Data protection guidance and policy documents

This page lists guidance and policy documents available to UEA staff, and covers issues the data protection team are asked about most frequently.

UK data protection law has recently been revised and expanded, and we will regularly add to and update this page to reflect changes to the law. 

If you'd like further information on any of these documents, contact the Information Compliance team at dataprotection@uea.ac.uk, or +44 (0)1603 59 2431/1143. 

What do you need to know about?

GENERAL INFORMATION ABOUT DATA PROTECTION AT UEA

For a quick overview of the essentials, see our Data protection pamphlet.

Remember, all staff must complete data protection training, which must be refreshed each year. Our online training is available via Blackboard, or via this link.

HOW TO WRITE A 'PRIVACY NOTICE'

The University's primary privacy notices should cover most of the ways in which we collect and handle personal data; however, there will be occasions where separate privacy notices are required (e.g. because data will be collected for a specific purpose that doesn't apply to a wide range of people). The following guidance and supplementary text is designed to assist staff who need to create a specific privacy notice. The data protection team must be informed of any new privacy notices (see checklist below).

Guidance

Template text

The ICO has published a template privacy notice that can be tailored to fit your needs.

Supplementary text

  • 'Further Information' web page (Staff can add this link to any privacy notice they create to ensure that some of the standard information required by GDPR is included in their notice)
  • Data protection text for web forms (Staff who collect personal data via web forms can use this link when creating a privacy notice for their form)

DATA PROTECTION RIGHTS

WHAT TO DO IF SOMEONE REQUESTS A COPY OF INFORMATION WE HOLD ABOUT THEM

People are entitled to request a copy of the personal information the University holds about them. These requests are commonly known as Subject Access Requests, and are handled centrally by the University's Information Compliance team.

This is a fundamental data protection right, and requests can be made verbally as well as in writing. If you are a member of UEA staff and receive a request for personal information, and this is not something you would expect to handle in your day-to-day work, contact the team at dataprotection@uea.ac.uk or ext. 2431/1143 as soon as possible. By law, we only have a limited time to respond to these requests, so quick action is required.

Guidance for staff who may hold data required for a Subject Access Request

Information to be recorded by staff who receive a verbal Subject Access Request (Word doc.)

GETTING CONSENT TO USE PERSONAL DATA

See our Consent checklist (Word doc.)

SHARING PERSONAL DATA - INSIDE AND OUTSIDE UEA

See our webpages on sharing personal data.

DATA PROTECTION AND 'LEGITIMATE INTERESTS': WHAT YOU NEED TO KNOW AND DO

The University will, where appropriate and allowed by law, rely on ‘legitimate interests’ as a lawful basis for handling personal data.

In this context, ‘Legitimate Interests’ means the interests of the University in how we conduct and manage our activities. It may also refer to the interest of a third party organisation, or the person whose data we are processing.

We might refer to legitimate interests when we want to use information in a way that we believe will benefit the University and the services we provide. However, as a public body, the University cannot rely on legitimate interests in all cases. Also, we cannot do something we think is in our legitimate interests if it causes undue harm to the person whose information we are using. We need to make sure we get the balance right in all cases.

Where we are relying on 'Legitimate Interests' as our legal basis for processing personal data we must do a Legitimate Interests Assessment (LIA). Our LIA template (Word doc.) can be downloaded and, once complete, sent to dataprotection@uea.ac.uk for review. 

Further information

See the ICO's Legitimate Interests slideshow for an overview of the key issues.

USING EXTERNAL SOFTWARE (E.G. DROPBOX, SURVEYMONKEY)

We often get asked if it's ok for staff to use commercial software (e.g. Dropbox, Trello, Slack) to collect, store or otherwise process University personal data. 

You might have heard that this is not allowed 'because of GDPR'. Although this is not purely a data protection issue, here's what you need to know if you want to use non-UEA-approved software for any activity involving personal data.

The problem

Many of these unofficial software tools offer useful – and sometimes free – services, but if they are used to process UEA personal data they can present the University with significant problems in complying with data protection law.

The law requires us to understand and record where our personal data is, how it is used, and who we share it with. It requires us to make sure our data is adequately secured, and that we have the appropriate written agreements with companies that process data on our behalf. We also need to know when our data is transferred outside the EEA, and put steps in place to protect it. 

Although it might be possible to do all of the above with the software providers, the University has limited resource and cannot provide technical support and ensure data protection compliance for all potential software solutions. 

Just because software is well-known, easy to use, or even free, it doesn’t automatically follow that it can be used for processing UEA personal data – regardless of whether it fulfils a unique or much-needed function. There is a hidden cost to even ‘free’ services.

What to do if you've found software you want to use

If new software is required you must involve ITCS at an early stage to make sure all relevant technical and data protection requirements are considered, and that we don’t replicate costly licences across the organisation. If the software will be used to process personal data, you must also involve the Information Compliance team.

As you can imagine, all of the above can take time to resolve – often several months. Our advice is to plan well in advance, ask for advice, and work together if possible. 

Alternative software

There may be a University-approved alternative to the software you want to use. For example, Outlook's FindTime offers an alternative to DoodlePoll, and Forms (part of Office365) can be used instead of SurveyMonkey. Contact the IT Service Desk to find out more about the software available to you. Remember that not all software listed in the Software Centre (Application Catalogue) is suitable to be used for processing personal data.

Consequences of using non-approved software

The Conditions of Computer Use prohibit staff from using the University’s network and IT facilities in a way that would violate the privacy of others. They also state that continuing to use an item of software/hardware after ITCS has requested that such use cease would constitute ‘unacceptable use’. A breach of these conditions of use may lead to disciplinary proceedings and/or disconnection from the data network. In serious cases, this could result in dismissal for staff.

WHERE TO FIND EXTERNAL GUIDANCE

Information Commissioner's Office Guide to Data Protection and Guide to the General Data Protection Regulation (GDPR)

European Data Protection Board

Article 29 Working Party GDPR Guidelines (EU level guidance)

UEA policies

Data Protection Policy (updated May 2018)

The following policies also relate to the use of and access to personal data at UEA: