This article will provide the transcript for the Data Protection module of the Information Governance training offered for University Staff, Postgraduate Researchers, Contractors and Visitors who have access to University information.
The transcript available in this article is also available for download in both PDF and DOCX (Word) formats; they can both be found under Attachments.
The Information Governance Training also includes the Information Security module. The transcript for the Information Security module can be found in the knowledge base article KB0016915 or by clicking on this link.
Welcome to the University of Leeds Data Protection module. This is for staff, postgraduate researchers, contractors and visitors who have access to University information.
The module should take approximately 30-40 minutes to complete.
In its role as an educational provider, an employer and a research-intensive organisation, the University holds and processes a significant volume of personal data relating to numerous cohorts of individuals. Everybody who processes personal data has a responsibility to do so safely and responsibly.
If the University was to lose or otherwise compromise someone's personal data it could not only have a serious effect on the rights and privacy of the individual, but also on the reputation of the University as a safe partner for data sharing and use.
It is important that everybody remains focused on how we use and protect data.
You are required to complete this training within 4 weeks of joining the University, and on an annual basis thereafter. If you do not complete the training your access to the University's systems may be suspended.
Completing the learning is a key step in ensuring that the University remains compliant with all data protection legislation, and that we keep our data secure.
Let’s start by making sure that we all have a shared understanding of what is meant by data protection and how we define personal data.
We will then move on to review the six principles of data protection, consider individuals’ rights and finally, learn who enforces data protection in the UK.
Data protection means:
Data protection rules specify:
The General Data Protection Regulation (GDPR) applies to all countries within the European Economic Area (EEA). The EEA comprises all countries in the EU plus Iceland, Norway and Lichtenstein. The UK is no longer one of those countries but our domestic Data Protection law (the Data Protection Act 2018) is equal to the GDPR.
This means that we can continue to send data to our EEA partners, and they can send it back to us. Where we want to share data with partners and collaborators outside the EEA we might need to include extra conditions and clauses in our contracts to provide added assurance that their data protection practices are adequate.
The legislation gives individuals more rights to control and check how organisations use their personal information.
The legislation means that organisations could face higher fines for breaches in data protection.
Organisations will have even stricter obligations to keep the personal information that they hold safe and secure from loss and theft etc.
Organisations need to provide evidence of the measures they take to comply with the GDPR and the DPA 2018.
There is more information and useful resources such as document templates on the University’s data protection website.
The data protection legislation controls the use of personal data. But how do we define ‘personal data'?
The data protection legislation describes personal data as such:
“Personal data is a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
A simpler definition might be:
Personal data means any information relating to an identified or identifiable natural person.
The data protection legislation applies to data stored digitally, as a hard copy, or in visual or audio format. Any details that can be used to identify a person or which can be related to an identifiable person are classed as personal data and are covered by the Act.
Data Subject is the term used to describe the individual whose personal data is being collected and used.
The Data Controller determines the purposes and means of processing personal data.
Data Processor means any person or organisation who processes the data on behalf of the Data Controller.
The data protection legislation classifies some personal data as being particularly sensitive.
Special category data refers to any details which could be more detrimental to the individual if the data is misused.
Special category data is defined as:
Note that the legislation puts additional safeguards in place around the use of what it classes as special category data.
Credit references and bank details are not classed as special category data. Sensitive financial data is subject to different safeguards, within financial services regulations.
Take a few minutes to review the six principles of the GDPR. These may be familiar to you, as they have formed the core principles of all data protection legislation in the UK. These principles relate to the collection, use, storage and disposal of personal information and are the foundation of good data protection practice.
The six principles are:
Organisations must be able to demonstrate how they comply with these 6 principles.
Personal information must be processed lawfully, fairly and in a transparent manner. This means that data subjects must be kept informed about how and why their personal data is processed as well as requiring the processing to be lawful.
Data must be collected for a specified, explicit and legitimate purpose. It should not be further processed in a manner that is incompatible with this purpose.
Personal information must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is being processed.
Personal data should never be recorded simply on the basis that it might be useful in the future. There must be a clear link between what the purpose of the processing is and what data is actually processed.
The data must be accurate and, where necessary, kept up to date.
Personal information must not be kept for longer than is necessary.
