Colleges and public authority status under data protection legislation

Introduction

1. This paper sets out the likelihood that Colleges (and the University) will be designated as public authorities under the General Data Protection Regulation (GDPR), and the implications of such a designation. It also outlines some early proposals on how to address some of those implications. The GDPR will apply in the UK from 25 May 2018: it is anticipated that UK legislation (a new Data Protection Act) will come into force from that same date.

GDPR and public authorities

2. The GDPR does not define public authorities but does outline some key elements of how the GDPR applies to them specifically. In particular, data controllers designated as public authorities:
- may be restricted in which legal bases they are permitted to use to process data, notably a restriction on reliance on a controller's legitimate interest to do so (see Annex 1); and
- must employ or appoint a Data Protection Officer, a new governance role not dissimilar to an internal audit function (see Annex 2).

3. The GDPR derogates responsibility for designating the status of public authorities to national governments. The UK is responding to this (and other derogations) through the current Data Protection Bill.

The Data Protection Bill and public authorities

4. The Data Protection Bill clearly outlines the intention of the UK government that universities (and the Colleges) are designated as public authorities under national legislation. Its current draft reads:

    6 Meaning of "public authority" and "public body"
    (1) For the purposes of the GDPR, the following (and only the following) are "public authorities" and "public bodies" under the law of the United Kingdom:
        (a) a public authority as defined by the Freedom of Information Act 2000, subject to subsection (2),
        (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), subject to subsection (2), and
        (c) an authority or a body specified by the Secretary of State in regulations.
    (2) The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a "public authority" or "public body" for the purposes of the GDPR.
    (3) Regulations under this section are subject to the affirmative resolution procedure.

Colleges are caught due to their public authority status under the Freedom of Information Act.

5. Attention is drawn, however, to paragraph 6(2), outlining that the Secretary of State can otherwise exclude data controllers from the definition. A range of lobbying is currently taking place to establish the position of schools, universities and colleges, with two main approaches being taken by a range of lobbyists:
    i) to draft a legislative clause specifically excluding schools, universities and colleges from the definition in the Bill;
    ii) to draft a legislative clause to introduce the concept of a "hybrid body" (not recognised in the GDPR), whereby a public authority may have non-public functions for which it is not designated as a public authority (principally an approach to secure a broader range of legal bases for data processing than those outlined in the GDPR).
Annex 3 provides further information on those proposed lobbying positions.

6. The Department for Digital, Culture, Media and Sport (DCMS), the government department leading on data protection legislation, is on record as noting the importance of the use of legitimate interest as a legal basis for data processing by universities (see Annex 1 for further details).

7. The DCMS and the Information Commissioner are currently of the view that it is lawful to designate hybrid bodies in non-statutory guidance of the Information Commissioner (i.e. that the concept of hybrid bodies is not incompatible with the GDPR and/or the GDPR does not prevent legitimate interest being a legal basis for data processing by public authorities). This does not accord with the Counsel Opinions seen by the Office of Intercollegiate Services (Jonathan Swift QC; Hugh Tomlinson QC) or with informal advice from local solicitors (Penningtons; Mills and Reeve).

8. The University is currently relying on the stated views of the DCMS, and is working on the assumption that the University will be a public authority but will also be able to use its legitimate interest as a basis for data processing for its non-public functions (however they may be defined!).

9. In conclusion, at this point it is unclear whether Colleges will be designated as public authorities, but it is likely unless lobbying as outlined in paragraph 5i is successful. It is more likely that paragraph 5ii will be enacted. Consequently, it is recommended that Colleges should proceed on the basis that:
- they will continue to be able to use their legitimate interest to process personal data; and
- they will need to appoint or employ a Data Protection Officer.

