data protection guidance and policy documentsdata protection guidance and policy documents
This page lists guidance and policy documents available to UEA staff, and covers issues we are asked about most frequently. This sets out the University's position on data protection matters, but should not be taken as legal advice.
UK data protection law has recently been revised and expanded, and we will regularly add to and update this page to reflect changes to the law.
If you'd like further information on anything in this page, contact the Information Compliance team at firstname.lastname@example.org, or +44 (0)1603 59 2431/1143.
what do you need to know about?what do you need to know about?
Remember, all staff must complete data protection training, which must be refreshed each year. Our online training is available via Blackboard, or this link.
HOW TO WRITE A 'PRIVACY NOTICE'
The University's primary privacy notices should cover most of the ways in which we collect and handle personal data, however there will be occasions where separate privacy notices are required (e.g. because data will be collected for a specific purpose that doesn't apply to a wide range of people). The following guidance and supplementary text is designed to assist staff who need to create a specific privacy notice. The data protection team must be informed of any new privacy notices (see checklist below).
WHAT TO DO IF SOMEONE REQUESTS A COPY OF INFORMATION WE HOLD ABOUT THEM
People are entitled to request a copy of the personal information the University holds about them. These requests are commonly known as Subject Access Requests, and are handled centrally by the University's Information Compliance team.
This is a fundamental data protection right, and requests can be made verbally, as well as in writing. If you are a member of UEA staff and receive a request for personal information, and this is not something you would expect to handle in your day to day work, contact the team at email@example.com or ext. 2431/1143 as soon as possible. By law, we only have a limited time to respond to these requests, so quick action is required.
Data protection law doesn’t define specific time spans for the retention of different types of data, and instead says that personal data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed’. This is known as the 'storage limitation' principle, and is fundamental to data protection compliance.
In other words, if we no longer have a business need for personal data to be held and there are no legal reasons for it to be retained (e.g. someone has made an access request, or we are required by statute to keep the data), then it must be securely disposed of, or anonymised.
To help in making that decision, at UEA, all departments should have Records Retention Schedules. These documents describe the types of information the department uses, and how long that information should be kept for.
Email can cause problems for organisations because almost all messages will contain some kind of personal data, and many people simply never get round to deleting messages, or keep them ‘just in case’.
It might be difficult to justify the necessity of keeping many emails - for example those relating to students who are no longer at UEA - unless your department's Records Retention Schedule says that they must be kept for a specific reason.
There are lots of ways of managing your inbox, but it helps to automate the process where possible. For example, sort messages into relevant folders, then use the ‘Assign Policy’ tool to automatically delete messages in that folder after a certain period.
Any member of staff might be asked to provide a written or verbal reference, for example for a colleague or former student. As references will usually contain personal data of both parties, its important to understand the potential data protection implications.
You are not legally obliged to provide a reference, but the University does not prohibit you from doing so
In some Schools there may be an expectation that references will be provided for former students. Check if your School or department has a pro forma document you should use.
HRD may also be able to provide template letters to assist you in writing the reference
Any personal information you provide must be relevant and limited to what is necessary
Things to consider:
Is the person aware you've been approached to provide a reference?
Sometimes this is not clear. If in doubt, consider contacting the person to explain that you've been approached, and what information you can, and are willing to, provide. Although not strictly necessary, this ensures they are aware of how you will share their personal data.
Are you certain the request is legitimate?
Another good reason for contacting the person is to confirm that they were expecting you to be asked by that individual or organisation. Not all people seeking information about our staff or students are who they say they are: make sure that they have a legitimate need for the reference, and are not asking for unnecessary or excessive information.
Have you been asked to provide sensitive information (e.g. health data)?
There are different rules for using and sharing what is known as 'special category' data. If you are asked to comment on, for example, a person's health (or ill-health) you need to be certain that any information you provide is proportionate, justified, and lawful. Contact firstname.lastname@example.org for advice.
What if you can't contact the person?
