruitment agencies, storage and hosting companies, waste disposal firms.
Responsibility for the security of data and the rights of data subjects remains with the University as Controller even when it is being processed on the University’s behalf by a Processor.
The University must hold a contract with any third party who processes personal data on its behalf, with which it shares personal data or to whom it transfers personal data. This contract should state the data protection responsibilities of each party.
Processing is any action taken with personal data and is very widely defined. It covers almost any action involving personal data.
Examples include the collection, use, disclosure, recording, destruction and holding of data.
What is a data subject?
A data subject is an identified or identifiable natural person to whom the personal data relates. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What is personal data?
The General Data Protection Regulation applies to personal data about an identified or identifiable natural person. Personal data is information where an individual is the main focus and it is of biographical significance. This includes opinions about them and other peoples' intentions towards them.
All computerised personal data falls within the data protection law, such as computer files, data bases, email, CCTV, pictures, web pages, photographs.
All manual personal data is included too, such as paper files, card index, microfiche.
It is best to assume that all information about a living individual is personal data. This may include:
- factual information about an individual such as date of birth, national insurance number, bank account, name and address;
- sensitive information such as health, sexuality, criminal record, ethnicity, religion;
- opinions expressed, for example in staff development reviews or email comments, personal images, audio recordings and text.
Other examples of personal and confidential data are listed in the Information Security Categories document.
Who is a recipient?
A recipient is a natural or legal person, public authority, agency or another body to which the personal data is disclosed, whether a third party or not (such as an employee of the data controller, a data processor or an employee or agent of the data processor).
What is special category personal data?
Some personal data is classed as special category personal data. This type of data is subject to further regulations and can only be processed under certain circumstances. Personal data becomes special category if it includes any of the following types of information about an identified or identifiable natural person:
- racial or ethnic origin
- political opinions
- religious or similar philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- sexual life
- sexual orientation
What is a Right of Access request?
The General Data Protection Regulation (GDPR) gives individuals a right to access their personal information (formerly known as Subject Access under the Data Protection Act 1998).
This means that individuals can exercise the right of access to see what information the University holds on them, thereby allowing individuals to be aware of what data is being processed and to verify the lawfulness of this processing.
They do this by making a data subject access request which might be received by any member of staff.
What is a third party?
A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. Examples include external examiners, local authorities, taxation and immigration bodies, marketing companies and the police.
If there are any other terms used on this site that you are unclear about, please contact the Information Governance Office.