skip to content

Office of Intercollegiate Services

 

Below are some data protection terms that you are likely to come across in your day-to-day activities in the College.

Personal data and Special category data

Personal data is any information relating to natural (i.e. living) persons who:

  • can be identified or who are identifiable, directly from the information in question; or
  • can be indirectly identified from that information in combination with other information.

Examples of personal data include, but are not limied to:

  • Name and address;
  • Applicant reference number;
  • National Insurance number;
  • University CRSid; and
  • Photographs or CCTV images.

What constitutes personal data may also vary depending on the scenario. For example, a rare name, or one with an unusual spelling, could be considered a specific individual’s personal data. In the case of a name such as John Smith, this is less likely to be the case and other data (e.g. course title) might be needed before a specific individual can be identified.

Some types of personal data are considered more sensitive and therefore require additional security and protection measures. These are:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • Data relating to Health;
  • Sex life; and
  • Sexual orientation.

As data protection law applies to living individuals, any personal data belonging to a deceased person falls outside the current legislation.

Data subject

The person whose personal data is being processed is called data subject. Data protection law covers personal data of living people, any personal data belonging to a deceased person falls outside the current legislation.

Processing

Any action of activity involving personal data is considered processing under data protection law. This covers the personal data throughout its entire lifecycle, from creation/collection through to eventual secure destruction or re-designation as a permanent record in the College's Archives.

Data protection law only allows personal data to be processed if there is a valid reason or lawful basis for doing so. Where special category data is being processed, a condition for processing is needed in additional to a lawful basis.

Data controller and Data processor

Controllers are legal entities such as organisations, institutions, charities, clubs, volunteer groups, and businesses (including the self-employed and sole traders) that exercise overall control over the purposes and means of processing personal data. Employees of data controllers process personal data according to organisational procedures, and on behalf of their employers, even if they are the only people using that data.

Data processors process personal data on behalf of, and only under instructions from, data controllers. They cannot use (i.e. process) that data for their own purposes or on behalf of other controllers. Although they are responsible for the security and protection of the data they process, they do so under the terms of their arrangements with data controllers.

Data controllers must be registered with the Information Commissioner's Office (ICO). Each College in the University of Cambridge is independent from the University, as well as a separate legal entity and registered data controller.

A data controller can delegate the processing of personal data to third parties, i.e. data processors. However, it remains the decision maker and responsible party on all aspects of processing, including data security.

Lawful basis and Conditions for processing

Data protection law only allows personal data to be processed for a specified reason, referred to in legislation as a lawful basis. These bases are:

  • Consent;
  • Contract;
  • Legal obligation;
  • Vital interests;
  • Public task; and
  • Legitimate interests.

It is the responsibility of the data controller to determine the lawful basis for each processing activity.

Due to their sensitive nature, special category data require additional security considerations and must meet at least one of 10 specific conditions for processing:

     a) Explicit consent;

     b) Employment, social security and social protection^;

     c) Vital interests;

     d) Not-for-profit bodies;

     e) Made public by the data subject;

     f) Legal claims or judicial acts;

     g) Reasons of substantial public interest*;

     h) Health or social care*;

     i) Public health*; and

     j) Archiving, research and statistics*.

^ This condition requires authorisation by law.

* This condition requires a basis in law.

Individuals' rights

The current data protection law gives individuals enhanced rights to their personal data. In all but exceptional cases, data controllers are required to comply when an individual exercises one of these rights. These are:

  1. Right to be informed;
  2. Right of access;
  3. Right to rectification;
  4. Right to erasure;
  5. Right to restrict processing;
  6. Right to data portability;
  7. Right to object; and
  8. Rights in relation to automated decision making and profiling.

Cambridge Colleges tend to receive more requests from individuals to exercise their right of access and right to erasure than the other rights. However, they should still have procedures in place for dealing with all types of rights requests. More information on individuals' rights can be found on our Data Subjects' Rights page.

 

Data protection principles

Data protection law is based on seven principles, and Colleges must meet all these principles in order to be compliant:

  • Lawfulness, fairness and transparency - this includes ensuring that processing is in accordance with one of the six lawful bases and, where processing involves special category (sensitive) data, one of the ten conditions for processing is identified;
  • Purpose limitation - the College must ensure any processing is specified, explicit and legitimate;
  • Data minimisation - the amount of personal data processed should be limited to what is adequate and relevant to achieve the specified purpose;
  • Accuracy - the College must ensure that any personal data being processed is accurate and kept up-to-date;
  • Storage limitation - data should only be held while it is necessary to achieve the specified purpose for its processing;
  • Integrity and confidentiality (security) - data should be processed in a secure manner; and
  • Accountability - the College is responsible for all the personal data processing it undertakes and must have appropriate procedures and documenation in place to demonstrate its compliance with the other six principles.

More information on the Colleges' compliance requirements can be found on our Accountability and Governance page.

Personal data breaches

The ICO defines a personal data breach as:

"...a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."

Any incident involving personal data should be reported following the College’s own reporting procedures*, e.g. reporting to manager, filing an incident report online, emailing the College Data Protection Lead, etc.

  *Heads of Department should ensure this information is available to all their staff.

In all cases, an initial incident report should also be submitted via the online reporting tool. Anyone with Raven credentials can access this tool to notify their College Data Protection Lead.

The College Data Protection Lead and the Data Protection Officer will assess the level of risk the incident poses to people (i.e. likelihood and severity of the risk to people’s rights and freedoms). Depending on the outcome, the College may report the breach to the ICO and/or data subjects affected.
 
The statutory timeline for investigating, mitigating/resolving, and reporting a breach – inc. notifying the ICO where necessary – is 72 hours!
 
More information can be found on the Personal Data Breaches page.