Data at the University
Data security is a key aspect of compliance with the data protection legislation. Coventry University Group take data security very seriously and expect you to do the same.
Why is data security important?
It is a key principle of the GDPR that personal data is processed securely.
Effective data security management not only ensures compliance with the security principle it minimises the risk of breaches and the potential exposure to fines or other enforcement actions.
What are the requirements for data security?
Article 5(1)(f) GDPR provides that personal data must be processed in a manner which ensures appropriate security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
In order to ensure appropriate security appropriate technical and organisational measures should be implemented.
Article 32 GDPR gives more detail in relation to the measures which should be put in place to ensure the security of the processing of personal data and provides that risk-based approach should be adopted.
Organisations are required to ensure a level of security appropriate to the risk. It is not one sizes fits all.
When deciding what are the appropriate measures to put in place consideration has to be given to:
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of the systems and services being used to process personal data;
The ability to restore access to the personal data quickly in the event of an issue;
- A process for regularly testing and evaluating the systems in place.
However, there are no specific standards set out in the GDPR or the DPA2018.
In deciding what is appropriate the state of the art and costs on implementation can be factored into the equation.
Compliance with policies, procedures and internal guidance
All staff, students and other persons handling personal data for or on behalf of Coventry University Group or who have access to Coventry university Group’s computer files or computer systems containing personal data must at all times comply with our data security policies.
Important Points to Remember
Proper security measures need to be considered and put in place whenever you hold, display or use personal data and you must take all reasonable and appropriate steps to prevent any loss, destruction or corruption of data. In particular you should:
- Ensure that paper files containing personal data are kept securely and not left visible on desks or working spaces. Files should be kept in locked filing cabinets and should not be removed from the premises unless it is absolutely essential to do so and appropriate steps to ensure their security have been put in place;
- Computers which can access personal data should not be left unattended when logged on;
- Passwords should be regularly updated and should be used to access all files containing personal data;
- Documents and print outs containing personal data should be securely shredded once finished with;
- You should never write down or tell anyone else your passwords;
- Personal data should never be saved to an unencrypted memory stick or flash drive;
- When personal data is no longer required it should be securely and completely erased from all memory sticks, flash drives and computers;
- Personal data should never be stored on the desktop of your computer;
- Only approved devices with appropriate security protections should be used to access personal data;
- Personal data should not be sent by unsecured mail such as outlook or yahoo and should only be sent through the University’s email server.
Please contact email@example.com for further information about how you should ensure the security of the personal data.
What is data sharing?
Data sharing is the process by which one organisation shares personal data which it holds with a third party (or with another part of the organisation).
It can involve:
- A reciprocal exchange of data
- One party providing personal data to another
- A number of organisations pooling their data
- Exceptional one off disclosures in unexpected or emergency situations
- Different parts of an organisation sharing personal data with each other.
Some data sharing does not involve personal data, for example where statistics or anonymised data are shared, in which case it is not governed by the General Data Protection Regulation (“GDPR”) or Data Protection Act 2018 (DPA2018).
Data sharing is most commonly used to describe the sharing of personal data between parties as data controllers. Where an organisation is engaged to process personal data on behalf of another organisation, for example to provide mailing services, they are engaged in data processing and must act on the instructions of the data controller, which in this case would be the University.
Legal requirements of data sharing
When considering data sharing you must therefore ensure that the principles of processing are complied with. This includes ensuring that there is a lawful basis for the processing and that it meets the requirements of transparency and fairness.
Where data is shared outside the EEA in addition such sharing must comply with the requirements for international transfers.
How might the University share my personal data?
Details of who the University may share your personal data with and the lawful basis for doing so can be found in the University’s Fair Processing Notices.
Whenever the University transfers or shares any personal data with any third party an appropriate contract will need to be put in place. The exact form of that contract will depend on the nature of the personal data to be shared, whether it is sharing between controllers or whether it follows the engagement of a processor.
What is an international transfer?