It's not always possible or practical to let someone know that you've been approached to provide a reference about them. The Data Protection Act 2018 contains an exemption in relation to confidential references that means we are not obliged to explain how the person's data will be used, so it is possible to provide a reference without consulting with the person beforehand.
For students, we set out the expectation that the University may respond to basic reference requests in our student privacy notice. Our data protection policy explains further that ‘Where the University can confirm employment, student attendance or qualifications, and has not obtained explicit consent, the University will only disclose that information to verified and legitimate enquirers under certain limited circumstances where there is significant advantage to the data subject in so doing.’
Can the person see what you've written about them?
Confidential references are exempt from the right of subject access (people's legal right to request information an organisation holds about them). The exemption applies to the organisations providing and recieving the reference. Organisations are not obliged to apply this exemption, but many will choose to do so.
DATA PROTECTION AND 'LEGITIMATE INTERESTS': WHAT YOU NEED TO KNOW AND DO
The University will, where appropriate and allowed by law, rely on ‘legitimate interests’ as a lawful basis for handling personal data.
In this context, ‘Legitimate Interests’ means the interests of the University in how we conduct and manage our activities. It may also refer to the interest of a third party organisation, or the person whose data we are processing.
We might refer to legitimate interests when we want to use information in a way that we believe will benefit the University and the services we provide. However, as a public body, the University cannot rely on legitimate interests in all cases. Also, we cannot do something we think is in our legitimate interests if it causes undue harm to the person whose information we are using. We need to make sure we get the balance right in all cases.
Where we are relying on 'Legitimate Interests' as our legal basis for processing personal data we must do a Legitimate Interests Assessment (LIA). Our LIA template (Word doc.) can be downloaded and, once complete, sent to email@example.com for review.
USING EXTERNAL SOFTWARE (E.G. DROPBOX, SURVEYMONKEY)
We often get asked if it's ok for staff to use commercial software (e.g. Dropbox, Trello, Slack) to collect, store or otherwise process University personal data.
You might have heard that this is not allowed, 'because of GDPR'. Although this is not purely a data protection issue, here's what you need to know if you want to use non UEA-approved software for any activity involving personal data.
Many of these unofficial software tools offer useful – and sometimes free – services, but if they are used to process UEA personal data they can present the University with significant problems in complying with data protection law.
The law requires us to understand and record where our personal data is, how it is used, and who we share it with. It requires us to make sure our data is adequately secured, and that we have the appropriate written agreements with companies that process data on our behalf. We also need to know when our data is transferred outside the EEA, and put steps in place to protect it.
Although it might be possible to do all of the above with the software providers, the University has limited resource and cannot provide technical support and ensure data protection compliance for all potential software solutions.
Just because software is well-known, easy to use, or even free, it doesn’t automatically follow that it can be used for processing UEA personal data – regardless of whether it fulfils a unique or much-needed function. There is a hidden cost to even ‘free’ services.
What to do if you've found software you want to use
If new software is required you must involve ITCS at an early stage to make sure all relevant technical and data protection requirements are considered, and that we don’t replicate costly licences across the organisation. If the software will be used to process personal data, you must also involve the Information Compliance team.
As you can imagine, all of the above can take time to resolve – often several months. Our advice is to plan well in advance, ask for advice, and work together if possible.
There may be a University-approved alternative to the software you want to use. For example, Outlook's FindTime offers an alternative to DoodlePoll, and Forms (part of Office365) can be used instead of SurveyMonkey. Contact the IT Service Desk to find out more about the software available to you. Remember that not all software listed in the Software Centre (Application Catalogue) is suitable to be used for processing personal data.
Consequences of using non-approved software
The Conditions of Computer Use prohibits staff from using the University’s network and IT facilities in a way that would violate the privacy of others. It also states that continuing to use an item of software/hardware after ITCS has requested that such use cease would constitute ‘unacceptable use’. A breach of these conditions of use may lead to disciplinary proceedings and/or disconnection from the data network. In serious cases, this could result in dismissal for staff.