FAQs about GDPR

  1. What is GDPR?

General Data Protection Regulation: an extension of, and replacement for, the Data Protection Act.

The GDPR applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller and is required to maintain records of personal data and processing activities.

Controllers and processors have legal liability if there is a breach.

  2. When does GDPR take effect?

25 May 2018.

  3. As the UK voted to leave the EU, will GDPR still apply?

Yes.

  4. What are the main responsibilities under GDPR?

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

The GDPR requires that personal data shall be:

  • Processed lawfully, fairly and in a transparent manner.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accurate and, where necessary, kept up to date.
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

  5. What is the definition of ‘personal data’ under GDPR?

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

  6. What is ‘sensitive data’ under GDPR?

The GDPR refers to sensitive personal data as “special categories of personal data”. This includes genetic data, and biometric data where processed to uniquely identify an individual.

  7. How is data of children captured under GDPR?

Children need particular protection when collecting and processing their personal data because they may be less aware of the risks involved.

There needs to be a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Child protection data is above any lawful basis for processing.

If relying on consent as the lawful basis for processing personal data, only children aged 13 or over are able to provide their own consent.

For children under this age consent is required from whoever holds parental responsibility for the child.

Children merit specific protection when using their personal data for marketing purposes or creating personality or user profiles.

There should be clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.

  8. What are the key things to consider when processing personal data?

  • What data do I process?
  • What is the lawful basis on which I process the data?
  • Have I told the individual why I need the personal data and how I will process the data?
  • Do I have consent from the individual to process the data?
  • Is the data accurate?
  • Is the data up to date?
  • Who do I share the information with and why?
  • How long do I keep the data?
  • How secure is the data?
  • Can I easily respond to a request from an individual to see their data?

  9. What is the lawful basis for processing data under GDPR?

There must be a valid lawful basis in order to process personal data. There are six lawful bases for processing:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Make it easy for people to withdraw consent and tell them how.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on the purpose and relationship with the individual.

The lawful basis must be determined before beginning processing, and it should be documented. The privacy notice should include the lawful basis for processing as well as the purposes of the processing.

If the purpose changes, you may be able to continue processing under the original lawful basis if the new purpose is compatible with your initial purpose (unless the original lawful basis was consent).

If processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

If processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.

  10. What rights do individuals have under GDPR?

  • Right to be Informed – encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice.
  • Subject Access Right – enables an individual to have free access to their own data; a response to the request must be given within 1 month (this does not exclude holiday periods for schools).
  • Right to Rectification – enables an individual to correct data for accuracy.
  • Right to be Forgotten – enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
  • Right to Restrict Processing – individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it.
  • Right to Data Portability – allows individuals to obtain and reuse their personal data for their own purposes across different services.
  • Right to Object – individuals have the right to object to processing based on legitimate interests or direct marketing (including profiling), and to processing for purposes of scientific/historical research and statistics.

  11. What is a privacy notice and consent under GDPR?

The starting point of a privacy notice should be to tell people:

  • what you are going to do with their information; and
  • who it will be shared with.

This enables the individual to make an informed decision about whether to give consent.

When relying on consent as the legal basis to process data, a tick box for ‘I agree’ with no supporting information will not be considered valid consent.

  12. What happens when personal data is breached under GDPR?

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority (ICO). This must be done within 72 hours of becoming aware of the breach, where feasible.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, individuals must be informed without undue delay. Records must be kept of any personal data breaches, regardless of whether it is notifiable.

There can be fines issued of up to 4% of annual turnover of an organisation.

  13. Are there any areas where GDPR does not apply?

The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

  14. How does GDPR affect our external SLAs?

A privacy notice and consent will be included in the SLA. For any SLAs that have already been issued and signed, an Appendix will be issued to ensure compliance with GDPR.

  15. What information will we provide schools with regarding GDPR?

Information has been provided to schools through the SLG with links to the ICO and templates available for them to commence their audit of data.

Privacy notices and consent forms have been drafted for pupil admission forms for schools to use.

GDPR awareness sessions have been given to the primary administration group, and further workshops are scheduled for Heads at primary and secondary schools.

  16. What are we doing to comply with GDPR?

A cross team project group has been reviewing GDPR compliance since November 2017. A project plan has been developed with key milestones and an audit of all data across the teams is being carried out. Privacy notices/consents are being drafted for the relevant documents.

The project group comprises:

  • Sam Collins-Lafferty
  • Louise Smith
  • Claire Allen
  • Tracy Donovan
  • Kevin Jarman
  • Helen Short
  • Katie Dawson
  • Darren Edwards
  • Phil Wilson
  • Emma Price
  • Helen Woodbridge

Progress against the key milestones of the project plan can be seen below:

Area of compliance: Staff processing personal data are aware of and understand GDPR principles.
Item from plan: CPD sessions diarised for Workforce and Transformation teams outlining GDPR principles and responsibilities.
Action:
  • Provisionally arranged for 25 April.
  • FAQs being drafted.
  • Presentation being drafted.

Area of compliance: Personal data processed is only used in a lawful manner (using the lawful reasons within GDPR).
Item from plan: Teams started to audit personal data and pupil data at the end of 2017 and this will continue to the end of February.
Action:
  • Data audit spreadsheet developed.
  • STaR have refined this spreadsheet as they have gone through the process of auditing the data they use.

Area of compliance: Data controller/processor responsibilities.
Item from plan: SLAs to be compliant with GDPR. Recruitment activity and contracts of employment are compliant.
Action:
  • SLAs being identified to send an annex to their contract if the contract end date is beyond 25 May.
  • Privacy Notice being developed to include in new SLA.
  • Reviewing recruitment application forms and contracts of employment to ensure compliance.

Area of compliance: Data controller/processor responsibilities.
Item from plan: Information and support to schools.
Action:
  • SLG page prepared which includes:
      • Information on the principles of GDPR.
      • FAQs.
      • Links to templates for auditing data and further information.
  • Shropshire’s Privacy Notice – primary/infant and junior registration form has been drafted and will be placed on SLG at the appropriate time.
  • Privacy Notice – How we use children and young person’s information – drafted ready for SLG.
  • Leaders to deliver awareness sessions to schools are being identified for training, and schools will then be informed of the dates of workshops via SLG.