The data must be processed in a manner that ensures appropriate security of the personal information. This includes using appropriate technical or organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Data protection legislation gives rights to individuals relating to the personal data that organisations hold about them.
The University has a classification system for all the data it processes, which includes commercially sensitive as well as personal data. Whilst this training focuses on personal data it is important to understand the principles for protecting other classified data as well. Refer to the Information Protection Policy for more detail.
Let’s look at an example of an individual who has concerns about how their personal data is being used.
Which of the following do you think apply to Kazia? (Tip: Consider the rights that data subjects have.)
How did you answer? In this scenario, Kazia is the data subject and she has the right to:
The University cannot charge for providing Kazia with this information.
You can revisit this section if you want to refresh your knowledge on any of the following topics.
Everyone who accesses information has some responsibility for ensuring that we comply with the legislation and with the University's policies.
The University is the data controller. This means that the University is legally responsible for ensuring that its use of personal and sensitive information complies with all aspects of the legislation.
This includes a requirement for the University to ensure that all staff who have access to, or handle, personal or sensitive information know how to do so safely and legally.
Line managers are responsible for ensuring that their staff receive appropriate training and are provided with appropriate equipment to enable them to comply with the legislation.
All employees have a responsibility to comply with the legislation and with University procedures. They can do this by following our data protection policies and procedures and reporting any concerns or data breaches.
Employees who deliberately or negligently fail to follow policies and procedures could be subject to disciplinary action. Any misuse of information for personal gain may result in a criminal investigation.
This component is an accordion comprised of collapsible content panels containing display text.
Relevant policies and data protection training play a key role in ensuring that the University remains compliant with the legislation. The University's Data Protection website is a good source of information.
The University has key people who have specific responsibilities relating to data protection compliance. In addition to your line manager, these are people who can provide guidance on data protection issues.
The Data Protection Officer advises the University about, and monitors compliance. The University's Data Protection Office can be reached at dpo@leeds.ac.uk.
The Senior Information Risk Owner ensures that the University identifies, addresses and manages risks to personal and sensitive information. Responsibility is shared between the University Secretary and the Chief Operating Officer.
All classified data should have a designated information asset owner. All staff members are responsible for complying with data protection policies.
All classified data should have a designated information asset owner. All staff members are responsible for complying with data protection policies.
The University's Information Governance Team addresses day to day compliance with legislation and University policies, including responding to requests made in accordance with individuals' rights; managing incidents; providing guidance and advice; maintaining policies and procedures and risk assessments.
When working to tight deadlines and under pressure, it’s important that we are constantly vigilant about how we work, particularly in relation to data protection. This involves following some best practice principles when handling hard copy and electronic information.
Policies and procedures also need to be adhered to when working from home. We would expect colleagues to generate less hard copy data when they are away from the office but it is really important that you think carefully about how you are managing and saving electronic data when you are working from home.
If you are working on a computer from home you must make sure that it is encrypted (contact IT Service Desk if you are unsure).
Always use Duo multi factor authentication before accessing University systems.
Let's look at how you can make sure you are doing everything possible to minimise the risk of personal data breaches and cybercrime.
Do you remember Data Protection Principle 5?
Personal information which is in a format that permits identification of data subjects must not be kept for longer than is necessary for the purposes for which it is being processed.
But what is the right way to dispose of personal information?
The University has a legal obligation to keep some data for a specified period of time. Please refer to the retention schedule.
Always dispose of hard copy sensitive information securely. Make sure that you shred confidential documents.
Always consult IT Service Desk about the disposal of equipment and electronic devices.
We hold lots of information in our email folders, but they are not appropriate storage solutions, especially where they contain personal data. Regularly delete the emails that you no longer need and move the messages and attachments that you do need to keep for longer to a secure location, such as a OneDrive folder.
We all have a responsibility to protect the electronic information that we process on computers and other devices. The Information Security training module provides more detail on how we can achieve this.
Be particularly careful when using email as this is one of the main causes of personal data breaches and cybercrime.
Ensure that personal data and sensitive information is only sent to those that need to see it, even within the University.
Try to avoid sending sensitive personal data via email. If you have to, always password protect or encrypt. It is best practice to send the password or key to the recipient via a different medium.
For example, you could ring your colleague and provide the password, or send it in a separate email.
Only ever use your University email address for sending or receiving University-related business.