The General Data Protection Regulation (“GDPR”) governs the processing of personal data within the EU. It also governs the processing of the personal data of EU data subjects which takes place outside the EU.
An international transfer occurs when someone’s personal data is transferred from inside the European Economic Area (or EEA) to a third country or international organisation outside of the EEA.
What is the European Economic Area?
The EEA covers all member states of the EU as well as Iceland, Liechtenstein and Norway. It is essentially all countries which are part of the ‘single market’ (which is often also referred to as the ‘internal market’).
It is unclear at present whether the UK will remain within the EEA following Brexit. If it does not, transfers of personal data between the UK and the EEA member states will constitute international transfers for the purposes of the GDPR and the Data Protection Regulation 2018 (“DPA2018”).
What is meant by a third country?
For the purposes of the GDPR and the DPA2018 a third country is any country which falls outside the EEA.
What are international organisations?
An international organisation is defined as an organisation governed by international law or which is set up on the basis of any agreement between two or more countries (see Article 4(26) GDPR and Section 205(1) DPA2018).
Why are international transfers restricted?
The GDPR and the DPA2018 primarily govern how organisations in the EU handle personal data.
The key purpose of the GDPR and DPA2018 is to ensure the protection of an individual’s personal data and to protect their interests and fundamental rights and freedoms.
Organisations in third countries are not bound by the same restrictions therefore individuals risk losing the protections afforded to them by the GDPR and DPA2018 if their personal data is the subject of an international transfer.
The restrictions placed on international transfers are designed to ensure an individual receives the same protections for their personal data in a third country as they do in the EU.
When can an international transfer be made?
International transfers can only be made where expressly permitted by the GDPR or DPA2018.
International transfers can be made where one of the following is in place:
- An adequacy decision has been issued by the European Commission in relation to the specific third country which the data is to be sent to (see below).
- Appropriate safeguards are in place (see below).
- Binding corporate rules are in place (see below).
- The transfer is expressly permitted by law such as transfers of personal data for law enforcement purposes as specifically permitted by the DPA2018.
- One of the exemptions in Article 49 GDPR applies.
What is an ‘adequacy decision’?
The European Commission has the power to decide is a country outside the EU offers an adequate level of protection for personal data.
The effect of an adequacy decision is that personal data can flow freely between the EU and that third country without further safeguards being put in place.
To date adequacy decisions have been issued in respect of:
- Canada (commercial organisations only)
- Faroe Islands
- Isle of Man
- New Zealand
- USA (subject to the Privacy Shield framework as to which see below)
What is the Privacy Shield?
The Privacy Shield framework was designed so as to allow personal data to travel between the EU and the USA.
It does not automatically apply to all transfers of personal data between the EU and the USA.
Organisations based in the USA must apply to join the Privacy Shield framework before they can benefit from it.
What is meant by ‘appropriate safeguards’?
If an international transfer is to take place to a third country which does not benefit from an adequacy decision the person transferring the data must ensure that the party receiving it has provided for appropriate safeguards for the personal data and that the rights of the individuals in respect of their personal data will be respected and enforced by the party receiving the personal data.
Article 46 GDPR sets out some specific circumstances in which appropriate safeguards may be provided these include:
- Where the transfer is from a public body to another public body where both have signed a contract which is binding and enforceable and which includes the enforceable rights and effective remedies for the individuals whose data is to be transferred;
- Where binding corporate rules are in place (as to which see below);
- Where the party sending the personal data and the party receiving the personal data have entered into a contract which incorporates (in their entirety and without amendment) the standard data protection clauses adopted by the European Commission. These ‘model clauses’ can be accessed on the European Commission website.
