Data protection has grown in importance in recent years. It focuses on the protection of an individual’s personal data. Whilst sharing personal data is often necessary and makes life easier and more convenient, it is important that the individual retains control of their information and that it is used properly and legally. This is data protection.
Given its huge importance it is unsurprising that there are a number of laws which govern the way in which personal data can be handled. These laws work together and overlap in places. They therefore need to be considered as a whole and not in isolation.
The data protection laws have recently been reviewed and updated to take account of the changing ways in which personal data is being used and shared.
Generally speaking the most important aspects of the laws governing data protection which you need to know are that:
- they are wide ranging in effect and will impact upon almost every organisation within the EU as well as any organisation doing business in the EU or which has access to the personal data of EU data subjects;
- the new laws have significantly increased the penalties for non-compliance, which can now be as high as 4% of global annual turnover or €20 million (whichever is higher);
- they increase the standards for data protection and require greater openness and transparency;
- they increase an individual’s rights in respect of their personal data;
- they cover both electronic and paper records; and
- they apply to all personal data including personal data used in a business situation.
The key pieces of legislation are:
The General Data Protection Regulation 2016 – the GDPR
The GDPR is a piece of European legislation which has direct effect in the UK. When the UK leaves the EU it will continue to have effect as a result of the European Union (Withdrawal) Act 2018.
The GDPR is designed to provide increased protection for EU data subjects in respect of their personal data and provides individuals with more control over what happens to their personal data.
The GDPR sets out the key principles for processing personal data, specifies the way in which organisations should handle that data and sets out the rights which individuals have in respect of their data.
View full text of the GDPR.
The Data Protection Act 2018 – the DPA2018
The Data Protection Act 2018 is UK legislation which complements, supports and (in places) clarifies the GDPR.
Whilst the DPA2018 sits alongside the GDPR, it provides a more detailed framework which covers the UK’s criminal justice agencies and intelligence services, and sets out specific guidance on how the GDPR should be applied in the UK, including further details on the exemptions which UK organisations can apply.
View full text of the DPA2018.
The Privacy and Electronic Communication Regulations – PECR
PECR sits alongside the GDPR and DPA2018 and sets out specific rules in relation to:
- marketing calls, emails, texts and faxes
- cookies (and similar technologies)
- ensuring the security of electronic communications.
The biggest effect PECR has is in relation to unsolicited email marketing: it essentially provides that organisations need consent before carrying out unsolicited electronic marketing.
It also sets out rules to ensure customer privacy in relation to traffic and location data, itemised billing, line identification and directory listings.
View full text of PECR.
The e-Privacy Regulations
The European Commission is currently consulting on a new regulation to govern privacy and electronic communications. This will replace the current e-privacy Directive which is the basis for PECR (as to which see above).
It is anticipated that irrespective of the outcome of Brexit the E-Privacy Regulations will be adopted into UK law once they have been approved at an EU level.
The new e-Privacy Regulations are designed to extend protection for personal data in electronic communications to include technologies such as WhatsApp, Facebook Messenger and Skype. They are also designed to simplify the current rules on cookies.
One of the biggest changes which the proposed e-privacy Regulations will introduce is increased protection against spam (also known as unsolicited electronic communications including those by SMS, email, and automated calling).
The e-privacy Regulations are still in a draft format and are yet to be finalised or brought into effect. When they are this guide will be updated.
What is meant by the ‘Supervisory Authority’?
The GDPR provides that each Member State must appoint an independent public authority to be responsible for monitoring the application of the GDPR and to ensure the protection of the fundamental rights and freedoms of individuals in relation to the processing of their personal data.
In the UK the Supervisory Authority is the Information Commissioner’s Office (ICO).
Further information on the Information Commissioner’s Office can be found at www.ico.org.uk
Controllers and Processors
Under the data protection legislation there are effectively two types of organisations handling and processing personal data. They are called ‘controllers’ and ‘processors’.
A ‘controller’ is the person or organisation who decides what personal data is collected, how it is collected, what it is used for and what happens to it.
