How do I handle information within the law?
The rules for good information handling include the following.
Personal data must be:
1. Processed lawfully, fairly and in a transparent way.
- This means we must be open and honest about how we use individuals’ data.
We do this by providing privacy notices (sometimes called privacy policies or, in research, participant information sheets). A privacy notice gives individuals important information about how their personal data is collected and used.
There are a number of University-wide privacy notices, for various users and situations.
https://www1.admin.ox.ac.uk/councilsec/compliance/gdpr/privacynotices/
If your activity is not covered by one of these notices, you will need to provide your own privacy notice. Our privacy notice toolkit will help you to put this together.
https://www1.admin.ox.ac.uk/councilsec/compliance/gdpr/guidance/privacynoticetoolkit/
- We must have a lawful basis for processing personal data.
No collection or use of personal data can take place unless there is a lawful basis for it. We must include the lawful basis in privacy notices.
There are six lawful bases in the GDPR. Consent is one of them, but in many cases it is not the most appropriate. There is guidance on the Information Compliance Team website to help you identify the most appropriate lawful basis. (If you’re handling special category data, you will need to satisfy other requirements, too.)
- We must consider individuals: they must not suffer unjustified harm from our use of their personal data.
- If we are sharing personal data with other people or organisations, or transferring it overseas, we need to do so safely.
2. Collected for specified, explicit and legitimate purposes.
- This means data must only be used for the purpose stated in a privacy notice or as individuals would reasonably expect.
- This also means that, if a new purpose arises, you can only use the data for that purpose if it is compatible with the purpose stated in the privacy notice and if you tell individuals about the new purpose.
3. Adequate, relevant and limited to what is necessary.
This means:
- we must not collect, use or store more personal data than is strictly necessary;
- all processing activities must be kept to a minimum; and
- access to personal data is limited to those people with a ‘need to know’.
4. Accurate and where necessary kept up to date.
5. Kept only for as long as is strictly necessary and deleted or destroyed when no longer required.
This means:
- we must tell individuals in our privacy notice how long we will keep their personal data for; and
- we must have retention schedules that identify how long we will keep personal data and why we are keeping it, and we must implement those schedules. For example, personnel files and training records should be disposed of six years after University employment ends, as detailed in ‘Retention periods for University personnel records’.
https://www1.admin.ox.ac.uk/personnel/recruit/rec_recs/retention/#d.en.72020.
There are similar schedules for the retention of student records.
https://www1.admin.ox.ac.uk/councilsec/compliance/gdpr/guidance/retentionofstudentrecords/
Retention periods are based on:
- statutory or regulatory requirements;
- historical value (archives); and
- demonstrable and justifiable business need.
6. Processed in a way that is secure.
This means:
- personal data must be protected against accidental loss, destruction or damage; and
- if the security of personal data is compromised, this is a data breach.
7. Processed in an accountable way.
The GDPR requires us to keep records to demonstrate how we comply with all these rules.