Handling personal data responsibly is vital to managing a student group or any sort of organisation. Adibing by Data Protection laws should be treated as seriously as any other laws. It may sometimes feel over-precautious to take such a careful approach to handling personal data but individual rights relating to data are tightly protected by the new laws that came into effect in May 2018 - rightly so, given the access organisations have to information on all of us.
It's important to remember that the information you hold on your members is unique to them and you have a responsibility to ensure that it is looked after carefully. There are many high profile losses, misuses and thefts of data reported in the media so the reasons for looking after personal data should be fairly obvious; the potential for identity fraud, nuisance marketing etc. means that the risks around personal data handling need to be carefully managed.
When dealing with any personal data, ask yourself:
'Would I want my personal information to be handled in this way?'
As a Data Controller, the Union has a responsibility to make sure that we are working within the law. As a volunteer handling personal data on behalf of the Union, you too need to make sure you take this responsibility seriously.
The Union has a privacy notice that covers much of the information that it collects and processes on students, staff and people external to Imperial. However, you may need to have your own Privacy Policy if you are handling any personal information not covered by the Union policy. More information on this is available on the Documentation article.
General Data Protection Regulations (GDPR)
On 25th May 2018, new laws came into effect governing the way data should be collected and processed. The General Data Protection Regulations (GDPR) set out new rights and protections with regards to Data Protection and codified many elements already set out in the Data Protection Act (1998). These are EU-wide laws that will remain part of British law after Britain leaves the EU as the new Data Protection Act.
Under GDPR, regulatory bodies are given wider powers to issue fines, with organisations facing fines of up to €20million or 4% of global turnover (whichever is higher) for the worst breaches of the law. In the worst cases, criminal charges can be made against individuals if matters are referred to the police.
Individual Rights
Under GDPR, there are 8 rights that everyone has in regards to their personal data. These are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
You can find out more about these rights on the Information Commissioner's Office website. It is important that these rights are respected when you handle personal data and that you have provisions in place to be able to meet these requirements.
Handling Data day-to-day
As a responsible guardian of personal data, you need to make sure you have appropriate measures in place to collect, store, update and remove personal data. The Union needs to be able to respond to Subject Access Requests and Data Breaches quickly so it is vital that you keep any personal data that you hold safe and in an organised way. This means:
- Only storing personal data within College or Union systems (they are secure, are backed up for 30 days and makes it easy to know where everything is etc.)
- Making your members, customers or clients aware of how you are using their data if you are collecting it
- Removing data that is inaccurate, out of date or no longer being used
- Avoiding giving out personal data or making sure data sharing agreements are in place with third parties if you need to share data
- Making sure you have process in place to be able to update and remove personal information or suspend processing of data if requested
A few more practical examples are covered later in this guide, but if you have any specific questions you should get in touch with the activities team - it is better to ask first if you are not sure than to do something that could potentially result in an unlawful use of personal data.
This collection contains information relating to the following areas: