Data Protection Principles & Applications
About
- Key Terminology of GDPR
- Personal Data Incident & Breach Management
- Data Protection Principles & Applications
- Six Legal Bases for Processing – GDPR Article 6
- Data Subject Rights
- Processing Special Category Personal Data – GDPR Article 9
- International Data Transfers
- Personal Data & Scientific Research
- Research Using Health Related Personal Data
- Data Privacy & Security Training
- Data Protection and its Scope
- Data Protection Obligations of the University
- Role of the DPO
Data Protection Principles & Applications
GDPR, in Article 5, sets out key principles which lie at the heart of the general data protection regime. They both directly and indirectly influence the other rules and obligations found throughout the legislation. On this page below you can find practical instructions on what the University/you need to do to put the principles into practice.
The principles are:
- Lawful, fair & transparent processing
- Purpose limitation
- Minimisation of processing
- Data accuracy/quality
- Storage limitation
- Integrity, security & confidentiality
- Accountability
LAWFUL, FAIR & TRANSPARENT: Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
What are examples of measures that UCD/you need to take to deliver on the principle of lawfulness, fairness, and transparency?
- Provide individuals with Privacy Notices in advance of any data collection
- Update privacy notices regularly
- Identify one or more Legal Basis for the processing
- Put appropriate agreements and contracts in place when transferring personal data outside the EU
- As appropriate, put one of the following in place, when you share personal data with other organisations: controller-processor contract; joint controller agreements; data sharing agreements; so that each party is clear about their roles and responsibilities
PURPOSE LIMITATION: Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.
What are examples of measures that UCD/you need to take to deliver on the principle of purpose limitation?
- Stick to what you have said in your privacy notice!
- It is important to decide on the legal basis for processing from the outset and state this in your privacy notice. Don’t change purposes later If your processing is based on consent and you want to use the data for a new purpose AND if you have existing permission to re-approach data subjects again, you need to do so and get their permission for the new purpose. If you don’t have existing permission to re-approach them, then this is not a way forward.
- Don’t use lists of attendees to an event for marketing to them or for any other purpose without their consent; or don’t use data purely collected for medical treatments for research in a way that individuals concerned would not reasonably expect based on the information they were provided in the privacy notice or have not consented to in cases where consent is needed.
DATA MINIMISATION: Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum (see also the principle of ‘Storage Limitation’ below).
What are examples of measures that UCD/you need to take to deliver on the principle of data minimisation?
- Clearly define what you want to find out with the personal data you intend to collect. If it is a research question, succinctly describe the research question.
- Look at the ‘Necessity and Proportionality’ of the personal data sets you intend to collect with regards to your e.g. research question or administrative questionnaire.
- Importantly, use and incorporate ‘Data Protection by Design and by Default’. Data protection by design applies to any planning of data processing operations, whereas data protection by default aims at making any default settings of existing settings or collection methods the most private options, without needing any user intervention.
- Use anonymisation and pseudonymisation as part of a ‘data minimisation’ strategy aimed at minimising the risks of a data breach for data subjects. [See also ‘Guidance on Anonymisation and Pseudonymisation’]
- Don’t keep data for longer than needed and permitted by considering and actioning on data retention periods
- Keeping personal data on an individual is not an all or nothing You might initially collect a set of personal data on an individual. As time moves on you might continue to need some of the data like a person’s name, but you might no longer need additional information which has become irrelevant. Consequently, the latter set of data should be securely deleted, the data that remains relevant can be kept.
DATA ACCURACY: Controllers must ensure that personal data are accurate and, where necessary, kept up to date; taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, controllers should accurately record information they collect or receive and also record the source of that information.
What are examples of measures that UCD/you need to take to deliver on the principle of accuracy?
- It is important that individuals (data subjects) have an easy way to exercise their rights, like to have access to their data, to have incorrect data corrected; or to have data that are no longer needed erased. This will allow prompt updates or corrections of personal data held on UCD systems.
- Don’t make local copies of personal data! Local copies not only put the security of data at risk, but also are the cause of old data being used instead of current data.
- Have a clear protocol about who is authorised to make changes to data and log any changes made.