Make sure the email came from a trustworthy source before you click on any links within an email.
Always double-check the recipient’s email address before you send an email. If you are sending sensitive data then you might want to consider turning off the “auto-fill” function to provide an extra layer of certainty that you are sending the email to the correct person.
Contact the IT Service Desk for more information.
Report any suspicious emails to the IT Service Desk.
You should now know where to go for information and who to ask for assistance if you have questions about personal data and your responsibilities.
Meet Steve. His role means that he has access to a lot of personal and sensitive data.
Do you think that Steve needs to report this as a personal data breach?
If you answered ‘yes’, well done.
A personal data breach occurs if any personal and sensitive information is:
Let's look at some example of data security breach incidents.
Losing a portable device that stores personal data, including USB sticks and work phones, tablets or laptops.
As well as the more commonly discussed cyber-attacks deployed to steal data, data theft can also include any data stolen by an employee or contractor.
Malware is unauthorised software that is designed to infiltrate or damage a computer system without the owner's consent.
The most familiar type of malware program is a computer virus – for example, a Trojan virus which is designed to delete files and steal or corrupt information and personal data.
Compliance means following the policies, procedures, rules and guidelines established within an organisation.
Data compliance requires that all personal data be organised and managed in line with the law and the University's regulations. An example of a data compliance breach would be sharing data outside of the terms agreed in a data sharing agreement.
Data breaches often occur from simple human errors, such as sending an email to the wrong recipient or failing to complete a mail merge and mismatching names and addresses. This highlights the importance of carefully handling information and double-checking any of your work that incorporates data, personal or otherwise.
This will often involve situations that are out of an individual's control – for example, a systems disruption that means data subjects can't receive the vital service that they require, or even a flood which damages records that are not backed up. Organisations with healthy data protection protocols should have preventative and/or recovery measures in place for losing data in this way.
What percentage of personal data breaches do you think are due to human error?
According to a CybSafe analysis of data from the UK Information Commissioner’s Office (ICO), human error caused 90% of cyber data breaches in 2019, up from 61% in 2017 and 87% in 2018.
It is very important to act quickly if you become aware of a personal data breach – all actual or suspected data security breaches must be reported immediately. This allows the University to take necessary steps to prevent a breach or to minimise the potential impact of one.
If you think that you have sent electronic data to the wrong recipient then you must telephone the IT Service Desk on 0113 34 33333 - if you do this quickly then they may be able to retrieve the data before it is accessed by the wrong person.
You should then contact the DPO (dpo@leeds.ac.uk) and let them know what has happened and what action has been taken. The DPO can then decide what further action, if any, is needed. You must never speak with the individuals affected or the ICO until you have spoken with the DPO or somebody from the Information Governance Team.
If you have lost hard copies of personal data then contact the DPO. If you suspect that your computer has been compromised then contact the IT Service Desk. Contact details for reporting a data security breach can be found on the University Data Protection website.
It is really important that all actual or suspected data security breaches are reported immediately. This allows the University to take necessary steps to prevent a breach or to minimise the potential impact of a breach.
Data protection legislation imposes very strict deadlines for reporting serious personal data breaches, which is why you need to report them as soon as you become aware of them.
The University could be fined for late notification as well as for the breach itself.
An investigation will be carried out by the Data Protection Officer and the IT Assurance Team as required.
The investigation looks at what happened and why, what needs to be done to limit the impact, who needs to be told and what can be done to prevent a similar incident in future. The team involved in the incident will need to consider their own work practices and reflect on whether data is being protected appropriately.
The results of the investigation determine whether it is a serious risk that needs to be referred to the Information Commissioner’s Office.
The Information Governance Team will liaise with the Information Commissioner's Office.
If the incident is deemed to be serious, the University must report the details to the Information Commissioner within 72 hours of the incident being known.
The law requires that we inform those whose personal information is affected if their rights or privacy could be at risk. You must not inform individuals directly; this will be coordinated by the Information Governance Team.
Indicate whether the following statements about reporting breaches are true or false:
The first statement is true. It is essential that data protection incidents involving electronic data are reported to the IT Service Desk immediately.
The second statement is also true. The University must report a serious incident to the Information Commissioner within 72 hours of becoming aware of it. You must never speak with the individuals affected or the Information Commissioner until you have spoken with the Data Protection Officer or somebody from the Information Governance Team.
