The GDPR comes into effect on 25 May 2018, replacing the Data Protection Act 1998 (DPA).
The implementation will require comprehensive changes to the way in which we collect, use and transfer personal data. A GDPR Working Group, chaired by the Director of Student Plus, has been set up to examine the impact on university operations and to oversee the implementation of any changes required. All Faculties and Directorates are represented on the Group.
Further Information Sessions will be arranged early in the 2018-19 academic year. These are open to all staff and are intended to raise awareness of the changes required and to make practical suggestions as to how these can be implemented. Each session will last for one hour and will be self-bookable via ITrent.
Staff are welcome to forward, in advance, any specific questions, queries or issues they would like to be raised at these sessions to: email@example.com
The GDPR has been designed not only to harmonise Data Protection practices across the European Union, but specifically to strengthen the rights of Data Subjects.
The University is ensuring that its processes and procedures will comply with the GDPR. Please revisit this page as further updates are posted.
If you have any questions please contact the Information Compliance Unit by telephone on 028 9097 2506 or by emailing firstname.lastname@example.org.
The following dropdown contains important information on changes to Consent, Privacy notices and Data Privacy impact assessments - guidance will continue to be added.
The GDPR provides some clarity on what will constitute “valid” consent:
“This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.
Silence, pre-ticked boxes or inactivity should therefore not constitute consent”.
Please refer to this CHECKLIST to ensure that any consent you gain from individuals meets these new higher standards.
To meet the enhanced accountability requirements under the GDPR, we must be open and transparent about how we process an individual’s personal information.
A privacy notice is a statement, or document, that discloses the ways in which an organisation will obtain, record, hold, alter, retrieve, destroy or disclose personal information.
The University undertakes a wide range of processing, and this is reflected in our existing privacy notices for students and alumni. Staff collecting and using personal data at a more local level, in Directorates and Faculties, will need to provide privacy notices of their own; as will researchers processing personal data as part of a study.
The GDPR will require us to have the information listed below as part of a Privacy Notice:
The Information Commissioner’s Office (ICO) has published a revised Privacy Notices Code of Practice to assist organisations in preparing a clear and effective privacy notice.
Carrying out a Privacy Impact Assessment, to ensure that all projects and new systems are built with appropriate security measures and are compliant, will become a legal requirement under the GDPR. For high-risk situations, we will be required to consult with the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
Carrying out an impact assessment at the start of a project ensures privacy by design and compliance with legislation, and ensures that systems are built with security from the outset and that risks are managed. This often results in better and cheaper solutions, as adding in good security at a later date can be costly. We must carry out a Privacy Impact Assessment when:
This is likely to include the following:
Please get in touch with the Information Compliance Unit for assistance if you are starting a new project or system that uses personal data. A pre-screening questionnaire can be downloaded here. If you answer "Yes" to any of the questions, a full Assessment should be undertaken.
A template Privacy Impact Assessment can be downloaded here.
These are notices, made available online to be viewed at any time in a variety of accessible formats, which describe what personal data we hold, process and, where necessary, share with third parties. They describe our legal basis for doing so, as well as the retention details and your own rights in relation to your personal/sensitive data.
A Privacy Notice template has been made available and can be used for any part of the business which requires a notice for their own system, process, event or programme.
Overarching privacy notices will be provided for all staff, students and applicants.
When preparing internal email communications it is important to consider the following:
a) Ensure that any opinions on other staff or student members are clearly stated as such, including who owns the opinion.
b) Only include in your communications what you would be prepared to discuss in a public forum.
c) Ensure that recipient addresses are correct and do not rely solely on the ‘auto fill’.
d) Ensure that any files you send which contain sensitive or personal data are password protected and/or encrypted.
When sending communications to students or external parties please consider the following:
a) Ensure that the recipient address is correct.
b) When sending bulk communications to students or external partners, ensure Blind CC (BCC) is used, so as to mask the email addresses of recipients.
c) Consider, before sending, what data is being shared or transferred, and determine whether it would be better to add further protection in the form of password protection.
The use of ‘consent’ as a legal basis for processing personal data has changed under GDPR. Consent should be able to be withdrawn ‘without any detriment to individuals’. The overuse of consent, when asking individuals to constantly ‘consent’ to us using their data, can create ‘consent fatigue’, and there are usually other more appropriate methods of processing data, such as using ‘legitimate interests’.
It is important to remember that if we are asking someone to sign up to a product, service, event or database etc. this is their ‘active opt in’ as it were. We don’t then need to ask for their consent to process their data. We now have a ‘legitimate interest’ in processing their data or potentially, if they have agreed to terms and conditions, we have a ‘contractual’ obligation to process their data. We may wish to seek consent for specific marketing options (e.g. Would you like to receive email/letters on future events?), as this can be withdrawn without detriment to the individual’s access to the service/event.
Queen's University Belfast is registered with the Charity Commission for Northern Ireland NIC101788