Annex 1: the importance of legitimate interest as a legal basis for data processing

A1.1 As a reminder, the GDPR outlines the following legal bases for data processing (author's emphases):

    Article 6: Lawfulness of processing
    1. Processing shall be lawful only if and to the extent that at least one of the following applies:
        (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
        (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
        (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
        (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
        (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
        (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
    Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

A1.2 It is this last sentence that is causing the legal angst: the DCMS and the Information Commissioner are of the view that the inclusion of the phrase "in the performance of their tasks" limits the exclusion of 6(1)(f) to statutory public duties; as outlined in paragraph 7, a body of legal opinion disagrees with that interpretation.

A1.3 Where possible, Colleges are being advised to rely on a legal basis other than consent (6(1)(a)), as consent can only be relied upon where it can be freely withdrawn and processing stopped: in draft advice from the Information Commissioner, it is considered inappropriate where the data controller has authority over the data subject (i.e. both staff and students).

A1.4 For a large number of data processing functions, Colleges will rely on other legal bases as a matter of course, e.g.:

    necessary for the performance of a contract:
    - student applications and activities
    - staff applications and activities
    - Fellowship activities
    - data sharing with the University and CAm

    necessary for compliance with a legal obligation:
    - financial transactions
    - health and safety
    - PREVENT

A1.5 A large number of processes may be uncomfortably allocated to either of the above, but would more naturally fit with "necessary for the purposes of the legitimate interests pursued by the controller", including:
- alumni relations and fundraising; [1]
- national widening participation initiatives (e.g. tracking school students through their engagements with higher education institutions prior to any enrolment);
- sharing of personal data with the local council (to ease students' interactions relating to council tax liabilities);
- sharing of personal data with the student unions, and independent clubs and societies;
- pre-contact investigations into potential honorary Fellowships, or due diligence prior to external members' appointments onto College committees;
- informal disciplinary procedures;
- processing of personal data for network and information security purposes.
This list is not exhaustive, but is intended to give an indication of how limiting it may be to the business activities of the Colleges, or where there would be a serious lack of clarity about the legal basis for standard personal data processing.

[1] This activity has been the principal focus of discussions with the DCMS and the Information Commissioner to date.

Annex 2: Data Protection Officer(s) for the Colleges

A2.1 Articles 37-39 of the GDPR state that certain data controllers (and notably public authorities) must appoint a Data Protection Officer (DPO). This role is not like the roles currently designated as such in Colleges (which tend to focus on the operational matters relating to personal data protection and often reside in either IT or HR functions). The new DPO role is related much more to governance and counsel over the proper interpretation of the GDPR: it should not be interpreted as a parallel or expanded version of the existing data protection officer (dpo) roles nominated in Colleges under the Data Protection Act.

A2.2 The new DPO role is not an operational role and its appointment/designation must be discrete from data protection operational activities. Article 39 outlines what the person appointed is responsible for (author's emphases and [additions]):
    (a) to inform and advise the controller or the processor [the College] and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
    (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor [the College] in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
    (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
    (d) to cooperate with the supervisory authority [the Information Commissioner's Office (ICO)];
    (e) to act as the contact point for the supervisory authority [the ICO] on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

A2.3 In addition, the DPO is:
    a. expected to investigate and manage complaints from data subjects and to facilitate them in exercising their rights;
    b. required to ensure that any other duties/responsibilities they hold are not in conflict with these roles;
    c. appointed on the basis of their "professional qualities and, in particular, expert knowledge of data protection law and practices";
    d. to be in a position where he or she reports to the highest management level, without interference or instruction or risk of penalty or dismissal;
    e. provided with appropriate resources to carry out their duties, including their own professional development; and
    f. accessible to any data subject for the discussion of any issues or management of their rights.
A person can act as a DPO for more than one organisation, making the appointment/outsourcing of a DPO for two or more Colleges a possibility.

A2.4 Colleges, as small organisations, will likely find the identification/appointment of an in-house Data Protection Officer who can be sufficiently independent challenging: the role is unlikely to involve a significant volume of work but would otherwise need to act quickly (e.g. data breaches need resolution and reporting within 72 hours).

