Frequently asked questions
The UK GDPR and the Data Protection Act 2018 apply to the handling of any personal data by an organisation for the purposes of their business.
Any organization that processes personal data is required by law to abide by UK data protection law.
St George’s, University of London has to comply with the UK GDPR and DPA 2018 when dealing with its personal data, and any St George’s member involved in the processing of that data must have regard for its confidentiality, accuracy and security.
Data protection law governs the protection of personal data in the UK irrespective of the nationality of the individual it relates to.
Compliance with data protection law in the UK is regulated by the Information Commissioner’s Office.
Personal data is information relating to a living individual who can be identified from that data, either directly or from other information which you either have in your possession or which you have access to.
The individual to whom the data relates is referred to as the ‘data subject’.
Information about a deceased person is not covered by the Data Protection Act.
Examples of personal data include:
Personal data can also include ‘expressions of opinion’, either those made about the individual by another person or the opinions of the individual themselves.
You may consider your bank account details or information about what you earn to be ‘sensitive’ data. But for the purposes of the Data Protection Act, sensitive personal data are defined in very specific terms.
This category of data comprises information relating to an individual’s:
- racial or ethnic origin
- political opinions or affiliations
- religious beliefs or beliefs of a similar nature
- trade union membership
- physical or mental health
- sexual life
- involvement in the commission (or alleged commission) of a criminal offence
- involvement in legal proceedings for an offence they have committed or been alleged to have committed, or the sentencing of the court in relation to any offence or alleged offence.
In order to justify the processing of sensitive personal data you would need to meet criteria laid out in Schedule 3 of the Data Protection Act.
‘Processing’ covers any activity you perform when handling personal data.
Examples of processing include:
- collecting information, eg via an application form, through an interview or over the phone
- using information for administration or for marketing purposes
- storing information, eg in a filing cabinet or on a computer
- photocopying information
- data matching / mining / profiling
- destroying information, eg shredding files or deleting data from a disc.
Even just accessing information in a file or reading it on your computer screen can be considered processing.
Under the Data Protection Act only two people have the right to access someone’s personal data: the individual who is the subject of the data and the Information Commissioner.
Within the organisation itself access to personal data should be restricted to authorised staff only, ie the staff directly responsible for processing it.
If a person wants to find out what information an organisation holds about them they can submit a ‘subject access request’.
That organisation is then obliged to provide copies of all the personal data relating to that individual, and this must be done within a 40-day period.
There are exemptions to the information you are compelled to provide with a subject access request, but these are very few and quite specific.
For example, you do not have to provide copies of references you have written about the person which have been sent to another organisation, such as a job reference. In this situation the data subject would need to request this information from the organisation who was in receipt of the reference.
You also need to be careful when the information you are being asked for references another person. This may involve redacting before providing copies, or obtaining the consent of the other person mentioned (if appropriate).
NB you should always seek advice from the Data Protection Officer before disclosing personal data.
External enquiries and requests for access to personal information (including those from St George’s members) should be passed to St George’s Data Protection Officer. Where relevant this should be done via your line manager.
Requests must be dealt with promptly to ensure the university responds within the required deadline. Failure to do so could result in action being taken by the Information Commissioner.
The Data Protection Act does not give the police an automatic right to access information an organisation holds about an individual.
The only time you are obliged to release information to the police is if the request is accompanied by an official warrant or other court document.
However, there may be occasions where it is appropriate to disclose information even without a legal document requiring you to do so, for example when it relates to the detection or prevention of crime.
Section 29 of the Data Protection Act outlines a list of exemptions which allow an organisation to release data to someone other than the data subject without being in breach of the Act.
This may not necessarily involve disclosing to the police specifically; it could be to another investigatory body, such as HMRC, the Department for Work and Pensions or the UK Border Agency.
In order to process personal data you need to identify a valid reason to process that data in the first place, ie the processing must be lawful under the Data Protection Act.
The criteria for processing personal data are covered by Schedule 2 of the Data Protection Act.
If you are processing sensitive personal data you will also need to meet criteria under Schedule 3 of the Data Protection Act.
You must also have clearly defined the purpose for obtaining the data. Your data subjects, eg your research project participants, should be fully aware of why you are collecting the information, what you’re going to be doing with it, who you are going to share it with, how long you will be keeping it and so on.
Any new processing of personal data will require a Data Protection Impact Assessment (DPIA) to be carried out. Details on DPIAs and the template to be completed can be found under Information and Technical Security Policies.
When it comes to processing data for research purposes, the Data Protection Act allows for exemptions to two of the eight data protection principles.
The first is an exemption from the second principle, which allows research data to be kept and used for other ‘related’ purposes.
The second is an exemption from the fifth principle, which effectively means that data processed for research purposes can be kept indefinitely.
All other principles must be taken to apply.
Researchers should also make sure that they understand what ‘anonymised’ data means and the criteria that must be met before data can be described as ‘anonymised’.