Data protection legislation sets out rules and standards for the use and handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’) by organisations (‘data controllers’). It is based around the notions of principles, rights and accountability obligations.
The law applies to organisations in all sectors, both public and private. It applies to all electronic records as well as many paper records. It doesn’t apply to anonymous information or to information about the deceased.
Since 1 January 2021, the principal legislation has been the UK version of the General Data Protection Regulation (the ‘UK GDPR’), coupled with the Data Protection Act 2018 (DPA 2018) that supplements the UK GDPR in specific ways. The UK GDPR is almost identical to the EU-wide GDPR that applied from 25 May 2018 to 31 December 2020, with minor technical changes to allow its provisions to work within a UK-only context.
The EU GDPR itself replaced the Data Protection Act 1998 (DPA 1998) and the numerous Statutory Instruments issued pursuant to it. There is also supplementary data protection legislation covering specific topics, such as direct marketing. The legislation is regulated in the UK by the Information Commissioner’s Office (ICO) as well as the courts. The DPA 2018 delineates the regulatory powers of the ICO as well as introducing various criminal offences.
Data controllers processing personal data must follow – and be able to demonstrate that they are following – the data protection principles.
There are six principles. Personal data must be processed following these principles so that the data are:
- Processed fairly, lawfully and transparently – and only if there is a valid ‘legal basis’ for doing so
- Processed only for specified, explicit and legitimate purposes
- Adequate, relevant and limited
- Accurate (and rectified if inaccurate)
- Not kept for longer than necessary
- Processed securely – to preserve the confidentiality, integrity and availability of the personal data
Depending on the context, there are full or partial exemptions from the principles when processing personal data for specific purposes, including academic research.
Data subjects are given various rights, which are free to exercise:
- The right to be informed of how their personal data are being used – this right is usually fulfilled by the provision of ‘privacy notices‘ as described below
- The right of access to their personal data – accessing personal data in this way is usually known as making a ‘subject access request‘
- The right to have their inaccurate personal data rectified
- The right to have their personal data erased where appropriate – known as the right to be forgotten
- The right to restrict the processing of their personal data pending its verification or correction
- The right to receive copies of their personal data in a machine-readable and commonly-used format – known as the right to data portability
- The right to object: to processing (including profiling) of their personal data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest
- The right not to be subject to a decision based solely on automated decision-making using their personal data
A response to a rights request needs to be sent within one month. However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions (for example, nearly all the rights do not apply if the personal data are being processed solely in an academic research context).
JBSEEL (like most UK data controllers) is required to pay an annual fee to the ICO and to be included in its register of fee payers. JBSEEL’s register entry number is Z9914531. The University of Cambridge and Cambridge Colleges of the University are separate legal entities and data controllers for the purposes of data protection legislation.
Data protection legislation imposes certain accountability obligations on all data controllers which include:
- Implementing policies, procedures, processes and training to promote ‘data protection by design and by default’
- Having appropriate contracts in place when sharing personal data – especially when outsourcing functions that involve the processing of personal data and/or transferring the personal data
- Maintaining records of the data processing that is carried out across the organisation
- Documenting and reporting personal data breaches both to the ICO and the affected data subjects
One of JBSEEL’s most important accountability obligations under data protection legislation concerns personal data breaches – that is, personal data held by JBSEEL is lost, stolen, inadvertently disclosed to an external party, or accidentally published. If a personal data breach occurs, this should be reported immediately to the Data Protection Officer ([email protected]), who will then inform Cambridge Judge Business School’s Compliance Team ([email protected]m.ac.uk).
Some types of personal data breach have to reported to the ICO and the affected data subjects within short timeframes, so recognising and reporting them internally is crucial.
An important aspect of complying with data protection legislation is being open and transparent with individuals about how their personal data will be used. The supply of this information – through documents variously known as ‘privacy notices’, ‘data protection statements’, ‘data collection notices’, ‘privacy policies’ and numerous other interchangeable terms – takes places in numerous targeted ways depending on the context of the interaction with the individual. JBSEEL’s core privacy notices are available below:
- JBSEEL Data Protection Policy (approved May 2018; updated March 2021)
- JBSEEL Privacy Notices (approved May 2018; updated March 2021)
Who to contact
For data protection and records management:
For Freedom of Information requests and enquiries:
To withdraw your consent to receive marketing communications from JBSEEL:
Data protection and Brexit
As explained in the Legislation section of this webpage, from 1 January 2021 (ie the end of the Brexit transition period), all the substantive provisions of the EU-wide GDPR (as supplemented by the DPA 2018) about principles, rights and accountability obligations continue to apply in the UK through the ‘UK GDPR’.
The EU-UK Trade and Cooperation Agreement announced on 24 December 2020 contains some data protection provisions. Most importantly, it includes a ‘bridging’ mechanism that allows the continued free flow of personal data from EEA-based organisations to UK-based organisations for up to six months (ie until the end of June 2021). During this period, it is hoped that the UK will be granted a data protection ‘adequacy finding’ from the European Commission, which would mean that such personal data transfers can continue without additional safeguards. The first step towards achieving this adequacy decision took place on 19 February 2021, with the publication of the Commission’s draft adequacy decision; this is now proceeding through the formal EU mechanisms before adoption.
Wider information on the topic has been published by:
- the UK Government
- the ICO (including its statement on the data protection provisions within the EU-UK Trade and Cooperation Agreement)
- from an EU perspective, the European Data Protection Board