Frequently Asked Questions

General

What’s new?

The data protection and privacy laws were updated in 2018 when the General Data Protection Regulation 2016 and the Data Protection Act 2018 came into force.

Why were new laws introduced?

The update in 2018 of data protection and privacy laws was the first such substantial update since 1998 and was designed to reflect changes in technology and the way in which organisations use personal data.

Does the University have to comply?

Yes

What if the University does not comply?

Non-compliance can have serious implications for the University both reputationally and financially.

Fines can be as high as €20 million or 4% of the University’s worldwide annual turnover (whichever is the higher at the time).

Why does data protection matter?

Aside from the penalties for non-compliance, an individual’s personal data belongs to them. It is important that in this data-driven world their personal data is only used in ways they would reasonably expect and that it stays safe.

Whilst data sharing has become increasingly common, and sharing data helps make life easier and brings lots of benefits, it is important that it is handled correctly and that individuals trust the University to respect their personal data.

What can I do?

Make sure you are aware of and follow the University’s policies relating to data protection and privacy, copies of which can be found here.

If you are unsure you can contact the University’s DPO or the Information Governance Unit.

What is a DPO?

DPO stands for Data Protection Officer. A Data Protection Officer is a person appointed by an organisation to monitor its compliance with the data protection legislation and to inform and advise the organisation of their data responsibilities and obligations.

Coventry University Group’s DPO?

The DPO can be contacted at Coventry University, Alan Berry, Priory Street, Coventry, CV1 5FB or by email at enquiry.igu@coventry.ac.uk

Where can I find out more?

You can find further information on the GDPR and Data Protection pages of this website, including our Jargon Buster and FAQ for Data Subjects.

Further information can also be obtained from:

The Information Commissioner’s Office at www.ico.org.uk

The Government’s Guide to the General Data Protection Regulation

The European Data Protection Board at www.edpb.europa.eu


Key Terms

What is personal data?

Information about a living, identifiable individual.

What is a data breach?

A data breach is more than just when personal data is hacked or lost.

It is a breach of security which leads to personal data being destroyed, lost, altered, disclosed or accessed without permission, whether or not this is accidental or deliberate.

What is meant by controller and processor?

A controller (or data controller) is the person or organisation who decides what personal data is collected, how it is collected, what it is used for and what happens to it.

A processor (or data processor) is a person or organisation who handles personal data for a controller and on the controller’s instructions.

What is meant by special category data?

Special category data is very similar to what was previously known as ‘sensitive personal data’.

It includes information about an individual’s:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (if it is used for identification)
  • health
  • sex life
  • sexual orientation

Do I have to treat special category data differently?

Yes. There are additional controls and restrictions as to how special category data can be collected and used.

What about information about criminal offences?

Information about criminal offences and convictions can only be used where there is specific legal authority permitting this.

What is meant by consent?

Consent means offering a real and genuine choice. It must be unambiguous and involve a positive step. Pre-ticked boxes do not constitute a valid consent.

What is ‘legitimate interest’?

Where the University is using personal data for a purpose not related to its public interest functions of education and research, it can handle and use personal data where it has a legitimate interest to do so. A legitimate interest could be pretty much anything provided it is reasonable and justifiable. However, before using any personal data based on legitimate interest the University has to weigh this up against the individual’s rights and freedoms.

What is meant by privacy by design and privacy by default?

This means putting in place appropriate measures to ensure the protection of personal data. These could be technical or organisational measures (such as the implementation of new processes or procedures).

Privacy by design and default is about ensuring an organisation has data protection at the forefront of its thoughts and plans at all times and that it is fully integrated into everything that organisation does.

What are Data Protection Impact Assessments?

Data Protection Impact Assessments allow an organisation to think about and document the potential data protection risks of a project and to minimise those risks.


Individual’s rights

What is a privacy notice for?

To tell you what is happening to your personal data, so that the processing is transparent.

Where can I find Coventry University Group’s privacy notices?

How can I get a copy of my personal data?

Individuals can ask for access to the personal data which an organisation holds about them at any time. This is known as a Data Subject Access Request. Please see our guide for making Subject Access Requests.

What if the information you hold about me is incorrect?

If you think the information we hold about you is incorrect please let us know and we will arrange for it to be updated.

Can I ask you to delete information you hold about me?

Yes, absolutely, and unless the University still needs your personal data for the purpose we originally got it for, we will arrange for it to be deleted.

What if I want to limit what you can do with my personal data?

Please just let us know how you would like us to limit it and why, and we will normally action your request.

What if I don’t like what you are doing with my personal data?

You can tell us that you are unhappy with what we are doing and, unless we have a compelling reason to carry on using your information in the manner you complained of, we will stop using it.

You can also make a complaint to the Information Commissioner’s Office at any time, although we would appreciate the opportunity to deal with your concerns before you do this.


Policies and Fair Processing Notices

What policies does Coventry University Group have in place in relation to data protection?