A ‘processor’ is a person or organisation who handles personal data for a controller and uses it only on the controller’s instructions.
It is important to be very clear at the outset whether Coventry University Group is a controller or a processor of any particular piece of personal data as this affects the obligations which it has in relation to the processing of that data.
For the vast majority of the personal data which Coventry University Group processes it is a controller. This includes student, staff and visitor data. However, on some occasions the University Group may be asked to process personal data on behalf of a third party, in which case it would be the processor.
The key principles
The GDPR sets out 7 key principles for processing personal data. These are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The principles are central to the GDPR and compliance with their spirit is key. The first six are explained below; accountability is covered in its own section (‘What is accountability?’).
1. Lawfulness, fairness and transparency
Personal data has to be processed fairly and lawfully. This principle also requires organisations to be transparent about what they are doing with an individual’s personal data.
The GDPR sets out 6 lawful bases for processing personal data. Before processing, Coventry University Group needs to establish which lawful basis applies in each instance. More stringent rules apply to special category and criminal conviction data.
If no lawful basis applies, the processing of personal data will be unlawful. Processing will also be ‘unlawful’ if it is unlawful more generally and, for example, constitutes a breach of confidence or a breach of an individual’s human rights.
In addition to being lawful, processing must be fair. For processing to be fair it must be in line with what the individual would reasonably expect. If an individual is misled or deceived when their personal data is collected, any subsequent processing is unlikely to be fair.
For processing to be transparent it must be clear what is going to happen to the individual’s personal data, and Coventry University Group must be open and honest with the individual from the outset.
2. Purpose limitation
Coventry University Group must be clear about why it is collecting personal data and what it will be used for. It should only then be used for those purposes (or a compatible purpose) unless the individual has given their consent or there is some other clear basis in law for using it in that way.
Importantly for the University Group and much of its research work, further processing for the purposes of scientific or historical research or for producing statistics is treated as compatible with the original purpose, even where the personal data was collected for a different purpose, provided that the appropriate safeguards required by the GDPR are in place.
3. Data Minimisation
Coventry University Group is required to process the minimum amount of personal data necessary for the purpose. This means it should not hold more personal data than is necessary, and it imposes an obligation on the University Group to delete any personal data that is no longer required.
4. Accuracy
The personal data which the University Group holds must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or erased without delay.
5. Storage limitation
Personal data should be stored only for as long as it is needed. It may be kept for longer only insofar as it is processed solely for scientific or historical research, statistical purposes or archiving in the public interest, and subject to appropriate safeguards.
The Coventry University Group has considered how long specific types of personal data should be kept and has included recommended retention periods in its Article 30 record of processing activities.
6. Integrity and confidentiality (security)
Organisations are required to have in place ‘appropriate technical and organisational measures’ to ensure the security of the personal data which they process.
The specific measures required will depend on the organisation, the nature of the personal data being processed, the purpose for which it is being processed and the risk to individuals if it is compromised. The GDPR (Article 32) gives examples of what such measures may include: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore access to personal data promptly after an incident; and a process for regularly testing and evaluating the effectiveness of the measures.
What is ‘accountability’?
One of the biggest changes introduced by the General Data Protection Regulation (“GDPR”) was that of accountability.
Organisations now not only need to ensure that personal data is treated in accordance with the provisions of the GDPR and Data Protection Act 2018 (“DPA2018”) they also need to be able to evidence this.
Organisations are responsible for complying with the GDPR and for showing compliance.
Why is accountability important?
Accountability is not only a specific requirement of the GDPR. Keeping proper records also enables organisations to better comply with the legislation and to protect themselves against claims made against them.
It can be extremely helpful to have proper records if something goes wrong so that the organisation can demonstrate what steps it took to protect the individual’s data and can help to mitigate any enforcement action or fines.
What records of processing should we keep?
Coventry University Group utilises records of processing activities to document its data processing activities. These registers aim to map the different types of data which we hold and what happens to it and provide a record of the University’s data processing activities. They also help the University Group to better manage the personal data which it holds and to increase accountability within departments in respect of the personal data which they process.