This section has identified the steps that you must take if you become aware of a personal data breach.
Remember that it is essential that you report incidents as early as possible.
Before collecting data, you should consider whether the personal data needs to be identifiable or if it can be anonymised.
Identifiable data is data that easily identifies an individual or a group of individuals.
Anonymised data has had all personal data removed so that an individual or group of individuals cannot be identified.
The University has in place a privacy notice for Staff and a Privacy Notice for Students. These notices cover the types of data processing which have already been authorised and which you can undertake without any further action.
Both documents can be found on the University’s Data Protection website.
If what you want to do is not already covered in the University's Privacy Notices you will need to advise individuals about the proposed processing. This is best done by creating your own privacy notice which explains what data you want to collect and what you want to do with it.
Seek advice from the Information Governance Team.
As well as detailing when personal data can be collected, data protection legislation requires that the collection of personal data is transparent and respects the rights of the individual whose personal data is being collected.
The transparency requirements are met in a privacy notice.
A Privacy Notice explains who is collecting the data; where it is being collected from, what will be done with the data, including how it will be kept safe and who it might be shared with, and when the data will be deleted. It must include a lawful basis for why the data is being used and must also explain the rights of the individual whose data is being collected.
In order to comply with the principles of data protection legislation you must always have a lawful basis for processing personal data. This helps you to define why you need the data and what you will do with it.
The lawful bases for processing personal data are:
If you want to process special category data you must also identify an additional lawful basis; these include processing for research which is in the public interest and processing where measures have been put in place to protect the rights of the individuals whose data is being used. Speak with the Information Governance Team for more information.
This section explores the requirement to let individuals know what data you are collecting about them and what you will do with it; information which is usually made available in a document called a privacy notice.
It is a good idea to familiarise yourself with the Staff and Student Privacy Notices on the University Data Protection website. If you are wanting to gather personal data which is not covered in these notices then contact the Information Governance Team.
Consent is one of the lawful bases that you can rely on to process personal data. It must be:
In instances where a person is at risk of very serious harm you can use their personal data without their consent, for example to share it with emergency services.
Ordinarily, when you are collecting personal data for a research project there is a legal and ethical requirement for you to seek the consent of the individual whose data will be included. Sometimes you are able to re-use their data without consent, but you must secure their consent to participate in the first place.
You must also record details if consent is withheld.
You must keep a record about gaining consent in case you need to provide this as evidence at a later date. Make sure that record is saved in a secure location that your colleagues can also access if they need to.
Remember that you should record this information at the time of the discussion about consent.
You must be able to:
We might need consent for some processing which is not covered by the Staff and Student Privacy Notices” to “Consent is just one of the lawful bases we can rely on to process personal data, but it is not always the most appropriate.
Consent does not last forever and should be re-visited, especially if circumstances change. However, there is no set time frame for how long consent remains valid, you need to decide when it is time to review consent.
If an individual is at risk of serious harm then you can share their personal data without asking for their consent, for example, if you are making a call to Emergency Services because somebody is injured.
Obtaining consent is perhaps not something you do every day.
Remember you can return to this learning and use it as reference to make sure that you comply with data protection legislation.
As data sharing is one of the main reasons for personal data breaches, it’s important that you understand the scope of data sharing.
Sharing data within the University for administrative and business functions is covered by our Staff and Student Privacy Notices.
As long as you have an agreement in place and the research participants understand how their data will be used then you can share data collaboratively with other research partners.
We cannot share data about our students with their parents or family unless the student tells us that it is OK.
Even when you are sharing data internally it is important to make sure that you do it safely. Generally, it is best to share access to the data (for example via a OneDrive or SharePoint folder) than to send data by email.
If you do have to share data via email be careful to check that you are sending it to the correct person.
Familiarise yourself with the process for reporting an incident where data might have gone to the wrong recipient.
As when collecting data, you need to have a lawful basis for sharing data. Some sharing is already covered in the Staff and Student Privacy Notices which can be found on the University's Data Protection website.
The Notices also cover the sharing of data within the University where it is necessary to fulfill our administrative functions.
We must not share any data about our students with individuals claiming to be their family members of friends without the student's consent. Speak with your line manger if you have any questions or concerns.
Even when you are sharing data within the University it is important to consider the potential implications, especially if you are sharing special category data.