A2.5 Various options which could be explored by Colleges, individually and collectively, are:

    i. Designation of a senior member of the College to fulfil the role
    The allocation of the role to a member of the governing body (Fellow) is a possibility, but would require that person to remain apprised of both UK and EU data protection law and practice. The role will also not obviate the need for other members of the College to manage the operational aspects of personal data protection.

    ii. Designation of a senior member from another College to fulfil the role
    Each College already has a senior person with responsibility for data protection matters (commonly referred to as a "data protection officer" but, to avoid confusion, here referred to as a "data protection manager"): this is often the Bursar of the College. This option would be for the data protection manager of one College to be appointed as the formal Data Protection Officer for another College. (It would need to be clarified whether Colleges would pair up, or otherwise collaborate in small groups, to act for one another in this way.) All data protection managers would need to remain apprised of both UK and EU data protection law and practice, in order to advise the other College(s) formally.

    iii. Employment of a Data Protection Officer for the Colleges
    As outlined above, a single Data Protection Officer may act for more than one data controller: it would be feasible to consider the appointment of a member of staff within the Office of Intercollegiate Services to perform the role for all Colleges. A role profile and an estimate of salary/volume would need to be drawn up.

    iv. Employment of a Data Protection Officer for the Colleges in collaboration with the University
    Instead of a discrete post for the Colleges, the possibility of a jointly-funded post with the University could be explored. An advantage of this approach would be that it could cover issues and concerns which stretch across the collegiate University. Again, a role profile and an estimate of salary/volume would need to be drawn up, with an additional exercise of negotiating how to divide the costs of the post between the University and the Colleges.

    v. Engagement of an external firm on retainer
    It is highly likely that law firms and/or independent auditors will offer services in this area, although no clear marketing of such services is evident at the moment, making it unclear whether this would be more cost-effective than other models.

    vi. Engagement of an external firm on retainer as part of the collegiate University
    Similar to the above, but retaining external services alongside the University may offer the opportunity of a more effective negotiated rate.

Annex 3: proposed lobbying amendments to Clause 6 of the Data Protection Bill

Option 1: clause to exclude schools, universities and colleges from the definition

The below amendment would enshrine in the legislation a more permanent way of exercising the powers indicated in clause 6(2):

    6 Meaning of "public authority" and "public body"
    (1) For the purposes of the GDPR, the following (and only the following) are "public authorities" and "public bodies" under the law of the United Kingdom:
        (a) a public authority as defined by the Freedom of Information Act 2000 (with the exception of those public authorities listed in Part IV of Schedule 1 to that Act), subject to subsection (2),
        (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13) (with the exception of those public authorities listed in Part 5 of Schedule 1 to that Act), subject to subsection (2), and
        (c) an authority or a body specified by the Secretary of State in regulations.
    (2) The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a "public authority" or "public body" for the purposes of the GDPR.
    (3) Regulations under this section are subject to the affirmative resolution procedure.

Option 2: clause to legislate for hybrid bodies

The below amendment would legitimise the concept of "hybrid bodies":

    6 Meaning of "public authority" and "public body"
    (1) For the purposes of the GDPR, the following (and only the following) are "public authorities" and "public bodies" under the law of the United Kingdom:
        (a) a public authority as defined by the Freedom of Information Act 2000, subject to subsection (2),
        (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), subject to subsection (2), and
        (c) an authority or a body specified by the Secretary of State in regulations.
    (2) The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a "public authority" or "public body" for the purposes of the GDPR.
    (3) Regulations under this section are subject to the affirmative resolution procedure.
    (4) In the second subparagraph of Article 6(1) of the GDPR (lawfulness of processing), the tasks of public authorities as defined in this paragraph are limited to their official functions as laid down by European Union law or the law of the United Kingdom or a part of the United Kingdom.