The records of processing activities include such things as:
- the types of data we hold
- whose data we hold
- why we hold that data
- what retention policy applies to that data
- who has access to the data
- whether it is shared with any third parties
- the lawful basis for our processing.
In addition, Coventry University Group has a Data Protection Policy which sets out further details of what the University expect from its staff in respect of the handling of personal data.
Records are also required to be kept of all data breaches as well as of all Data Protection Impact Assessments (DPIAs).
Accountability and third party contracts
Whenever the University transfers or shares any personal data with any third party an appropriate contract will need to be put in place. The exact form of that contract will depend on the nature of the personal data to be shared, whether it is sharing between controllers or whether it follows the engagement of a processor (see definitions).
If the third party receiving the personal data is based outside the EEA, it is important that any contract with them meets the requirements for international transfers.
See also the University Group’s Guidance on Data Sharing.
The role of the DPO
The University is required to appoint a Data Protection Officer or DPO.
It is the role of the DPO to advise the University in relation to its compliance with the General Data Protection Regulation 2016 (GDPR), Data Protection Act 2018 (DPA2018), Privacy and Electronic Communications Regulations 2003 (PECR), Freedom of Information Act 2000 (FOIA) and any other related legislation.
When can personal information be processed?
Personal information can only be processed where there is a lawful basis to do so. There are 6 lawful bases for processing personal data. One of these conditions must be present before any personal data is processed.
No one lawful basis is better or worse than any other. The most appropriate one should be relied upon.
If the personal information which is to be processed is special category personal data an additional condition for processing must be present (see an explanation of what is meant by special category personal data).
Similarly, additional restrictions apply when any information in relation to criminal convictions or offences is to be processed.
What are the conditions for processing personal data?
For the processing of any personal data to be lawful it must be carried out pursuant to one of the lawful bases set out below:
- The individual concerned has provided their consent to the processing.
- The information needs to be processed for the performance of a contract with the individual (or as a step prior to entering into a contract with the individual).
- It is necessary to comply with the law.
- The processing is necessary to protect someone’s life.
- The processing is necessary for a task which is carried out in the public interest or for an official function where there is a clear basis in law for this.
- The processing is necessary for the legitimate interests of the organisation processing it or a third party unless the individual’s interests or rights outweigh that interest.
What is meant by ‘necessary’?
Necessary does not mean absolutely essential, but the processing must be a targeted and proportionate way of achieving the desired purpose. If the purpose could reasonably be achieved in a less intrusive way, the processing is not ‘necessary’.
What is valid ‘consent’?
The threshold for valid consent is a high one. Consent must be freely given, specific, informed and unambiguous and should involve a clear statement of consent or some other form of clear affirmative action showing that the individual agrees to the processing of their personal information.
Consent cannot be implied and ‘opt outs’ are no longer acceptable to show consent. It can be withdrawn at any time.
In most instances consent is unlikely to be the most appropriate lawful basis and one of the other lawful bases will most likely be relied upon.
What does ‘legitimate interest’ cover?
This is a very flexible term. It is for organisations to decide what their legitimate interests are, and then to decide if the processing of the personal data falls within those interests.
Legitimate interests cannot be relied upon where the University Group is carrying out functions in the public interest. However where it is acting outside its public interest tasks it can still rely on legitimate interest.
Legitimate interests need to be assessed against an individual’s interests, rights and freedoms. This is a balancing act.
Legitimate interests will commonly arise where the organisation is using people’s personal data in a way which they would expect and which is having a minimal impact on their privacy.
What about ‘special category’ data?
Where any information to be processed includes special category data (as to which see here), the processing will only be lawful if one of the additional conditions set out below also applies:
The additional conditions (set out in Article 9 of the GDPR) are:
- The individual has given explicit consent.
- It is necessary for the special category data to be processed for the purpose of obligations or rights in the field of employment, social security or social protection law.
- The processing is necessary to protect someone’s life and they are physically or legally incapable of giving consent.