- Where both parties have entered into an agreement which incorporates standard clauses adopted by the Information Commissioner (although no such clauses have yet been issued);
- If the receiving party has signed up to an approved code of conduct (again no approved codes of conduct have yet been issued);
- If the receiving party has a certification under a scheme approved by the Information Commissioner or another supervisory authority (no certification schemes have yet been approved either);
- If a Supervisory Authority has specifically authorised the transfer of personal data pursuant to an agreement which the sending party has with the receiving party; or
- The transfer is made pursuant to an administrative arrangement between public authorities which has been authorised by a Supervisory Authority.
What are ‘binding corporate’ rules?
Binding corporate rules govern the transfer of personal data between companies within the same group.
They are an internal code of conduct.
Binding corporate rules must be submitted to a supervisory authority and approved before they can be relied upon.
Article 47 GDPR sets out the requirements for the approval of binding corporate rules by a Supervisory Authority.
What exceptions are there to the restrictions on international transfers?
If the country to which the personal data is going to be transferred is not the subject of an adequacy decision and none of the appropriate safeguards are in place any transfer of personal data to that country will be unlawful unless one of the exemptions applies.
Article 49 GDPR sets out 8 specific exemptions to the restrictions on international transfers. It provides that transfers can be made in the following circumstances:
- Where the individual has expressly consented to the transfer (and was aware when giving consent that no adequacy decision or appropriate safeguards are in place);
- Where it is necessary for the performance of a contract to which the individual is a party;
- Where it is necessary for the performance of a contract which is concluded in the interests of the individual;
- Where it is necessary for reasons of important public interest;
- Where it is necessary for the purpose of legal claims;
- Where it is necessary to protect the vital interest of the individual or another person and the individual is incapable of giving consent;
- The transfer is of information from a register which is intended to provide public information; or
If the transfer is not repetitive, concerns a limited number of individuals’ data and is necessary for the compelling legitimate interests of the controller and where the Information Commissioner or other Supervisory Authority and the individual(s) concerned have been informed.
What is data protection by design and default?
Article 25 GDPR essentially provides that organisations are required to make data protection core to their business.
Data protection by design means that at the earliest stage of an organisation considering a new system which will process personal data it must ensure that the data protection principles are taken into account and that this frames the system. Therefore it should consider things like appropriate safeguards, data minimisation and tools such as pseudonymisation.
Data protection by default means the default position in everything an organisation does should provide the highest level of protection for personal data. This means only data which is necessary should be processed (and forms should only request that which is necessary), storage periods should be as short as possible and access should be as limited as is practicable.
What does this mean for the University?
This is not a case of going through the motions. Data protection is central to everything the University does and must be a constant consideration.
Where the University is putting in place any new systems, polices or procedures which involve in any way the processing of personal data it will ensure they incorporate and reflect the principles of processing.
What is a DPIA?
A Data Protection Impact Assessment or DPIA involves going through a process to help identify and assess the data protection risk of a particular project or activity using personal data.
When is a DPIA required?
Article 35 GDPR requires that a DPIA is completed each time the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.
When assessing the risk to individuals it is necessary to consider the likelihood and severity of any impact on individuals.
It is good practice to complete a DPIA for all major projects or activities involving the processing of personal data.
There are certain circumstances in which a DPIA must be completed, including where the project or activity involves:
- The systematic and extensive evaluation of personal data by an automated process and where decision which have a legal effect will be based on the outcome;
- Large scale processing of special category data or data relating to criminal convictions or offences;
- A systematic monitoring of a public area on a large scale.
If a high risk is identified which cannot be mitigated the project the Data Protection Officer (DPO) will refer it to the Information Commissioner’s Office (ICO) for approval.
What does a DPIA contain?
A DPIA will set out:
- the nature, scope, context and purpose of the processing to be carried out;
- an assessment of the necessity, proportionality and compliance measures which are in place for the project;
- it will identify any risks which the project possess to individuals rights and freedoms;
- it will identify steps which can be taken to mitigate any risks which are identified.
What does this mean for the Coventry University Group?
The University uses a screening questionnaire based upon the ICO’s guidance to help determine if a DPIA is required to be completed.
Records of completed DPIAs are kept by the University.