Remember, all staff must complete data protection training, which must be refreshed each year. Our online training is available via Blackboard, or this link.
HOW TO WRITE A 'PRIVACY NOTICE'
The University's primary privacy notices should cover most of the ways in which we collect and handle personal data; however, there will be occasions where separate privacy notices are required (e.g. because data will be collected for a specific purpose that doesn't apply to a wide range of people). The following guidance and supplementary text is designed to assist staff who need to create a specific privacy notice. The data protection team must be informed of any new privacy notices (see checklist below).
WHAT TO DO IF SOMEONE REQUESTS A COPY OF INFORMATION WE HOLD ABOUT THEM
People are entitled to request a copy of the personal information the University holds about them. These requests are commonly known as Subject Access Requests, and are handled centrally by the University's Information Compliance team.
This is a fundamental data protection right, and requests can be made verbally as well as in writing. If you are a member of UEA staff and receive a request for personal information, and this is not something you would expect to handle in your day-to-day work, contact the team at email@example.com or ext. 2431/1143 as soon as possible. By law, we only have a limited time to respond to these requests, so quick action is required.
DATA PROTECTION AND 'LEGITIMATE INTERESTS': WHAT YOU NEED TO KNOW AND DO
The University will, where appropriate and allowed by law, rely on ‘legitimate interests’ as a lawful basis for handling personal data.
In this context, ‘Legitimate Interests’ means the interests of the University in how we conduct and manage our activities. It may also refer to the interest of a third party organisation, or the person whose data we are processing.
We might refer to legitimate interests when we want to use information in a way that we believe will benefit the University and the services we provide. However, as a public body, the University cannot rely on legitimate interests in all cases. Also, we cannot do something we think is in our legitimate interests if it causes undue harm to the person whose information we are using. We need to make sure we get the balance right in all cases.
Where we are relying on 'Legitimate Interests' as our legal basis for processing personal data we must do a Legitimate Interests Assessment (LIA). Our LIA template (Word doc.) can be downloaded and, once complete, sent to firstname.lastname@example.org for review.
USING EXTERNAL SOFTWARE (E.G. DROPBOX, SURVEYMONKEY)
We often get asked if it's ok for staff to use commercial software (e.g. Dropbox, Trello, Slack) to collect, store or otherwise process University personal data.
You might have heard that this is not allowed 'because of GDPR'. Although this is not purely a data protection issue, here's what you need to know if you want to use non-UEA-approved software for any activity involving personal data.
Many of these unofficial software tools offer useful – and sometimes free – services, but if they are used to process UEA personal data they can present the University with significant problems in complying with data protection law.
The law requires us to understand and record where our personal data is, how it is used, and who we share it with. It requires us to make sure our data is adequately secured, and that we have the appropriate written agreements with companies that process data on our behalf. We also need to know when our data is transferred outside the EEA, and put steps in place to protect it.
Although it might be possible to do all of the above with the software providers, the University has limited resource and cannot provide technical support and ensure data protection compliance for all potential software solutions.
Just because software is well-known, easy to use, or even free, it doesn’t automatically follow that it can be used for processing UEA personal data – regardless of whether it fulfils a unique or much-needed function. There is a hidden cost to even ‘free’ services.
What to do if you've found software you want to use
If new software is required you must involve ITCS at an early stage to make sure all relevant technical and data protection requirements are considered, and that we don’t replicate costly licences across the organisation. If the software will be used to process personal data, you must also involve the Information Compliance team.
As you can imagine, all of the above can take time to resolve – often several months. Our advice is to plan well in advance, ask for advice, and work together if possible.
There may be a University-approved alternative to the software you want to use. For example, Outlook's FindTime offers an alternative to DoodlePoll, and Forms (part of Office365) can be used instead of SurveyMonkey. Contact the IT Service Desk to find out more about the software available to you. Remember that not all software listed in the Software Centre (Application Catalogue) is suitable to be used for processing personal data.
Consequences of using non-approved software
The Conditions of Computer Use prohibits staff from using the University’s network and IT facilities in a way that would violate the privacy of others. It also states that continuing to use an item of software/hardware after ITCS has requested that such use cease would constitute ‘unacceptable use’. A breach of these conditions of use may lead to disciplinary proceedings and/or disconnection from the data network. In serious cases, this could result in dismissal for staff.