- It is processed for the legitimate activities of a foundation, association or not-for profit body with political, philosophical, religious or trade union aims (provided it relates to a member or former member of that organisation and subject to some additional restrictions).
- The individual has already made that information public.
- It is necessary for the information to be processed for the purpose of a legal claim.
- The processing is necessary for reasons of substantial public interest.
- The processing is necessary for the purpose of preventative or occupational medicine, assessment of working capacity, medical diagnosis, health or social care or treatment or the management of health or social care systems or services.
- The processing is necessary for reasons of public interest in relation to public health such as serious cross border threats to health.
- It is necessary for the information to be processed for the archiving purposes in the public interest or for scientific or historical research or statistical purposes.
What about information relating to criminal convictions and offences?
Before the University Group can use information about criminal convictions it must make sure that it has one of the 6 lawful bases for processing in place (as to which see above). However, in addition, it must be able to show that the processing is authorised by a specific law.
The Data Protection Act 2018 provides further information as to what is and is not permitted in relation to criminal conviction data and authorises processing in certain limited circumstances.
Whilst email is a fantastic communication tool it brings with it certain potential issues from a data protection perspective.
Email is not a secure way of sending personal data. A message is ordinarily readable by every mail server it passes through on the way to the recipient and, where the connections between those servers are not encrypted, by anyone able to intercept it in transit. Only encryption applied before the message leaves the sender’s system (end-to-end encryption of the message or its attachments) protects the content along the whole route.
Emails are also a frequent cause of data breaches due to the ease by which emails can be sent to the wrong email address and/or incorrect attachments can be added to emails. This means that people may receive personal data about other individuals which is not intended for them.
How can I minimise the risk?
Sending emails which are encrypted is one of the best ways to minimise the risk of them being accessed by third parties. However, encryption is not always easy and may require you to provide the recipient with a key or password so that they can decrypt the email. Any such password should be sent by a different channel (for example by telephone or text message), never in the same email or in a follow-up email to the same address.
When sending high volumes of personal data, personal data which includes special category data or where the recipient of your email is based overseas you should use encryption where ever possible.
Adding a delay of 1 or 2 minutes to the sending of your emails can be a useful tool in ensuring that misaddressed emails and emails with incorrect attachments never leave your outbox. Often people realise almost immediately after pressing send that their email is incorrectly addressed or includes an attachment it was not meant to include. If a delay has been implemented this gives the sender the opportunity to recall the email before it even leaves.
In reality nothing can entirely remove the risk of sending personal data by email, but you can help minimise the risk by being alert to the issues and being diligent and observant when sending your emails. You should also consider password protecting the attachments to your emails (sending the password by a separate channel) and using encryption wherever possible.
Coventry University Group has put in place reasonable security measures for information sent via its email system. It is for this reason that you should not send any University Group related emails through or to your personal email accounts, which will not have the same security protections in place.
Adding a disclaimer to your email will not allow you to escape liability for a data breach. Although disclaimers are widely used by the time the recipient receives the email the data breach has already occurred.
How long can I keep my emails for?
Emails, like all other documents containing personal data, should be kept only for as long as is necessary having regard to the purpose for which they were provided.
Simply holding emails in your inbox constitutes processing for the purpose of the data protection legislation. You should therefore ensure that you are regularly deleting your emails and that you keep only those which you can reasonably justify retaining.
Personal data held in emails forms part of the personal data held by Coventry University Group and, if a data subject makes a request, for example to access their personal data, the personal data which you hold in your emails will be subject to that request.
It is important to remember that even where you delete a copy of an email it may still be retained in the University Group’s back up files and a copy may need to be provided to the individual if they make a data subject access request.
Who else can look at my emails?
The laws surrounding data protection do not give any third party a right to access your emails, although they do require you to provide access to emails containing personal data belonging to a third party if that third party makes a Data Subject Access Request under the GDPR. View further information on Data Subject Access Requests.
This does not change the position in relation to access to your University Group email account under other legislation such as the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, which allow Coventry University Group to intercept and monitor your emails to detect criminal or unauthorised use of the University Group email system.