Data sharing as part of a research collaboration is usually explained in the Research Participant Information sheet. There are some exemptions that allow you to share research results without telling participants, but you usually need to anonymise the data first.
Before you share, check the following:
If the information that has been shared is found to have been inaccurate or if it changes, make sure you tell those you have already shared it with.
These are used when data is being shared outside the University and where the recipient will also be a Data Controller; this means that they can decide themselves how the data will be used (and possibly re-shared with other recipients).
If you are conducting research with an external partner you might need to have a Data Sharing Agreement in place. A template can be found on the University's Data Protection website.
These are used when the recipient of the data will be a Data Processor; this means that they can only process the data according to our instructions. A Data Processing Agreement sets out what the Processor can do with the data, how they must store it, any expectations about their use of a third-party processor and when they must return the data. A Processor has some obligations under the law, but the Data Controller (the University) has overall responsibility for ensuring that the data remains safe.
A template can be found on the University's Data Protection website.
You can share data within the University where it is necessary for our administrative functions. You usually need an agreement in place before you can share data with third parties but there are some legal requirements which can override this obligation.
In most circumstances you need to make the individual aware that the sharing is taking place (normally via a privacy notice), although there are some exceptions where the data is being shared with law enforcement agencies or where the person is at risk. Speak with the DPO if you receive such a request.
Whilst IT has a role in providing the overarching security of electronic data, we are all responsible for ensuring the security of the data that we work with.
Data privacy by design means having appropriate technical and organisational measures in place and building safeguards into processing to provide data security and protect the rights of data subjects.
Data privacy by default means having appropriate technical and organisational measures to ensure that, by default, only the personal data necessary for the purposes of the processing is processed.
This allows the following data considerations to be controlled:
The ICO recommend using Data Protection Impact Assessments (DPIAs) as an integral part of taking a privacy by design approach.
Data protection impact assessment is a process which helps an organisation to identify and reduce the privacy risks associated with specific data usage. An effective DPIA is a "living document" which is reviewed and amended over time. The University has a template on the Data Protection website.
The core principles of the DPIA process can be integrated with existing project and risk management policies.
There is more detailed information on the Information Commissioner’s Office website (www.ico.org.uk).
It's important to know the measures in place to protect personal and sensitive data.
Furthermore, you might want to revisit this section later should you become involved in new projects, or if you think that some existing ways of working with data could be improved.
The following questions are based on what we have covered in this module. The answers can be found below, after the final question.
Chloe wants to send some recordings to a translator company; the recordings contain identifiable personal data about students. What measures must Chloe put in place before she can share the data externally?
Chris is collecting personal data on individuals who attend Women in the Workplace seminars and is creating a privacy notice to send to the participants to inform them on how he will be using their data.
Below is a selection of statements that Chris could include in his privacy notice.
Select all the statements that are true.
Which of the following statements are true when working with personal data?
Hassan has accidentally sent an email containing personal data about a staff member to the wrong person. What should he do?
Which of the following is a core principle of the Data Protection Act (DPA).
Asha wants to tidy up the contents of her email folders. What should she do?
The correct answers are 2 and 3.
Individuals need to be told who their data is being shared with. This is normally done in a Privacy Notice, or a Participant Information Sheet if the data is being used as part of a research project. Where data is shared outside the University there must be an agreement in place setting out how the data will be used and kept safe.
The correct answers are 2, 3, 5, 6 and 7.
A privacy notice must include details of:
The correct answers are 1 and 3.
The University is the Data Controller in charge of all the personal data that it holds and uses to fulfil its business practices.
However, we all have a responsibility to ensure that we use personal data responsibly, respectfully and securely. We should report to the University any incident or potential incident that could put the data entrusted to us at risk.
The correct answer is 4.
All data breaches must be reported to the University immediately. See the reporting a data security incident website.
The correct answer is 4.
Most of us need to process personal data as part of our work or studies at the University. We can all protect the rights of individuals by only using, storing and sharing the minimal amount of personal data required to fulfil our tasks.
The correct answer is 2.
We hold lots of information in our email folders, but they are not appropriate storage solutions, especially where they contain personal data. Regularly delete the emails that you no longer need and move the messages and attachments that you do need to keep for longer to a secure location, such as a OneDrive folder.