= GDPR

Tags: [[Information_Governance_Category]]

== Regulation

- [[http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN|EU Regulation]]
- [[https://gdpr-info.eu/art-9-gdpr/|Nicely Formatted]]
- [[https://publications.parliament.uk/pa/bills/lbill/2017-2019/0074/18074.pdf|UK Data Protection Bill]]

== Latest Developments

- [[https://digital.nhs.uk/media/34227/GDPR-FAQs/doc/20171122_GDPR_FAQs|NHS Digital GDPR FAQ (Check Monthly)]]
- [[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new/|ICO - What's New (Check Monthy)]]

== Guidance

- [[http://www.writeupp.com/blog/gdpr-a-practical-perspective/|Write up (GP Sysytem)]]
- [[https://digital.nhs.uk/information-governance-alliance/General-Data-Protection-Regulation-guidance|NHS Digital]]
- [[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr|ICO]] - Certainly the best.  A good starting point for creating policies and SOPs.  Contains templates and checklists.
- [[https://ico.org.uk/for-organisations/guide-to-data-protection/big-data/|ICO Big Data and Machine Learning guidance]]
- [[https://www.youtube.com/watch?v=S7xKH8KQlqE&feature=youtu.be|GDPR Webinar]]

== Work Requirements

- [[https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/|ICO Checklist]]

=== Communicate with all Researchers

- [[https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf|ICO Overview - distribute?]]

=== Documentation

- [[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/|ICO Documentation Guidance with templates and checklists]]

==== Study Data Documentation

- Lawful basis for processing (probably only consent is applicable):
 - Consent
 - Contract with individual
 - Legal obligation
 - Vital interest (i.e., to protect someone's life)
 - Public task (as directed by legislation)
 - Legitimate interest
- Safeguards (Need to double check these):
 - Data minimisation
 - Pseudonymisation
 - Limited period of identification
 - Limited period of retention
 - No distress or damage caused to individual
 - Not used for personal decisions
 - Policies are in place
- Informing the public
- Anonymisation:
 - Anonymous
 - Pseudonymised
 - Identifiable
- Data type:
 - Personal data
 - Special category data
  - Racial or ethnic origin
  - Political opinions
  - Religious or philosophical beliefs
  - Trade union membership
  - Genetic data
  - Biometric data (where used for personal identification)
  - Health data
  - Sex life
  - Sexual orientation
- Conditions for processing Special Category Data (requires link to actually description):
 - Explicit consent
 - Necessitated by employment, social security or social protection law.
 - Necessary to protect vital interest of subject or other person and consent is not possible.
 - Legitimate activities of a not-for-profit organisation with a direct contact to data subject.
 - Data has been made public by the data subject
 - For legal purposes
 - For substantial public interest.
 - For health provision
 - For serious public health issues
 - Archiving for historical or scientific research
- Archives
- Data retension timescales
- Data source
- Location of data
- Outputs and data sharing


==== Audits and Review Meetings

- Frequency
- Attendees
- Items to cover:
 - Review of lawful basis
 - Review of safeguarding
 - Review user access list

==== Transfers, Processors and Data Sharing

- Organisations
- Contracts
- Anonymisation
- Data type
- Data processing agreements / Information sharing agreements
- Length of agreement

=== Data Protection Impact Assessment

- [[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/|ICO Data Protection Impact Assessment]]
- [[https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf|ICO Code of Practice - i.e., How to guide]]

=== Policies / SOPs / Mitigation

==== Rights of Data Subject

- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right to not be subject to automated decision-making, including profiling

==== Areas requiring Action

- Public communication:
 - Web sites
 - posters
- Withdrawal / Do not contact / erasure requests
- Data breach notification
- Data review meetings
- Anonymisation / Pseudonymisation
- Data transfer and encryption
- Authentication
- Request management:
 - Access
 - Recification
 - Erasure
 - Restrict processing
 - Data portability
 - Objections

=== Security

- [[https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/|ICO Guidance (work in progress)]]

[[BackLinks]]