What about my personal information contained in emails sent from my University email account?
You should only use your Coventry University Group email account to send emails relating to or required by your role in the Group. You should not use your Coventry University Group email account for personal emails. It is important that the Group maintains the integrity and security of its email system. It is often difficult to distinguish between personal emails and University Group related emails and as a result your personal emails may be monitored or intercepted by the University Group if you use your University Group email account. They may also need to be disclosed in response to a data subject access request.
What about using my personal email account for University related emails?
You should not use your personal email account for any University Group related emails. The University Group operates strict security measures in respect of its email system. These security measures may not be present in your personal email account, and so the University Group cannot guarantee the integrity or security of information sent from such accounts.
It is a key principle of the data protection legislation that the University Group puts in place appropriate organisational and technical measures to ensure the security of the personal data which we process. This is not possible where personal data is sent through insecure systems such as personal email accounts.
Individuals have an absolute right to object to their personal data being used for marketing purposes. Individuals need to be informed that their personal data will be used for marketing and given the option to opt out. In some circumstances, they must opt in, for example, for most fax, email and text marketing an opt-in will be required. Recipients who are individuals should be provided with an easy way to opt out.
Further information and guidance on the implications of the data protection laws on marketing can be found on the Direct Marketing Association’s website at www.dma.org.uk and in the University Group’s Data Protection and Marketing Guide.
What is direct marketing?
The scope of ‘direct marketing’ is wide. It is defined as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.
It is not limited to marketing for profit and includes promoting ideals and aims of not for profit organisations.
For marketing to fall within the scope of direct marketing it must be directed at an individual but in reality this will cover all calls, faxes, texts and emails.
Genuine market research is not direct marketing however if the communication includes any promotional material it will become marketing. Similarly routine customer care messages would not normally constitute marketing provided they do not include any promotion of new products or services.
Promoting the University Group’s courses or ancillary services is direct marketing. As would be seeking financial contributions from third parties such as alumni should the University Group decide to do this.
It is also likely that communications such as newsletters or magazines issued by the University Group will constitute direct marketing communications where they include any promotion of the University Group, its courses, events or the services which it offers.
Where any direct marketing is carried out it is essential that the data protection laws are carefully considered.
Solicited and unsolicited marketing.
For the purposes of the data protection laws it is important to determine whether any marketing communications are solicited or unsolicited as many of the restrictions which they impose only relate to unsolicited marketing.
A solicited message is one that is actively requested, for example where a potential student telephones the University Group to request that we send them a prospectus. Where a communication is solicited you can respond to it accordingly without risk of being in breach of laws (provided that you say who you are, display your number when making a call and provide a contact address).
An unsolicited communication is essentially everything else. It is any message which has not been specifically requested. Where an opt-in has been provided the communication will still constitute an unsolicited communication as you are not responding to a specific request.
Unsolicited marketing communications are not necessarily unlawful provided they are conducted in accordance with the data protection laws.
The rules governing marketing by post and telephone
Whilst the GDPR and Data Protection Act 2018 apply to all forms of unsolicited marketing, the Privacy and Electronic Communications Regulations provide enhanced restrictions on marketing using electronic means.
Marketing by way of live unsolicited telephone call or by post is not prohibited by the data protection legislation. It can be conducted on the basis that it is in the sender’s legitimate interest to do so, provided that that interest is not overridden by the interests or fundamental rights and freedoms of the recipient. Alternatively, such marketing can be sent where the recipient has expressly given their consent to receive it, such as by way of an opt-in.
Where consent is the legal basis for processing, the data protection laws impose a very high standard. Consent must be freely given, specific, informed and constitute an unambiguous indication of the individuals agreement to their personal data being processed.
Consent requires affirmative action such as for a specific opt-in box to be checked or an email address to be provided for that purpose. It is also required to be freely given i.e. it cannot be a condition for another action or agreement. Finally consent must be specific and informed. This means that you must state exactly what the information provided will be used for, by whom and why.
In most circumstances, consent will not be relied upon for marketing communications sent by post or by telephone as legitimate interest will be a more suitable basis.
