Introduction to GDPR
Key concepts
- What is personal data?
- What is a data breach?
- When is the College a data controller and when is it a data processor? What is the difference between the two?
- What policies and procedures are relevant to me?
- What is consent? How do I record it?
- What is a legitimate interest? How do I record it?
- Who is the College's DPO?
Simply put, personal data is any information relating to an individual which can be used to identify them. Examples include a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Pseudonymised data is also classified as personal data.
Personal data may also include ‘special categories’ of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances and subject to additional controls.
For full definitions, please see the College’s guidance on Processing personal data.
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. You should report a data breach as soon as you suspect one.
A data controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. In contrast, a data processor is the natural or legal person, public authority, agency or any other body which processes personal data on behalf of a controller and only on the data controller’s instruction.
For most of the personal data it processes, the College is the controller. However, there are some cases in which the College is a processor, such as when processing data on the instructions of another organisation for a research project, or when supplying a service to another organisation.
Data controllers have a greater number of responsibilities under the data protection laws than data processors.
The College has a number of policies and procedures which all staff are required to comply with. The key policies and procedures which relate to data protection are listed below:
The GDPR sets a new, higher standard of consent for data processing. There are a number of requirements for consent – consent must be:
- Specific
- Informed
- Freely given (a performance of a contract must not be made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract)
- Able to be evidenced
- Able to be withdrawn
- Opt-in rather than opt-out
- Provided by an appropriate method
- Distinguishable from other matters
To assist, the following tools and guidance are available:
Processing Personal Data
Under the GDPR, one of the six lawful bases for processing personal data is where legitimate interests apply. It is the most flexible basis for processing and could, in principle, apply to almost any type of processing for any reasonable purpose other than where the College is performing a task in the public interest or exercising any official authority vested in the College e.g. teaching and carrying out research in the public interest.
In order to record data processing under the legitimate interests basis, you must complete a Legitimate Interest Assessment Template [Word]. Guidance from the Information Commissioner's Office regarding the legitimate interests legal basis is available here.
Robert Scott is the College’s Data Protection Officer. His contact details are as follows:
Email: robert.scott@imperial.ac.uk or dpo@imperial.ac.uk
Phone: +44 (0)20 7594 3502
Find other useful contacts.
Safeguarding measures
- When is personal data anonymised?
- What is privacy by design and default?
- How can I keep data secure?
- How can I share information securely?
Data is anonymised when it can no longer be attributed to an individual. This is usually accomplished by aggregating the data or by removing all identifiers. Be aware, however, that pseudonymised data (for example, where personal identifiers have been replaced by codes or figures) is still classed as personal data, because a key linking the codes back to the individuals is likely to exist.
The Information Commissioner's Office has produced Anonymisation guidance.
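As an added illustration (example code, not part of the College's guidance or the ICO's), the following Python script pseudonymises a small constructed staff dataset by replacing the direct identifiers with a keyed code and keeping the code-to-identity table separately, shows that anyone holding that table can re-identify the records (which is why the pseudonymised set remains personal data), and contrasts this with an aggregated summary with small groups suppressed, which no longer attributes anything to an individual. All names, e-mail addresses and the key are constructed for the example.

```python
"""Pseudonymisation versus anonymisation on a constructed staff dataset."""
import hmac
import hashlib
from collections import Counter

# Constructed sample records (fictitious people). Name and e-mail are direct
# identifiers; department and sick_days are the attributes to be analysed.
RECORDS = [
    {"name": "Alice Example", "email": "a.example@college.example",
     "department": "Physics", "sick_days": 3},
    {"name": "Bob Sample", "email": "b.sample@college.example",
     "department": "Physics", "sick_days": 0},
    {"name": "Carol Test", "email": "c.test@college.example",
     "department": "Chemistry", "sick_days": 5},
]

IDENTIFIER_FIELDS = ("name", "email")


def pseudonymise(records, key: bytes):
    """Replace direct identifiers with an HMAC-derived subject code.

    Returns the pseudonymised records and a separate lookup table
    (code -> identifiers). The lookup table and the key are the 'related
    key' that keeps the output personal data, so they must be stored and
    access-controlled separately from the pseudonymised set.
    """
    pseudonymised = []
    lookup = {}
    for rec in records:
        # A keyed hash means nobody without the key can regenerate the codes
        # from a list of known e-mail addresses.
        code = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[code] = {field: rec[field] for field in IDENTIFIER_FIELDS}
        stripped = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
        stripped["subject_code"] = code
        pseudonymised.append(stripped)
    return pseudonymised, lookup


def reidentify(pseudonymised, lookup):
    """Show that the pseudonymised set is fully reversible given the table."""
    restored = []
    for rec in pseudonymised:
        attributes = {k: v for k, v in rec.items() if k != "subject_code"}
        restored.append({**lookup[rec["subject_code"]], **attributes})
    return restored


def aggregate(records, min_group_size=2):
    """Produce per-department totals, suppressing groups below min_group_size.

    The result has no per-individual rows and no code linking back to a
    person, so it can no longer be attributed to an individual. Suppressing
    small groups avoids a total that is really one person's value.
    """
    staff = Counter(rec["department"] for rec in records)
    totals = Counter()
    for rec in records:
        totals[rec["department"]] += rec["sick_days"]
    return {
        dept: {"staff": n, "sick_days_total": totals[dept]}
        for dept, n in staff.items()
        if n >= min_group_size
    }


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-keep-separately"
    pseudo, table = pseudonymise(RECORDS, demo_key)
    print("Pseudonymised (still personal data):", pseudo)
    print("Re-identified using the separately held table:", reidentify(pseudo, table))
    print("Aggregated (anonymised):", aggregate(RECORDS))
```

Running the script prints the three views of the same data; the single-person Chemistry group is dropped from the aggregate because its total would identify one individual's value.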
Privacy by design and default are mandatory requirements to ensure data protection is built into processing activities. This is accomplished by putting in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights, and by considering data protection and privacy issues upfront in everything we do.
To assist, the following tools and guidance are available:
If you are looking at how best to keep digital data secure, the College provides guidance and solutions as follows:
For more information please contact the ICT helpdesk.
Depending on whether data is being shared internally or externally, the College provides guidance and solutions.
For more information please contact the ICT helpdesk.
Training
- What training can I do?
- Where can I find more information about the GDPR?
- I have identified a data protection training need in my team/department. Who can help?
- How to do the Data Protection E-Learning Training?
The College has developed an e-Learning training course which all staff are strongly encouraged to complete. For information on how to access the training, please visit the Training page.
All staff should also complete the Information Security Awareness training, the Records Management e-Learning course and the Freedom of Information e-Learning course.
The Data Protection Officer is able to run dedicated training sessions which are specific to the needs of a team or department. Please contact Robert Scott to discuss further:
Email: robert.scott@imperial.ac.uk or dpo@imperial.ac.uk
Phone: +44 (0)20 7594 3502
See the GDPR e-learning Training Guide for step by step instructions on how to complete the Imperial College London data protection E-learning.
Privacy notices
- When is a privacy notice necessary?
- What existing privacy notices does the College have?
- If I need a bespoke privacy notice, is there a template I can use as a starting point?
Data subjects must be provided with certain minimum information, usually within a privacy notice, at the time when data is collected from them or within one month from when the personal data is received from a third party.
Current privacy notices for the College are as follows:
- Privacy Notice for staff and prospective staff [PDF]
- Privacy Notice for Students and Prospective Students [PDF]
- Privacy Notice for Events [PDF] covers all College activities relating to event management (including Advancement events)
- Privacy Notice for Advancement Activities relating to alumni, friends and supporters’ personal data
- Privacy Notice for agency and contractors' staff relates to individuals engaged by third parties that contract with the College to provide services to the College.
There are also various local privacy notices such as a privacy notice for the Library.
If you are proposing to process any personal data, you must check whether it is expressly covered by one of the existing privacy notices. If it is covered, clearly draw the attention of the data subject from whom personal data is being collected to the relevant notice at the point at which the information is collected, or within one month from when the information is provided to the College by a third party.
Yes, there are several templates; which one is a suitable starting point depends on the nature of the proposed processing.
- Privacy Notice Template [Word]: this is a generic long form template that can be used as a starting point for all types of processing
- Newsletter privacy notice template [Word]: this is a shorter form template suitable for use where personal data is being collected for email newsletters subscription and distribution purposes
- Medical Research Privacy Notice template [Word]: this is a template that is intended to comply with both the GDPR/DPA and with HRA requirements
- Non-medical research privacy notice template [Word]: this template is designed for other research (i.e. not medical/health research) that involves processing personal data
Once a new privacy notice is prepared, please forward the final draft you are happy with to the Data Protection Officer for sign-off.