Coventry University Group has a number of policies in place in relation to data protection including the following which can be accessed by clicking the links:

Where can I find Coventry University Group’s privacy notices?

What do I do if I need to share someone else’s personal data with a third party?

You need to make sure that any sharing of personal data is lawful and in compliance with the data protection legislation. If you are in any doubt you should contact the Information Governance Unit at enquiry.igu@coventry.ac.uk

When do I need a data processing agreement?

Whenever you ask any third party to carry out any activity on behalf of the Coventry University Group which will mean they have access to or are asked to use personal data in any way whatsoever.

If you have any doubts or questions please contact the Information Governance Unit at enquiry.igu@coventry.ac.uk


Accountability

Does Coventry University Group need to keep a record of what we do with personal data?

Yes, this record is maintained and administered by the Information Governance Unit.

Is it necessary to keep a record of any consent the Coventry University Group obtains?

Yes.


Security

What measures are in place to keep personal data secure?

The Coventry University Group has put in place numerous technical and organisational measures to ensure the security of the personal data we handle. These include obtaining key data security accreditations such as ISO 27001.

What do I need to do to ensure I keep other people’s data secure?

Be mindful of data security at all times.

Read and comply with the University’s relevant policies and procedures and avoid, for example, sending personal data by unsecured email, or storing it on external storage devices such as memory sticks which can be easily lost.

Make sure that whenever you use personal data you know where that data has come from and why it was provided.

Do I need to do anything special when sending personal data overseas?

Yes, there are special rules which govern the sending of personal data overseas (particularly outside the European Economic Area).

If you are planning to send any personal data overseas, further information can be found in the international data transfers guidance section.


Breaches

What is a data breach?

A data breach is more than just when personal data is hacked or lost.

It is a breach of security which leads to personal data being destroyed, lost, altered, disclosed or accessed without permission, whether or not this is accidental or deliberate.

Further information can be found in the data breaches guidance section.

What do I do if I discover a data breach?

Immediately report it to the Information Governance Unit at enquiry.igu@coventry.ac.uk

Controller

  • A controller is the organisation which determines the purposes and means by which personal data is processed (see below for definitions of personal data and processing).
  • It is the organisation which decides what happens to your personal information including what it is used for, who it is shared with and how long it is kept.

Processor

  • A processor is any organisation which is responsible for processing personal data on behalf of the controller.
  • A processor can only act on the written instructions of the controller.
  • It does not make any substantive decisions about the way in which your personal information is handled or what happens to it.

Personal Data

  • Has a really wide definition under the General Data Protection Regulation (“GDPR”) and Data Protection Act 2018 (“DPA2018”).
  • Personal Data includes any information from which you can be identified either on the basis of that information alone or when that information is combined with some further information.

It can include for example:

  • your name
  • your address
  • your phone number and email address
  • your student, employee or UCAS number
  • your social media names and handles.

  • If information about you is anonymised, then so long as you can no longer be identified from it, it will no longer be personal data.
  • The definition of personal data is important as the GDPR and DPA2018 only apply to personal data.

Special Category Data

This was formerly known as ‘sensitive personal data’ under the previous data protection legislation.

It includes personal information relating to:

  • your racial or ethnic origin
  • your political opinions
  • your religious or philosophical beliefs
  • your trade union membership
  • your health
  • your sex life or sexual orientation

  • Special category data also includes genetic and biometric data from which an individual can be identified.
  • Bank account and other financial details do not fall within the definition of special category data.
  • Enhanced protections apply when any special category data is processed.
  • Information about criminal convictions and offences is not special category data but is subject to similar, more stringent rules.

Processing

  • The term ‘processing’ under the GDPR and DPA2018 is extremely broad. Simply speaking, it includes anything that is done to, or with, personal data.
  • Processing includes collecting, recording, organising, structuring, storing, adapting or altering the data, retrieving, consulting or using the data in any way, as well as sending it to others or otherwise making it available, and deleting personal data.
  • The definition of ‘processing’ makes it clear that the GDPR and DPA2018 are likely to apply wherever an organisation does anything that involves or affects personal information.

Consent

  • The definition of ‘consent’ is central to the GDPR and DPA2018 and represents one of the biggest changes to the old legislation.
  • To constitute valid consent under the GDPR (and therefore also under the DPA2018) the consent must be freely given, specific and informed. It must be a clear indication of what the individual wants you to do with their data.
  • Under the GDPR and DPA2018 consent can no longer be assumed unless an opt out is exercised. Consent requires a positive affirmative action.
  • The GDPR makes it much harder for organisations to rely on consent.
  • Most consents which were given prior to 25 May 2018 will no longer be valid.

Data Breach or Breach

  • This is a term which is commonly used to describe personal information being handled in any way which is not permitted by the GDPR or DPA2018.
  • It is often referred to in the context of a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any personal data. This is defined under the GDPR as a ‘personal data breach’. It is important to note that breach and data breach may also on occasion be used to refer more widely to any breach of the data protection legislation such as the GDPR or DPA2018.