- In your ‘Record of Processing Activities’ (ROPA) document capture the source of any data set you receive so that you can check back if clarifications is
- In your ‘Record of Processing Activities’ (ROPA) document capture any recipients you share data with. Should you/UCD as controller, receive requests for data corrections or any other related data subject rights request, you/UCD needs to communicate this request to the recipients you sent the data toon. This will allow the recipients to update their records too.
STORAGE LIMITATION: Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
What are examples of measures that UCD/you need to take to deliver on the principle of storage limitation / data retention?
- You need to think about how long you will keep personal data from the outset, even before you collect them, as this needs to be included in a privacy notice. If a specific date cannot be given, then you need to provide information about the criteria that will inform the retention period.
- Any retention period needs to be based on a stringent and robust rational and needs to be as short as possible in line with the original purpose.
- For key areas it is quite likely that there are organisational or sectorial guidelines for retention periods.
- Data retention is not an ‘all or nothing’ consideration. You might have collected several items of personal data at the same time, but that does not mean that you need everything for the same length of time. You might be required to keep some data for longer for legal or auditing purposes and other ones can be deleted much sooner. Regularly review what needs to be kept and what needs to be securely deleted or shredded.
- Individuals (data subjects) can request that you delete their personal data once they are no longer needed.
- Don’t make local copies of personal data, this makes it more likely that data are kept for longer than permitted and also poses a security and confidentiality risk.
INTEGRITY & CONFIDENTIALITY: Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
What are examples of measures that UCD/you need to take to deliver on the principle of integrity and confidentiality?
- ‘Technical and Organisational Measures (TOMs)’:
- Any Unit needs to have policies and procedures for data protection in place that reflect the type of work they do. These are organisational measures.
- Any Unit, and indeed every individual working on behalf of UCD, needs to make sure that the technical measures under their control are in line with requirements. These are technical measures. To find out more consult the IT Security
- Any Unit needs to look after, and secure appropriately, any physical personal data assets, like hard copies of documents.
- IT Security is paramount here and is a prerequisite for data protection. UCD IT Services offer a wide range of tools and advice on their website. Make sure that any device you use has all security features installed and activated.
- If you are working wireless and/or remotely, make sure you use a secure connection. This includes the use of VPN; Eduroam, depending on what is appropriate for the location. The default UCD wireless network is a guest network and not a secure connection.
- Have a framework and protocol for who is allowed access to the personal data, the rationale for the access and an access log.
- When you consider sharing personal data, make sure to assess thoroughly if such sharing is appropriate and legitimate.
- Classify personal data according to their sensitivity. Depending on how sensitive they are, this will influence the level of protection needed and the risk involved.
- Know what to do when you suspect a personal data incident or breach has occurred. This includes to promptly inform your line manager as well as the Office of the DPO (gdpr@ucd.ie)
- If you intend to transfer personal data outside the EU, you have to put safeguards in place.
- If you use a third party, a supplier or any other provider of a solution, including IT solutions, which involves personal data, you need to contractually manage the controller-processor relationship.
ACCOUNTABILITY: Finally, the controller is responsible for, and must be able to demonstrate, their compliance with all of the above-named Principles of Data Protection. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the DPC.
What are examples of measures that UCD/you need to take to deliver on the principle of integrity and accountability?
- UCD as an organisation, and any Unit within it, needs to have a number of records in place to demonstrate accountability.
- The following documents are key:
- Record of Processing Activities (ROPA) [UCD Short Guide to Records of Processing Activities (ROPAs)] where you map and keep track of your personal data processing activities
- Privacy Notices [UCD Short Guide on writing privacy notices], in which you inform individuals you want to collect data from about the who, where when, how, etc. of the intended data processing.
- Data Protection Impact Assessments (DPIAs) [DPC Guide to Data Protection Impact Assessments: Full Guidance Note], which are required if the intended processing could results in privacy risks for individuals concerned.
- If you make decisions on the design and the go-ahead of particular processing activities, document your thinking and rational. This will help to show that you gave data protection due consideration and will demonstrate accountability. All of the data protection principles will come into play.