Prior to making any marketing calls all telephone lists must be screened against the Telephone Preference Service (TPS). If an individual has registered with the TPS then making a marketing call to them would be in breach of the legislation unless they have specifically notified the University Group that they do not object to being contacted in this way. The TPS acts as a general opt-out from all telephone marketing. It should be checked before each marketing call is made: even if an individual has been happy to receive calls from the University Group in the past, if they have subsequently registered with the TPS this acts as a de facto opt-out.
Where you intend to send any marketing materials by post or make any marketing calls you must consider whether it is in the University Group’s legitimate interest to do so and if so what impact, if any, you think it will have on the individual’s rights and freedoms. You must also always give the recipient the opportunity to opt out of future marketing communications and where the marketing is by telephone you must ensure that you tell the individual who you are, that you display the number you are calling from and that you provide a contact address or Freephone number if asked to do so.
It is important to remember that even though marketing by telephone or by post may be in the University Group’s legitimate interest the University is obliged to comply with the other provisions of the data protection laws such as those relating to privacy notices.
The rules governing electronic marketing
Electronic marketing includes marketing by way of email, texts and social media.
Whilst the same rules apply to marketing by email and social media as apply to marketing by post or telephone, additional restrictions apply as a result of the Privacy and Electronic Communication Regulations.
The general rule is that electronic marketing can only be carried out with the individual’s consent.
The only exception to the requirement to obtain consent relates to existing customers and is often referred to as the ‘soft opt in’. This allows organisations to send electronic marketing messages, without express opt-in consent, to existing customers where they have obtained the individual’s contact details in the course of a sale (or the negotiation of a sale) of a product or service to that person and the marketing materials relate to similar products or services.
In any electronic marketing communication whether sent pursuant to express consent or ‘soft opt-in’ consent the individual receiving the communication must have the opportunity to opt out in each communication. Where the communication is sent pursuant to a ‘soft opt-in’ the individual must also have been given the ability to opt-out when their personal information was first collected.
Before engaging in any electronic marketing campaign you must carefully check to confirm consent has been received and documented. You must also ensure that there is a clear mechanism for opting out and recording those who have opted out so that they do not receive any further communications. If you are in any doubt you should contact the Information Governance Unit at email@example.com
The same high standard for consent applies here as is set out above for marketing by post and telephone: consent must be freely given, specific, informed and an unambiguous indication of the individual’s agreement, given by affirmative action.
Consent under the data protection laws is difficult to obtain and data processed on the basis of consent can only be processed until such time as that consent is withdrawn. This means that you should follow the essential steps set out below when relying on consent:
- Ensure that your consent is valid (if you are in any doubt please refer to the Information and Privacy Unit for guidance).
- Record how and when that consent was obtained.
- Ensure all future marketing communications set out clearly how that consent can be withdrawn.
- Keep a detailed record of all those who have withdrawn their consent and ensure that this is cross referenced before any future marketing materials are sent.
There is no fixed period for which consent remains valid, although it will not last indefinitely. How long the consent is valid for will depend on the particular circumstances in which it was given and whether it is still reasonable to treat it as an ongoing indication of the individual’s wishes.
The right to object
Individuals have the right to object at any time to receiving marketing communications, irrespective of whether those messages are sent on the basis of consent or legitimate interest and whatever format they are sent in. This right is absolute, and if you receive such a request you must action it as quickly as possible and at the very latest within 28 days of receipt.
If you receive such an objection please can you inform the Information Governance Unit at firstname.lastname@example.org so that this can be recorded for future reference.
What if someone else is sending marketing communications on our behalf?
If a third party is engaged to send marketing communications on the University Group’s behalf a formal data processing agreement is required. Please contact the Information Governance Unit at email@example.com for a draft agreement.
Where a third party is engaged by the University Group, that third party is responsible for its own compliance with the data protection laws, but this does not absolve the University Group of its responsibility or liability in this regard. It is your responsibility to check carefully any third parties with whom you engage, so as to ensure they are familiar with the requirements of the data protection legislation.